Windows Registry Attacks Cheat Sheet

The Windows Registry Editor, commonly referred to as regedit, is a graphical tool in the Microsoft Windows operating system that allows
authorized users to view and modify the Windows registry. The registry itself is a hierarchical database that stores configuration settings and
options for the operating system, including information about hardware, software, user preferences, and system settings. Here is a table
summarizing the function and description of each HKEY hive in the Windows Registry:

HKEY Hive: Function and Description

HKEY_CLASSES_ROOT (HKCR): This hive contains information about registered applications, including file associations and OLE Object Class IDs that tell Windows which programs to use for opening specific files. It merges data from HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, prioritizing user-specific settings over system defaults.

HKEY_CURRENT_USER (HKCU): This hive stores configuration information related to the currently logged-in user, including personalized settings like desktop background, screensavers, and application settings. It is dynamically linked to a specific subkey in HKEY_USERS that corresponds to the user.

HKEY_LOCAL_MACHINE (HKLM): This hive contains configuration data that applies to the computer regardless of who is logged in. It includes information about the system's hardware, installed software, security settings, and other system-wide settings.

HKEY_USERS (HKU): This hive includes subkeys corresponding to each user profile on the system. Each subkey contains the same type of information as HKEY_CURRENT_USER for each user. It serves as a master list of user settings on the computer.

HKEY_CURRENT_CONFIG (HKCC): This hive contains information about the hardware profile that is currently in use by the system. It is used primarily for system configuration details such as which hardware profile is active.

This table provides a simplified overview of the primary functions and roles of each major registry hive in the Windows operating system.

Registry hives are logical containers within the Windows Registry, designed to group related information together. Each hive contains a
specific set of keys, subkeys, and values, organizing configuration data in a way that supports the management of system and user settings.
Hives play a crucial role in the functioning of Windows by organizing and storing configuration data, making it easier to manage and
troubleshoot system and user settings.

https://www.linkedin.com/in/harunseker/ 1
Here's a detailed table summarizing the top 20 different examples of Windows Registry attacks, outlining the purpose of each
attack and providing specific details along with examples of how each is executed:

Columns: Attack | Purpose / Detail of Execution | Example of Execution

1. Persistence of Kovter Malware
   Purpose / Detail of Execution: Kovter writes its code directly into the Registry to ensure it executes upon system startup.
   Example of Execution: Kovter modifies HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute its script each time the computer boots.

2. Malware Installation via Fake Update
   Purpose / Detail of Execution: A fake Adobe Flash update pop-up writes malicious code into the Registry, which then executes further harmful scripts.
   Example of Execution: A user clicks on a pop-up, leading to a Registry change at HKCU\Software\Classes\clsid that triggers malware execution.

3. Privilege Escalation via Service Modification
   Purpose / Detail of Execution: Modifies the ImagePath registry key under services to redirect a legitimate service to execute a malicious binary.
   Example of Execution: An attacker changes HKLM\System\CurrentControlSet\Services\svcname\ImagePath to point to a malicious executable.

4. Remote Access via RAT Installation
   Purpose / Detail of Execution: Installs RATs and modifies the Registry to ensure the RAT executes at every system start.
   Example of Execution: A RAT modifies HKCU\Software\Microsoft\Windows\CurrentVersion\Run to add itself, ensuring it runs on startup.

5. Ransomware Activation (Ryuk)
   Purpose / Detail of Execution: Ryuk ransomware modifies run keys to load the ransomware during system startup.
   Example of Execution: Ryuk adds a new value in HKLM\Software\Microsoft\Windows\CurrentVersion\Run to execute its encryption routine.

6. Anti-Forensics via System Restore Manipulation
   Purpose / Detail of Execution: Alters Registry settings controlling System Restore to hide malicious activities or prevent recovery from backups.
   Example of Execution: Malware modifies HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore to disable System Restore functionality.

7. Disabling Security Tools
   Purpose / Detail of Execution: Modifies registry keys associated with antivirus software to disable it.
   Example of Execution: Malware sets the HKLM\Software\[Antivirus Name]\RealTime Protection key to 0 to turn off antivirus protection.

8. User Logon Hijacking
   Purpose / Detail of Execution: Changes UserInit or Shell keys to execute malicious scripts at user logon.
   Example of Execution: Malware modifies HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to include a malicious script.

9. Early Malware Execution
   Purpose / Detail of Execution: Adds entries to BootExecute to execute malware before the operating system fully loads.
   Example of Execution: A rootkit adds itself to HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute for early system execution.

10. Persistence via Startup Folder
   Purpose / Detail of Execution: Adds links to malicious programs in the Startup folder through the Registry.
   Example of Execution: Malware adds a new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders pointing to its executable.

11. Fileless Malware Execution
   Purpose / Detail of Execution: Uses registry keys to store and execute next-step code for malware after initial deployment.
   Example of Execution: A fileless virus stores its payload in HKCU\Software\Classes\clsid and schedules execution using WMI events.

12. DLL Hijacking
   Purpose / Detail of Execution: Replaces a legitimate DLL file with a malicious one by modifying the registry to point to the bogus DLL.
   Example of Execution: An attacker modifies HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs to load a malicious DLL instead of the legitimate one.

13. Command Interception via PATH Modification
   Purpose / Detail of Execution: Modifies the PATH environment variable in the Registry to redirect the execution of legitimate commands to malicious executables.
   Example of Execution: Malware appends a malicious directory to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path.

14. Service Hijacking via Weak Permissions
   Purpose / Detail of Execution: Exploits weak permissions on service-related registry keys to launch malicious code when a service starts.
   Example of Execution: An attacker grants themselves modify permissions on HKLM\System\CurrentControlSet\Services\svcname and changes the service binary path.

15. Credential Dumping via SAM Keys
   Purpose / Detail of Execution: Dumps the Security Account Manager (SAM) database from the registry to extract password hashes.
   Example of Execution: Tools like Mimikatz modify HKLM\SYSTEM\CurrentControlSet\Control\Lsa to dump credentials stored in the SAM.

16. Data Hiding in Registry
   Purpose / Detail of Execution: Stores malicious payloads in the Registry to evade detection by signature-based security software.
   Example of Execution: Malware hides its data in HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache.

17. Lateral Movement Preparation
   Purpose / Detail of Execution: Modifies or deletes registry keys to disrupt normal system operations or to prepare the system for further attacks.
   Example of Execution: An attacker deletes HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile to disable firewall rules before moving laterally.

18. Information Gathering via Registry
   Purpose / Detail of Execution: Remotely queries the registry to gather information about installed remote access tools.
   Example of Execution: An external script queries HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to find installed software for exploitation.

19. Evading Application Whitelisting
   Purpose / Detail of Execution: Uses the registry to bypass application whitelisting by modifying keys that control which applications can run.
   Example of Execution: Malware modifies HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers to whitelist its executable.

20. Malware Configuration Storage
   Purpose / Detail of Execution: Stores configuration settings for malware in the Registry to maintain flexibility and stealth.
   Example of Execution: A Trojan stores its C&C server addresses in HKCU\Software\[Malware Name]\Settings to dynamically update its behavior.

This table provides a comprehensive overview of the diverse and sophisticated ways in which attackers can leverage the
Windows Registry to conduct malicious activities, emphasizing the need for vigilant monitoring and robust security measures to
protect against such threats.
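The monitoring the closing paragraph calls for can be started from the table itself. The following is an added example, not code from the cheat sheet or its author: it takes the registry paths named in the table as a watch list, normalizes registry paths the way a detection engineer has to before matching (HKCU is only a link into HKEY_USERS\<SID>, as the hive table notes, so Sysmon reports user-hive writes as HKU\<SID>\...; HKU\<SID>_Classes is the user's Classes hive; CurrentControlSet is a link to a numbered ControlSet00N; case is not significant), and labels each matching event with the table's attack name. It assumes Sysmon Event ID 12 (registry key create/delete) and 13 (value set) as the event types, and the log lines are a constructed flat "Key=Value | Key=Value" rendering, not real telemetry.

```python
"""Added example (not from the cheat sheet): label Sysmon registry events with
the attack names from the cheat sheet's table.

Assumptions: Sysmon Event ID 12 = key create/delete, 13 = value set; the
SAMPLE_EVENTS lines are a constructed flat "Key=Value | Key=Value" rendering."""
import re

# Watch list built from the registry paths the cheat sheet names. Patterns are
# applied with re.match to a normalized, lower-case path (see normalize_path);
# "[^\\]+" stands in for placeholder segments such as "svcname" or a value name.
WATCHLIST = [
    (r"hklm\\system\\currentcontrolset\\services\\[^\\]+\\imagepath$",
     "Privilege Escalation via Service Modification / Service Hijacking via Weak Permissions"),
    (r"hkcu\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$",
     "Persistence via HKCU Run key (Kovter, RAT Installation)"),
    (r"hklm\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$",
     "Persistence via HKLM Run key (Ransomware Activation, Ryuk)"),
    (r"hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell)$",
     "User Logon Hijacking"),
    (r"hklm\\system\\currentcontrolset\\control\\session manager\\bootexecute$",
     "Early Malware Execution"),
    (r"hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\user shell folders\\",
     "Persistence via Startup Folder"),
    (r"hklm\\software\\microsoft\\windows nt\\currentversion\\systemrestore\\",
     "Anti-Forensics via System Restore Manipulation"),
    (r"hklm\\system\\currentcontrolset\\control\\session manager\\environment\\path$",
     "Command Interception via PATH Modification"),
    (r"hklm\\software\\policies\\microsoft\\windows\\safer\\codeidentifiers",
     "Evading Application Whitelisting"),
    (r"hklm\\software\\policies\\microsoft\\windowsfirewall\\domainprofile",
     "Lateral Movement Preparation"),
    (r"hklm\\software\\microsoft\\windows\\currentversion\\shareddlls\\", "DLL Hijacking"),
    (r"hkcu\\software\\classes\\clsid\\",
     "Fileless Malware Execution / Malware Installation via Fake Update"),
    (r"hkcu\\software\\classes\\local settings\\software\\microsoft\\windows\\shell\\muicache\\",
     "Data Hiding in Registry"),
]
_COMPILED = [(re.compile(p), name) for p, name in WATCHLIST]

# Rewrites applied in order to a lower-cased path. Each replacement is a plain
# string inserted through a lambda so re.sub does not reinterpret its backslashes.
_REWRITES = [
    (re.compile(r"^\\registry\\machine\\"), "hklm\\"),                    # kernel-style paths
    (re.compile(r"^\\registry\\user\\[^\\]+_classes\\"), "hkcu\\software\\classes\\"),
    (re.compile(r"^\\registry\\user\\[^\\]+\\"), "hkcu\\"),
    (re.compile(r"^hkey_local_machine\\"), "hklm\\"),
    (re.compile(r"^hkey_current_user\\"), "hkcu\\"),
    # HKCU is a link to HKU\<SID>; HKU\<SID>_Classes is that user's Classes hive.
    # HKU\.DEFAULT is left alone because it is not a logged-in user's hive.
    (re.compile(r"^(hkey_users|hku)\\[^\\]+_classes\\"), "hkcu\\software\\classes\\"),
    (re.compile(r"^(hkey_users|hku)\\(?!\.default\\)[^\\]+\\"), "hkcu\\"),
    # CurrentControlSet is a link to one numbered ControlSet00N.
    (re.compile(r"\\controlset00\d\\"), "\\currentcontrolset\\"),
]


def normalize_path(path):
    """Canonicalize a registry path so one pattern covers every spelling of a key."""
    p = path.strip().lower().rstrip("\\")
    for pattern, repl in _REWRITES:
        p = pattern.sub(lambda _m: repl, p, count=1)
    return p


def classify_target(target):
    """Return the cheat-sheet attack names whose watched key covers `target`."""
    path = normalize_path(target)
    return [name for pattern, name in _COMPILED if pattern.match(path)]


def parse_event(line):
    """Parse one constructed 'Key=Value | Key=Value' line into a dict."""
    fields = {}
    for chunk in line.split(" | "):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return one hit per (registry event, matching attack); other events are skipped."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in ("12", "13"):
            continue  # only registry key and value-set events carry a TargetObject
        for name in classify_target(ev.get("TargetObject", "")):
            hits.append({"attack": name, "event_type": ev.get("EventType", ""),
                         "image": ev.get("Image", ""), "target": ev["TargetObject"],
                         "details": ev.get("Details", "")})
    return hits


# Constructed sample events: five of the cheat sheet's techniques, one benign
# user-hive write, and one non-registry event that must be ignored.
SAMPLE_EVENTS = [
    r"EventID=13 | EventType=SetValue | Image=C:\Users\Public\upd.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater | Details=C:\Users\Public\upd.exe",
    r"EventID=13 | EventType=SetValue | Image=C:\Users\bob\AppData\Roaming\svc.exe | TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrv | Details=C:\Users\bob\AppData\Roaming\svc.exe",
    r"EventID=13 | EventType=SetValue | Image=C:\Windows\System32\reg.exe | TargetObject=HKLM\System\ControlSet001\Services\Spooler\ImagePath | Details=C:\Temp\spool.exe",
    r"EventID=13 | EventType=SetValue | Image=C:\Windows\System32\reg.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Details=C:\Windows\system32\userinit.exe,C:\Temp\hook.exe",
    r"EventID=12 | EventType=DeleteKey | Image=C:\Windows\System32\reg.exe | TargetObject=HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile",
    r"EventID=13 | EventType=SetValue | Image=C:\Windows\System32\wscript.exe | TargetObject=HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{0000-constructed-0000}\InprocServer32\(Default) | Details=C:\Users\bob\AppData\Local\Temp\p.dll",
    r"EventID=13 | EventType=SetValue | Image=C:\Windows\explorer.exe | TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop\Wallpaper | Details=C:\Users\bob\Pictures\bg.jpg",
    r"EventID=1 | Image=C:\Windows\System32\cmd.exe | CommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['attack']}: {hit['event_type']} {hit['target']} by {hit['image']}")
```

Every hit is a candidate, not a verdict: installers and Group Policy legitimately write to Run keys, service ImagePath values and the firewall policy key, so the Image and Details fields in each hit are what an analyst uses to separate a product updater from the cases the table describes. The prefix-based patterns also mean that a value set anywhere under a watched key (for example a new value under the Run key) is reported, while a value set in an unrelated user-hive location such as the wallpaper example is not.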
