Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)

Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:

Review and Adjust Permissions on Critical Keys

Regularly review permissions on keys such as Run, RunOnce, and Services to ensure only authorized users have write access.
Use tools like icacls or PowerShell to automate permission adjustments.

Enable Registry Auditing

Enable auditing on sensitive keys to log access attempts.
Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity.
Example Audit Policy: auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Protect Credential-Related Hives

Limit access to hives like SAM,SECURITY, and SYSTEM to prevent credential dumping or other unauthorized access.
Use LSA Protection to add an additional security layer for credential storage.

Restrict Registry Editor Usage

Use Group Policy to restrict access to regedit.exe for non-administrative users.
Block execution of registry editing tools on endpoints where they are unnecessary.

Deploy Baseline Configuration Tools

Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

Tools for Implementation

Registry Permission Tools:

Registry Editor (regedit): Built-in tool to manage registry permissions.
PowerShell: Automate permissions and manage keys. Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"
icacls: Command-line tool to modify ACLs.

Monitoring Tools:

Sysmon: Monitor and log registry events.
Event Viewer: View registry access logs.

Policy Management Tools:

Group Policy Management Console (GPMC): Enforce registry permissions via GPOs.
Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
SIP and Trust Provider Hijacking - T1553.003 (543fceb5-cb92-40cb-aacf-6913d4db58bc)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335)	Attack Pattern	Restrict Registry Permissions - M1024 (a2c36a5d-4058-475e-8e77-fff75e50d3b9)	Course of Action	1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a)	Attack Pattern	2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	2
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	2
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	SIP and Trust Provider Hijacking - T1553.003 (543fceb5-cb92-40cb-aacf-6913d4db58bc)	Attack Pattern	2
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335)	Attack Pattern	2