MITRE ATT&CK and the Windows Registry: a detection map
The registry is one of the densest corners of the MITRE ATT&CK matrix. Adversaries persist in it, escalate through it, hide in it, evade defenses with it, and steal credentials out of it. For a defender, that is good news: a single SYSTEM, SOFTWARE, SAM and NTUSER set covers a large slice of the techniques an intrusion will touch — if you know which keys map to which technique and what a clean baseline looks like.
This page maps the ATT&CK techniques with a meaningful registry footprint to the keys behind them, and links a detection-focused deep-dive for each. The framing throughout is defensive: where the technique lives, what normal looks like, and how to hunt the anomaly. Many of these checks are also flagged automatically by the browser-based parser: load your own hives and its triage Findings surface several of the techniques below.
Persistence
The largest registry tactic. Most autostart vectors are a key write away.
- T1547.001 — Registry Run Keys / Startup Folder: the Run/RunOnce family in HKCU and HKLM.
- T1543.003 — Create or Modify System Process: Windows Service: new services, ServiceDll swaps, ImagePath changes under SYSTEM\Services.
- T1546 — Event Triggered Execution: IFEO debuggers, AppInit DLLs, shims, netsh helpers, COM hijacks — persistence that fires on an event.
Privilege escalation & execution-flow hijacking
- T1574 — Hijack Execution Flow: COM CLSID overrides, DLL search order, App Paths, and file-association handlers — usually with HKCU quietly overriding HKLM.
Defense evasion
- T1112 — Modify Registry: the broad technique — weakening settings, fileless payload storage, and clearing tracks.
- T1562.001 — Impair Defenses: Disable or Modify Tools: Defender exclusions/disable, Event Log tampering, UAC/SmartScreen, and security-tool service changes.
- T1564.001 — Hide Artifacts: NULL-embedded key names and other tricks that hide data from RegEdit but not from a raw-hive parser.
Credential access
- T1003.002 — OS Credential Dumping: Security Account Manager: why the SAM is targeted, why it needs the SYSTEM bootkey, and how defenders detect access. (Investigation only — no offensive steps.)
How to use this map
Two ways. Reactively, when you have a hive set: walk the persistence techniques first (they are where most intrusions leave the clearest mark), then defense evasion, then credential access. Proactively, as a hunting checklist: baseline these keys on a known-good image, then diff. The recurring anomaly signals across nearly every technique are the same — a recent key LastWrite, a path in a user-writable or temp directory, an unsigned binary, an HKCU entry overriding an HKLM default, or a value whose type doesn't match its data.
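The hunting checklist above, and the NUL-embedded key names under T1564.001, can be expressed as a baseline-diff with a small scoring pass. The following is an added example written for this page, not the browser parser's own code: it works on constructed, simplified value records (hive, key, name, type, raw data, LastWrite) such as an offline parser would emit, and the list of user-writable path fragments is an illustrative assumption. The "unsigned binary" signal is deliberately left out, because checking a signature needs the referenced file, which a hive set alone does not carry.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RegValue:
    """Simplified value record; an offline hive parser would produce these."""
    hive: str             # "HKLM" or "HKCU"
    key: str              # key path as stored in the hive; may contain "\x00"
    name: str             # value name, "" for the default value
    vtype: str            # REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD
    data: bytes           # raw value data
    last_write: datetime  # LastWrite of the containing key, UTC

# Illustrative list of path fragments a non-admin user can normally write to (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

def display_name(raw_key: str) -> str:
    """What Win32-based tools such as RegEdit show: the name cut at the first NUL."""
    return raw_key.split("\x00", 1)[0]

def as_text(data: bytes) -> str | None:
    """Decode string-typed data; None when it is not clean, printable UTF-16LE."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def ident(v: RegValue) -> tuple[str, str]:
    """Case-insensitive (key, value-name) identity; hive excluded so HKCU/HKLM pairs line up."""
    return (v.key.lower(), v.name.lower())

def signals(v: RegValue, hklm_index: dict, now: datetime,
            window: timedelta = timedelta(days=7)) -> list[str]:
    """The page's anomaly signals for one value (signature check omitted: needs the file)."""
    out = []
    if "\x00" in v.key:                       # hidden from RegEdit, visible to a raw parser
        out.append("hidden-key-name")
    if now - v.last_write <= window:          # key written recently
        out.append("recent-lastwrite")
    text = None
    if v.vtype in ("REG_SZ", "REG_EXPAND_SZ"):
        text = as_text(v.data)
        if text is None:                      # blob stored under a string type
            out.append("type-data-mismatch")
    elif v.vtype == "REG_DWORD" and len(v.data) != 4:
        out.append("type-data-mismatch")
    if text and any(frag in text.lower() for frag in USER_WRITABLE):
        out.append("user-writable-path")
    if v.hive == "HKCU":                      # per-user entry shadowing a machine default
        machine = hklm_index.get(ident(v))
        if machine is not None and machine.data != v.data:
            out.append("hkcu-overrides-hklm")
    return out

def hunt(baseline: list[RegValue], current: list[RegValue], now: datetime) -> dict[str, list[str]]:
    """Diff current against a known-good baseline, then score what is new or changed."""
    base = {(v.hive, ident(v)): v.data for v in baseline}
    hklm_index = {ident(v): v for v in current if v.hive == "HKLM"}
    findings = {}
    for v in current:
        before = base.get((v.hive, ident(v)))
        if before == v.data:
            continue  # identical to baseline: skip in a diff pass
        hits = signals(v, hklm_index, now)
        if hits:
            label = v.hive + "\\" + v.key.replace("\x00", "<NUL>") + "\\" + (v.name or "(default)")
            findings[label] = ["new" if before is None else "changed"] + hits
    return findings

# --- constructed sample hives (not real data) ------------------------------
def sz(s: str) -> bytes:
    return (s + "\x00").encode("utf-16-le")

NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
OLD = NOW - timedelta(days=400)
RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SVC = "ControlSet001\\Services\\ExampleSvc"
CLSID = "Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32"

BASELINE = [
    RegValue("HKLM", RUN, "VendorAgent", "REG_SZ", sz("C:\\Program Files\\Vendor\\agent.exe"), OLD),
    RegValue("HKLM", SVC, "ImagePath", "REG_EXPAND_SZ", sz("C:\\Windows\\System32\\examplesvc.exe"), OLD),
    RegValue("HKLM", CLSID, "", "REG_SZ", sz("C:\\Windows\\System32\\example.dll"), OLD),
]
CURRENT = [
    BASELINE[0],                                                   # unchanged
    RegValue("HKLM", SVC, "ImagePath", "REG_EXPAND_SZ",            # service binary moved
             sz("C:\\ProgramData\\examplesvc.exe"), NOW - timedelta(days=3)),
    BASELINE[2],
    RegValue("HKCU", RUN, "Updater", "REG_SZ",                     # new per-user Run value
             sz("C:\\Users\\bob\\AppData\\Roaming\\upd.exe"), NOW - timedelta(days=1)),
    RegValue("HKCU", CLSID, "", "REG_SZ",                          # per-user COM server shadows HKLM
             sz("C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"), NOW - timedelta(days=2)),
    RegValue("HKCU", "Software\\Tmp\x00hidden", "blob", "REG_SZ",  # NUL in key name, blob as REG_SZ
             b"\x01\x00\x02\x00", OLD),
]

if __name__ == "__main__":
    for label, hits in hunt(BASELINE, CURRENT, NOW).items():
        print(label, "->", ", ".join(hits))
```

Run as-is it reports four findings: the changed service ImagePath, the new per-user Run value, the HKCU COM server shadowing its HKLM counterpart, and the NUL-named key whose "string" holds a blob. The diff pass discards anything identical to the baseline first, so the signal scoring only ever runs on what actually moved.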
These techniques rarely appear alone. Pair this map with the investigation playbooks — which chain artifacts by case type — and the RegRipper plugins reference for the per-artifact detail. To check a hive against the high-risk configurations directly, load it in your browser and read the Findings tab.