{"description": "Enterprise techniques mitigated by Restrict Registry Permissions, ATT&CK mitigation M1024 (v1.2)", "name": "Restrict Registry Permissions (M1024)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.003", "comment": "Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. (Citation: Microsoft W32Time May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1037.001", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1574.011", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.012", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "comment": "Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.002", "comment": "Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging. The addition of the MiniNT registry key disables Event Viewer.(Citation: def_ev_win_event_logging)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.007", "comment": "Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "Restrict Registry permissions to disallow the modification of sensitive Registry keys such as `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1556.008", "comment": "Restrict Registry permissions to disallow the modification of sensitive Registry keys such as `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "comment": "Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.(Citation: Microsoft System Services Fundamentals)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.005", "comment": "Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.(Citation: Microsoft System Services Fundamentals)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1553.003", "comment": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553.006", "comment": "Ensure proper permissions are set for the Registry to prevent users from modifying keys related to code signing policies.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Restrict Registry Permissions", "color": "#66b1ff"}]}