MITRE ATT&CK

Registry Structure & Terminology

The Windows Registry is organised much like a file system: keys behave like directories, values like the files inside them. Understanding that structure makes it easier to spot where persistence mechanisms can be planted.

Lists in the registry appear in three forms:

  1. Lists of Sub-Keys – Similar to a directory containing multiple subdirectories; each item is its own key (e.g., the list of port monitors under the print spooler's Monitors key).
  2. A Key with Multiple Values – Functions like a folder containing multiple files; each item is one value under the same key (e.g., the Run keys, where each value name maps to a command line).
  3. A Multi-Line Value – A single REG_MULTI_SZ value in which each line represents an item (e.g., the LSA "Authentication Packages" value, one DLL name per line).

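The three list forms above, read back with PowerShell's registry provider. This is an added example and not code from the original page; the key paths are the standard Windows locations for port monitors, the per-user Run key and the LSA configuration, and the script only reads them.

```powershell
# Added example: enumerate each of the three registry "list" forms.
# Read-only; nothing is written. Paths are the well-known Windows locations.

# 1. A list of sub-keys: every installed port monitor is its own key under Monitors.
#    The Driver value inside each sub-key names the DLL the spooler loads for it.
$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
Get-ChildItem -Path $monitorsKey | ForEach-Object {
    $driver = (Get-ItemProperty -Path $_.PSPath -Name 'Driver' -ErrorAction SilentlyContinue).Driver
    [pscustomobject]@{ Form = 'SubKey'; Item = $_.PSChildName; Payload = $driver }
}

# 2. One key holding many values: each value under Run is (name, command line).
#    The PowerShell provider adds its own PS* properties; filter them out.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps) {
    $runProps.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Form = 'Value'; Item = $_.Name; Payload = $_.Value } }
}

# 3. A multi-line (REG_MULTI_SZ) value: PowerShell returns it as a string array,
#    one element per line, each naming an LSA authentication package DLL.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
(Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages' |
    ForEach-Object { [pscustomobject]@{ Form = 'MultiLine'; Item = 'Authentication Packages'; Payload = $_ } }
```

On a clean system the third list is a single line, `msv1_0`; an additional DLL name there is worth investigating, because LSASS loads every package listed at boot. The same three access patterns (Get-ChildItem for sub-keys, Get-ItemProperty for values, indexing into a string array for multi-line values) cover most registry persistence locations.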
**Figure: Registry terminology example**

**Figure: List of values in the Run Key**

Registry Run Keys & Malware Persistence


Windows Run keys list programs that start automatically when a user logs on: entries under HKLM run for every user, entries under HKCU run only for that user and can be written without administrative rights. Attackers add a value pointing at their payload so that it is executed again at every logon, which is why these keys are among the first places to check for persistence.
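An audit of the standard Run and RunOnce locations, as an added example rather than code from the original page. The key list is the usual set of autostart locations in both hives (including the 32-bit view under Wow6432Node); the flagging heuristics (binary in a user-writable directory, script host or LOLBin, encoded or hidden command-line flags, target file missing) are assumptions chosen for illustration, not a complete detection rule.

```powershell
# Added example: list every Run/RunOnce entry in HKLM and HKCU and flag the
# ones that look like user-level persistence. Heuristics are illustrative
# assumptions; tune them against your own baseline.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line: a quoted path, else the first token.
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Return the list of reasons an entry looks suspicious (empty = nothing flagged).
function Test-SuspiciousRunEntry([string]$cmd) {
    $exe      = Get-ExePath $cmd
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    $reasons  = @()
    if ($expanded -match '\\(AppData|Temp|ProgramData|Public|Downloads)\\') { $reasons += 'user-writable path' }
    if ($expanded -match '(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?$') { $reasons += 'script/LOLBin host' }
    if ($cmd -match '-enc|-e\s|frombase64|-w(indowstyle)?\s+hidden|bypass') { $reasons += 'encoded/hidden flags' }
    # Only check existence when a directory is given; bare names resolve via PATH.
    if ($expanded -match '\\' -and -not (Test-Path -LiteralPath $expanded)) { $reasons += 'target missing' }
    return $reasons
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider's own PS* bookkeeping properties.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Flags   = ((Test-SuspiciousRunEntry $p.Value) -join '; ')
            }
        }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize -Wrap
```

Run it once on a known-good build to capture a baseline, then diff later output against it; a new value, especially one with anything in the Flags column, is the signal. Note that RunOnce entries delete themselves after executing, so a RunOnce value seen on a long-running host is itself unusual.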

Important Registry Hives

The registry consists of several "hives", the major sections that store system and user data. The two most important for persistence are: