Anti-Forensics
Clear Browser Artifacts
Clear Command History
Clear Operating System Logs
Decrease Privileges
Delete User Account
Deletion of Volume Shadow Copy
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Log Tampering
Modify Windows Registry
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Virtualization
Windows System Time Modification
- ID: AF007
- Created: 25th May 2024
- Updated: 05th July 2024
- Platform: Windows
- Contributor: The ITM Team
Modify Windows Registry
A subject may modify keys or key values within the Windows Registry to conceal actions they have conducted related to an infringement.
Subsections
ID | Name | Description |
---|---|---|
AF007.001 | Delete or Modify Registry Key | The subject deletes or modifies Windows Registry keys to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting these keys can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system. |
AF007.002 | Delete or Modify Registry Key Value | The subject deletes or modifies Windows Registry key values to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting key values can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system. |
AF007.003 | Disabling Application Launch Tracking via Registry | The subject modifies the Windows Registry to disable the operating system’s application launch tracking, thereby preventing the creation of key forensic artifacts used to reconstruct user activity. This technique suppresses the generation of records in RunMRU (Run Most Recently Used) and UserAssist, both of which are commonly referenced in forensic timelines to identify command execution and GUI application use.
Windows stops logging user application launches, resulting in missing or incomplete histories. This technique is subtle and persistent, particularly effective on systems where registry auditing is not actively enforced.
Example Scenario: |