ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: AF007.001
  • Created: 25th May 2024
  • Updated: 27th July 2024
  • Platform: Windows
  • Contributor: The ITM Team

Delete or Modify Registry Key

The subject deletes or modifies Windows Registry keys to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting these keys can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system.

Prevention

ID Name Description
PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.