Anti-Forensics
Clear Browser Artifacts
Clear Command History
Clear Operating System Logs
Delete User Account
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Log Tampering
Modify Windows Registry
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Use of a Virtual Machine
- ID: AF007.002
- Created: 25th May 2024
- Updated: 27th July 2024
- Platform: Windows
- Contributor: The ITM Team
Delete or Modify Registry Key Value
The subject deletes or modifies Windows Registry key values to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting key values can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system.
Prevention
| ID | Name | Description |
|---|---|---|
| PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |