DET0280: Behavior-Based Registry Modification Detection on Windows
Analyst context for executives and security teams
DET0280 is a detection strategy for spotting behavior-based Windows Registry modifications associated with ATT&CK technique T1112, Modify Registry. For security leaders, the value is not simply watching registry writes; it is validating whether the organization can notice registry changes that may support persistence or defense impairment before they become an incident-response surprise.
Executive priority
Prioritize this as a Windows resilience and SOC readiness question: do teams have enough registry-related telemetry, context, and triage process to distinguish expected administrative or software activity from changes that could weaken defenses or help unauthorized persistence? This also supports audit and incident decision-making by showing whether registry modification monitoring is risk-based rather than purely tool-dependent.
Technical view
SOC and detection engineering teams should validate behavior-based coverage for Windows Registry modification activity related to T1112. Because the supplied ATT&CK object has no official detection text or platform list, the strongest supported scope comes from its relationship to Modify Registry, which ATT&CK maps to the Defense Evasion tactic on the Windows platform and whose description also covers registry changes used to aid persistence. Focus validation on whether registry change events can be correlated with process, user, privilege level, host, and remote/local execution context.
Likely telemetry
- Windows Registry key/value creation, modification, and deletion events
- Process execution telemetry for tools or programs modifying the Registry
- User and account context, including elevated or administrator-level activity where available
- Host and endpoint telemetry showing local versus remote administration context
- Security control or endpoint logs that show changes affecting defensive configuration
Detection direction
- Validate that registry modification monitoring covers behavior, not only static indicators or known bad key paths.
- Tune detections around sensitive persistence and defense-impairment registry areas using local baselines to reduce noise from legitimate administration and software installation.
- Correlate registry changes with the initiating process, command line where available, user identity, host role, and timing.
- Review blind spots where registry telemetry is absent, filtered, retained too briefly, or not joined to endpoint process context.
- Use the T1112 relationship as the ATT&CK mapping for detection logic and reporting, while documenting any local assumptions because DET0280 has no official detection text supplied.
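The telemetry and detection-direction points above describe a correlation rather than a single indicator: a registry write is interesting when the key is in a sensitive area, the writing process is not part of the local baseline, and the process, user and privilege context can be joined to it. The following Python is an added example written for this page, not code from MITRE or Glexia. It runs that logic over a handful of constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 13 RegistryEvent Value Set field names). The sensitive-key patterns are a starter set, the baseline entry for msiexec.exe is a placeholder, and the sample events are invented; all three are assumptions to be replaced with local data.

```python
"""Behavior-based triage of registry modification events.

Added example for the DET0280 page; not MITRE or Glexia code. Event shapes
follow Sysmon Event ID 1 (ProcessCreate) and 13 (RegistryEvent: Value Set).
SENSITIVE_PATTERNS, BASELINE and SAMPLE_EVENTS are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Starter list of sensitive areas (assumption: extend from local threat model).
# Run/RunOnce keys support persistence; Defender policy values disable defenses.
SENSITIVE_PATTERNS = [
    (re.compile(r"^HK(LM|U\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
                re.IGNORECASE), "persistence"),
    (re.compile(r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\(Real-Time Protection\\)?Disable",
                re.IGNORECASE), "defense-impairment"),
]

# Expected (image basename, category) pairs learned from local baselining.
# Placeholder assumption: installer writes to Run keys are expected here.
BASELINE = {("msiexec.exe", "persistence")}

# Sysmon IntegrityLevel values treated as elevated.
ELEVATED_LEVELS = {"High", "System"}


@dataclass
class Alert:
    category: str
    target: str
    image: str
    user: str
    command_line: Optional[str]
    parent_image: Optional[str]
    elevated: Optional[bool]          # None when no process-create event was found
    process_context_missing: bool     # the blind spot called out in the page


def classify(target_object: str) -> Optional[str]:
    """Return the sensitive-area category for a TargetObject, or None."""
    for pattern, category in SENSITIVE_PATTERNS:
        if pattern.search(target_object):
            return category
    return None


def index_process_creates(events):
    """Map ProcessGuid -> Event ID 1 record so registry events can be joined."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def triage(events, baseline=BASELINE):
    """Emit alerts for sensitive, non-baselined registry writes with context."""
    procs = index_process_creates(events)
    alerts = []
    for e in events:
        if e["EventID"] not in (12, 13, 14):   # Sysmon registry event IDs
            continue
        category = classify(e["TargetObject"])
        if category is None:
            continue
        image_name = e["Image"].rsplit("\\", 1)[-1].lower()
        if (image_name, category) in baseline:
            continue                           # tuned out by local baseline
        proc = procs.get(e["ProcessGuid"])     # join to process-create context
        alerts.append(Alert(
            category=category,
            target=e["TargetObject"],
            image=e["Image"],
            user=e.get("User", ""),
            command_line=proc["CommandLine"] if proc else None,
            parent_image=proc["ParentImage"] if proc else None,
            elevated=(proc["IntegrityLevel"] in ELEVATED_LEVELS) if proc else None,
            process_context_missing=proc is None,
        ))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i agent.msi /qn", "User": r"NT AUTHORITY\SYSTEM",
     "IntegrityLevel": "System", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentUpdater",
     "Details": r"C:\Program Files\Agent\updater.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
     "User": r"CORP\jdoe", "IntegrityLevel": "High", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)", "User": r"CORP\jdoe"},
    # Registry event whose process-create record was never collected.
    {"EventID": 13, "ProcessGuid": "{C}", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "User": r"CORP\jdoe"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\SomeVendor\Agent\Version", "Details": "1.2.3",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.category}] {a.image} ({a.user}, elevated={a.elevated}) -> {a.target}"
              f"{'  [no process context]' if a.process_context_missing else ''}")
```

Of the four registry writes, the installer's Run-key write is suppressed by the baseline, the vendor version value is not in a sensitive area, the reg.exe write to the Defender policy key is raised with its command line and High integrity level attached, and the Run-key write from a Temp-folder binary is raised with the process-context-missing flag set, which is exactly the gap the review item on absent or unjoined telemetry asks teams to surface rather than silently drop.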
Mitigation priorities
- Establish or confirm collection of Windows Registry modification telemetry on relevant Windows systems.
- Baseline legitimate administrative, software deployment, and endpoint management activity before enforcing high-severity alerting.
- Apply least-privilege and administrative access governance because some registry areas require elevated permissions.
- Ensure SOC runbooks define how to triage registry changes that may indicate persistence or defense impairment.
- Retain evidence needed for incident response and compliance reporting, including who changed what, on which host, by what process, and when.
Analyst notes and limits
This take is based on the DET0280 name, external reference, and its relationship to T1112 Modify Registry. The object itself provides no official description, detection text, tactics, or platforms, so practical guidance is derived conservatively from the related technique's Windows platform and Defense Evasion tactic, together with the persistence uses of registry modification that the technique's description mentions.
Local coverage depends on endpoint logging configuration, registry audit scope, retention, and the ability to correlate registry activity with process and identity context. The supplied data does not support claims about active exploitation, specific adversaries, guaranteed detection, or vendor-specific controls.
Behavior-Based Registry Modification Detection on Windows
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | This object detects Modify Registry. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5db3589f0afa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0280 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.