Event 4657: A registry value was modified.
Quick Answer
Event 4657 is generated when a registry value is modified, created, or deleted, providing critical visibility into registry changes often used for persistence, privilege escalation, and configuration tampering. This event is essential for detecting malware establishing autorun persistence, attackers disabling security controls, and unauthorized system configuration modifications.
Technical Details
Event ID: 4657
Windows Security- Object Access
Event Description
A registry value was modified.
Key Log Fields
SubjectUserName- Account that modified the registrySubjectDomainName- Domain of the accountSubjectLogonId- Logon ID for correlationObjectName- Full registry key pathObjectValueName- Name of the modified registry valueOperationType- Type of operation (New value written, Existing value modified, Value deleted)OldValueType- Previous value type (REG_SZ, REG_DWORD, etc.)OldValue- Previous registry value dataNewValueType- New value typeNewValue- New registry value dataProcessName- Process that modified the registryProcessId- Process ID
MITRE ATT&CK® Mapping (17)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API. Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)
Event Comparison
Event 4657 specifically tracks registry value modifications, while Event 7045 (Service Control Manager Event) monitors service installation. Event 4663 provides broader object access auditing. Monitor registry-specific Event 4657 for detailed registry change visibility.
What This Event Means
Event 4657 provides detailed visibility into Windows registry modifications, which is critical for detecting various attack techniques. The Windows registry stores system configuration, application settings, and security policies, making it a primary target for attackers establishing persistence and evading defenses. Common malicious registry modifications include adding entries to Run/RunOnce keys for startup persistence, modifying Windows Defender settings to disable real-time protection, changing UAC settings to weaken privilege controls, and altering network configuration for command and control communication. This event captures the registry path modified, the value name, the old and new data, and the process that performed the modification. Security teams should focus monitoring on high-value registry keys related to startup, security software, and privilege controls.
Security Implications
- Persistence establishment through modifications to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and similar autorun keys
- Security control tampering by disabling Windows Defender, UAC, or firewall through registry value changes
- Privilege escalation through modification of service configurations or elevation policies in registry
- Credential access by modifying WDigest UseLogonCredential setting to enable plaintext password storage in memory
- Nearly all malware families modify registry for persistence - Emotet, TrickBot, Qakbot all use Run key modifications
Detection Strategies
Enable Event 4657 auditing on critical registry paths including all Run/RunOnce keys, Windows Defender configuration keys, service definitions, and UAC settings. Alert on any modifications to autorun registry keys from non-installer processes. Monitor changes to Windows Defender registry values, particularly DisableRealtimeMonitoring and DisableAntiSpyware. Track WDigest UseLogonCredential modifications which enable credential theft. Correlate Event 4657 with Event 4688 to identify which processes are modifying registry values - legitimate system installers vs suspicious user-mode processes. Alert on registry modifications during off-hours or from unusual user accounts. Monitor service-related registry changes under HKLM\SYSTEM\CurrentControlSet\Services for malicious service creation.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Emotet malware persistence: Event 4657 showed modification of HKLM\Software\Microsoft\Windows\CurrentVersion\Run adding 'WindowsUpdate' value pointing to malware executable in AppData
TrickBot credential theft: Attackers modified HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to value '1' enabling plaintext password capture
Ransomware defense evasion: Before encryption, ransomware modified HKLM\Software\Policies\Microsoft\Windows Defender\DisableRealtimeMonitoring to disable antivirus
APT privilege escalation: Attackers modified UAC registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to '0' to disable User Account Control prompts