Rehabilitating Registry Tradecraft with RegRestoreKey

March 1, 2025 · origin hq · detection · windows
This post will take registry primitives as an example to explore how we can (a) think critically about the ways that EDR products detect specific procedures, (b) design tooling that takes away their ability to observe those procedures, and (c) force vendors to make meaningful changes to telemetry collection and detection strategies.

A practical look at under-modeled Windows registry tradecraft and what defenders can observe when attackers restore registry hives over existing keys, rather than updating registry keys and values directly.
