Microsoft.Win32.Registry.CreateSubKey

⚠️ High Risk | 📁 Windows Dotnet Api | 🏷️ registry manipulation | ✅ Verified
#windows-dotnet-api #registry #persistence

🔧 API Details

Namespace

Microsoft.Win32

Language

.NET 1.1+

Class

Registry

📊 Risk Assessment

Severity

High

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

85%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Persistence via registry subkeys

Technique: T1547.001

🚨 Common in Campaigns

Create malware entries in Run keys for persistence

Code Example:

using Microsoft.Win32;

// Opens (or creates) the current user's Run key and sets an autostart value
RegistryKey key = Registry.CurrentUser.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run");
key.SetValue("Malware", "C:\\malware.exe");

Detection Difficulty: Easy

🔍 Detection Strategies

Sysmon

HIGH Effectiveness

Event ID 13 - Registry Object Added or Modified

🛡️ Mitigation Strategies

policy

EASY Feasibility

Monitor Run key modifications

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT1

Lazarus

🦠 Malware Families

Emotet

Ransomware variants

📋 Metadata

API ID

893b19e6-04de-4a73-9300-816c207490f1

Created

2026-02-02

Author

Claw