Employ Registry Protection Techniques
Malware commonly uses the registry for persistence: an autostart entry (a Run key value, a service definition or a Winlogon value, for example) relaunches the malware after every reboot, and because the entry is registry data rather than an executable file, file-scanning host-based antivirus may not flag it. Once integrated into the registry this way, the malware survives weak removal attempts such as a user deleting the file on disk but leaving the entry behind.
The most effective protection is to prevent, or at least monitor, changes to the specific keys this kind of malware relies on. Install software that monitors registry changes and supports per-program rules that allow or deny access to specific keys.
Such software either notifies the user of, or blocks, attempted changes to the protected keys.
When it blocks a change, the registry protection software terminates the process that attempted it and, where needed, restores any keys or values that were removed. Where no dedicated product is installed, Sysmon's registry events give a SIEM the same visibility: Event ID 12 (key or value created or deleted), 13 (value set) and 14 (key or value renamed).
Install or Verify Advanced Endpoint Security Technologies
Advanced endpoint security technologies are a relatively new class of endpoint security controls that detect advanced threats which traditional antivirus would miss.
There are several types of these controls. Some operate on custom rules that the user feeds to the control. Others use machine learning to statically detect malicious files that have never been seen before, based on their similarity to
other known malicious families. A third group detects malicious activity with a combination of rules and heuristics that are far more advanced than those of traditional antivirus: they encode known TTPs (Tactics, Techniques and Procedures) of known threat actors and monitor the whole system for malicious patterns, assigning a threat score to each activity.
Installing one of these controls and configuring it properly lets you detect more advanced threats than traditional antivirus does, and lets you customise the product to apply mitigations specific to your threat model.
Monitor and/or block anomalous registry changes
Monitor anomalous registry changes, meaning changes to keys that malware is known to use and that legitimate software rarely touches, such as the Run and RunOnce autostart keys, service definitions and Winlogon values. Choose an endpoint product that monitors registry changes, especially on the keys typically used by malware.
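As an added example (not code from the original page or from any product it describes), the following PowerShell script implements the monitoring described above with the WMI registry event provider built into Windows: it takes a baseline of a few autostart keys, subscribes to change events on each, and reports which values were added, modified or removed when an event fires. The key list, the console output format and the "RegWatch" subscription names are this example's own choices.

```powershell
# Added example, not code from the original page. Assumptions: the watched key list is
# illustrative; run from an elevated Windows PowerShell 5.1 session (Register-WmiEvent is
# not available in PowerShell 7). The WMI registry event provider covers HKEY_LOCAL_MACHINE
# and HKEY_USERS, not HKEY_CURRENT_USER, so per-user Run keys would be watched through
# HKEY_USERS\<SID>\... instead.

$watchedKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Returns name -> value (as text) for every value directly under a key.
function Get-KeyValueSnapshot {
    param([string]$RegistryPath)
    $snapshot = @{}
    $key = Get-Item -Path $RegistryPath -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            # Do not expand %VARS%, so the stored text matches what is actually in the registry.
            $snapshot[$name] = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
    return $snapshot
}

# State shared with the event handlers via -MessageData: baselines keyed by lowercase key path,
# plus the snapshot function itself so the handler does not depend on session scope.
$state = [hashtable]::Synchronized(@{
    Baseline = @{}
    Snapshot = ${function:Get-KeyValueSnapshot}
})
foreach ($keyPath in $watchedKeys) {
    $state.Baseline[$keyPath.ToLower()] = Get-KeyValueSnapshot "Registry::HKEY_LOCAL_MACHINE\$keyPath"
}

$index = 0
foreach ($keyPath in $watchedKeys) {
    # WQL string literals need backslashes doubled. RegistryKeyChangeEvent fires for changes to
    # the key's own values, not its subkeys (RegistryTreeChangeEvent covers a whole subtree).
    $wql = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
           "AND KeyPath='$($keyPath.Replace('\', '\\'))'"
    Register-WmiEvent -Query $wql -SourceIdentifier "RegWatch$index" -MessageData $state -Action {
        $hive    = $Event.SourceEventArgs.NewEvent.Hive
        $keyPath = $Event.SourceEventArgs.NewEvent.KeyPath
        $state   = $Event.MessageData
        $before  = $state.Baseline[$keyPath.ToLower()]
        if (-not $before) { $before = @{} }
        $after   = & $state.Snapshot "Registry::$hive\$keyPath"
        $stamp   = $Event.TimeGenerated.ToString('s')

        # Diff the new snapshot against the baseline and report each change.
        foreach ($name in $after.Keys) {
            if (-not $before.ContainsKey($name)) {
                Write-Host "$stamp ADDED    $hive\$keyPath : '$name' = $($after[$name])"
            } elseif ($before[$name] -ne $after[$name]) {
                Write-Host "$stamp MODIFIED $hive\$keyPath : '$name' = $($after[$name]) (was $($before[$name]))"
            }
        }
        foreach ($name in $before.Keys) {
            if (-not $after.ContainsKey($name)) {
                Write-Host "$stamp REMOVED  $hive\$keyPath : '$name' (was $($before[$name]))"
            }
        }
        $state.Baseline[$keyPath.ToLower()] = $after   # the new snapshot becomes the next baseline
    } | Out-Null
    $index++
}

Write-Host "Watching $($watchedKeys.Count) keys. Run 'Get-EventSubscriber | Unregister-Event' to stop."
```

To exercise it, add and then remove a value under one of the watched keys from a second elevated prompt and watch for the ADDED and REMOVED lines. The subscription only lives as long as the PowerShell session; for durable coverage the Sysmon registry events (IDs 12, 13 and 14) forwarded to a SIEM are the production form of the same check.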
The following steps prevent changes to a registry key; note that administrator rights are required to perform them.
1. Open the Registry Editor by running regedit.exe and locate the key you want to protect. Permissions can only be set on keys, not on individual values, so to protect a value you must protect the key that holds it; the change then affects every value in that key. Permission changes can also be propagated to the key's subkeys if desired.
2. Right-click the key you want to protect, then click Permissions.
3. In the Permissions window, click Advanced, then Add. If Add is disabled, close the Permissions window, go to the Owner tab, take ownership of the key and apply that change; only then can you edit the key's permissions.
4. Type Everyone in the "Enter the object names to select" field so the rule applies to everyone, then click OK.
5. In the "Permission Entry for ..." window, check the Deny box for Full Control, then check the Allow box for Query Value, Enumerate Subkeys and Read Control. Checking Allow clears the Deny on those three rights, so the resulting entry denies only the write-type rights (Set Value, Create Subkey, Delete, Write DAC, Write Owner and so on). Keep the read rights allowed: Windows evaluates Deny entries before Allow entries, so an entry that denied Full Control outright would also refuse reads by Explorer, installers and Windows itself. Finally, click OK in each open dialog; the change takes effect immediately.
It is recommended to disable write and key-creation permissions by default on potentially dangerous registry keys, and to grant write access only temporarily when the blocked key or its subkeys genuinely need editing. Two caveats apply. The Everyone group includes SYSTEM and the service accounts, so a deny on keys under HKEY_LOCAL_MACHINE can also break legitimate installers and Windows updates until the rule is lifted. And an attacker who already runs as an administrator or SYSTEM can take ownership and rewrite the permissions, so this control mainly stops malware running with ordinary user rights; changes to the protected key's ACL or owner should themselves be monitored.
Visit the following link for more information about preventing registry key changes:
https://www.windowscentral.com/how-prevent-users-accessing-registry-windows-10
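As an added example (not from the original page or the linked article), the same permission change can be scripted in PowerShell so that it is repeatable across many hosts and reversible. The script below saves the key's current DACL, adds an Everyone entry that denies the write-class rights while allowing the read rights, verifies that a write is now refused, and can restore the saved DACL. The function names, the backup file under $env:TEMP and the HKCU demo key are this example's own assumptions.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal
using namespace Microsoft.Win32

# Added example, not code from the original page. Assumptions: function names, the backup
# file location and the HKCU demo key are this example's own choices. Run elevated for keys
# under HKEY_LOCAL_MACHINE, and take ownership first if the key belongs to SYSTEM or
# TrustedInstaller (step 3 of the manual procedure).

$BackupFile = "$env:TEMP\regkey-acl-backup.tsv"

# Opens a key asking only for READ_CONTROL and WRITE_DAC. Requesting KEY_WRITE here would
# fail once the deny entry exists, even for the key's owner, because denies are checked first.
function Open-KeyForAclChange {
    param([RegistryKey] $Hive, [string] $SubKey)
    $rights = [RegistryRights]::ReadPermissions -bor [RegistryRights]::ChangePermissions
    $key = $Hive.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if (-not $key) { throw "Key not found: $($Hive.Name)\$SubKey" }
    return $key
}

function Protect-RegistryKey {
    param(
        [Parameter(Mandatory)] [RegistryKey] $Hive,   # e.g. [Registry]::LocalMachine
        [Parameter(Mandatory)] [string] $SubKey,      # e.g. 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        [switch] $IncludeSubkeys                      # also apply the rules to existing and future subkeys
    )
    $key = Open-KeyForAclChange $Hive $SubKey
    $acl = $key.GetAccessControl()
    # Save the current DACL as SDDL so the change can be rolled back with Restore-RegistryKeyAcl.
    $saved = $acl.GetSecurityDescriptorSddlForm([AccessControlSections]::Access)
    Add-Content -Path $BackupFile -Value ("{0}\{1}`t{2}" -f $Hive.Name, $SubKey, $saved)

    $everyone    = [SecurityIdentifier]::new('S-1-1-0')   # well-known SID for Everyone, locale independent
    $writeRights = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey -bor
                   [RegistryRights]::CreateLink -bor [RegistryRights]::Delete -bor
                   [RegistryRights]::ChangePermissions -bor [RegistryRights]::TakeOwnership
    $readRights  = [RegistryRights]::QueryValues -bor [RegistryRights]::EnumerateSubKeys -bor
                   [RegistryRights]::Notify -bor [RegistryRights]::ReadPermissions
    $inherit     = if ($IncludeSubkeys) { [InheritanceFlags]::ContainerInherit } else { [InheritanceFlags]::None }

    # Deny only the write-class rights; a blanket "Deny Full Control" would also refuse the
    # reads that Explorer, installers and Windows itself need.
    $acl.AddAccessRule([RegistryAccessRule]::new($everyone, $writeRights, $inherit, [PropagationFlags]::None, [AccessControlType]::Deny))
    $acl.AddAccessRule([RegistryAccessRule]::new($everyone, $readRights,  $inherit, [PropagationFlags]::None, [AccessControlType]::Allow))
    $key.SetAccessControl($acl)
    $key.Close()
}

# $true when writing a value to the key is refused, i.e. the protection is in effect.
function Test-RegistryKeyWriteBlocked {
    param([Parameter(Mandatory)] [RegistryKey] $Hive, [Parameter(Mandatory)] [string] $SubKey)
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)   # writable open asks for KEY_WRITE
        if (-not $key) { throw "Key not found: $($Hive.Name)\$SubKey" }
        $key.SetValue('WriteProbe', 'probe')
        $key.DeleteValue('WriteProbe')
        $key.Close()
        return $false                              # the write went through: not protected
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return $true
    }
}

# Puts back the DACL saved by Protect-RegistryKey (the most recent entry for that key).
function Restore-RegistryKeyAcl {
    param([Parameter(Mandatory)] [RegistryKey] $Hive, [Parameter(Mandatory)] [string] $SubKey)
    $prefix = "{0}\{1}`t" -f $Hive.Name, $SubKey
    $entry = Get-Content -Path $BackupFile | Where-Object { $_.StartsWith($prefix) } | Select-Object -Last 1
    if (-not $entry) { throw "No saved descriptor for $($Hive.Name)\$SubKey in $BackupFile" }
    $key = Open-KeyForAclChange $Hive $SubKey
    $acl = $key.GetAccessControl()
    # Restore only the DACL ('Access'); owner and group are left untouched.
    $acl.SetSecurityDescriptorSddlForm($entry.Substring($prefix.Length), [AccessControlSections]::Access)
    $key.SetAccessControl($acl)
    $key.Close()
}

# Demo on a throwaway key under HKCU so nothing system-critical is touched.
$hive = [Registry]::CurrentUser
$demo = 'Software\RegProtectDemo'
$hive.CreateSubKey($demo).Close()
Protect-RegistryKey -Hive $hive -SubKey $demo
"Write blocked after protection: $(Test-RegistryKeyWriteBlocked -Hive $hive -SubKey $demo)"   # True
Restore-RegistryKeyAcl -Hive $hive -SubKey $demo
"Write blocked after restore:    $(Test-RegistryKeyWriteBlocked -Hive $hive -SubKey $demo)"   # False
$hive.DeleteSubKeyTree($demo)
```

Once the demo run behaves as expected, point -Hive and -SubKey at a real key such as [Registry]::LocalMachine and SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The opening function deliberately asks only for the two rights the ACL change needs, which is also why the key's owner can still roll the change back after the deny entry is in place.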