Keypoints:
- Adversaries query the Windows Registry to gather OS and configuration facts for targeted follow-up actions.
- Common access methods include the Reg.exe utility, PowerShell, WMI, and direct Windows API calls.
- Monitor command-line arguments, process creation, and OS API calls to detect registry query activity.
- Registry queries are often part of automated discovery chains that inform lateral movement or selective compromise.
- Detection requires correlating registry access with other behaviors to reduce false positives and identify malicious intent.
Description:
- Like a detective flipping through a building's blueprint to find wiring and entry points, querying the Registry reveals hidden system layouts and installed components to an attacker.
- Query Registry involves reading Registry keys and values to learn OS version, installed software, services, and configuration details. This enables adversaries to tailor payloads, choose exploitation paths, decide on persistence techniques, and determine whether to expand operations on the host or network.
Detection:
- Enable and collect detailed process creation and command-line logging (e.g., Sysmon Event ID 1 and Windows Audit Process Creation) to capture Reg.exe, PowerShell, and other tools invoking registry queries.
- Monitor Windows Registry access events (e.g., Sysmon Event ID 13) and correlate suspicious read patterns against known discovery behavior and timelines.
- Inspect PowerShell logging (Script Block Logging, Module Logging) for registry-related cmdlets (Get-ItemProperty, Get-Item) and suspicious obfuscation or encoded commands.
- Use EDR/endpoint sensors to capture Windows API registry calls from processes that normally do not access the Registry, and flag unusual parent-child process chains (e.g., office app spawning cmd/PowerShell/Reg.exe).
- Watch WMI and WMIC activity for queries that enumerate system configuration, and correlate with registry access to identify automated discovery tools.
- Establish baselines of normal registry query patterns for critical hosts and alert on deviations; tune to reduce false positives from management and inventory tools.
- Hunt for sequences where registry enumeration is followed by credential access, lateral movement attempts, or persistence changes; investigate chains rather than isolated events.
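The detection steps above, worked through as an added example that is not part of the original page: a small triage routine over constructed Sysmon Event ID 1 style records that flags Reg.exe queries and registry cmdlets (including inside an encoded PowerShell command), raises an alert only when a second indicator such as an office-application parent coincides, and tunes out a hypothetical allowlisted inventory tool (agent.exe) as baseline. All paths, parent names and command lines are constructed samples.

```python
import base64
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BASELINE_PARENTS = {"agent.exe"}  # hypothetical allowlisted inventory tool, tuned out as baseline
REG_CMDLET = re.compile(r"Get-(?:ItemProperty|Item|ChildItem)\b.*?(?:HKLM|HKCU|Registry::)", re.I | re.S)

def encoded_ps(script):  # PowerShell -EncodedCommand form: base64 of UTF-16LE
    return base64.b64encode(script.encode("utf-16-le")).decode()
# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine), not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -enc " + encoded_ps(r"Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'")},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Program Files\Inventory\agent.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services /s"},
]

def decode_encoded_command(cmdline):  # decoded -EncodedCommand payload, or None if there is none
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):  # tag one process-creation event as none / baseline / review / alert
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
    reasons = []
    if image == "reg.exe" and re.search(r"\bquery\b", cmd, re.I):
        reasons.append("reg.exe query")
    if image in ("powershell.exe", "pwsh.exe") and REG_CMDLET.search(decoded or cmd):
        reasons.append("registry cmdlet")
    if not reasons:
        return {"verdict": "none", "reasons": reasons}
    if parent in BASELINE_PARENTS:   # known management/inventory tool: keep for baselining, do not alert
        return {"verdict": "baseline", "reasons": reasons}
    if parent in OFFICE_PARENTS:     # unusual parent-child chain (office app spawning reg/cmd/PowerShell)
        reasons.append(f"office parent {parent}")
    if decoded is not None:
        reasons.append("encoded command")
    return {"verdict": "alert" if len(reasons) > 1 else "review", "reasons": reasons}  # lone query = hunt context
```

A "review" verdict is the hook for the sequence hunting described above: it is kept as context and escalated only if credential access, lateral movement or persistence changes follow on the same host.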
Tactics:
Discovery
Platforms:
Windows
Data Sources:
Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Read More: https://attack.mitre.org/techniques/T1012