title: Query Registry
status: experimental
description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 
            - 'query'
            - 'save'
            - 'export'
    selection_2:
        CommandLine|contains:
            - 'currentVersion\windows'
            - 'currentVersion\runServicesOnce'
            - 'currentVersion\runServices'
            - 'winlogon\'
            - 'currentVersion\shellServiceObjectDelayLoad'
            - 'currentVersion\runOnce'
            - 'currentVersion\runOnceEx'
            - 'currentVersion\run'
            - 'currentVersion\policies\explorer\run'
            - 'currentcontrolset\services'
    condition: selection_1 and selection_2
fields:
    - Image
    - CommandLine
    - User
    - LogonGuid
    - Hashes
    - ParentProcessGuid
    - ParentCommandLine
level: low
tags:
    - attack.discovery
    - attack.t1012
    - attack.t1007