T1012: Query Registry
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_discovery: PT-CR-329: Query_Registry: An attempt to query the registry is detected
mitre_attck_discovery: PT-CR-1082: Enumerating_Delegated_Credentials: Credential delegation is checked in the registry
mssql_database: PT-CR-419: MSSQL_read_registry_value: An attempt to read a registry key value from a database
Detection
ID | Data source and component | Description
---|---|---
DS0024 | Windows Registry: Windows Registry Key Access | Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information. Note: for Security Auditing event IDs 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, a new SACL might have to be implemented, and depending on which Registry key the SACL is placed on, the generation of event IDs 4656 and 4663 might be noisy. Analytic 1 - Suspicious Registry
DS0009 | Process: Process Creation | Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software. Note: the New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations. Note for Analytic 3: replace FilePathToLolbasProcessXX.exe with the LolBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrically distributed. If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR). Analytic 1 - Suspicious Processes with Registry keys; Analytic 2 - reg.exe spawned from suspicious cmd.exe; Analytic 3 - Rare LolBAS command lines
DS0009 | Process: OS API Execution | Monitor for API calls (such as Note: most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but may have alerts or events that are based on abstractions of OS API calls.
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software. Note: for PowerShell Module logging event ID 4103, enable logging for the module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations. Analytic 1 - Suspicious Commands
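The Process Creation and Command Execution analytics in the table above (reg.exe query processes, reg.exe spawned from cmd.exe, PowerShell enumerating the registry through the Registry provider, and rare LolBAS command lines flagged by standard deviation or by IQR) can be expressed as a few small detection functions. The block below is an added example written for this page; it is not code from Positive Technologies, MaxPatrol SIEM or MITRE. The event field names (parent_image, image, command_line), the constructed sample events, the baseline counts and the LOLBAS_PROCESSES set are all assumptions; the set stands in for the FilePathToLolbasProcessXX.exe placeholder and should be replaced with the binaries your organization actually uses.

```python
"""Added example for the T1012 detection analytics; not code from the original page.
Field names, sample events, baseline counts and the LolBAS list are constructed assumptions."""
import re
import statistics
from collections import Counter

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1 fields.
EVENTS = [
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKCU\Environment"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -c New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT; Get-ChildItem HKCR:\CLSID"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Get-Process"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Placeholder for FilePathToLolbasProcessXX.exe: the LolBAS binaries your organization uses.
LOLBAS_PROCESSES = {"reg.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}

# "reg query ..." with or without the .exe suffix.
REG_QUERY_RE = re.compile(r"\breg(?:\.exe)?\s+query\b", re.IGNORECASE)
# New-PSDrive with the Registry provider, or Get-ChildItem against a registry hive or Registry:: path.
PS_REGISTRY_RE = re.compile(
    r"New-PSDrive\b[^;|]*-PSProvider\s+Registry\b"
    r"|Get-ChildItem\s+(?:-Path\s+)?['\"]?(?:HK(?:LM|CU|CR|U|CC):|Registry::)",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analytic1_suspicious_registry_processes(events):
    """Analytic 1: reg.exe query, or PowerShell enumerating the registry via the Registry provider."""
    hits = []
    for e in events:
        img, cl = basename(e["image"]), e["command_line"]
        if (img == "reg.exe" and REG_QUERY_RE.search(cl)) or \
           (img.startswith("powershell") and PS_REGISTRY_RE.search(cl)):
            hits.append(cl)
    return hits


def analytic2_reg_from_cmd(events):
    """Analytic 2: reg.exe query spawned directly by cmd.exe."""
    return [e["command_line"] for e in events
            if basename(e["parent_image"]) == "cmd.exe"
            and basename(e["image"]) == "reg.exe"
            and REG_QUERY_RE.search(e["command_line"])]


# Constructed baseline: distinct command line -> executions seen over the baseline window.
BASELINE = Counter({
    r"certutil.exe -hashfile C:\installers\setup.msi SHA256": 20,
    r"rundll32.exe printui.dll,PrintUIEntry /in /n \\print01\hr": 18,
    r"regsvr32.exe /s C:\vendor\vendor.dll": 19,
    r"reg.exe query HKLM\SOFTWARE\Vendor\Agent /v Version": 21,
    r"certutil.exe -verify C:\certs\intermediate.cer": 17,
    r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl": 22,
    r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Services /s": 1,
    r"notepad.exe C:\readme.txt": 5,  # not a LolBAS binary here, so excluded from the statistics
})


def rare_command_lines(counts, number_standard_deviations=1.5, method="zscore"):
    """Analytic 3: LolBAS command lines whose execution count is a low-side outlier.
    'zscore' compares distance from the mean in standard deviations (symmetric data);
    'iqr' uses the Tukey lower fence Q1 - 1.5*IQR, the alternative the note suggests."""
    # First token is the image; quoted paths with spaces would need a proper splitter.
    lolbas = {c: n for c, n in counts.items() if basename(c.split()[0]) in LOLBAS_PROCESSES}
    values = list(lolbas.values())
    if method == "zscore":
        mean, sd = statistics.mean(values), statistics.pstdev(values)
        if sd == 0:
            return []
        return sorted(c for c, n in lolbas.items() if (n - mean) / sd < -number_standard_deviations)
    if method == "iqr":
        q1, _, q3 = statistics.quantiles(values, n=4)
        lower_fence = q1 - 1.5 * (q3 - q1)
        return sorted(c for c, n in lolbas.items() if n < lower_fence)
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    print("Analytic 1:", analytic1_suspicious_registry_processes(EVENTS))
    print("Analytic 2:", analytic2_reg_from_cmd(EVENTS))
    print("Analytic 3 (z-score):", rare_command_lines(BASELINE))
    print("Analytic 3 (IQR):", rare_command_lines(BASELINE, method="iqr"))
```

On the constructed data the z-score and IQR methods agree on the single rare command line, but that is not generally the case: with a handful of distinct command lines the IQR fence sits far below zero and flags nothing, while a large population of near-identical counts makes the standard deviation tiny and turns every slightly-less-common line into an outlier. Tune number_standard_deviations (or switch method) against your own baseline window rather than keeping the defaults shown here.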