ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Windows Registry Key Access

The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies.

ID: DC0050

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
Autoruns:RegistryScan	Enumerate Winlogon subkeys for unknown or unsigned binaries
EDR:hunting	Behavioral rule for registry enumeration under credential-related paths
WinEventLog:Security	EventCode=4663, 4670, 4656
WinEventLog:Security	EventCode=4657

Detection Strategy

ID	Name	Technique Detected
DET0224	Detect Abuse of Component Object Model (T1559.001)	T1559.001
DET0504	Detect Abuse of Dynamic Data Exchange (T1559.002)	T1559.002
DET0250	Detect Credential Discovery via Windows Registry Enumeration	T1552.002
DET0404	Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows	T1547.004
DET0240	Detection Strategy for Steal or Forge Authentication Certificates	T1649
DET0565	Detection Strategy for System Language Discovery	T1614.001