Windows Registry Key Access

The action of opening a specific Windows Registry key, typically to read its associated value. Legitimate uses include system configuration, retrieval of application settings, and enforcement of security policy; the same access is also how adversaries read credential material (SAM, LSA secrets) and enumerate persistence locations such as Winlogon.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4656 - A handle to an object was requested: Logs a request to open a registry key, including the requested access mask, whether or not the open succeeds. Only generated for keys that carry a SACL, and only when the Object Access > Registry audit subcategory is enabled.
    • Event ID 4663 - An attempt was made to access an object: Records the first actual use of a handle for a given access (query value, enumerate subkeys, set value), so read access to audited keys shows up here. Same SACL and audit-subcategory requirements as 4656.
    • Event ID 4657 - A registry value was modified: Records the old and new value; useful for detecting changes made after a key has been opened.
  • Sysmon
    • Sysmon Event ID 13 - RegistryEvent (Value Set): Captures writes of registry values, with the new value in the Details field. Sysmon Event ID 12 (key and value create/delete) complements it. Sysmon does not log reads, so detection of pure key access still depends on the Security log or EDR.
  • Endpoint Detection and Response (EDR) Solutions
    • Provide telemetry on registry key access, including reads, without a per-key SACL, and are most useful when the access is correlated with the requesting process and its parent.
ID: DC0050
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                    Channel
Autoruns:RegistryScan   Enumerate Winlogon subkeys for unknown or unsigned binaries
EDR:hunting             Behavioral rule for registry enumeration under credential-related paths
WinEventLog:Security    EventCode=4656
WinEventLog:Security    EventCode=4657
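The following is an added example, not part of the ATT&CK page and not MITRE's or any vendor's code. It applies the hunting logic implied by the Data Collection Measures and the Log Sources above (credential-related paths, Winlogon persistence keys) to a handful of constructed Security-log records for 4656, 4663 and 4657. It shows two details a practitioner hits immediately: registry object names in these events use the kernel form (\REGISTRY\MACHINE\...), not HKLM\..., and the AccessMask is a bit field of KEY_* rights. The watchlist, the list of processes expected to touch each key, and the sample events are all assumptions made for the example; in production the baseline would come from your own environment. Remember that 4656/4663 only fire for keys that have a SACL and when the Registry audit subcategory is on (auditpol /set /subcategory:"Registry" /success:enable).

```python
"""Triage registry-access audit events for access to sensitive keys.

Constructed example: sample records, watchlist and process baseline are
assumptions for illustration, not data or rules from the ATT&CK page.
"""

# 4656/4663/4657 report registry objects in kernel object-name form.
HIVE_MAP = [("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")]

# Registry-specific access rights as they appear in the AccessMask field.
KEY_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

# Assumed watchlist: key prefix -> category.
WATCHLIST = {
    "HKLM\\SAM\\SAM\\Domains\\Account": "credential store (SAM)",
    "HKLM\\SECURITY\\Policy\\Secrets": "credential store (LSA secrets)",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon": "Winlogon persistence",
}

# Assumed baseline: processes that are expected to touch each category.
EXPECTED = {
    "credential store (SAM)": {"C:\\Windows\\System32\\lsass.exe"},
    "credential store (LSA secrets)": {"C:\\Windows\\System32\\lsass.exe"},
    "Winlogon persistence": {"C:\\Windows\\System32\\winlogon.exe"},
}


def normalize_key(name):
    """Map a kernel-form object name to the familiar HKLM\\ / HKU\\ form."""
    upper = name.upper()
    for kernel, abbrev in HIVE_MAP:
        if upper.startswith(kernel):
            return abbrev + name[len(kernel):]
    return name


def decode_access(mask):
    """Expand an AccessMask integer into the KEY_* rights it contains."""
    return [label for bit, label in KEY_RIGHTS.items() if mask & bit]


def classify(key):
    """Return the watchlist category for a key, or None if not watched."""
    lowered = key.lower()
    for prefix, category in WATCHLIST.items():
        if lowered.startswith(prefix.lower()):
            return category
    return None


def triage(events):
    """Return findings for watched keys touched by non-baseline processes."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        # 4656/4663 also cover files, mutexes etc.; keep only registry keys.
        if eid in (4656, 4663) and ev.get("ObjectType") != "Key":
            continue
        key = normalize_key(ev["ObjectName"])
        category = classify(key)
        if category is None or ev.get("ProcessName") in EXPECTED[category]:
            continue
        if eid in (4656, 4663):
            rights = decode_access(int(ev.get("AccessMask", "0x0"), 16))
        else:  # 4657 carries the value name instead of an access mask
            rights = ["VALUE_MODIFIED:" + ev.get("ObjectValueName", "")]
        findings.append({"event_id": eid, "category": category, "key": key,
                         "process": ev.get("ProcessName"),
                         "user": ev.get("SubjectUserName"), "rights": rights})
    return findings


# Constructed sample records (field names follow the Security log schema).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": "0x1",
     "ObjectName": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4",
     "ProcessName": "C:\\Windows\\System32\\lsass.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": 4656, "ObjectType": "Key", "AccessMask": "0x20019",  # KEY_READ
     "ObjectName": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account",
     "ProcessName": "C:\\Windows\\System32\\reg.exe", "SubjectUserName": "admin"},
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": "0x1",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.txt",
     "ProcessName": "C:\\Windows\\explorer.exe", "SubjectUserName": "user"},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x1",
     "ObjectName": "C:\\Windows\\System32\\config\\SAM",
     "ProcessName": "C:\\Windows\\System32\\reg.exe", "SubjectUserName": "admin"},
    {"EventID": 4657, "ObjectValueName": "Userinit",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
     "NewValue": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\u.exe",
     "ProcessName": "C:\\Users\\Public\\u.exe", "SubjectUserName": "admin"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['event_id']} {f['category']}: {f['process']} ({f['user']}) "
              f"-> {f['key']} {f['rights']}")
```

Of the five sample records, only two surface: reg.exe requesting KEY_READ on the SAM account hive (the handle request alone, event 4656, is enough to flag it) and an unknown binary rewriting Winlogon\Userinit (4657). The lsass.exe read is dropped by the baseline, the file-object 4663 is dropped by the ObjectType check, and the .txt class key is not on the watchlist.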

Detection Strategy