Registry read access associated with suspicious or non-interactive processes querying system config, installed software, or security settings.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| TargetRegistryPath | Focus detection on registry hives or keys likely to reveal environment info (e.g., HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion). |
| ParentProcess | May tune for suspicious parent processes such as cmd.exe, wscript.exe, or mshta.exe. |
| TimeWindow | Controls how closely registry access must follow process creation for correlation. |
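The correlation the analytic describes, as an added example (not part of the original page): Sysmon registry events (EventCode 13) are joined to the process creation (EventCode 1) of the same ProcessGuid and kept only when the parent is on the suspicious list, the path falls under a watched key, and the registry event follows process creation within TimeWindow. The events, parent list and 30-second window are constructed assumptions for the demo.

```python
from datetime import datetime, timedelta

# Tunables named in the analytic; the concrete values are assumptions for this demo.
TARGET_REGISTRY_PATHS = [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"]
SUSPICIOUS_PARENTS = {"cmd.exe", "wscript.exe", "mshta.exe"}
TIME_WINDOW = timedelta(seconds=30)

# Constructed Sysmon-style events, not from a real host. The registry path field is
# named TargetRegistryPath as in the analytic (raw Sysmon calls it TargetObject).
EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-01-01 10:00:00", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventCode": 13, "UtcTime": "2024-01-01 10:00:03", "ProcessGuid": "{A}",
     "TargetRegistryPath": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},
    # Same key, but explorer.exe started by userinit.exe: an interactive, benign reader.
    {"EventCode": 1, "UtcTime": "2024-01-01 10:05:00", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventCode": 13, "UtcTime": "2024-01-01 10:05:01", "ProcessGuid": "{B}",
     "TargetRegistryPath": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},
    # Same suspicious process, but 30 minutes after creation: outside TimeWindow.
    {"EventCode": 13, "UtcTime": "2024-01-01 10:30:00", "ProcessGuid": "{A}",
     "TargetRegistryPath": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate(events, paths=TARGET_REGISTRY_PATHS, parents=SUSPICIOUS_PARENTS, window=TIME_WINDOW):
    """Return one alert per EventCode 13 event whose process (matched on ProcessGuid)
    was created by a suspicious parent, touched a watched key, and did so within `window`."""
    creations = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    alerts = []
    for reg in (e for e in events if e["EventCode"] == 13):
        proc = creations.get(reg["ProcessGuid"])
        if proc is None:
            continue  # registry event without a matching creation in this batch
        parent_name = proc["ParentImage"].rsplit("\\", 1)[-1].lower()
        path = reg["TargetRegistryPath"].lower()
        delay = _ts(reg["UtcTime"]) - _ts(proc["UtcTime"])
        if (parent_name in parents
                and any(path.startswith(p.lower()) for p in paths)
                and timedelta(0) <= delay <= window):
            alerts.append({"ProcessGuid": proc["ProcessGuid"], "Image": proc["Image"],
                           "ParentImage": proc["ParentImage"],
                           "TargetRegistryPath": reg["TargetRegistryPath"],
                           "DelaySeconds": delay.total_seconds()})
    return alerts
```

Widening TimeWindow or adding parents to SUSPICIOUS_PARENTS changes which of the three registry events survive, which is the tuning the field table describes.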