Query Registry

From enterprise
Jump to: navigation, search
Query Registry
ID T1012
Tactic Discovery
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
Permissions Required User, Administrator, SYSTEM
Data Sources Windows Registry, Process monitoring, Process command-line parameters

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.1 Some of the information may help adversaries to further their operation within a network.


  • Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop.2
  • Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.3
  • Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.4
  • ADVSTORESHELL can enumerate registry keys.56
  • BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.7
  • CHOPSTICK provides access to the Windows Registry, which can be used to gather information.8
  • POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.9
  • PlugX can query for information contained within the Windows Registry.10
  • Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.11
  • Shamoon queries several Registry keys to identify hard disk partitions to overwrite.12
  • WINDSHIELD can gather Registry values.13


Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting14 tools, like AppLocker,1516 or Software Restriction Policies17 where appropriate.18


System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.