Find sigma rule
Attack: Query Registry
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
MITRE
Tactic
- discovery
technique
- T1012
Test : Query Registry
OS
- windows
Description:
Query Windows Registry. Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). References: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
Executor
command_prompt
Sigma Rule
- proc_creation_win_reg_query_registry.yml (id: 970007b7-ce32-49d0-a4a4-fbef016950bd)