Query Registry

Query Registry [T1012]

Information

Name: Query Registry
ID: T1012
Tactics: TA0007

Introduction

Query Registry (Technique ID: T1012) is an adversarial technique documented in the MITRE ATT&CK framework under the tactic "Discovery." Attackers leverage this method to extract valuable information from the Windows Registry, a hierarchical database that stores configuration settings, options, and other system information critical to the operating system and installed applications. By querying the Registry, threat actors gain insight into system configurations, installed software, security settings, user account details, network configurations, and other sensitive data, facilitating further attack stages such as privilege escalation, lateral movement, and persistence.

Deep Dive Into Technique

The Windows Registry is structured as a hierarchical tree composed of keys, subkeys, and values that store critical configuration information. Attackers typically query the Registry to enumerate system details and gather intelligence, aiding their subsequent activities.

Technical details include:

Execution Methods:
- Command-line utilities such as reg.exe (built-in Windows tool).
- PowerShell cmdlets (Get-Item, Get-ItemProperty, Get-ChildItem).
- Windows API calls via custom malware or scripts (RegOpenKeyEx, RegQueryValueEx).
- Third-party tools and frameworks (e.g., Metasploit, Empire, Cobalt Strike).
Commonly Queried Registry Keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion: Reveals OS version, build number, installation date, and installed software.
- HKLM\SYSTEM\CurrentControlSet\Services: Enumerates running services and drivers.
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders: Provides information about security providers and authentication methods.
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: Contains details on user logon behavior and authentication processes.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: Lists recently executed commands by the user.
- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server: Indicates Remote Desktop Protocol (RDP) configurations and status.
Mechanisms and Procedures:
- Attackers use Registry queries as part of reconnaissance to map out the victim environment.
- Malware may automate Registry queries to identify security settings, antivirus products, and system vulnerabilities.
- Attackers can leverage Registry data to identify installed software versions, which helps determine potential exploits.
- Registry queries often precede privilege escalation, lateral movement, persistence, and credential access attempts.

When this Technique is Usually Used

This technique appears across multiple attack stages and scenarios, including:

Initial Reconnaissance and Discovery:
- Identifying installed software, security tools, and system configurations.
- Enumerating user accounts, passwords policies, and user privileges.
Privilege Escalation:
- Discovering misconfigured Registry permissions or weak security settings.
- Identifying installed software or services vulnerable to exploitation.
Persistence:
- Checking Registry entries to confirm successful installation of persistence mechanisms.
- Ensuring persistence mechanisms remain hidden or undetected.
Credential Access:
- Querying Registry keys storing credentials or authentication-related data.
Lateral Movement:
- Enumerating network and remote desktop configurations to facilitate lateral movement.
- Gathering information about remote systems and available services.
Defense Evasion:
- Identifying installed antivirus and endpoint detection and response (EDR) solutions to evade detection.

How this Technique is Usually Detected

Detection of Registry queries requires monitoring and analysis of system activities, including:

Process Monitoring and Logging:
- Monitor execution of reg.exe and associated command-line arguments.
- Track PowerShell commands and scripts querying Registry keys.
- Utilize Sysmon (System Monitor) to log Registry query events (Event ID 12 and Event ID 13).
Endpoint Detection and Response (EDR) Solutions:
- Detect anomalous Registry queries indicative of reconnaissance.
- Alert on known malicious Registry keys or unusual patterns.
SIEM and Log Analysis:
- Aggregate and correlate Windows event logs, Sysmon logs, and EDR alerts.
- Detect abnormal frequency or patterns of Registry queries from a single host or user.
Behavioral Analysis:
- Identify unusual processes or applications querying sensitive Registry keys.
- Detect processes performing Registry queries not typical for their operational profile.
Indicators of Compromise (IoCs):
- Suspicious or rare Registry paths accessed by unknown processes.
- Unusual usage of command-line utilities like reg.exe with reconnaissance flags (reg query).
- Unexpected Registry queries from PowerShell, scripts, or unknown executables.
- Registry access from unusual user accounts or at irregular times.

Why it is Important to Detect This Technique

Early detection of Registry queries is critical due to several potential impacts on systems and networks:

Reconnaissance Facilitation:
- Attackers gain detailed knowledge of system configurations, installed software, security posture, and vulnerabilities, enabling targeted attacks.
Privilege Escalation and Lateral Movement:
- Information gathered through Registry queries can directly enable privilege escalation and lateral movement, increasing the scope and severity of an attack.
Persistence and Stealth:
- Attackers use Registry queries to verify successful persistence mechanisms, ensuring long-term compromise and stealthy operations.
Credential Harvesting:
- Sensitive authentication-related Registry keys queried by attackers can lead to credential theft and further compromise of user accounts and systems.
Operational Security (OPSEC):
- Early detection helps defenders understand attacker intent, capabilities, and objectives, improving response strategies and reducing dwell time.

Examples

Real-world examples of Query Registry technique usage include:

APT29 (Cozy Bear):
- Utilized PowerShell scripts and custom malware to query Registry keys for system reconnaissance.
- Queried keys such as HKLM\Software\Microsoft\Windows\CurrentVersion to enumerate installed software and patches, enabling targeted exploitation.
FIN7:
- Leveraged Registry queries to identify antivirus products and EDR solutions installed on victim systems.
- Used information gathered to tailor malware behavior and evade detection.
TrickBot Malware:
- Queried Registry keys related to installed security software, firewall settings, and user accounts.
- Used data gathered for credential theft, privilege escalation, and lateral movement.
Emotet Malware:
- Queried Registry entries to enumerate installed software and security solutions.
- Adjusted its payload delivery and execution methods based on information gathered.
Cobalt Strike Framework:
- Attackers frequently use built-in Registry query capabilities to perform reconnaissance and identify sensitive system information.
- Used Registry queries to identify vulnerabilities, software versions, and security configurations, enabling sophisticated attack campaigns.

These examples highlight the widespread adoption of Registry queries among threat actors, emphasizing the importance of robust monitoring, detection, and response capabilities.

Last updated 10 days ago

Was this helpful?

Introduction

Deep Dive Into Technique

Technical details include:

Execution Methods:

Command-line utilities such as reg.exe (built-in Windows tool).
PowerShell cmdlets (Get-Item, Get-ItemProperty, Get-ChildItem).
Windows API calls via custom malware or scripts (RegOpenKeyEx, RegQueryValueEx).
Third-party tools and frameworks (e.g., Metasploit, Empire, Cobalt Strike).

Commonly Queried Registry Keys:

HKLM\Software\Microsoft\Windows\CurrentVersion: Reveals OS version, build number, installation date, and installed software.
HKLM\SYSTEM\CurrentControlSet\Services: Enumerates running services and drivers.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders: Provides information about security providers and authentication methods.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: Contains details on user logon behavior and authentication processes.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: Lists recently executed commands by the user.
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server: Indicates Remote Desktop Protocol (RDP) configurations and status.

Mechanisms and Procedures:

Attackers use Registry queries as part of reconnaissance to map out the victim environment.
Malware may automate Registry queries to identify security settings, antivirus products, and system vulnerabilities.
Attackers can leverage Registry data to identify installed software versions, which helps determine potential exploits.
Registry queries often precede privilege escalation, lateral movement, persistence, and credential access attempts.

When this Technique is Usually Used

This technique appears across multiple attack stages and scenarios, including:

Initial Reconnaissance and Discovery:

Identifying installed software, security tools, and system configurations.
Enumerating user accounts, passwords policies, and user privileges.

Privilege Escalation:

Discovering misconfigured Registry permissions or weak security settings.
Identifying installed software or services vulnerable to exploitation.

Persistence:

Checking Registry entries to confirm successful installation of persistence mechanisms.
Ensuring persistence mechanisms remain hidden or undetected.

Credential Access:

Querying Registry keys storing credentials or authentication-related data.

Lateral Movement:

Enumerating network and remote desktop configurations to facilitate lateral movement.
Gathering information about remote systems and available services.

Defense Evasion:

Identifying installed antivirus and endpoint detection and response (EDR) solutions to evade detection.

How this Technique is Usually Detected

Detection of Registry queries requires monitoring and analysis of system activities, including:

Process Monitoring and Logging:

Monitor execution of reg.exe and associated command-line arguments.
Track PowerShell commands and scripts querying Registry keys.
Utilize Sysmon (System Monitor) to log Registry query events (Event ID 12 and Event ID 13).

Endpoint Detection and Response (EDR) Solutions:

Detect anomalous Registry queries indicative of reconnaissance.
Alert on known malicious Registry keys or unusual patterns.

SIEM and Log Analysis:

Aggregate and correlate Windows event logs, Sysmon logs, and EDR alerts.
Detect abnormal frequency or patterns of Registry queries from a single host or user.

Behavioral Analysis:

Identify unusual processes or applications querying sensitive Registry keys.
Detect processes performing Registry queries not typical for their operational profile.

Indicators of Compromise (IoCs):

Suspicious or rare Registry paths accessed by unknown processes.
Unusual usage of command-line utilities like reg.exe with reconnaissance flags (reg query).
Unexpected Registry queries from PowerShell, scripts, or unknown executables.
Registry access from unusual user accounts or at irregular times.

Why it is Important to Detect This Technique

Early detection of Registry queries is critical due to several potential impacts on systems and networks:

Reconnaissance Facilitation:

Attackers gain detailed knowledge of system configurations, installed software, security posture, and vulnerabilities, enabling targeted attacks.

Privilege Escalation and Lateral Movement:

Information gathered through Registry queries can directly enable privilege escalation and lateral movement, increasing the scope and severity of an attack.

Persistence and Stealth:

Attackers use Registry queries to verify successful persistence mechanisms, ensuring long-term compromise and stealthy operations.

Credential Harvesting:

Sensitive authentication-related Registry keys queried by attackers can lead to credential theft and further compromise of user accounts and systems.

Operational Security (OPSEC):

Early detection helps defenders understand attacker intent, capabilities, and objectives, improving response strategies and reducing dwell time.

Examples

Real-world examples of Query Registry technique usage include:

APT29 (Cozy Bear):

Utilized PowerShell scripts and custom malware to query Registry keys for system reconnaissance.
Queried keys such as HKLM\Software\Microsoft\Windows\CurrentVersion to enumerate installed software and patches, enabling targeted exploitation.

FIN7:

Leveraged Registry queries to identify antivirus products and EDR solutions installed on victim systems.
Used information gathered to tailor malware behavior and evade detection.

TrickBot Malware:

Queried Registry keys related to installed security software, firewall settings, and user accounts.
Used data gathered for credential theft, privilege escalation, and lateral movement.

Emotet Malware:

Queried Registry entries to enumerate installed software and security solutions.
Adjusted its payload delivery and execution methods based on information gathered.

Cobalt Strike Framework:

Attackers frequently use built-in Registry query capabilities to perform reconnaissance and identify sensitive system information.
Used Registry queries to identify vulnerabilities, software versions, and security configurations, enabling sophisticated attack campaigns.

These examples highlight the widespread adoption of Registry queries among threat actors, emphasizing the importance of robust monitoring, detection, and response capabilities.