T1012

Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Threat actors including Turla (Epic), APT41 (DUSTTRAP), NOBELIUM (Sibot), Sandworm (TEARDROP), Lazarus (HOPLIGHT), Lyceum (Shark), and numerous commodity malware families leverage registry queries to fingerprint targets, locate credentials, identify installed security products, and discover network proxy configurations.

Microsoft Sentinel / Defender

kusto

let SensitiveRegistryPaths = dynamic([
    "Windows NT\\CurrentVersion",
    "HARDWARE\\DESCRIPTION\\System",
    "CurrentVersion\\Uninstall",
    "Microsoft\\Cryptography",
    "CurrentControlSet\\Services",
    "CurrentControlSet\\Control\\Lsa",
    "SimonTatham\\PuTTY\\Sessions",
    "OpenSSH\\Agent\\Keys",
    "Windows\\CurrentVersion\\Internet Settings",
    "Control\\Terminal Server",
    "Software\\Policies",
    "Bitcoin",
    "Image File Execution Options",
    "SOFTWARE\\Microsoft\\CTF",
    "Classes\\http\\shell\\open\\command",
    "CurrentVersion\\Run",
    "CurrentVersion\\RunOnce",
    "WinSCP\\Sessions"
]);
let SuspiciousInitiators = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe",
    "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe",
    "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe"
]);
// Branch 1: reg.exe query / export / save
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_any ("query", "export", "save")
| extend TargetKey = extract(@"(?i)(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS|HKU|HKCR|HKEY_CLASSES_ROOT)\\[^\s]+", 0, ProcessCommandLine)
| extend SensitivePath = ProcessCommandLine has_any (SensitiveRegistryPaths)
| extend RecursiveQuery = ProcessCommandLine has "/s" or ProcessCommandLine has "-s"
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousInitiators)
| extend QueryType = "reg.exe"
| union (
    // Branch 2: PowerShell registry enumeration
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any ("HKLM:", "HKCU:", "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "Registry::")
    | where ProcessCommandLine has_any ("Get-Item", "Get-ItemProperty", "Get-ChildItem", "Get-ItemPropertyValue")
    | extend TargetKey = extract(@"(?i)(HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|Registry::HKEY)[\\\w\s]+", 0, ProcessCommandLine)
    | extend SensitivePath = ProcessCommandLine has_any (SensitiveRegistryPaths)
    | extend RecursiveQuery = ProcessCommandLine has "-Recurse"
    | extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousInitiators)
    | extend QueryType = "PowerShell"
)
| where SensitivePath == true or SuspiciousParent == true or RecursiveQuery == true
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         TargetKey, SensitivePath, RecursiveQuery, SuspiciousParent, QueryType
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators using reg.exe or PowerShell scripts for legitimate system auditing, compliance checks, or configuration validation workflows
Software deployment tools (SCCM, Intune, Chef, Puppet) that query registry for version checks and configuration state before deploying updates
System monitoring and inventory agents (SCOM, Tanium, Qualys, Tenable Nessus) that regularly enumerate installed software via the Uninstall key
Help desk and remote support tools (TeamViewer, ConnectWise) querying registry for diagnostic purposes during active support sessions
Application installers that read registry paths to detect prerequisites, conflicting software versions, or existing installation state before proceeding

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval SensitivePath=if(
    match(CommandLine, "(?i)(Windows NT.CurrentVersion|HARDWARE.DESCRIPTION.System|CurrentVersion.Uninstall|Microsoft.Cryptography|CurrentControlSet.Services|CurrentControlSet.Control.Lsa|SimonTatham.PuTTY|WinSCP.Sessions|OpenSSH.Agent|Internet Settings|Control.Terminal Server|Software.Policies|Bitcoin|Image File Execution Options|Classes.http.shell|CurrentVersion.Run|CurrentVersion.RunOnce)"), 1, 0
)
| eval IsRegExe=if(
    match(Image, "(?i)\\reg\.exe$") AND match(CommandLine, "(?i)(\squery\s|\sexport\s|\ssave\s)"), 1, 0
)
| eval IsPowerShellReg=if(
    match(Image, "(?i)(powershell|pwsh)\.exe$") AND
    match(CommandLine, "(?i)(HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|Registry::)") AND
    match(CommandLine, "(?i)(Get-Item|Get-ItemProperty|Get-ChildItem|Get-ItemPropertyValue)"), 1, 0
)
| eval RecursiveQuery=if(match(CommandLine, "(?i)(/s\b|-s\b|-Recurse)"), 1, 0)
| eval SuspiciousParent=if(
    match(ParentImage, "(?i)(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe$"), 1, 0
)
| where (IsRegExe=1 OR IsPowerShellReg=1) AND (SensitivePath=1 OR SuspiciousParent=1 OR RecursiveQuery=1)
| eval QueryType=if(IsRegExe=1, "reg.exe", "PowerShell")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, QueryType, SensitivePath, RecursiveQuery, SuspiciousParent
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators using reg.exe or PowerShell scripts for legitimate system auditing, compliance checks, or configuration validation workflows
Software deployment tools (SCCM, Intune, Chef, Puppet) that query registry for version checks and configuration state before deploying updates
System monitoring and inventory agents (SCOM, Tanium, Qualys, Tenable Nessus) that regularly enumerate installed software via the Uninstall key
Help desk and remote support tools querying registry for diagnostic purposes during active support sessions
Application installers that read registry paths to detect prerequisites, conflicting software versions, or existing installation state

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name : "reg.exe" and process.args : ("query", "export", "save") and
      process.command_line : ("*Windows NT\\CurrentVersion*", "*HARDWARE\\DESCRIPTION\\System*", "*CurrentVersion\\Uninstall*", "*Microsoft\\Cryptography*", "*CurrentControlSet\\Services*", "*CurrentControlSet\\Control\\Lsa*", "*SimonTatham\\PuTTY*", "*OpenSSH\\Agent*", "*Internet Settings*", "*Terminal Server*", "*Software\\Policies*", "*Bitcoin*", "*Image File Execution Options*", "*Classes\\http\\shell*", "*CurrentVersion\\Run*", "*WinSCP\\Sessions*"))
     or
     (process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : ("*HKLM:*", "*HKCU:*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "*Registry::*") and
      process.command_line : ("*Get-Item*", "*Get-ItemProperty*", "*Get-ChildItem*", "*Get-ItemPropertyValue*"))
   ) and
   (
     process.command_line : ("*Windows NT\\CurrentVersion*", "*HARDWARE\\DESCRIPTION\\System*", "*CurrentVersion\\Uninstall*", "*Microsoft\\Cryptography*", "*CurrentControlSet\\Services*", "*CurrentControlSet\\Control\\Lsa*", "*SimonTatham\\PuTTY*", "*OpenSSH\\Agent*", "*Internet Settings*", "*Terminal Server*", "*Software\\Policies*", "*Bitcoin*", "*Image File Execution Options*", "*Classes\\http\\shell*", "*CurrentVersion\\Run*", "*WinSCP\\Sessions*")
     or process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe", "excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe")
     or process.command_line : ("* /s*", "* -s *", "*-Recurse*")
   )
  ]

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT administration scripts querying registry for inventory or configuration management (e.g., SCCM, Ansible, Puppet)
Software installers and uninstallers querying CurrentVersion\Uninstall to check for existing installations or perform cleanup
Security tools such as vulnerability scanners, EDR agents, or SIEM forwarders enumerating registry keys as part of baseline collection

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE
    WHEN LOWER("Command") MATCHES '.*reg\.exe.*' THEN 'reg.exe'
    WHEN LOWER("Command") MATCHES '.*(powershell|pwsh)\.exe.*' THEN 'PowerShell'
    ELSE 'Unknown'
  END AS query_type,
  CASE
    WHEN LOWER("Command") MATCHES '.*(windows nt.currentversion|hardware.description.system|currentversion.uninstall|microsoft.cryptography|currentcontrolset.services|currentcontrolset.control.lsa|simontatham.putty|openssh.agent|internet settings|terminal server|software.policies|bitcoin|image file execution options|classes.http.shell|currentversion.run|winscp.sessions).*' THEN 1
    ELSE 0
  END AS sensitive_path,
  CASE
    WHEN LOWER("Command") MATCHES '.*/s\b.*' OR LOWER("Command") MATCHES '.*-recurse.*' THEN 1
    ELSE 0
  END AS recursive_query,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe.*' THEN 1
    ELSE 0
  END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 433)
  AND eventid IN (1, 4688)
  AND (
    (
      LOWER("Process Name") MATCHES '.*\\reg\.exe$'
      AND LOWER("Command") MATCHES '.*(\squery\s|\sexport\s|\ssave\s).*'
    )
    OR
    (
      LOWER("Process Name") MATCHES '.*(powershell|pwsh)\.exe$'
      AND LOWER("Command") MATCHES '.*(hklm:|hkcu:|hkey_local_machine|hkey_current_user|registry::).*'
      AND LOWER("Command") MATCHES '.*(get-item|get-itemproperty|get-childitem|get-itempropertyvalue).*'
    )
  )
  AND (
    LOWER("Command") MATCHES '.*(windows nt.currentversion|hardware.description.system|currentversion.uninstall|microsoft.cryptography|currentcontrolset.services|currentcontrolset.control.lsa|simontatham.putty|openssh.agent|internet settings|terminal server|software.policies|bitcoin|image file execution options|classes.http.shell|currentversion.run|winscp.sessions).*'
    OR LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe.*'
    OR LOWER("Command") MATCHES '.*(\s/s\b|\s-s\b|-recurse).*'
  )
LAST 24 HOURS
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log (DSM) Sysmon via Windows Event Log DSM

Required Tables

events

False Positives

Enterprise asset management and discovery tools (e.g., Lansweeper, Tanium) that routinely query registry for hardware and software inventory
Group Policy processing and SCCM client operations that enumerate registry keys under Software\Policies and CurrentControlSet
Developer tooling and IDE plugins (e.g., Visual Studio, JetBrains) that query registry for SDK paths, COM registration, and file associations

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventCode=1
| parse regex field=Image "(?i)(?<process_name>[^\\]+\.exe)$"
| parse regex field=CommandLine "(?i)(?<target_key>(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS|HKU|HKCR|HKEY_CLASSES_ROOT)[\\/][^\s]+)" nodrop
| eval is_reg_exe = if(matches(Image, "(?i)\\reg\.exe$") and matches(CommandLine, "(?i)(\squery\s|\sexport\s|\ssave\s)"), 1, 0)
| eval is_ps_reg = if(
    matches(Image, "(?i)(powershell|pwsh)\.exe$")
    and matches(CommandLine, "(?i)(HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|Registry::)")
    and matches(CommandLine, "(?i)(Get-Item|Get-ItemProperty|Get-ChildItem|Get-ItemPropertyValue)"),
    1, 0
)
| where is_reg_exe = 1 or is_ps_reg = 1
| eval sensitive_path = if(
    matches(CommandLine, "(?i)(Windows NT.CurrentVersion|HARDWARE.DESCRIPTION.System|CurrentVersion.Uninstall|Microsoft.Cryptography|CurrentControlSet.Services|CurrentControlSet.Control.Lsa|SimonTatham.PuTTY|OpenSSH.Agent|Internet Settings|Terminal Server|Software.Policies|Bitcoin|Image File Execution Options|Classes.http.shell|CurrentVersion.Run|WinSCP.Sessions)"),
    1, 0
)
| eval recursive_query = if(matches(CommandLine, "(?i)(\s/s\b|\s-s\b|-Recurse)"), 1, 0)
| eval suspicious_parent = if(
    matches(ParentImage, "(?i)(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe$"),
    1, 0
)
| where sensitive_path = 1 or suspicious_parent = 1 or recursive_query = 1
| eval query_type = if(is_reg_exe = 1, "reg.exe", "PowerShell")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, target_key, query_type, sensitive_path, recursive_query, suspicious_parent
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon (Windows Event Forwarding to Sumo Logic) Sumo Logic Installed Collector on Windows endpoints

Required Tables

_sourceCategory=windows/sysmon

False Positives

Endpoint detection and response (EDR) agents performing periodic registry baseline scans as part of file integrity monitoring or behavioral telemetry collection
Software deployment tools such as PDQ Deploy, Chocolatey, or WinGet querying CurrentVersion\Uninstall or Run keys during install/uninstall operations
PowerShell DSC (Desired State Configuration) scripts checking registry state to enforce compliance baselines in managed enterprise environments

Google Chronicle / SecOps

yaral

rule t1012_query_registry_sensitive_paths {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1012 Query Registry — adversary enumeration of sensitive registry paths via reg.exe or PowerShell. Covers credential stores, persistence locations, installed software, security configuration, and SSH/credential manager keys."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1012"
    severity = "MEDIUM"
    confidence = "HIGH"
    created = "2026-04-13"
    reference = "https://attack.mitre.org/techniques/T1012/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline

    // Match reg.exe query/export/save OR PowerShell registry enumeration
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`)
        and re.regex($cmdline, `(?i)(\squery\s|\sexport\s|\ssave\s)`)
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($cmdline, `(?i)(HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|Registry::)`)
        and re.regex($cmdline, `(?i)(Get-Item|Get-ItemProperty|Get-ChildItem|Get-ItemPropertyValue)`)
      )
    )

    // Must match at least one trigger condition
    (
      // Sensitive registry path accessed
      re.regex($cmdline, `(?i)(Windows NT.CurrentVersion|HARDWARE.DESCRIPTION.System|CurrentVersion.Uninstall|Microsoft.Cryptography|CurrentControlSet.Services|CurrentControlSet.Control.Lsa|SimonTatham.PuTTY|OpenSSH.Agent|Internet Settings|Terminal Server|Software.Policies|Bitcoin|Image File Execution.Options|Classes.http.shell|CurrentVersion.Run|WinSCP.Sessions)`)
      or
      // Spawned from suspicious parent process
      re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe$`)
      or
      // Recursive enumeration flag
      re.regex($cmdline, `(?i)(\s/s\b|\s-s\b|-Recurse)`)
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle SIEM Windows endpoint telemetry via Chronicle forwarder Sysmon via Chronicle ingestion pipeline

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

System monitoring and observability agents (e.g., Datadog, New Relic, Dynatrace) querying registry for performance counters and installed application versions
Antivirus and endpoint security product self-checks querying Image File Execution Options, LSA providers, and CurrentControlSet\Services to verify their own integrity
Enterprise PKI and certificate management tools querying Microsoft\Cryptography for machine GUID and certificate store configuration

CrowdStrike LogScale (CQL)

cql

// T1012 Query Registry — reg.exe and PowerShell sensitive path enumeration
#event_simpleName = ProcessRollup2
| FileName = /(?i)^(reg\.exe|powershell\.exe|pwsh\.exe)$/

// Classify query type
| case {
    FileName = /(?i)^reg\.exe$/ AND CommandLine = /(?i)(\squery\s|\sexport\s|\ssave\s)/
      | QueryType := "reg.exe";
    FileName = /(?i)^(powershell|pwsh)\.exe$/
      AND CommandLine = /(?i)(HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|Registry::)/
      AND CommandLine = /(?i)(Get-Item|Get-ItemProperty|Get-ChildItem|Get-ItemPropertyValue)/
      | QueryType := "PowerShell";
    * | QueryType := "Other"
  }
| QueryType != "Other"

// Flag sensitive registry path access
| SensitivePath := if(
    CommandLine = /(?i)(Windows NT.CurrentVersion|HARDWARE.DESCRIPTION.System|CurrentVersion.Uninstall|Microsoft.Cryptography|CurrentControlSet.Services|CurrentControlSet.Control.Lsa|SimonTatham.PuTTY|OpenSSH.Agent|Internet Settings|Terminal Server|Software.Policies|Bitcoin|Image File Execution Options|Classes.http.shell|CurrentVersion.Run|WinSCP.Sessions)/,
    "true", "false"
  )

// Flag recursive queries
| RecursiveQuery := if(
    CommandLine = /(?i)(\s\/s\b|\s-s\b|-Recurse)/,
    "true", "false"
  )

// Flag suspicious parent processes
| SuspiciousParent := if(
    ParentBaseFileName = /(?i)^(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe$/,
    "true", "false"
  )

// Require at least one suspicion indicator
| SensitivePath = "true" OR RecursiveQuery = "true" OR SuspiciousParent = "true"

// Extract target registry key from command line
| TargetKey := replace(CommandLine, /(?i).*(HKLM[:\\]|HKCU[:\\]|HKEY_LOCAL_MACHINE[\\]|HKEY_CURRENT_USER[\\]|HKEY_USERS[\\])([^\s"]+).*/,
    "$1$2")

| fields
    timestamp,
    ComputerName,
    UserName,
    FileName,
    CommandLine,
    ParentBaseFileName,
    ParentCommandLine,
    TargetKey,
    QueryType,
    SensitivePath,
    RecursiveQuery,
    SuspiciousParent,
    TargetProcessId,
    ContextProcessId
| sort timestamp desc

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio) Falcon Insight XDR telemetry

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor itself and competing security products performing integrity checks of LSA, boot configuration, and service registry entries
Windows Installer (msiexec.exe) and software packaging tools querying CurrentVersion\Uninstall and CurrentControlSet\Services during installation, patching, or rollback operations
IT automation frameworks including Puppet, Chef, and SaltStack that use PowerShell to read and assert registry state as part of idempotent configuration enforcement

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Query Registry

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections