Detect Query Registry in IBM QRadar
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Threat actors including Turla (Epic), APT41 (DUSTTRAP), NOBELIUM (Sibot), Sandworm (TEARDROP), Lazarus (HOPLIGHT), Lyceum (Shark), and numerous commodity malware families leverage registry queries to fingerprint targets, locate credentials, identify installed security products, and discover network proxy configurations.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1012 Query Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1012/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    logsourcename(logsourceid) AS log_source,
    sourceip,
    username,
    "Process Name" AS process_name,
    "Command" AS command_line,
    "Parent Process Name" AS parent_process_name,
    CASE
        WHEN LOWER("Command") MATCHES '.*reg\.exe.*' THEN 'reg.exe'
        WHEN LOWER("Command") MATCHES '.*(powershell|pwsh)\.exe.*' THEN 'PowerShell'
        ELSE 'Unknown'
    END AS query_type,
    CASE
        WHEN LOWER("Command") MATCHES '.*(windows nt.currentversion|hardware.description.system|currentversion.uninstall|microsoft.cryptography|currentcontrolset.services|currentcontrolset.control.lsa|simontatham.putty|openssh.agent|internet settings|terminal server|software.policies|bitcoin|image file execution options|classes.http.shell|currentversion.run|winscp.sessions).*' THEN 1
        ELSE 0
    END AS sensitive_path,
    CASE
        WHEN LOWER("Command") MATCHES '.*/s\b.*' OR LOWER("Command") MATCHES '.*-recurse.*' THEN 1
        ELSE 0
    END AS recursive_query,
    CASE
        WHEN LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe.*' THEN 1
        ELSE 0
    END AS suspicious_parent
FROM events
WHERE
    LOGSOURCETYPEID IN (12, 433)
    AND eventid IN (1, 4688)
    AND (
        (
            LOWER("Process Name") MATCHES '.*\\reg\.exe$'
            AND LOWER("Command") MATCHES '.*(\squery\s|\sexport\s|\ssave\s).*'
        )
        OR
        (
            LOWER("Process Name") MATCHES '.*(powershell|pwsh)\.exe$'
            AND LOWER("Command") MATCHES '.*(hklm:|hkcu:|hkey_local_machine|hkey_current_user|registry::).*'
            AND LOWER("Command") MATCHES '.*(get-item|get-itemproperty|get-childitem|get-itempropertyvalue).*'
        )
    )
    AND (
        LOWER("Command") MATCHES '.*(windows nt.currentversion|hardware.description.system|currentversion.uninstall|microsoft.cryptography|currentcontrolset.services|currentcontrolset.control.lsa|simontatham.putty|openssh.agent|internet settings|terminal server|software.policies|bitcoin|image file execution options|classes.http.shell|currentversion.run|winscp.sessions).*'
        OR LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|excel|winword|outlook|powerpnt)\.exe.*'
        OR LOWER("Command") MATCHES '.*(\s/s\b|\s-s\b|-recurse).*'
    )
LAST 24 HOURS
ORDER BY starttime DESC
```

AQL detection for T1012 Query Registry via Sysmon Event ID 1 or Windows Security Event 4688. Identifies reg.exe query/export/save operations and PowerShell registry enumeration targeting sensitive keys. Filters on sensitive path matches, suspicious parent processes, and recursive query flags consistent with adversary reconnaissance. LOGSOURCETYPEID 12 covers Microsoft Windows Security Event Log, 433 covers Sysmon.
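As an added illustration that is not part of the original detection package, the Python below mirrors the rule's WHERE clause and computed columns so the matching logic can be exercised offline. The event dictionaries are constructed samples shaped after the Atomic tests in the Testing Methodology section, not real telemetry; field names follow the QRadar properties used in the query.

```python
import re
# Regexes copied from the rule's MATCHES patterns. AQL MATCHES is a Java full match,
# so re.fullmatch on the lower-cased field reproduces the same semantics.
REG_IMAGE = re.compile(r'.*\\reg\.exe$')
REG_VERB = re.compile(r'.*(\squery\s|\sexport\s|\ssave\s).*')
PS_IMAGE = re.compile(r'.*(powershell|pwsh)\.exe$')
PS_HIVE = re.compile(r'.*(hklm:|hkcu:|hkey_local_machine|hkey_current_user|registry::).*')
PS_CMDLET = re.compile(r'.*(get-item|get-itemproperty|get-childitem|get-itempropertyvalue).*')
SENSITIVE = re.compile(r'.*(windows nt.currentversion|hardware.description.system|currentversion.uninstall|'
                       r'microsoft.cryptography|currentcontrolset.services|currentcontrolset.control.lsa|simontatham.putty|'
                       r'openssh.agent|internet settings|terminal server|software.policies|bitcoin|'
                       r'image file execution options|classes.http.shell|currentversion.run|winscp.sessions).*')
SUSPICIOUS_PARENT = re.compile(r'.*(wscript|cscript|mshta|wmic|rundll32|regsvr32|msbuild|installutil|'
                               r'excel|winword|outlook|powerpnt)\.exe.*')
RECURSIVE = re.compile(r'.*(\s/s\b|\s-s\b|-recurse).*')

def evaluate(event):
    """Apply the rule's WHERE clause to one process-creation event; None if filtered out, else the computed columns."""
    image, cmd = event["Process Name"].lower(), event["Command"].lower()
    parent = event["Parent Process Name"].lower()
    is_reg = bool(REG_IMAGE.fullmatch(image) and REG_VERB.fullmatch(cmd))
    is_ps = bool(PS_IMAGE.fullmatch(image) and PS_HIVE.fullmatch(cmd) and PS_CMDLET.fullmatch(cmd))
    if not (is_reg or is_ps):
        return None                      # not a registry read by reg.exe or PowerShell
    sensitive = bool(SENSITIVE.fullmatch(cmd))
    sus_parent = bool(SUSPICIOUS_PARENT.fullmatch(parent))
    recursive = bool(RECURSIVE.fullmatch(cmd))
    if not (sensitive or sus_parent or recursive):
        return None                      # routine query: no sensitive key, odd parent or recursion
    return {"query_type": "reg.exe" if is_reg else "PowerShell", "sensitive_path": int(sensitive),
            "recursive_query": int(recursive), "suspicious_parent": int(sus_parent)}

# Constructed sample events (not real telemetry): Tests 1-3 from the page plus two benign cases.
SAMPLE_EVENTS = [
    {"Process Name": r"C:\Windows\System32\reg.exe", "Parent Process Name": r"C:\Windows\System32\cmd.exe",
     "Command": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
    {"Process Name": r"C:\Windows\System32\reg.exe", "Parent Process Name": r"C:\Windows\System32\cmd.exe",
     "Command": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s"},
    {"Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Parent Process Name": r"C:\Windows\System32\wscript.exe",
     "Command": r"powershell.exe -c Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'"},
    {"Process Name": r"C:\Windows\System32\reg.exe", "Parent Process Name": r"C:\Windows\explorer.exe",
     "Command": r"reg query HKCU\Console"},                              # non-sensitive key, benign parent
    {"Process Name": r"C:\Windows\System32\reg.exe", "Parent Process Name": r"C:\Windows\System32\cmd.exe",
     "Command": r"reg add HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f"},  # a write, not a query
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Command"], "->", evaluate(ev))
```

The two benign events fall out at different stages of the filter, which is useful when tuning: the first passes the reg.exe verb check but none of the three enrichment conditions, the second never matches a query verb at all.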
Data Sources
Required Tables
False Positives & Tuning
- Enterprise asset management and discovery tools (e.g., Lansweeper, Tanium) that routinely query registry for hardware and software inventory
- Group Policy processing and SCCM client operations that enumerate registry keys under Software\Policies and CurrentControlSet
- Developer tooling and IDE plugins (e.g., Visual Studio, JetBrains) that query registry for SDK paths, COM registration, and file associations
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Registry Query for OS Version and Hardware Information
Expected signal: Sysmon Event ID 1: Multiple Process Create events with Image=reg.exe, CommandLine containing 'query' and 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' and 'HKLM\HARDWARE\DESCRIPTION\System'. Security Event ID 4688 with identical command line details if command line auditing is enabled. Prefetch entry updated at C:\Windows\Prefetch\REG.EXE-*.pf with current timestamp.
- Test 2: Recursive Registry Query for Installed Software
Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe — one per command — with CommandLine containing 'query', 'Uninstall', and '/s' flag. The recursive query generates a large stdout output but only one process creation event per reg.exe invocation. Security Event ID 4688 with command line if auditing enabled.
- Test 3: PowerShell Registry Query for Proxy Configuration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ItemProperty', 'HKCU:', and 'Internet Settings'. PowerShell ScriptBlock Log Event ID 4104 from Microsoft-Windows-PowerShell/Operational with the full command content. Note: read-only registry access does not generate Sysmon Event IDs 12/13/14 — process-level telemetry is the primary detection source.
- Test 4: Registry Query for Machine GUID and LSA Configuration
Expected signal: Sysmon Event ID 1: Three sequential Process Create events for reg.exe with CommandLine targeting 'Cryptography', 'Control\Lsa' keys respectively. Security Event ID 4688 with command line if auditing enabled. Consecutive execution timestamps within milliseconds of each other, consistent with scripted automated enumeration rather than manual administrative queries.
References
- https://attack.mitre.org/techniques/T1012/
- https://en.wikipedia.org/wiki/Windows_Registry
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-query
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
- https://securelist.com/the-epic-turla-operation/65545/
- https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-168a
- https://unit42.paloaltonetworks.com/unit42-azorult-now-comes-ransomware/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation