Detect Query Registry in Microsoft Sentinel
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Threat actors including Turla (Epic), APT41 (DUSTTRAP), NOBELIUM (Sibot), Sandworm (TEARDROP), Lazarus (HOPLIGHT), Lyceum (Shark), and numerous commodity malware families leverage registry queries to fingerprint targets, locate credentials, identify installed security products, and discover network proxy configurations.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1012 Query Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1012/
KQL Detection Query
let SensitiveRegistryPaths = dynamic([
"Windows NT\\CurrentVersion",
"HARDWARE\\DESCRIPTION\\System",
"CurrentVersion\\Uninstall",
"Microsoft\\Cryptography",
"CurrentControlSet\\Services",
"CurrentControlSet\\Control\\Lsa",
"SimonTatham\\PuTTY\\Sessions",
"OpenSSH\\Agent\\Keys",
"Windows\\CurrentVersion\\Internet Settings",
"Control\\Terminal Server",
"Software\\Policies",
"Bitcoin",
"Image File Execution Options",
"SOFTWARE\\Microsoft\\CTF",
"Classes\\http\\shell\\open\\command",
"CurrentVersion\\Run",
"CurrentVersion\\RunOnce",
"WinSCP\\Sessions"
]);
let SuspiciousInitiators = dynamic([
"wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe",
"rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe",
"excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe"
]);
// Branch 1: reg.exe query / export / save
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_any ("query", "export", "save")
| extend TargetKey = extract(@"(?i)(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS|HKU|HKCR|HKEY_CLASSES_ROOT)\\[^\s]+", 0, ProcessCommandLine)
| extend SensitivePath = ProcessCommandLine has_any (SensitiveRegistryPaths)
| extend RecursiveQuery = ProcessCommandLine has "/s" or ProcessCommandLine has "-s"
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousInitiators)
| extend QueryType = "reg.exe"
| union (
// Branch 2: PowerShell registry enumeration
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("HKLM:", "HKCU:", "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "Registry::")
| where ProcessCommandLine has_any ("Get-Item", "Get-ItemProperty", "Get-ChildItem", "Get-ItemPropertyValue")
| extend TargetKey = extract(@"(?i)(HKLM:|HKCU:|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|Registry::HKEY)[\\\w\s]+", 0, ProcessCommandLine)
| extend SensitivePath = ProcessCommandLine has_any (SensitiveRegistryPaths)
| extend RecursiveQuery = ProcessCommandLine has "-Recurse"
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousInitiators)
| extend QueryType = "PowerShell"
)
| where SensitivePath == true or SuspiciousParent == true or RecursiveQuery == true
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
TargetKey, SensitivePath, RecursiveQuery, SuspiciousParent, QueryType
| sort by Timestamp descDetects suspicious Windows Registry queries using reg.exe or PowerShell targeting sensitive registry paths associated with system fingerprinting, credential discovery, and documented malware tradecraft. Two primary execution vectors are monitored: direct reg.exe query/export/save commands and PowerShell Get-Item/Get-ItemProperty/Get-ChildItem cmdlets. Results are filtered to sensitive registry paths (OS version, hardware info, installed software, LSA settings, stored sessions, proxy configuration, RDP settings, persistence keys) and suspicious parent processes (scripting engines, Office apps, LOLBins) to reduce noise while maintaining high-fidelity detection.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators using reg.exe or PowerShell scripts for legitimate system auditing, compliance checks, or configuration validation workflows
- Software deployment tools (SCCM, Intune, Chef, Puppet) that query registry for version checks and configuration state before deploying updates
- System monitoring and inventory agents (SCOM, Tanium, Qualys, Tenable Nessus) that regularly enumerate installed software via the Uninstall key
- Help desk and remote support tools (TeamViewer, ConnectWise) querying registry for diagnostic purposes during active support sessions
- Application installers that read registry paths to detect prerequisites, conflicting software versions, or existing installation state before proceeding
Other platforms for T1012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Registry Query for OS Version and Hardware Information
Expected signal: Sysmon Event ID 1: Multiple Process Create events with Image=reg.exe, CommandLine containing 'query' and 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' and 'HKLM\HARDWARE\DESCRIPTION\System'. Security Event ID 4688 with identical command line details if command line auditing is enabled. Prefetch entry updated at C:\Windows\Prefetch\REG.EXE-*.pf with current timestamp.
- Test 2Recursive Registry Query for Installed Software
Expected signal: Sysmon Event ID 1: Two Process Create events for reg.exe — one per command — with CommandLine containing 'query', 'Uninstall', and '/s' flag. The recursive query generates a large stdout output but only one process creation event per reg.exe invocation. Security Event ID 4688 with command line if auditing enabled.
- Test 3PowerShell Registry Query for Proxy Configuration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ItemProperty', 'HKCU:', and 'Internet Settings'. PowerShell ScriptBlock Log Event ID 4104 from Microsoft-Windows-PowerShell/Operational with the full command content. Note: read-only registry access does not generate Sysmon Event IDs 12/13/14 — process-level telemetry is the primary detection source.
- Test 4Registry Query for Machine GUID and LSA Configuration
Expected signal: Sysmon Event ID 1: Three sequential Process Create events for reg.exe with CommandLine targeting 'Cryptography', 'Control\Lsa' keys respectively. Security Event ID 4688 with command line if auditing enabled. Consecutive execution timestamps within milliseconds of each other, consistent with scripted automated enumeration rather than manual administrative queries.
References (10)
- https://attack.mitre.org/techniques/T1012/
- https://en.wikipedia.org/wiki/Windows_Registry
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-query
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
- https://securelist.com/the-epic-turla-operation/65545/
- https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-168a
- https://unit42.paloaltonetworks.com/unit42-azorult-now-comes-ransomware/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1012 including response playbook, investigation guide, and atomic red team tests.