title: Query Registry (T1012)
id: df00tech-t1012
status: experimental
description: "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Threat actors including Turla (Epic), APT41 (DUSTTRAP), NOBELIUM (Sibot), Sandworm (TEARDROP), Lazarus (HOPLIGHT), Lyceum (Shark), and numerous commodity malware families leverage registry queries to fingerprint targets, locate credentials, identify installed security products, and discover network proxy configurations."
references:
  - https://attack.mitre.org/techniques/T1012/
  - https://df00tech.com/detections/T1012
author: df00tech
date: 2026/04/13
tags:
  - attack.t1012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators using reg.exe or PowerShell scripts for legitimate system auditing, compliance checks, or configuration validation workflows"
  - "Software deployment tools (SCCM, Intune, Chef, Puppet) that query registry for version checks and configuration state before deploying updates"
  - "System monitoring and inventory agents (SCOM, Tanium, Qualys, Tenable Nessus) that regularly enumerate installed software via the Uninstall key"
  - "Help desk and remote support tools (TeamViewer, ConnectWise) querying registry for diagnostic purposes during active support sessions"
  - "Application installers that read registry paths to detect prerequisites, conflicting software versions, or existing installation state before proceeding"
level: medium