Query Registry via reg.exe
Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/04"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on
11activities.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Query Registry via reg.exe"
18risk_score = 21
19rule_id = "68113fdc-3105-4cdd-85bb-e643c416ef0b"
20severity = "low"
21tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
22timestamp_override = "event.ingested"
23type = "eql"
24
25query = '''
26process where event.type in ("start", "process_started") and
27 (process.name : "reg.exe" or process.pe.original_file_name == "reg.exe") and
28 process.args == "query"
29'''
30
31
32[[rule.threat]]
33framework = "MITRE ATT&CK"
34[[rule.threat.technique]]
35id = "T1012"
36name = "Query Registry"
37reference = "https://attack.mitre.org/techniques/T1012/"
38
39
40[rule.threat.tactic]
41id = "TA0007"
42name = "Discovery"
43reference = "https://attack.mitre.org/tactics/TA0007/"
Related rules
- Process Discovery via Tasklist
- PowerShell spawning Cmd
- User Discovery via Whoami
- Trusted Developer Application Usage
- Execution via Regsvcs/Regasm