System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
Sigma rule
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
    - https://cert.gov.ua/article/6277849
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
modified: 2025-10-25
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
    condition: 1 of selection_cmd_* and selection_keys
falsepositives:
    - Unlikely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
simulation:
    - type: atomic-red-team
      name: System Information Discovery
      technique: T1010
      atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
    - type: atomic-red-team
      name: Discover OS Product Name via Registry
      technique: T1082
      atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
    - type: atomic-red-team
      name: Discover OS Build Number via Registry
      technique: T1082
      atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
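As an added illustration (not part of this rule page or of Sigma tooling), the evaluator below applies the rule's three selections and its `1 of selection_cmd_* and selection_keys` condition to constructed process_creation events, including the `windash` expansion of `-v`. The dash variants used are assumed to mirror pySigma's windash modifier; the sample events are made up for the demonstration.

```python
from typing import Dict, List

# Variants Sigma's `windash` modifier expands a dash to: ASCII '-' and '/' plus the
# Unicode dashes pySigma handles (assumed here to mirror that expansion).
WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]

KEY_FRAGMENTS = [  # selection_keys, verbatim from the rule
    r"\SOFTWARE\Microsoft\Windows Defender",
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",
    r"\SYSTEM\CurrentControlSet\Services",
]

def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive; `contains` is a plain substring test.
    return needle.lower() in haystack.lower()

def selection_cmd_reg(ev: Dict[str, str]) -> bool:
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    return (image.lower().endswith(r"\reg.exe")
            and _contains(cmd, "query")
            and any(_contains(cmd, dash + "v") for dash in WINDASH))  # '-v', '/v', ...

def selection_cmd_powershell(ev: Dict[str, str]) -> bool:
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    return (any(image.lower().endswith(s) for s in (r"\powershell.exe", r"\pwsh.exe"))
            and any(_contains(cmd, s) for s in ("Get-ItemPropertyValue", "gpv")))

def selection_keys(ev: Dict[str, str]) -> bool:
    return any(_contains(ev.get("CommandLine", ""), k) for k in KEY_FRAGMENTS)

def rule_matches(ev: Dict[str, str]) -> bool:
    # condition: 1 of selection_cmd_* and selection_keys
    return (selection_cmd_reg(ev) or selection_cmd_powershell(ev)) and selection_keys(ev)

# Constructed process_creation events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"id": "e2", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh -c Get-ItemPropertyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' -Name TimeZoneKeyName"},
    {"id": "e3", "Image": r"C:\Windows\System32\reg.exe",  # en dash before v: caught by windash
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services \u2013v Start"},
    {"id": "e4", "Image": r"C:\Windows\System32\reg.exe",  # whole-key query with no -v: outside the rule
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
    {"id": "e5", "Image": r"C:\Windows\System32\reg.exe",  # -v on a key the rule does not list
     "CommandLine": r"reg query HKCU\Software\Contoso\App /v Setting"},
]

def matching_event_ids(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[str]:
    return [ev["id"] for ev in events if rule_matches(ev)]  # returns ['e1', 'e2', 'e3']
```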
Related rules
- Suspicious Kernel Dump Using Dtrace
- Potential Container Discovery Via Inodes Listing
- Bitbucket User Details Export Attempt Detected
- Bitbucket User Permissions Export Attempt
- Potential Suspicious Activity Using SeCEdit