System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
Sigma rule

```yaml
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
    - https://cert.gov.ua/article/6277849
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' # Holds network configuration details
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about Defender state
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks' # Details about existing scheduled tasks
    condition: 1 of selection_cmd_* and selection_keys
falsepositives:
    - Unlikely
level: low
```
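To see exactly which command lines this rule fires on, the following added example (not part of the rule or the Sigma project) re-implements its three selections and the `1 of selection_cmd_* and selection_keys` condition in Python and replays them over constructed process-creation events. It assumes Sigma's default case-insensitive substring matching for `contains`, and expands `windash` to `-`, `/` and the Unicode dash variants (en dash, em dash, horizontal bar) that current Sigma backends generate; the sample Image and CommandLine values are made up for illustration and are not real telemetry.

```python
"""Replay the rule's detection logic over constructed process-creation events."""

# Registry paths from the rule's selection_keys.
SELECTION_KEYS = [
    r"\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",
    r"\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"\SOFTWARE\Microsoft\Windows Defender",
    r"\SYSTEM\CurrentControlSet\Services",
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks",
]

# Dash characters the windash modifier substitutes for '-' (assumption: '-', '/',
# en dash, em dash, horizontal bar).
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash(pattern: str) -> list:
    """Expand a pattern the way Sigma's |windash modifier does: one variant per dash."""
    return [pattern.replace("-", d) for d in WINDASH_CHARS]


def contains_any(haystack: str, needles) -> bool:
    """Sigma |contains: case-insensitive substring match, any-of for list values."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def selection_cmd_reg(image: str, cmdline: str) -> bool:
    return (
        image.lower().endswith(r"\reg.exe")
        and contains_any(cmdline, ["query"])
        and contains_any(cmdline, windash("-v"))
    )


def selection_cmd_powershell(image: str, cmdline: str) -> bool:
    return image.lower().endswith((r"\powershell.exe", r"\pwsh.exe")) and contains_any(
        cmdline, ["Get-ItemPropertyValue", "gpv"]
    )


def selection_keys(cmdline: str) -> bool:
    return contains_any(cmdline, SELECTION_KEYS)


def rule_matches(image: str, cmdline: str) -> bool:
    """condition: 1 of selection_cmd_* and selection_keys"""
    cmd_hit = selection_cmd_reg(image, cmdline) or selection_cmd_powershell(image, cmdline)
    return cmd_hit and selection_keys(cmdline)


# Constructed sample events (Image, CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    # reg query of a listed key with /v: matches
    (r"C:\Windows\System32\reg.exe",
     r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
    # Get-ItemPropertyValue against a listed key: matches
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -c Get-ItemPropertyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' -Name TimeZoneKeyName"),
    # gpv alias in pwsh: matches
    (r"C:\Program Files\PowerShell\7\pwsh.exe",
     r"pwsh -c gpv 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name DisableAntiSpyware"),
    # en dash instead of '-': still caught because of windash
    (r"C:\Windows\System32\reg.exe",
     "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Foo \u2013v DisplayName"),
    # whole-key enumeration without a value flag: selection_cmd_reg does not fire
    (r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    # Get-ChildItem is not one of the listed cmdlets: no match
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -c Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'"),
    # right binary and flag, but a key the rule does not list: no match
    (r"C:\Windows\System32\reg.exe",
     r"reg query HKCU\Software\Vendor\App /v Setting"),
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return one match verdict per event, in input order."""
    return [rule_matches(img, cmd) for img, cmd in events]


if __name__ == "__main__":
    for (img, cmd), hit in zip(SAMPLE_EVENTS, evaluate()):
        print("MATCH" if hit else "no   ", cmd)
```

The last three events show the coverage boundary a practitioner should keep in mind: `reg query` that enumerates a whole key without `/v`, and PowerShell access through `Get-ChildItem` or `Get-ItemProperty`, fall outside the rule as written, and a listed cmdlet or flag against an unlisted key never fires. Conversely, `'-v'` and `'gpv'` are short substrings matched anywhere in the command line, so it is the `selection_keys` clause, not the flag, that keeps the rule specific.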
Related rules
- System Info Discovery via Sysinfo Syscall
- Bitbucket User Permissions Export Attempt
- HackTool - winPEAS Execution
- Potential Product Class Reconnaissance Via Wmic.EXE
- System Information Discovery Via Sysctl - MacOS