Registry Enumeration via WMI Stdregprov

Detects the use of wmic.exe to enumerate or read the Windows registry through the read methods of the WMI StdRegProv class (EnumKey, EnumValues, GetStringValue, etc.). Registry reads are routine, but attackers use this technique for reconnaissance: discovering installed software, configuration values, or stored credentials. Driving the registry through WMI instead of reg.exe can indicate an attempt to evade detections that key on the traditional registry query commands. The rule identifies the wmic.exe process by image path or, for renamed copies, by OriginalFileName, and requires a "call" to one of the listed StdRegProv methods on the command line; the same methods invoked from PowerShell (Invoke-WmiMethod or Invoke-CimMethod) or from a script host are not covered, which matters on systems where wmic.exe is deprecated and, from Windows 11 24H2, not enabled by default.

Sigma rule

title: Registry Enumeration via WMI Stdregprov
id: a0e417e2-2fa1-40da-b6d2-e094cd5e1191
related:
    - id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a # Registry Manipulation via WMI Stdregprov
      type: similar
status: experimental
description: |
    Detects the usage of wmic.exe to enumerate or read Windows registry via the WMI StdRegProv class read methods (EnumKey, EnumValues, GetStringValue, etc.).
    While registry reads are common, attackers may use this technique to perform reconnaissance and discover sensitive configuration values, credentials, or installed software.
    The use of WMI as an alternative to standard tools like reg.exe can indicate an attempt to evade detection focused on traditional registry query commands.
references:
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-30
modified: 2026-06-19
tags:
    - attack.execution
    - attack.t1047
    - attack.discovery
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\root\default Class StdRegProv Call EnumKey hDefKey=&H80000002 sSubKeyName="Software\Microsoft\Windows\CurrentVersion\Uninstall"
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'stdregprov'
            - 'call'
        CommandLine|contains:
            - 'CheckAccess'
            - 'EnumKey'
            - 'EnumValues'
            - 'GetBinaryValue'
            - 'GetDWORDValue'
            - 'GetExpandedStringValue'
            - 'GetMultiStringValue'
            - 'GetQWORDValue'
            - 'GetSecurityDescriptor'
            - 'GetStringValue'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
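The rule's two selections, re-implemented by hand and run over constructed process_creation events, as an added example that is not part of the rule or of the SigmaHQ project. It assumes Sigma's default case-insensitive string matching, Sysmon Event ID 1 field names (Image, OriginalFileName, CommandLine), and the hDefKey hive handles from the StdRegProv documentation (WMIC writes hex as &H, so hDefKey=&H80000002 in the rule's own example is HKEY_LOCAL_MACHINE). The sample events, including the renamed-binary, StdRegProv-write and PowerShell cases, are constructed, not real telemetry.

```python
"""Evaluate the rule's selections against constructed process_creation events.

Added example; mirrors the rule's YAML by hand rather than loading it. Event
fields follow Sysmon Event ID 1 naming. Sample events are constructed.
"""
import re

# Read/query methods listed under selection_cli (case-insensitive in Sigma).
STDREGPROV_READ_METHODS = (
    "CheckAccess", "EnumKey", "EnumValues", "GetBinaryValue", "GetDWORDValue",
    "GetExpandedStringValue", "GetMultiStringValue", "GetQWORDValue",
    "GetSecurityDescriptor", "GetStringValue",
)

# hDefKey hive handles accepted by StdRegProv; WMIC writes hex as &H....
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}


def _contains(haystack, needle):
    # Sigma 'contains' and 'endswith' are case-insensitive unless |cased is set.
    return needle.lower() in haystack.lower()


def matches_rule(event):
    """True when the event satisfies 'condition: all of selection_*'."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cli = event.get("CommandLine", "")
    # selection_img is a list, so either item matching is enough (OR).
    selection_img = (image.lower().endswith("\\wmic.exe")
                     or original.lower() == "wmic.exe")
    # contains|all requires every term; the plain contains list is an OR.
    selection_cli = (_contains(cli, "stdregprov") and _contains(cli, "call")
                     and any(_contains(cli, m) for m in STDREGPROV_READ_METHODS))
    return selection_img and selection_cli


def matched_indices(events):
    return [i for i, e in enumerate(events) if matches_rule(e)]


def describe_target(cli):
    """Triage enrichment: method, hive and subkey named on the command line."""
    method = next((m for m in STDREGPROV_READ_METHODS if _contains(cli, m)), None)
    hive = None
    m = re.search(r"hDefKey=(&H|0x)?([0-9A-Fa-f]+)", cli, re.IGNORECASE)
    if m:
        raw = m.group(2)  # decimal unless a hex prefix was given
        value = int(raw, 10) if m.group(1) is None and raw.isdigit() else int(raw, 16)
        hive = HIVES.get(value, "unknown(0x%08X)" % value)
    subkey = None
    m = re.search(r'sSubKeyName=(?:"([^"]*)"|(\S+))', cli, re.IGNORECASE)
    if m:
        subkey = m.group(1) if m.group(1) is not None else m.group(2)
    return {"method": method, "hive": hive, "subkey": subkey}


# Constructed sample events (not real telemetry).
EVENTS = [
    {  # 0: the rule's own example: list installed software under HKLM.
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'WMIC /NameSpace:\\root\default Class StdRegProv Call EnumKey '
                       r'hDefKey=&H80000002 sSubKeyName="Software\Microsoft\Windows\CurrentVersion\Uninstall"',
    },
    {  # 1: renamed copy of wmic.exe; the Image test fails, OriginalFileName still fires.
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'svchost.exe /namespace:\\root\default class stdregprov call getstringvalue '
                       r'hDefKey=2147483649 sSubKeyName="Software\Microsoft\Windows\CurrentVersion\Run" sValueName=Updater',
    },
    {  # 2: same discovery with reg.exe; out of scope for this rule.
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"',
    },
    {  # 3: a StdRegProv write; no read method listed, so left to the related rule.
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'wmic /namespace:\\root\default class stdregprov call SetStringValue '
                       r'hDefKey=&H80000001 sSubKeyName="Software\Microsoft\Windows\CurrentVersion\Run" '
                       r'sValueName=Updater sValue="C:\Users\Public\u.exe"',
    },
    {  # 4: same class driven from PowerShell; selection_img never matches.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell -c "Invoke-CimMethod -Namespace root/default -ClassName StdRegProv '
                       r'-MethodName EnumKey -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName=\"Software\"}"',
    },
]

if __name__ == "__main__":
    for i, event in enumerate(EVENTS):
        if matches_rule(event):
            print(i, "MATCH", describe_target(event["CommandLine"]))
        else:
            print(i, "no match")
```

Run with python3: events 0 and 1 match, and describe_target resolves the first to EnumKey on HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall. Event 3 (a SetStringValue write) falls to the related "Registry Manipulation via WMI Stdregprov" rule, and event 4 shows the coverage gap for the same class invoked from PowerShell, where script block logging rather than process creation is the place to look.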
