Description
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Threat Groups (19)
| ID | Group | Context |
|---|---|---|
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to query the Registry for proxy settings.(Citation: Zscaler APT31 Covid-19 October ... |
| G0027 | Threat Group-3390 | A [Threat Group-3390](https://attack.mitre.org/groups/G0027) tool can read and decrypt stored Registry values.(Citation: Nccgroup Emissary Panda May 2... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applicatio... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor can query the Windows Registry to gather system information. (Citation: ESET OceanLotus Mar ... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has queried the Registry to identify victim information.(Citation: US-CERT TA18-074A) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover information in the Windows Registry with the <code>reg query... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obtained specific Registry keys and values on a compromised host.(Citation: Talos Kimsuky Nov 202... |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware attempts to determine the installed version of .NET by querying the Registry.(Citation... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has queried `HKEY_CURRENT_USER\Console\WindowsUpdates` to obtain the C2 addresses.(Citatio... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) queried registry values to determine system language settings.(Citation: Picus BlackByte 2022) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has accessed Registry hives ntuser.dat and UserClass.dat.(Citation: CISA AA20-259A Iran-Based Acto... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used various strains of malware to query the Registry.(Citation: FBI FLASH APT39 September 2020) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has queried Registry keys using <code>reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) queried registry values to determine items such as configured RDP ports and network configurations.(Cit... |
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) used [Reg](https://attack.mitre.org/software/S0075) to dump the Security Account Manager (SAM), Sys... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has queried the Registry on compromised systems, `reg query hklm\software\`, for information on ... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default”</code> ... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used a service account to extract copies of the `Security` Registry hive.(Citation: Mandian... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has run commands such as `reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Param... |
Associated Software (99)
| ID | Name | Type | Context |
|---|---|---|---|
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) uses the <code>rem reg query</code> command to obtain values from Registry keys.(Citation: Kaspersky T... |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate Registry items.(Citation: Google Cloud APT41 2024) |
| S0589 | Sibot | Malware | [Sibot](https://attack.mitre.org/software/S0589) has queried the registry for proxy server information.(Citation: MSTIC NOBELIUM Mar 2021) |
| S0512 | FatDuke | Malware | [FatDuke](https://attack.mitre.org/software/S0512) can get user agent strings for the default browser from <code>HKCU\Software\Classes\http\shell\open... |
| S0203 | Hydraq | Malware | [Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can retrieve system information, such as CPU speed... |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) can search for the `HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System` Registry key to gather system ... |
| S0560 | TEARDROP | Malware | [TEARDROP](https://attack.mitre.org/software/S0560) checked that <code>HKU\SOFTWARE\Microsoft\CTF</code> existed before decoding its embedded payload.... |
| S0376 | HOPLIGHT | Malware | A variant of [HOPLIGHT](https://attack.mitre.org/software/S0376) hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto'... |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GU... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) enumerates the Registry, specifically the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentV... |
| S0344 | Azorult | Malware | [Azorult](https://attack.mitre.org/software/S0344) can check for installed software on the system under the Registry key <code>Software\Microsoft\Wind... |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has the ability to enumerate Registry keys, including <code>HKEY_CURRENT_USER\Software\Bitcoin\Bit... |
| S0180 | Volgmer | Malware | [Volgmer](https://attack.mitre.org/software/S0180) checks the system for certain Registry keys.(Citation: US-CERT Volgmer 2 Nov 2017) |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) can read specific registry values.(Citation: Trend Micro njRAT 2018) |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) can access the <code>HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData</code> Registry... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) queries several Registry keys to identify hard disk partitions to overwrite.(Citation: Palo Alto Sh... |
| S0414 | BabyShark | Malware | [BabyShark](https://attack.mitre.org/software/S0414) has executed the <code>reg query</code> command for <code>HKEY_CURRENT_USER\Software\Microsoft\Te... |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) queries the Registry for keys and values.(Citation: Cybereason Cobalt Kitty 2017) |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opp... |
| S0517 | Pillowmint | Malware | [Pillowmint](https://attack.mitre.org/software/S0517) has used shellcode which reads code stored in the registry keys <code>\REGISTRY\SOFTWARE\Microso... |
Frequently Asked Questions
What is T1012 (Query Registry)?
T1012 is a MITRE ATT&CK technique named 'Query Registry'. It belongs to the Discovery tactic(s). Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the o...
How can T1012 be detected?
Detection of T1012 (Query Registry) typically involves monitoring process creation and command-line telemetry for Registry query utilities such as Reg, together with system logs, network traffic, and other endpoint telemetry. SIEM rules, EDR solutions, and behavioral analytics can then flag Registry queries that are unusual for the host or user, such as reads of keys holding remote-access history, machine identifiers, or service configuration.
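As an added illustration of the detection approach above (this is example code written for this page, not part of the ATT&CK entry or any vendor product), the following classifier runs over process-creation events in a Sysmon-style shape and flags reg.exe invocations that match the Registry paths quoted in the group and software rows on this page: the Terminal Server Client key, the Cryptography key holding MachineGuid, per-service Parameters keys, and the HARDWARE\DESCRIPTION\System key, plus `reg save`/`reg export` of the SAM, SECURITY or SYSTEM hives. The field names (`Image`, `CommandLine`, `ParentImage`, `User`) and all sample events, including the host name and SID in the remote query, are constructed assumptions.

```python
"""Flag reg.exe Registry discovery and hive dumps in process-creation events.

Added example for ATT&CK T1012; assumes Sysmon-style event fields. All
sample events below are constructed, not captured telemetry.
"""
import re
import shlex

# Hive abbreviations accepted by reg.exe, mapped to their canonical names.
HIVE_ALIASES = {
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
}

# Key patterns drawn from the rows on this page; matched against an
# upper-cased, canonicalised key path.
DISCOVERY_KEYS = {
    "rdp_client_history": re.compile(r"\\SOFTWARE\\MICROSOFT\\TERMINAL SERVER CLIENT"),
    "machine_guid":       re.compile(r"\\SOFTWARE\\MICROSOFT\\CRYPTOGRAPHY\b"),
    "service_parameters": re.compile(r"\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\[^\\]+\\PARAMETERS"),
    "hardware_system":    re.compile(r"\\HARDWARE\\DESCRIPTION\\SYSTEM\b"),
}

# Hives whose saved copies carry credential material.
CREDENTIAL_HIVES = re.compile(r"^HKEY_LOCAL_MACHINE\\(SAM|SECURITY|SYSTEM)$")


def canonical_key(token):
    """Strip quotes, drop a \\\\host\\ prefix, expand hive aliases, upper-case.

    Returns (canonical_key, is_remote).
    """
    key = token.strip('"').rstrip("\\")
    remote = key.startswith("\\\\")
    if remote:
        key = key[2:].partition("\\")[2]  # drop the \\host\ prefix
    head, sep, rest = key.partition("\\")
    head = HIVE_ALIASES.get(head.upper(), head.upper())
    return head + sep + rest.upper(), remote


def classify_reg_event(event):
    """Return a finding dict for a reg.exe invocation of interest, else None."""
    if not event.get("Image", "").lower().endswith("\\reg.exe"):
        return None
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        argv = shlex.split(event.get("CommandLine", ""), posix=False)
    except ValueError:  # unbalanced quotes
        return None
    if len(argv) < 3:
        return None
    verb = argv[1].lower()
    key, remote = canonical_key(argv[2])
    base = {"user": event.get("User"), "parent": event.get("ParentImage"),
            "verb": verb, "key": key, "remote": remote}
    if verb in ("save", "export") and CREDENTIAL_HIVES.match(key):
        return dict(base, rule="registry_hive_dump", severity="high")
    if verb == "query":
        for name, pattern in DISCOVERY_KEYS.items():
            if pattern.search(key):
                return dict(base, rule="registry_discovery_" + name, severity="medium")
    return None


def scan(events):
    """Run the classifier over a batch of events; returns findings in order."""
    return [f for f in map(classify_reg_event, events) if f]


REG = r"C:\Windows\System32\reg.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Image": REG, "ParentImage": CMD, "User": "CORP\\jdoe",
     "CommandLine": r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'},
    {"Image": REG, "ParentImage": CMD, "User": "CORP\\jdoe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"Image": REG, "ParentImage": CMD, "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"Image": REG, "ParentImage": CMD, "User": "CORP\\jdoe",   # remote query; host and SID are placeholders
     "CommandLine": r'reg query "\\FILESRV01\HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Terminal Server Client\Default"'},
    {"Image": REG, "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe",
     "CommandLine": r'reg query "HKCU\Control Panel\Desktop" /v Wallpaper'},  # not in the rule set
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["rule"], finding["key"], "remote" if finding["remote"] else "local")
```

The classifier keys on the command line rather than on Registry access events, so it catches the Reg utility the page describes but not malware that reads the Registry through the Win32 API; pairing it with Registry read auditing or EDR telemetry on registry reads closes that gap.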
What mitigations exist for T1012?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1012?
Known threat groups using T1012 include: ZIRCONIUM, Threat Group-3390, Lazarus Group, APT32, Dragonfly, Turla, Kimsuky, Stealth Falcon.