Query Registry, Technique T1012 - Enterprise (original) (raw)
ADVSTORESHELL can enumerate registry keys.[2][3]
APT32's backdoor can query the Windows Registry to gather system information. [4]
APT39 has used various strains of malware to query the Registry.[5]
APT41 queried registry values to determine items such as configured RDP ports and network configurations.[6]
Attor has opened the registry and performed query searches.[7]
Azorult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.[8]
BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.[9]
BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.[10]
Bankshot searches for certain Registry keys to be configured before executing the payload.[11]
Bazar can query Windows\CurrentVersion\Uninstall for installed applications.[12][13]
BendyBear can query the host's Registry key at HKEY_CURRENT_USER\Console\QuickEdit to retrieve data.[14]
Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.[15]
BitPaymer can use the RegEnumKeyW to iterate through Registry keys.[16]
BlackByte queried registry values to determine system language settings.[17]
BlackByte Ransomware enumerates the Registry, specifically the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key.[18]
Brave Prince gathers information about the Registry.[19]
Bumblebee can check the Registry for specific keys.[20]
Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information.[21]
Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[22]
Carbon enumerates values in the Registry.[23]
Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.[24]
CharmPower has the ability to enumerate Uninstall registry values.[25]
Chimera has queried Registry keys using reg query \\HKU\\SOFTWARE\Microsoft\Terminal Server Client\Servers and reg query \\HKU\\Software\Microsoft\Windows\CurrentVersion\Internet Settings.[26]
CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[27]
Clambling has the ability to enumerate Registry keys, including KEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir to search for a bitcoin wallet.[28][29]
Cobalt Strike can query HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security\AccessVBOM\ to determine if the security setting for restricting default programmatic access is enabled.[30][31]
ComRAT can check the default browser by querying HKCR\http\shell\open\command.[32]
Crimson can check the Registry for the presence of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate to determine how long it has been installed on a host.[33]
Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines.[34]
DarkWatchman can query the Registry to determine if it has already been installed on the system.[35]
Denis queries the Registry for keys and values.[36]
Derusbi is capable of enumerating Registry keys and values.[37]
DownPaper searches and reads the value of the Windows Update Registry Run key.[38]
Dragonfly has queried the Registry to identify victim information.[39]
Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[40]
DUSTTRAP can enumerate Registry items.[41]
Epic uses the rem reg query command to obtain values from Registry keys.[42]
FatDuke can get user agent strings for the default browser from HKCU\Software\Classes\http\shell\open\command.[43]
FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[44][45]
FinFisher queries Registry values as part of its anti-sandbox checks.[46][47]
Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.[48]
FunnyDream can check Software\Microsoft\Windows\CurrentVersion\Internet Settings to extract the ProxyServer string.[49]
Gamaredon Group has queried HKEY_CURRENT_USER\\Console\\WindowsUpdates to obtain the C2 addresses.[50] Gamaredon Group has queried HKEY_CURRENT_USER\\Console\\WindowsUpdates to obtain the C2 addresses.[50]
Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[51]
gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[52]
Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[19]
A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name.[53]
Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[54][55]
Indrik Spider has used a service account to extract copies of the Security Registry hive.[56]
Industroyer has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.[57]
InvisiMole can enumerate Registry values, keys, and data.[58]
JPIN can enumerate Registry keys.[59]
Kapeka queries registry values for stored configuration information.[60]
Kimsuky has obtained specific Registry keys and values on a compromised host.[61]
Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[62][63][64]
LiteDuke can query the Registry to check for the presence of HKCU\Software\KasperskyLab.[43]
LitePower can query the Registry for keys added to execute COM hijacking.[65]
Lotus Blossom has run commands such as reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters to verify if installed implants are running as a service.[66]
Lucifer can check for existing stratum cryptomining information in HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%.[67]
Mafalda can enumerate Registry keys with all subkeys and values.[68]
Milan can query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid to retrieve the machine GUID.[69]
Mori can read data from the Registry including from HKLM\Software\NFC\IPA andHKLM\Software\NFC\.[70]
njRAT can read specific registry values.[71]
OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.[72]
During Operation Wocao, the threat actors executed /c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\<username>\PuTTY\Sessions\ to detect recent PuTTY sessions, likely to further lateral movement.[73]
OSInfo queries the registry to look for information about Terminal Services.[74]
PcShare can search the registry files of a compromised host.[49]
Pillowmint has used shellcode which reads code stored in the registry keys \REGISTRY\SOFTWARE\Microsoft\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces as part of its C2.[75]
PlugX can enumerate and query for information contained within the Windows Registry.[76][77][78]
POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.[79]
PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[80][81]
POWRUNER may query the Registry by running reg query on a victim.[82]
Proxysvc gathers product names from the Registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName and the processor description from the Registry key HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString.[83]
PUBLOAD has queried Registry values to identify software using reg query.[84]
Qilin can check HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control SystemStartOptions to determine if a machine is running in safe mode.[85]
QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.[86]
QUIETCANARY has the ability to retrieve information from the Registry.[87]
Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid key.[88][89]
RATANKBA uses the command reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings".[90]
Reaver queries the Registry to determine the correct Startup path to use for persistence.[91]
RedLine Stealer can query the Windows Registry.[92]
Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[93]
Remcos can obtain Registry data from targeted systems.[94]
REvil can query the Registry to get random file extensions to append to encrypted files.[95]
Rising Sun has identified the OS product name from a compromised host by searching the registry for SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName.[96]
ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[97]
Saint Bot has used check_registry_keys as part of its environmental checks.[98]
Samurai can query SOFTWARE\Microsoft\.NETFramework\policy\v2.0 for discovery.[99]
Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[100]
Shark can query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid to retrieve the machine GUID.[69]
Sibot has queried the registry for proxy server information.[101]
SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.[102]
SodaMaster has the ability to query the Registry to detect a key specific to VMware.[103]
Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[104]
StoneDrill has looked in the registry to find the default browser path.[105]
Stuxnet searches the Registry for indicators of security programs.[106]
SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.[107]
SVCReady can search for the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Registry key to gather system information.[108]
SynAck enumerates Registry keys associated with event logs.[109]
Taidoor can query the Registry on compromised hosts using RegQueryValueExA.[110]
TEARDROP checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.[107][111]
A Threat Group-3390 tool can read and decrypt stored Registry values.[112]
TinyTurla can query the Registry for its configuration information.[113]
TRANSLATEXT has queried the following registry key to check for installed Chrome extensions: HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist.[114]
Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[42] Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .[115]
Uroburos can query the Registry, typically HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, to find the key and path to decrypt and load its kernel driver and kernel driver loader.[116]
Ursnif has used Reg to query the Registry for installed programs.[117][118]
Valak can use the Registry for code updates and to collect credentials.[119]
Volgmer checks the system for certain Registry keys.[120]
Volt Typhoon has queried the Registry on compromised systems, reg query hklm\software\, for information on installed software including PuTTY.[121][122]
WastedLocker checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces.[123]
Waterbear can query the Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI" to see if the value OracleOcilib exists.[124]
WINDSHIELD can gather Registry values.[125]
Woody RAT can search registry keys to identify antivirus programs on an compromised host.[126]
Zebrocy executes the reg query command to obtain information in the Registry.[127]
Zeus Panda checks for the existence of a Registry key and if it contains certain values.[128]
ZIRCONIUM has used a tool to query the Registry for proxy settings.[129]
ZxShell can query the netsvc group value data located in the svchost group Registry key.[130]