# T1012 Query Registry

-----------------------------------------------------------------------

## Technique Description

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Interaction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### Data Sources:

  * **Process:** OS API Execution

  * **Process:** Process Creation

  * **Windows Registry:** Windows Registry Key Access

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to query the Registry for proxy settings.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has accessed Registry hives ntuser.dat and UserClass.dat.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has queried the registry to detect recent PuTTY sessions.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has queried Registry keys using <code>reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers</code> and <code>reg query \\<host>\HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings</code>.(Citation: NCC Group Chimera January 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obtained specific Registry keys and values on a compromised host.(Citation: Talos Kimsuky Nov 2021)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used various strains of malware to query the Registry.(Citation: FBI FLASH APT39 September 2020)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor can query the Windows Registry to gather system information. (Citation: ESET OceanLotus Mar 2019)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default”</code> on a victim to query the Registry.(Citation: Palo Alto OilRig May 2016)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware attempts to determine the installed version of .NET by querying the Registry.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has queried the Registry to identify victim information.(Citation: US-CERT TA18-074A)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample checks for the presence of the following Registry key:<code>HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt</code>.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)| 
| Threat Group-3390 | A [Threat Group-3390](https://attack.mitre.org/groups/G0027) tool can read and decrypt stored Registry values.(Citation: Nccgroup Emissary Panda May 2018)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover information in the Windows Registry with the <code>reg query</code> command.(Citation: Kaspersky Turla) [Turla](https://attack.mitre.org/groups/G0010) has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes.(Citation: ESET Turla PowerShell May 2019)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1012)

  * [Capec](https://capec.mitre.org/data/definitions/647.html)

  * [Wikipedia Windows Registry](https://en.wikipedia.org/wiki/Windows_Registry), Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 28 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Jacob Crome

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Malicious actors may query the Windows Registry using common LOLBins in order to gather information about the system, such as configuration or installed software.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | 4 | |

#### Turla
- surveys a system upon check-in to discover information in the Windows Registry with the reg query command.
- has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes.

## Detection Blindspots

- Missing logs
- Undocumented LOLBins

## Analytical References

  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Additional events that may be related: `Event_id : 1 and process.name : reg.exe or regedit.exe` (Sysmon process creation), `Event_id : 4657` (Windows audit: a registry value was modified), `Event_id : 12 or 13 or 14` (Sysmon registry object create/delete, value set, and key/value rename).

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather registry information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** The * after "get-childitem" and "gci" is meant to catch the parameter, even though it is implied.

  * **Query:** ```event_id:1 AND command_line:"reg query*"```
  * **Query:** ```event_id:1 AND command_line:"get-childitem*<registry hive>:*"```
  * **Query:** ```event_id:1 AND command_line:"gci*<registry hive>:*"```
  * **Query:** ```event_id:1 AND command_line:"wmic /namespace:\\root\default class stdregprov*"```

#### Analytic 2

  * **Information:** Monitor requests to Registry Keys

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Note that this query will return all registry access events. These events will have to be filtered for users, process names, etc. to identify malicious activities.

  * **Query:** ```event_id:4656 AND object_type:Key```

#### Analytic 3

  * **Information:** Monitor requests to Registry Keys

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Note that this query will return all registry access events. These events will have to be filtered for users, process names, etc. to identify malicious activities. There will be many, so consider (a) locations and (b) frequency.

  * **Query:** ```event_id:4656 AND object_type:Key```

#### Analytic 4

  * **Information:** Malicious actors may query the Windows Registry using common LOLBins in order to gather information about the system, such as configuration or installed software:
    * Collection:
      * Identify the common/present binaries on the network capable of querying registry hives. ([Known/observed LOLBins](https://lolbas-project.github.io/#): a page that keeps a list of tools with a first-observed date, name, common command-line constructions, possibly hash and version, and a cloud of capability tags to make it searchable.)
      * Perform a search to collect process_start events pertaining to the identified tools. This data can be queried from aggregated log data using Kibana (Kibana SOP) or other data aggregation platforms (a list of familiar products linked to their SOPs, such as ArcSight, Splunk, Graylog, and Elasticsearch). It may also be available from host agents (a page of familiar agents, again linked to their SOPs) or from built-in command-line logging.
    * Analysis:
      * Process start events pertaining to registry-viewing tools should not be excessively common on a network. If you find many, look for common automation noise (wiki page on observed instances of noisy automation tools, e.g. Tanium/SCCM, with suggestions about how to eliminate them) and eliminate them cautiously: you do not want to allow the adversary to hide in the exclusions.
      * Legitimate uses of these tools will be performed by admins while they are working. Elimination of legitimate admin activity can be difficult; you can try to work with the MP to identify legitimate admin accounts and align those accounts with work schedules.
      * At this point, remaining instances should be investigated more thoroughly. Consider the following:
        - What is being queried?
        - Why would a legitimate admin query that information?
        - Why would an adversary want to collect the suggested information?
        - Has the subject user account performed both similar AND related tasks?
        - And do those tasks fit with the expected work functions of that user?

  * **Source:**
    * Sysmon EventID: 1
    * Windows Audit: 4688

  * **Tool:** Kibana

  * **Notes:** Possible Blindspots = Missing logs, Undocumented LOLBins

  * **Query:** N/A
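As an added example (not part of this playbook or of any vendor tooling), the Python below turns the four Analytic 1 command-line queries into regexes and walks the Analytic 4 collect/analyse steps over constructed Sysmon Event ID 1 records: matching hits are kept, hits from a named automation account are set aside for review rather than dropped, and hits are counted per user so rare ones stand out. The event field names (`event_id`, `user`, `command_line`), the sample values and the hive drive names are assumptions.

```python
import re
from collections import Counter

# Regexes mirroring the four Analytic 1 queries: reg query, Get-ChildItem/gci on a registry
# drive (hive drive names assumed), and WMI StdRegProv via wmic. Matching is case-insensitive.
HIVE = r"(?:HKLM|HKCU|HKCR|HKU|HKCC):"
PATTERNS = {
    "reg query": re.compile(r"\breg(?:\.exe)?\s+query\b", re.I),
    "get-childitem hive": re.compile(r"\bget-childitem\b.*\b" + HIVE, re.I),
    "gci hive": re.compile(r"\bgci\b.*\b" + HIVE, re.I),
    "wmic stdregprov": re.compile(r"\bwmic\s+/namespace:\\\\root\\default\s+class\s+stdregprov\b", re.I),
}

# Constructed Sysmon Event ID 1 (process creation) records; field names and values are made up.
EVENTS = [
    {"event_id": 1, "user": "CORP\\alice",
     "command_line": 'reg query "HKCU\\Software\\Microsoft\\Terminal Server Client\\Default"'},
    {"event_id": 1, "user": "CORP\\svc-sccm",
     "command_line": "powershell -c Get-ChildItem HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
    {"event_id": 1, "user": "CORP\\bob",
     "command_line": "powershell gci HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},
    {"event_id": 1, "user": "CORP\\bob",
     "command_line": "wmic /namespace:\\\\root\\default class stdregprov call EnumKey"},
    {"event_id": 1, "user": "CORP\\alice", "command_line": "notepad.exe report.txt"},
    {"event_id": 3, "user": "CORP\\alice", "command_line": "reg query HKLM\\SYSTEM"},  # not a process start
]

def match_registry_query(event):
    """Return the name of the first Analytic 1 pattern the process-start command line matches, else None."""
    if event.get("event_id") != 1:
        return None
    cmd = event.get("command_line", "")
    for name, rx in PATTERNS.items():
        if rx.search(cmd):
            return name
    return None

def triage(events, automation_accounts=()):
    """Analytic 4 workflow: keep matching process starts, set aside (rather than silently drop) hits from
    known automation accounts so the exclusion stays reviewable, and count hits per user so rare ones stand out."""
    known = {a.lower() for a in automation_accounts}
    hits, excluded = [], []
    for ev in events:
        name = match_registry_query(ev)
        if name is None:
            continue
        rec = {"user": ev["user"], "pattern": name, "command_line": ev["command_line"]}
        (excluded if ev["user"].lower() in known else hits).append(rec)
    return hits, excluded, Counter(h["user"] for h in hits)
```

Calling `triage(EVENTS, automation_accounts=["CORP\\svc-sccm"])` returns three hits (two for bob, one for alice) plus one set-aside SCCM hit; the event_id 3 record is ignored because the analytic is scoped to process creation.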

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

