Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.[1] Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL can enumerate registry keys.[2][3] |
G0050 | APT32 |
APT32's backdoor can query the Windows Registry to gather system information. [4] |
G0087 | APT39 |
APT39 has used various strains of malware to query the Registry.[5] |
S0438 | Attor |
Attor has opened the registry and performed query searches.[6] |
S0344 | Azorult |
Azorult can check for installed software on the system under the Registry key |
S0414 | BabyShark |
BabyShark has executed the |
S0031 | BACKSPACE |
BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.[9] |
S0239 | Bankshot |
Bankshot searches for certain Registry keys to be configured before executing the payload.[10] |
S0534 | Bazar |
Bazar can query |
S0574 | BendyBear |
BendyBear can query the host's Registry key at |
S0570 | BitPaymer |
BitPaymer can use the RegEnumKeyW to iterate through Registry keys.[14] |
S0252 | Brave Prince |
Brave Prince gathers information about the Registry.[15] |
S0030 | Carbanak |
Carbanak checks the Registry key |
S0484 | Carberp |
Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[17] |
S0335 | Carbon | |
S0348 | Cardinal RAT |
Cardinal RAT contains watchdog functionality that periodically ensures |
G0114 | Chimera |
Chimera has queried Registry keys using |
S0023 | CHOPSTICK |
CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[21] |
S0154 | Cobalt Strike |
Cobalt Strike can query |
S0126 | ComRAT |
ComRAT can check the default browser by querying |
S0115 | Crimson |
Crimson can check the Registry for the presence of |
S0354 | Denis | |
S0021 | Derusbi |
Derusbi is capable of enumerating Registry keys and values.[27] |
S0186 | DownPaper |
DownPaper searches and reads the value of the Windows Update Registry Run key.[28] |
G0074 | Dragonfly 2.0 |
Dragonfly 2.0 queried the Registry to identify victim information.[29] |
S0567 | Dtrack |
Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[30] |
S0091 | Epic |
Epic uses the |
S0512 | FatDuke |
FatDuke can get user agent strings for the default browser from |
S0267 | FELIXROOT |
FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[33][34] |
S0182 | FinFisher |
FinFisher queries Registry values as part of its anti-sandbox checks.[35][36] |
G0117 | Fox Kitten |
Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.[37] |
S0032 | gh0st RAT |
gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[38] |
S0249 | Gold Dragon |
Gold Dragon enumerates registry keys with the command |
S0376 | HOPLIGHT |
A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key |
S0203 | Hydraq |
Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[40][41] |
S0604 | Industroyer |
Industroyer has a data wiper component that enumerates keys in the Registry |
S0260 | InvisiMole |
InvisiMole can enumerate Registry values, keys, and data.[43] |
S0201 | JPIN | |
G0032 | Lazarus Group |
Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: |
S0513 | LiteDuke |
LiteDuke can query the Registry to check for the presence of |
S0532 | Lucifer |
Lucifer can check for existing stratum cryptomining information in |
S0385 | njRAT | |
G0049 | OilRig |
OilRig has used |
G0116 | Operation Wocao |
Operation Wocao has queried the registry to detect recent PuTTY sessions.[51] |
S0165 | OSInfo |
OSInfo queries the registry to look for information about Terminal Services.[52] |
S0517 | Pillowmint |
Pillowmint has used shellcode which reads code stored in the registry keys |
S0013 | PlugX |
PlugX can enumerate and query for information contained within the Windows Registry.[54][55] |
S0145 | POWERSOURCE |
POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.[56] |
S0194 | PowerSploit |
PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[57][58] |
S0184 | POWRUNER |
POWRUNER may query the Registry by running |
S0238 | Proxysvc |
Proxysvc gathers product names from the Registry key: |
S0269 | QUADAGENT |
QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.[61] |
S0241 | RATANKBA |
RATANKBA uses the command |
S0172 | Reaver |
Reaver queries the Registry to determine the correct Startup path to use for persistence.[63] |
S0075 | Reg |
Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[64] |
S0496 | REvil |
REvil can query the Registry to get random file extensions to append to encrypted files.[65] |
S0240 | ROKRAT |
ROKRAT accesses the |
S0140 | Shamoon |
Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[67] |
S0589 | Sibot |
Sibot has queried the registry for proxy server information.[68] |
S0627 | SodaMaster |
SodaMaster has the ability to query the Registry to detect a key specific to VMware.[69] |
G0038 | Stealth Falcon |
Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[70] |
S0380 | StoneDrill |
StoneDrill has looked in the registry to find the default browser path.[71] |
S0603 | Stuxnet |
Stuxnet searches the Registry for indicators of security programs.[72] |
S0559 | SUNBURST |
SUNBURST collected the registry value |
S0242 | SynAck |
SynAck enumerates Registry keys associated with event logs.[74] |
S0011 | Taidoor |
Taidoor can query the Registry on compromised hosts using |
S0560 | TEARDROP |
TEARDROP checked that |
G0027 | Threat Group-3390 |
A Threat Group-3390 tool can read and decrypt stored Registry values.[77] |
G0010 | Turla |
Turla surveys a system upon check-in to discover information in the Windows Registry with the |
S0386 | Ursnif |
Ursnif has used Reg to query the Registry for installed programs.[79][80] |
S0476 | Valak |
Valak can use the Registry for code updates and to collect credentials.[81] |
S0180 | Volgmer | |
S0612 | WastedLocker |
WastedLocker checks for specific registry keys related to the |
S0579 | Waterbear | |
S0155 | WINDSHIELD |
WINDSHIELD can gather Registry values.[85] |
S0251 | Zebrocy |
Zebrocy executes the |
S0330 | Zeus Panda |
Zeus Panda checks for the existence of a Registry key and if it contains certain values.[87] |
G0128 | ZIRCONIUM |
ZIRCONIUM has used a tool to query the Registry for proxy settings.[88] |
S0412 | ZxShell |
ZxShell can query the netsvc group value data located in the svchost group Registry key.[89] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
Process Creation | ||
DS0024 | Windows Registry | Windows Registry Key Access |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.