System Information Discovery via Registry Queries

Original Source: [Sigma source]
Title: System Information Discovery via Registry Queries
Status: experimental
Description: Detects attempts to query system information directly from the Windows Registry.
References:
  - https://cert.gov.ua/article/6277849
  - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
  - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
Author: lazarg
Date: 2025-06-12
Modified: None
Tags:
  - attack.discovery
  - attack.t1082
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection_cmd_reg:
    Image|endswith: '\reg.exe'
    CommandLine|contains: 'query'
    CommandLine|contains|windash: '-v'
  selection_cmd_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Get-ItemPropertyValue'
      - 'gpv'
  selection_keys:
    CommandLine|contains:
      - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
      - '\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
      - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
      - '\SOFTWARE\Microsoft\Windows Defender'
      - '\SYSTEM\CurrentControlSet\Services'
      - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
  condition: 1 of selection_cmd_* and selection_keys
Falsepositives:
  - Unlikely
Level: low
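The following is an added example and is not part of the Sigma rule, its references, or any Sigma tooling: a small Python re-implementation of the rule's three selections and its condition, run over constructed process_creation events (no real telemetry; field names follow the Sysmon/Sigma convention of Image and CommandLine). It shows which command lines fire, including the windash case where reg.exe is invoked with an en dash instead of a slash, and which near-misses do not.

```python
# Added example, not the rule's own code. Re-implements the rule's matching
# logic so the selections can be exercised against constructed events.

# Sigma's windash modifier: each '-' in the value may also be '/', en dash,
# em dash or horizontal bar, all of which Windows command-line parsers accept.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

# The selection_keys list from the rule, verbatim.
REGISTRY_KEYS = (
    r"\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",
    r"\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"\SOFTWARE\Microsoft\Windows Defender",
    r"\SYSTEM\CurrentControlSet\Services",
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks",
)


def contains(field: str, value: str) -> bool:
    """Sigma 'contains': case-insensitive substring test."""
    return value.lower() in field.lower()


def endswith(field: str, value: str) -> bool:
    """Sigma 'endswith': case-insensitive suffix test."""
    return field.lower().endswith(value.lower())


def contains_windash(field: str, value: str) -> bool:
    """Sigma 'contains|windash': try every dash variant of the value."""
    return any(contains(field, value.replace("-", d)) for d in WINDASH_VARIANTS)


def selection_cmd_reg(event: dict) -> bool:
    return (
        endswith(event["Image"], r"\reg.exe")
        and contains(event["CommandLine"], "query")
        and contains_windash(event["CommandLine"], "-v")
    )


def selection_cmd_powershell(event: dict) -> bool:
    image_ok = any(endswith(event["Image"], i) for i in (r"\powershell.exe", r"\pwsh.exe"))
    cmd_ok = any(contains(event["CommandLine"], s) for s in ("Get-ItemPropertyValue", "gpv"))
    return image_ok and cmd_ok


def selection_keys(event: dict) -> bool:
    return any(contains(event["CommandLine"], k) for k in REGISTRY_KEYS)


def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_cmd_* and selection_keys"""
    return (selection_cmd_reg(event) or selection_cmd_powershell(event)) and selection_keys(event)


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    # en dash instead of '/' before 'v': only caught because of the windash modifier
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation \u2013v TimeZoneKeyName"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name DisableAntiSpyware"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh -c gpv HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces -Name DhcpDomain"},
    # no /v switch: selection_cmd_reg does not fire
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    # right key, wrong image: neither selection_cmd_* fires
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo \SYSTEM\CurrentControlSet\Services"},
    # reg query with /v against a key the rule does not list
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKCU\Software\Classes /v foo"},
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """One match result per event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("MATCH   " if hit else "no match", event["CommandLine"])
```

Two properties of the rule are visible in the run: because the selections use substring matching on the whole command line, the PowerShell provider prefix (HKLM:) does not interfere with the key list, and the windash expansion of '-v' also fires on '/ve' and '/va' and on any en dash or em dash variant, which is the intended breadth for a low-level discovery rule.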