- Tactics
- Discovery
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1012
Description
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Discovery tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1007 — System Service Discovery
- T1010 — Application Window Discovery
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1033 — System Owner/User Discovery
- T1040 — Network Sniffing
- T1046 — Network Service Discovery
- T1049 — System Network Connections Discovery
- T1057 — Process Discovery
- T1069 — Permission Groups Discovery
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery