DC0050 Windows Registry Key Access

| Item | Value |
|---|---|
| ID | DC0050 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| Autoruns:RegistryScan | Enumerate Winlogon subkeys for unknown or unsigned binaries |
| EDR:hunting | Behavioral rule for registry enumeration under credential-related paths |
| WinEventLog:Security | EventCode=4663, 4670, 4656 |
| WinEventLog:Security | EventCode=4657 |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0224 | Detect Abuse of Component Object Model (T1559.001) | T1559.001 |
| DET0504 | Detect Abuse of Dynamic Data Exchange (T1559.002) | T1559.002 |
| DET0250 | Detect Credential Discovery via Windows Registry Enumeration | T1552.002 |
| DET0404 | Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows | T1547.004 |
| DET0240 | Detection Strategy for Steal or Forge Authentication Certificates | T1649 |
| DET0565 | Detection Strategy for System Language Discovery | T1614.001 |