DET0209 Detection of Registry Query for Environmental Discovery

Item           Value
ID             DET0209
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1012 (Query Registry)

Analytics

Windows

AN0589

Registry read access associated with suspicious or non-interactive processes querying system config, installed software, or security settings.

Log Sources

Data Component                               Name                    Channel
Process Creation (DC0032)                    WinEventLog:Sysmon      EventCode=1
Windows Registry Key Modification (DC0063)   WinEventLog:Sysmon      EventCode=13, 14
Command Execution (DC0064)                   WinEventLog:PowerShell  EventCode=4103, 4104, 4105, 4106
Mutable Elements

Field               Description
TargetRegistryPath  Focus detection on registry hives or keys likely to reveal environment info (e.g., HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion).
ParentProcess       May tune for suspicious parent processes such as cmd.exe, wscript.exe, or mshta.exe.
TimeWindow          Controls how closely registry access must follow process creation for correlation.