diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml
new file mode 100644
index 00000000..cb6c5519
--- /dev/null
+++ b/atomics/T1012/T1012.yaml
@@ -0,0 +1,49 @@
+---
+attack_technique: T1012
+display_name: Query Registry
+
+atomic_tests:
+- name: Query Registry
+  description: |
+    Query Windows Registry
+    References:
+
+    https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
+
+    https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
+
+    References:
+
+    http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
+
+    https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+      reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+      reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+      reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+      reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+      reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+      reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+      reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+      reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+      reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+      reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+      reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
+      reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+      reg save HKLM\Security security.hive
+      reg save HKLM\System system.hive
+      reg save HKLM\SAM sam.hive
+