[metadata] bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" updated_date = "2024/12/19" [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. """ from = "now-24h" index = ["logs-endpoint.events.process-*"] interval = "12h" language = "kuery" license = "Elastic License v2" name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and ( (process.name.caseless:"reg.exe" and process.args:"query") or (process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and process.args:( ("get-childitem" or "Get-ChildItem" or "gci" or "dir" or "ls" or "get-item" or "Get-Item" or "gi" or "get-itemproperty" or "Get-ItemProperty" or "gp") and ("hkcu" or "HKCU" or "hkey_current_user" or "HKEY_CURRENT_USER" or "hkey_local_machine" or "HKEY_LOCAL_MACHINE" or "hklm" or "HKLM" or registry\:\:*) ) ) ) and not process.command_line : ( "C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64" or "reg query \"HKLM\\Software\\WOW6432Node\\Npcap\" /ve " ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d"