Technique ID: T1012
Category: MITRE ATT&CK
Tactics: Discovery
Published: March 2026

T1012: Query Registry

The Windows Registry is the nervous system of every Windows machine — a hierarchical database that stores everything from the operating system version and hardware configuration to installed software, user preferences, security policies, network settings, and cached credentials. A single reg query command can reveal whether antivirus is installed, what VPN clients are configured, which remote access tools are available, and whether the system belongs to a domain. Adversaries treat the Registry as a comprehensive intelligence source: it tells them what the system is, what it does, and how it is defended. Because registry queries are indistinguishable from the thousands of legitimate reads that occur every second on a running Windows system, T1012 is one of the stealthiest discovery techniques in the MITRE ATT&CK framework.

Windows-specific but universally deployed — 100+ documented procedures

T1012 is exclusive to the Windows platform, but its adoption is near-universal among threat actors that operate in Windows environments. Over 100 malware families and threat groups have been documented querying the Registry for reconnaissance purposes, including state-sponsored espionage operations (APT28, APT29, APT32, APT41, Lazarus Group), ransomware families (REvil, SynAck, WastedLocker), infostealers (Redline, Raccoon, Azorult), and red team frameworks (Cobalt Strike, Empire, PowerSploit). The technique has no sub-techniques — the variations in implementation are procedural rather than structural — and cannot be mitigated with preventive controls because it relies entirely on the abuse of legitimate system features.

T1012 falls under the Discovery tactic (TA0007). Like other discovery techniques, registry queries are observational — the adversary reads the registry without modifying it (registry modification falls under T1112, Modify Registry). This distinction matters for detection: T1012 generates read events, not write events, and read operations are orders of magnitude more common on a running Windows system. Every application startup, every Group Policy refresh, every service initialization generates registry reads. This background noise makes isolating malicious queries extremely difficult without strong contextual analysis.

The intelligence value of the Registry is exceptional. Within its five root keys (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_CLASSES_ROOT, HKEY_USERS, and HKEY_CURRENT_CONFIG), the Registry contains the OS version and build number, installed hotfixes, hardware details, default browser, configured proxy settings, startup programs, installed services, security software configuration, RDP settings, VPN credentials, cached domain information, and application license keys. For an adversary, this is a one-stop shop for system profiling.

How Registry Querying Works

Adversaries access the Registry through several distinct mechanisms, each with different detection implications.

Command-Line Tools

reg.exe. The built-in reg utility is the most commonly observed tool for T1012. The reg query command reads values from specified registry keys. Adversaries use it to enumerate installed software (reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall), check security settings (reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"), discover RDP configuration (reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"), and identify startup programs (reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). The Turla group's Epic malware uses rem reg query to obtain values from registry keys as part of its automated discovery routine. Volt Typhoon has been observed running reg query hklm\software\ as part of its living-off-the-land reconnaissance against US critical infrastructure.

PowerShell. PowerShell provides registry access through drive notation (HKLM:\, HKCU:\) and cmdlets like Get-ItemProperty, Get-Item, and Get-ChildItem. Unlike reg.exe, PowerShell cmdlets do not spawn a new process, which means they avoid generating Sysmon Event ID 1 process creation events. This makes PowerShell-based registry queries harder to detect through process monitoring alone, though Script Block Logging (Event ID 4104) captures them in full. PowerSploit, the PowerShell post-exploitation framework, includes dedicated modules for registry enumeration.

WMIC. The WMI StdRegProv class provides programmatic registry access through WMIC or PowerShell WMI cmdlets. Commands like wmic /namespace:\\root\default class StdRegProv can read registry values remotely, making WMI-based registry queries particularly dangerous for lateral discovery. Detection rules from Sigma and other frameworks specifically flag WMI-based registry manipulation as potentially suspicious because it uses an alternative access method that many security tools do not monitor as closely as direct reg.exe calls.

Native API Access

Sophisticated malware queries the Registry directly through Windows API functions: RegOpenKeyEx, RegQueryValueEx, RegEnumKeyEx, and RegEnumValue. These calls happen entirely within the malware's own process space, generating no child process events and leaving minimal forensic artifacts beyond Sysmon Event ID 13 (Registry value set — though this only fires on writes, not reads) and Event ID 12/14 (Registry key/value create/delete). For read-only queries, the primary detection surface is EDR telemetry that monitors API calls.

The SVCReady malware searches HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System for detailed hardware information, using the data for environment fingerprinting and sandbox detection. The TEARDROP malware, deployed as part of the SolarWinds compromise, checks for the existence of the registry key HKU\SOFTWARE\Microsoft\CTF before proceeding to decode its embedded payload — using a registry check as an execution gate to avoid detonating in analysis environments.

Remote Registry Access

When the Remote Registry service is enabled (it is disabled by default on modern Windows but commonly enabled in enterprise environments for management purposes), adversaries can query the Registry of remote machines using reg query \\target\HKLM\... or through WMI's StdRegProv class. This enables lateral discovery without deploying tools to the target system — the adversary can profile remote machines entirely from their current foothold. Threat Group-3390 (Emissary Panda) has been documented using tools that can read and decrypt stored registry values on remote systems.

What Adversaries Look For in the Registry

Registry queries are rarely random. Adversaries target specific keys and values that provide high-intelligence-value data.

Installed software and security products. The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall key lists all installed programs. Adversaries scan this to identify security tools (antivirus, EDR, HIPS), remote access software (VNC, RDP clients, TeamViewer), and business applications (databases, email clients, financial software). The Amadey botnet searches the registry for antivirus folder paths to determine which security products are installed.

System configuration. Keys under HKLM\SYSTEM\CurrentControlSet contain hardware profiles, service configurations, network adapter settings, and disk enumeration data. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion provides the exact OS version, build number, registered owner, and installation date. The Hydraq malware (associated with Operation Aurora) queries the registry for CPU speed and other hardware details to profile the compromised system.

Network and proxy settings. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings contains proxy configuration that adversaries need to route their C2 traffic through corporate proxies. APT31 (ZIRCONIUM) has specifically used tools to query proxy settings from the Registry to configure outbound communications for its malware implants.

Remote access configuration. Lazarus Group malware (IndiaIndia) checks registry keys within both HKCU and HKLM to determine if remote access applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, and pcAnywhere. This reveals which lateral movement vectors are available from the compromised system.

Credential stores and cached data. The Registry stores cached domain credentials (HKLM\SECURITY\Cache), LSA secrets (HKLM\SECURITY\Policy\Secrets), and default password information (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). While extracting these values typically requires SYSTEM privileges and falls under credential access techniques, querying for their existence is a T1012 discovery action that informs the adversary whether credential dumping is viable.

Security policy and privilege escalation vectors. The AlwaysInstallElevated registry key (HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer) indicates whether MSI packages can be installed with SYSTEM privileges — a well-known privilege escalation vector. Querying UAC configuration (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) reveals whether User Account Control can be bypassed. These queries are T1012 in service of T1548 (Abuse Elevation Control Mechanism).

Virtualization and sandbox detection. Registry keys like HKLM\SOFTWARE\VMware, Inc.\VMware Tools, HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions, and hardware description keys that contain VMware or QEMU identifiers help malware determine whether it is running in a virtual machine. The SVCReady malware and TEARDROP both use registry-based environment checks as anti-analysis mechanisms.

Real-World Case Studies

SUNBURST and TEARDROP — Registry Queries in the SolarWinds Supply Chain Attack

The SolarWinds compromise employed T1012 at multiple stages. The SUNBURST backdoor, once activated within the Orion software, queried the Registry to gather system configuration data that it used to fingerprint the target environment and determine whether to proceed with second-stage payloads. The TEARDROP malware, a second-stage payload deployed selectively to high-value targets, used the Registry as an execution gate: it checked for the existence of the key HKU\SOFTWARE\Microsoft\CTF before decoding its embedded Cobalt Strike beacon. If the key did not exist — as it might not in a sandbox or analysis environment — TEARDROP would not execute its payload. This demonstrates T1012 used both for reconnaissance and as an anti-analysis mechanism within the same attack chain.

Lazarus Group — Registry-Based Remote Access Tool Discovery

The Lazarus Group's IndiaIndia malware performs extensive registry enumeration to build a map of remote access capabilities on each compromised host. The malware queries registry keys associated with SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, and pcAnywhere. For each tool found, Lazarus knows whether it can use that tool for lateral movement, whether saved credentials exist, and what network connections are configured. This registry-based discovery is significantly stealthier than scanning the filesystem for installed executables because it generates read-only registry access events rather than file access events.

Volt Typhoon — Registry Enumeration as Living Off the Land

Volt Typhoon, the Chinese state-sponsored group targeting US critical infrastructure, includes reg query hklm\software\ in its standard post-compromise reconnaissance toolkit. This broad query enumerates all software registered under the HKLM Software hive, revealing installed applications, security products, and system configuration. Combined with systeminfo, tasklist /v, and wmic queries, Volt Typhoon's registry enumeration forms part of a comprehensive system profiling operation that uses exclusively native Windows tools. The group's emphasis on living-off-the-land techniques makes registry queries a natural fit — reg.exe is present on every Windows system and its execution blends seamlessly with normal administrative activity.

Redline Stealer — Registry Queries for Credential and Configuration Theft

Redline Stealer, one of the most prevalent infostealers in the threat landscape, uses extensive registry queries to locate browser credential stores, cryptocurrency wallet paths, and installed application configurations. A 2024 analysis by Trend Micro documented Redline's novel approach to registry enumeration, showing how the malware systematically queries keys associated with Chromium-based browsers, Mozilla Firefox, cryptocurrency wallets, and VPN clients to locate stored credentials and configuration data. Redline's registry queries feed directly into its data collection module, which harvests the identified credential stores for exfiltration. The stealer's reliance on registry queries rather than filesystem scanning makes its discovery phase faster and quieter.

Cobalt Strike — Registry Queries as Standard Post-Exploitation Tradecraft

Cobalt Strike includes built-in capabilities for querying the Windows Registry through its Beacon implant. Operators use registry queries to check for security software, enumerate startup programs, discover installed applications, and read proxy configurations. Cobalt Strike's registry access can operate through either reg.exe spawning or direct API calls, depending on the operator's preference and the target environment's monitoring capabilities. Because Cobalt Strike is used in both legitimate red team operations and criminal campaigns, its registry enumeration patterns appear across a wide range of documented incidents.

Detection Strategies

Detecting T1012 is among the hardest challenges in discovery technique detection because registry reads are the single most common operation on a running Windows system. Every application startup, every Group Policy update, every service check generates registry reads. Effective detection requires focusing on the specific keys being queried, the process performing the query, and the broader behavioral context.

Extreme noise environment

The Windows Registry receives millions of read operations per hour on an active system. Alerting on all registry queries is not feasible. Detection strategies must focus on specific high-value keys, anomalous querying processes, and correlation with other discovery techniques. Sysmon's registry monitoring (Event IDs 12, 13, 14) only captures create, set, and delete operations by default — not reads. Detecting T1012 at the command-line level (monitoring reg.exe execution) is more practical but misses API-level queries.

Key Monitoring Points

  • Data source: Sysmon Event ID 1 (Process Creation)
    What to monitor: reg.exe query execution
    Detection logic: Flag reg query targeting security-sensitive keys: Uninstall, Run/RunOnce, Terminal Server, Windows Defender policies, Internet Settings, and CurrentVersion. Prioritize queries from non-administrative users or unexpected parent processes.
  • Data source: PowerShell Script Block Logging (Event ID 4104)
    What to monitor: Get-ItemProperty / Get-Item on HKLM/HKCU
    Detection logic: Flag PowerShell scripts that enumerate broad registry subtrees or query keys associated with security products, credentials, or system configuration.
  • Data source: Sysmon Event ID 1
    What to monitor: wmic with StdRegProv
    Detection logic: Flag WMI-based registry queries, especially remote queries targeting other machines. WMI registry access is an alternative method that bypasses direct reg.exe monitoring.
  • Data source: Windows Security Event ID 4663
    What to monitor: Registry object access (if auditing enabled)
    Detection logic: Enable auditing on high-value registry keys (Uninstall, Run, Defender policies, LSA) and alert on access from unexpected processes. This catches API-level queries that bypass command-line monitoring.
  • Data source: EDR / API monitoring
    What to monitor: RegOpenKeyEx / RegQueryValueEx calls
    Detection logic: Flag API-level registry reads from unsigned binaries, processes in temp directories, or recently created executables targeting security-sensitive keys.
  • Data source: Network traffic
    What to monitor: Remote Registry access (TCP 445)
    Detection logic: Monitor for SMB-based remote registry queries, especially from non-administrative workstations. Remote registry enumeration indicates lateral discovery.

Splunk Detection Queries

Query 1: Registry Queries Targeting Security and Configuration Keys

Detects reg.exe queries targeting high-value registry keys commonly enumerated by adversaries for security tool identification, privilege escalation checks, and system profiling.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
process_name=reg.exe CommandLine="*query*"
(CommandLine="*Uninstall*" OR CommandLine="*CurrentVersion\\Run*"
  OR CommandLine="*Terminal Server*" OR CommandLine="*Windows Defender*"
  OR CommandLine="*Internet Settings*" OR CommandLine="*AlwaysInstallElevated*"
  OR CommandLine="*Winlogon*" OR CommandLine="*SecurityHealth*"
  OR CommandLine="*VNC*" OR CommandLine="*TeamViewer*"
  OR CommandLine="*SYSTEM\\CurrentControlSet\\Services\\Disk*")
| table _time host user CommandLine parent_process_name parent_process_path
| sort -_time

Query 2: Broad Registry Enumeration via reg.exe

Detects adversaries performing broad registry sweeps — querying entire hive subtrees rather than specific values — which indicates systematic reconnaissance rather than targeted lookups.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
process_name=reg.exe CommandLine="*query*"
(CommandLine="*hklm\\software\\*" OR CommandLine="*hkcu\\software\\*"
  OR CommandLine="*/s *" OR CommandLine="*HKLM\\SYSTEM\\*")
NOT (parent_process_name IN ("svchost.exe","mmc.exe","explorer.exe","services.exe"))
| table _time host user CommandLine parent_process_name
| sort -_time

Query 3: WMI-Based Registry Access

Detects registry queries performed through WMI's StdRegProv class, an alternative access method that bypasses direct reg.exe monitoring and is flagged by Sigma detection rules as potentially suspicious.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name=wmic.exe AND CommandLine="*StdRegProv*")
OR (process_name=powershell.exe AND
  (CommandLine="*StdRegProv*" OR CommandLine="*Invoke-WmiMethod*registry*"))
| table _time host user process_name CommandLine parent_process_name
| sort -_time

Query 4: Registry Queries Combined with Other Discovery Commands

Detects the pattern of registry enumeration occurring alongside other discovery techniques within a short time window, which strongly suggests adversarial reconnaissance.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name IN (reg.exe, systeminfo.exe, tasklist.exe, ipconfig.exe,
  net.exe, whoami.exe, hostname.exe, netstat.exe, wmic.exe))
| bin _time span=120s
| stats count dc(process_name) as unique_commands values(process_name) as commands by _time host user
| where unique_commands >= 4 AND match(commands,"reg\.exe")
| sort -_time
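The four Splunk queries above, re-expressed in Python as an added example (not part of the original briefing) and run over constructed Sysmon Event ID 1 records, so the matching logic can be exercised offline. The host names, users, timestamps and command lines are constructed; the substring patterns, the parent-process allow-list and the 120-second / four-command thresholds are the ones the queries use. One extra event is included that the queries deliberately cannot see, a PowerShell cmdlet read, to show the gap that Script Block Logging closes:

```python
"""Added example, not part of the original briefing: the four Splunk detections above
re-expressed in Python and run over constructed Sysmon Event ID 1 records.
Every host name, user name, timestamp and command line below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Query 1: substrings that mark a security- or configuration-sensitive key.
SENSITIVE_KEY_PATTERNS = [
    "uninstall", "currentversion\\run", "terminal server", "windows defender",
    "internet settings", "alwaysinstallelevated", "winlogon", "securityhealth",
    "vnc", "teamviewer", "system\\currentcontrolset\\services\\disk",
]
# Query 2: whole-subtree sweeps, and the parents that legitimately produce them.
BROAD_SWEEP_PATTERNS = ["hklm\\software\\", "hkcu\\software\\", "/s ", "hklm\\system\\"]
BENIGN_SWEEP_PARENTS = {"svchost.exe", "mmc.exe", "explorer.exe", "services.exe"}
# Query 4: discovery binaries whose clustering with reg.exe is the signal.
DISCOVERY_PROCESSES = {"reg.exe", "systeminfo.exe", "tasklist.exe", "ipconfig.exe",
                       "net.exe", "whoami.exe", "hostname.exe", "netstat.exe", "wmic.exe"}
WINDOW_SECONDS = 120
MIN_UNIQUE_COMMANDS = 4
EPOCH = datetime(1970, 1, 1)


def is_reg_query(event):
    return event["process_name"].lower() == "reg.exe" and "query" in event["command_line"].lower()


def sensitive_key_query(event):
    """Query 1: a reg.exe query whose command line names a high-value key."""
    cmd = event["command_line"].lower()
    return is_reg_query(event) and any(p in cmd for p in SENSITIVE_KEY_PATTERNS)


def broad_sweep(event):
    """Query 2: a reg.exe sweep of a hive subtree from a parent outside the allow-list."""
    if not is_reg_query(event) or event["parent_process_name"].lower() in BENIGN_SWEEP_PARENTS:
        return False
    cmd = event["command_line"].lower()
    return any(p in cmd for p in BROAD_SWEEP_PATTERNS)


def wmi_registry_access(event):
    """Query 3: StdRegProv via wmic.exe, or StdRegProv / Invoke-WmiMethod...registry via PowerShell."""
    proc, cmd = event["process_name"].lower(), event["command_line"].lower()
    if proc == "wmic.exe":
        return "stdregprov" in cmd
    if proc == "powershell.exe":
        return "stdregprov" in cmd or re.search(r"invoke-wmimethod.*registry", cmd) is not None
    return False


def correlated_discovery(events):
    """Query 4: per (host, user) 120-second bucket, at least four distinct discovery
    commands including reg.exe. Returns (host, user, bucket_start, commands) tuples."""
    buckets = defaultdict(set)
    for e in events:
        proc = e["process_name"].lower()
        if proc in DISCOVERY_PROCESSES:
            secs = int((e["time"] - EPOCH).total_seconds())
            bucket = secs - secs % WINDOW_SECONDS  # same floor as `bin _time span=120s`
            buckets[(e["host"], e["user"], bucket)].add(proc)
    return [(host, user, EPOCH + timedelta(seconds=start), sorted(cmds))
            for (host, user, start), cmds in sorted(buckets.items())
            if len(cmds) >= MIN_UNIQUE_COMMANDS and "reg.exe" in cmds]


def run_detections(events):
    return {"sensitive_key": [e for e in events if sensitive_key_query(e)],
            "broad_sweep": [e for e in events if broad_sweep(e)],
            "wmi_registry": [e for e in events if wmi_registry_access(e)],
            "correlated_discovery": correlated_discovery(events)}


def _ev(t, host, user, proc, cmd, parent):
    return {"time": t, "host": host, "user": user, "process_name": proc,
            "command_line": cmd, "parent_process_name": parent}


T0 = datetime(2026, 3, 2, 9, 30, 0)
SAMPLE_EVENTS = [
    # Benign: a management console reading the OS version (allow-listed parent, no sensitive key).
    _ev(T0 - timedelta(minutes=30), "WS01", "CORP\\alice", "reg.exe",
        r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName', "mmc.exe"),
    # Burst from a cmd.exe shell on WS07: five distinct discovery commands inside one bucket.
    _ev(T0 + timedelta(seconds=5), "WS07", "CORP\\bob", "reg.exe",
        r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections', "cmd.exe"),
    _ev(T0 + timedelta(seconds=10), "WS07", "CORP\\bob", "systeminfo.exe", "systeminfo", "cmd.exe"),
    _ev(T0 + timedelta(seconds=20), "WS07", "CORP\\bob", "whoami.exe", "whoami /all", "cmd.exe"),
    _ev(T0 + timedelta(seconds=40), "WS07", "CORP\\bob", "tasklist.exe", "tasklist /v", "cmd.exe"),
    _ev(T0 + timedelta(seconds=55), "WS07", "CORP\\bob", "wmic.exe",
        r"wmic /namespace:\\root\default class StdRegProv", "cmd.exe"),
    # A PowerShell cmdlet read spawns no reg.exe, so none of these process-based rules see it;
    # that gap is what Script Block Logging (Event ID 4104) is for.
    _ev(T0 + timedelta(hours=2), "WS03", "CORP\\carol", "powershell.exe",
        r'powershell -c "Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"', "explorer.exe"),
]
```

Calling run_detections(SAMPLE_EVENTS) yields one hit for each of the four detections, all on WS07. The mmc.exe read on WS01 touches the HKLM\SOFTWARE subtree but is dropped by the Query 2 parent allow-list, and the Terminal Server query fires both Query 1 (sensitive key) and Query 2 (HKLM\SYSTEM subtree, non-allow-listed parent), which is the same double match the Splunk versions produce.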

Known Threat Actors and Malware

State-Sponsored Espionage

Actor / malware (attribution): T1012 usage
  • APT29 / SUNBURST / TEARDROP (Russia, SVR): SUNBURST queries the Registry for system profiling; TEARDROP checks HKU\SOFTWARE\Microsoft\CTF as an execution gate
  • APT29 / Sibot (Russia, SVR): Queries the Registry for proxy server information to configure C2 communications
  • APT28 / Turla / Epic (Russia): Uses rem reg query to obtain values from registry keys during automated discovery
  • Lazarus Group / IndiaIndia (North Korea): Checks HKCU and HKLM for remote access tools including VNC variants, RDP, TeamViewer, Radmin, and pcAnywhere
  • APT32 (OceanLotus) (Vietnam): Backdoor queries the Windows Registry to gather system information
  • APT31 (ZIRCONIUM) (China): Tools specifically query proxy settings from the Registry to configure outbound C2 traffic
  • APT41 / DUSTTRAP (China): DUSTTRAP enumerates Registry items as part of comprehensive system discovery
  • Dragonfly (Energetic Bear) (Russia): Queried the Registry to identify victim information in energy sector targeting
  • Gamaredon / Shuckworm (Russia, FSB): Registry queries for system configuration on Ukrainian government targets (2025 campaigns)

Ransomware and Financially Motivated Groups

Actor / malware: T1012 usage
  • REvil / Sodinokibi: Registry queries for system configuration and keyboard layout (to avoid CIS countries)
  • SynAck: Uses the Doppelganging technique with registry queries for environment profiling
  • WastedLocker: Registry enumeration for system configuration as part of pre-encryption reconnaissance
  • Cobalt Strike: Built-in registry query capabilities for security product identification and system profiling
  • FIN7 / CARBANAK: Registry queries for installed software, security products, and application configuration

Infostealers and Commodity Malware

Actor / malware: T1012 usage
  • Redline Stealer: Registry queries to locate browser credential stores, crypto wallets, and VPN configurations (2024 novel approach documented)
  • Raccoon Stealer v2: Registry enumeration for installed browser and application credential paths
  • Azorult: Queries registry for system configuration and installed software profiles
  • Bumblebee: Registry queries for environment fingerprinting and sandbox detection
  • Ursnif / Gozi: Queries registry for proxy settings, installed browsers, and system configuration
  • SVCReady: Searches HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System for detailed hardware information

Defensive Recommendations

1. Enable command-line process creation logging

Deploy Sysmon with full command-line argument logging for all process creation events. This captures every reg.exe query command with its full arguments, revealing exactly which registry keys the adversary is targeting. Without command-line logging, you can see that reg.exe ran but not what it queried — which means you cannot distinguish a legitimate administrative check from adversarial reconnaissance.

2. Enable PowerShell Script Block Logging

PowerShell registry queries via Get-ItemProperty, Get-Item, and drive notation (HKLM:\) do not spawn a reg.exe process, making them invisible to process-based monitoring. Script Block Logging (Event ID 4104) captures these queries in full. This is critical because PowerSploit and other post-exploitation frameworks prefer PowerShell-based registry access specifically because it evades process creation detection.

3. Audit access to high-value registry keys

Use Windows Security Auditing to set SACLs (System Access Control Lists) on registry keys that adversaries commonly target: the Uninstall key, Run/RunOnce startup keys, Windows Defender policy keys, Terminal Server configuration, LSA settings, and Internet Settings. This generates Windows Security Event ID 4663 when these keys are accessed, catching API-level queries that bypass command-line monitoring. Focus on read access from non-system processes to manage log volume.

4. Disable the Remote Registry service

Unless specifically required for management purposes, disable the Remote Registry service on all workstations and servers. This prevents adversaries from querying the Registry of remote machines using reg query \\target\... or WMI StdRegProv, eliminating a significant lateral discovery vector. If Remote Registry is required for specific management tools, restrict access to designated management accounts and monitor for unauthorized usage.

5. Deploy registry canary keys

Create decoy registry keys in locations that adversaries commonly enumerate — fake entries under the Uninstall key that appear to be security products, bogus VPN configurations, or fabricated remote access tool entries. Any read access to these keys is a strong indicator of adversarial registry enumeration because no legitimate software would query keys that do not correspond to real installations. Registry canary keys provide the same high-fidelity, low-false-positive alerting as filesystem canary files but in the registry domain.

6. Monitor for WMI-based registry access

WMI's StdRegProv class provides an alternative registry access path that many organizations do not monitor. Build detection rules that flag wmic commands referencing StdRegProv or PowerShell scripts using Invoke-WmiMethod with registry targets. This is particularly important because WMI can access the Registry on remote machines without enabling the Remote Registry service, providing an additional lateral discovery vector.

7. Correlate registry queries with other discovery techniques

Registry queries rarely occur in isolation during an attack. When reg query commands are observed alongside systeminfo, tasklist, ipconfig, whoami, and net commands from the same user or host within a short time window, it strongly indicates adversarial reconnaissance. Build correlation rules that fire on this multi-technique discovery pattern — the combination is far more reliable than alerting on registry queries alone.

8. Restrict registry permissions on sensitive keys

While the Registry must remain broadly readable for normal system operation, specific high-sensitivity keys can have their ACLs tightened to restrict read access to administrative accounts. Keys under HKLM\SECURITY (which contain cached credentials and LSA secrets) already require SYSTEM access, but other sensitive keys like Defender policies, startup locations, and service configurations can be further restricted where operational requirements allow.
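Recommendations 3 and 5 both depend on the Windows Security Event ID 4663 records that a SACL on a registry key produces. As an added example (not code from the original briefing), the Python below triages constructed 4663 records: it normalizes the ObjectName form to HKLM/HKCU paths, decodes the read bits of the access mask so that writes are left to T1112 logic, treats any read of a decoy key as a high-severity hit regardless of the reading process, and flags reads of the high-value keys only when the process is outside an assumed allow-list of system binaries. The canary key names, process paths, the SID and the events themselves are all constructed.

```python
"""Added example, not part of the original briefing: triage of constructed Windows
Security Event ID 4663 records, the events a SACL on a registry key produces
(recommendation 3), including reads of decoy canary keys (recommendation 5).
The canary key names, process paths, SID and events are all constructed."""
import re

# Registry access-mask bits from winreg.h; only the read rights matter for T1012.
KEY_QUERY_VALUE = 0x0001         # RegQueryValueEx
KEY_SET_VALUE = 0x0002           # a write: T1112 (Modify Registry), not T1012
KEY_ENUMERATE_SUB_KEYS = 0x0008  # RegEnumKeyEx
READ_MASK = KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS

# Constructed decoy keys: no legitimate software has a reason to open these.
CANARY_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleEndpointShield",
    r"HKLM\SOFTWARE\ExampleCorp VPN Client",
}
# Keys from recommendation 3 that carry a SACL; system processes read them constantly.
HIGH_VALUE_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
}
# Assumed allow-list: full paths of processes whose reads of high-value keys are expected.
SYSTEM_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}


def normalize_object_name(name):
    r"""Map the 4663 ObjectName form (\REGISTRY\MACHINE\... and \REGISTRY\USER\<SID>\...)
    to the HKLM / HKCU notation used in the briefing. The <SID>_Classes hive is not handled."""
    name = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", r"HKCU\\", name, flags=re.IGNORECASE)
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", name, flags=re.IGNORECASE)


def is_read(access_mask):
    """AccessMask in 4663 is a hex string such as 0x1; true if any read right is present."""
    return bool(int(access_mask, 16) & READ_MASK)


def key_matches(key, key_set):
    """True if key is one of key_set or lies beneath one of them."""
    k = key.lower()
    return any(k == c.lower() or k.startswith(c.lower() + "\\") for c in key_set)


def classify(event):
    """Return 'canary', 'high_value' or None for one 4663 record."""
    if not is_read(event["access_mask"]):
        return None                     # writes belong to T1112 detections
    key = normalize_object_name(event["object_name"])
    if key_matches(key, CANARY_KEYS):   # checked first: canaries sit beneath high-value keys
        return "canary"
    if key_matches(key, HIGH_VALUE_KEYS) and event["process_name"].lower() not in SYSTEM_PROCESSES:
        return "high_value"
    return None


def triage(events):
    """Canary reads are high-fidelity on their own; high-value reads need process context."""
    alerts = []
    for e in events:
        kind = classify(e)
        if kind:
            alerts.append({"kind": kind, "severity": "high" if kind == "canary" else "medium",
                           "key": normalize_object_name(e["object_name"]),
                           "process": e["process_name"], "user": e["subject_user"]})
    return alerts


def _ev(obj, proc, user, mask):
    return {"object_name": obj, "process_name": proc, "subject_user": user, "access_mask": mask}


UNINSTALL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SAMPLE_4663_EVENTS = [
    # Expected: a service host enumerating installed programs.
    _ev(UNINSTALL, r"C:\Windows\System32\svchost.exe", "SYSTEM", "0x8"),
    # Suspicious: an executable in a temp directory enumerating installed programs.
    _ev(UNINSTALL, r"C:\Users\bob\AppData\Local\Temp\update.exe", r"CORP\bob", "0x8"),
    # Canary hit: reg.exe opening the decoy "security product" entry.
    _ev(UNINSTALL + r"\ExampleEndpointShield", r"C:\Windows\System32\reg.exe", r"CORP\bob", "0x1"),
    # A write to the Run key: out of scope here (T1112), so it is ignored.
    _ev(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"C:\Windows\System32\reg.exe", r"CORP\bob", "0x2"),
    # Proxy settings read from a user hive (placeholder SID) by the same temp-directory binary.
    _ev(r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
        r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
        r"C:\Users\bob\AppData\Local\Temp\update.exe", r"CORP\bob", "0x1"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_4663_EVENTS):
        print(f"[{a['severity']}] {a['kind']}: {a['process']} ({a['user']}) read {a['key']}")
```

Running the file reports three alerts: two medium-severity high-value reads by the temp-directory binary (one from HKLM, one from the user hive) and one high-severity canary read by reg.exe. The svchost.exe enumeration is silently accepted by the allow-list and the Run-key write is skipped by the access-mask check, which is the log-volume control recommendation 3 asks for.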

MITRE ATT&CK Mapping

Technique ID: T1012
Technique Name: Query Registry
Tactics: Discovery (TA0007)
Platforms: Windows
Sub-Techniques: None (no sub-techniques defined)
Data Sources: Process (Creation), Command (Execution), Windows Registry (Key Access)
Version: 1.3 (last modified October 2025)
MITRE Reference: attack.mitre.org/techniques/T1012

Sources and References

  • MITRE ATT&CK — T1012 Query Registry: attack.mitre.org
  • FireEye/Mandiant — SUNBURST Backdoor Analysis (SolarWinds): mandiant.com
  • Microsoft — Solorigate Second-Stage Activation: SUNBURST to TEARDROP and Raindrop: microsoft.com
  • Microsoft — Volt Typhoon Targets US Critical Infrastructure: microsoft.com
  • CISA/NSA — PRC State-Sponsored Cyber Actor Living Off the Land (Volt Typhoon): cisa.gov
  • Trend Micro — Redline Stealer: A Novel Approach (2024): trendmicro.com
  • Red Canary — Atomic Red Team T1012 Tests: github.com
  • Picus Security — Red Report 2026: picussecurity.com
  • Symantec — Shuckworm Targets Foreign Military Mission Based in Ukraine (2025): security.com
— end of briefing