Type: Detection | Level: low | Status: experimental

System Information Discovery via Registry Queries

Detects attempts to query system information directly from the Windows Registry, either with reg.exe or with PowerShell's Get-ItemPropertyValue cmdlet, against keys that reveal the OS version, installed programs, existing services, the time zone and the state of Windows Defender.

Author: lazarg
Created: Thu Jun 12
Updated: Sat Oct 25
Rule ID: 0022869c-49f7-4ff2-ba03-85ac42ddac58
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
    condition: 1 of selection_cmd_* and selection_keys
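To see how the three selectors and the condition combine on real-looking telemetry, the following is an added Python example. It is not part of the SigmaHQ rule, the rule page, or pySigma: it re-implements only the modifiers this rule uses (endswith, contains, contains|windash) and the condition `1 of selection_cmd_* and selection_keys`, then runs them over constructed process_creation events (the image paths and command lines are made up for the example). It also shows the two ways a near-miss is rejected: a `reg query` without a value name fails selection_cmd_reg, and a Get-ItemPropertyValue call against an unrelated key fails selection_keys.

```python
"""Evaluate the registry-discovery rule above against constructed events.

Added example, not the rule's own code and not pySigma: it implements just
the string modifiers the rule uses and its condition, nothing more.
"""

# Sigma's windash modifier expands a leading '-' in the value to the dash
# variants Windows command lines accept: '-', '/', en dash, em dash, horizontal bar.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

# The rule's three selectors transcribed as (field, modifier, values).
# Every field in a selector must match (AND); a list of values is an OR.
RULE = {
    "selection_cmd_reg": [
        ("Image", "endswith", ["\\reg.exe"]),
        ("CommandLine", "contains", ["query"]),
        ("CommandLine", "contains|windash", ["-v"]),
    ],
    "selection_cmd_powershell": [
        ("Image", "endswith", ["\\powershell.exe", "\\pwsh.exe"]),
        ("CommandLine", "contains", ["Get-ItemPropertyValue", "gpv"]),
    ],
    "selection_keys": [
        ("CommandLine", "contains", [
            "\\SOFTWARE\\Microsoft\\Windows Defender",
            "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
            "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation",
            "\\SYSTEM\\CurrentControlSet\\Services",
        ]),
    ],
}


def windash_contains(haystack, needle):
    """contains|windash: accept any dash variant in place of the needle's leading '-'."""
    if not needle.startswith("-"):
        return needle in haystack
    return any(dash + needle[1:] in haystack for dash in WINDASH_VARIANTS)


def field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive, so compare lower-cased text."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "contains|windash" and windash_contains(v, p):
            return True
    return False


def selection_matches(event, selection):
    return all(field_matches(event.get(field, ""), mod, pats) for field, mod, pats in selection)


def explain(event):
    """Per-selector verdicts: handy when tuning which leg of the condition fired."""
    return {name: selection_matches(event, sel) for name, sel in RULE.items()}


def rule_matches(event):
    """condition: 1 of selection_cmd_* and selection_keys"""
    verdicts = explain(event)
    any_cmd = any(v for name, v in verdicts.items() if name.startswith("selection_cmd_"))
    return any_cmd and verdicts["selection_keys"]


# Constructed sample process_creation events; not real telemetry.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REG_IMAGE = r"C:\Windows\System32\reg.exe"
EVENTS = {
    "reg_query_slash_v": {"Image": REG_IMAGE, "CommandLine":
        r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    "reg_query_unicode_dash": {"Image": REG_IMAGE, "CommandLine":  # en dash, as pasted from a document
        "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation \u2013v TimeZoneKeyName"},
    "powershell_cmdlet": {"Image": PS_IMAGE, "CommandLine":
        r"powershell.exe -c Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name DisableAntiSpyware"},
    "pwsh_alias": {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine":
        r"pwsh -c gpv 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' DisplayName"},
    # Near misses: no value name (no -v/ /v), not a query, or an unrelated key.
    "reg_query_no_value_name": {"Image": REG_IMAGE, "CommandLine":
        r"reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    "reg_add_not_query": {"Image": REG_IMAGE, "CommandLine":
        r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    "powershell_unrelated_key": {"Image": PS_IMAGE, "CommandLine":
        r"powershell.exe -c Get-ItemPropertyValue 'HKCU:\Software\ExampleVendor\ExampleApp' -Name Theme"},
}


def evaluate(events=EVENTS):
    """Map each sample event name to the rule's verdict."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}  {explain(EVENTS[name])}")
```

The `explain` output is the part worth keeping when you tune the rule: a `reg query` of a Services subkey with no `/v` lands on selection_keys only, so extending coverage to such value-less queries would mean loosening selection_cmd_reg, at the cost of matching the broader set of administrative scripts that enumerate those keys.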
False Positives
Unlikely

False positives are unlikely in most environments, but note that the rule is rated level low rather than high confidence: inventory, patching and support scripts legitimately read several of these keys (CurrentVersion for the OS build, Uninstall for installed programs, Services for service state), so treat a hit as a discovery signal to correlate with other activity from the same host and user rather than as a standalone alert.

Testing & Validation

Simulations (Atomic Red Team)

T1082: System Information Discovery (GUID 66703791-c902-4560-8770-42b8a91f7667)
T1082: Discover OS Product Name via Registry (GUID be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7)
T1082: Discover OS Build Number via Registry (GUID acfcd709-0013-4f1e-b9ee-bc1e7bafaaec)

Regression Tests

Positive Detection Test (evtx, 1 match): Microsoft-Windows-Sysmon, by SigmaHQ Team

Rule Metadata
Rule ID: 0022869c-49f7-4ff2-ba03-85ac42ddac58
Status: experimental
Level: low
Type: Detection
Created: Thu Jun 12
Modified: Sat Oct 25
Author: lazarg
Path: rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml
Raw Tags: attack.discovery, attack.t1082