Skip to content

Hide Navigation Hide TOC

Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b)

The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4656 - Handle to an Object was Requested: Logs attempts to open registry keys.
    • Event ID 4663 - An Object was Accessed: Captures read/write operations on registry keys.
    • Event ID 4657 - Registry Value Modification: Useful for detecting changes to registry keys after being accessed.
  • Sysmon
    • Sysmon Event ID 13 - Registry Value Set: Captures modifications to existing registry keys.
  • Endpoint Detection and Response (EDR) Solutions
    • Provide telemetry on registry key access activities, especially when linked to suspicious processes.
Cluster A Galaxy A Cluster B Galaxy B Level
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 1
Windows Registry Key Access (ed0dd8aa-1677-4551-bb7d-8da767617e1b) mitre-data-component Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 2