DET0209: Detection of Registry Query for Environmental Discovery
Analyst context for executives and security teams
DET0209 is a detection strategy for spotting registry queries used for environmental discovery. Its value is that registry access can reveal operating system, configuration, installed software, and security details that help an adversary decide what to do next. For leaders, this is less about a single command and more about whether the organization can see early-stage Windows discovery before it turns into broader intrusion activity.
Executive priority
Prioritize this as an early-warning and investigation-quality control for Windows environments. Security leaders should ask whether SOC teams collect enough registry query evidence to distinguish normal administration and software activity from unusual discovery behavior, and whether that evidence is retained and searchable during incident response. Because the ATT&CK object provides no official detection logic, this should be treated as a coverage validation item rather than a guaranteed detection outcome.
Technical view
This detection strategy maps to ATT&CK T1012, Query Registry, under Discovery for Windows. SOC and detection engineering teams should validate visibility into registry query activity, including use of built-in utilities such as Reg where available, and other processes that access registry information. Tuning should focus on environmental discovery context: unusual users, unusual parent processes, unexpected command-line patterns, registry paths associated with system configuration, installed software, or security configuration, and correlation with adjacent discovery activity.
Likely telemetry
- Process creation events with command-line arguments
- Parent-child process relationships for registry-querying tools or processes
- Registry access or registry query telemetry where available
- User, host, and time context for queried systems
- Endpoint detection and response alerts or enriched endpoint activity records
Detection direction
- Validate that Windows endpoint telemetry captures registry-querying behavior, not just process names.
- Baseline common administrative, software inventory, installer, and management-tool registry activity to reduce false positives.
- Correlate registry queries with other discovery behavior rather than treating every registry read as suspicious.
- Review whether command-line logging and endpoint telemetry are consistently enabled on high-value servers and workstations.
- Account for blind spots where registry access occurs through methods other than the Reg utility, since the related ATT&CK technique notes that other means exist.
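The following is an added example, not part of the DET0209 object or of any Glexia or MITRE content, showing how the signals listed above (registry paths tied to system, software or security configuration; an unbaselined parent process; adjacent discovery activity on the same host) can be combined over process-creation telemetry. The events, the parent-process baseline and the severity scoring are all constructed for illustration; the field names loosely follow Sysmon process-creation records and are an assumption about what your telemetry looks like. The PowerShell case at the end illustrates the "methods other than the Reg utility" blind spot: the registry provider is covered here, but direct API access would not appear in command lines at all.

```python
"""Toy DET0209-style scoring of registry queries over process-creation events.

Added example with constructed input. Signals used: a registry path in a
sensitive category, a parent process outside a baseline allowlist, and other
discovery tools run on the same host within a short window.
"""
import re
from datetime import datetime, timedelta

# Constructed baseline: parents whose registry reads are expected (inventory agents,
# installers). A real baseline comes from your own environment, not from this list.
BASELINED_PARENTS = {"ccmexec.exe", "msiexec.exe"}

# Well-known keys grouped by the categories the page names (uppercase, hive abbreviated).
SENSITIVE_KEYS = {
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION": "system configuration",
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL": "installed software",
    "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES": "services / security configuration",
    "HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA": "security configuration",
    "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER": "security configuration",
}

# Other discovery binaries whose proximity raises the score (constructed list).
DISCOVERY_IMAGES = {"whoami.exe", "systeminfo.exe", "net.exe", "ipconfig.exe", "tasklist.exe"}

_HIVE = r"(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC)):?"
_QUOTED = re.compile(r"""["']\s*(""" + _HIVE + r"""\\[^"']+)["']""")   # "HKLM\..." or 'HKLM:\...'
_BARE = re.compile("(" + _HIVE + r"\\\S+)")                              # HKCU\Software\X


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def normalize(path):
    """Uppercase the key, drop the PowerShell drive colon, abbreviate long hive names."""
    hive, _, rest = path.partition("\\")
    hive = hive.rstrip(":").upper()
    hive = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}.get(hive, hive)
    return hive + "\\" + rest.upper().rstrip("\\")


def classify(norm_path):
    """Return the sensitive category for a normalized key, or None for ordinary keys."""
    for prefix, category in SENSITIVE_KEYS.items():
        if norm_path.startswith(prefix):
            return category
    return None


def registry_query_path(event):
    """Extract the queried key from reg.exe query or PowerShell registry-provider reads."""
    image, cmd = basename(event["image"]), event["cmdline"]
    is_reg = image == "reg.exe" and re.search(r"\bquery\b", cmd, re.I)
    is_ps = image in {"powershell.exe", "pwsh.exe"} and re.search(r"Get-(?:ItemProperty|ChildItem|Item)\b", cmd, re.I)
    if not (is_reg or is_ps):
        return None
    m = _QUOTED.search(cmd) or _BARE.search(cmd)
    return normalize(m.group(1)) if m else None


def adjacent_discovery(event, events, window=timedelta(minutes=5)):
    """Distinct discovery tools run on the same host within +/- window of the event."""
    t = datetime.fromisoformat(event["ts"])
    return sorted({basename(e["image"]) for e in events
                   if e is not event and e["host"] == event["host"]
                   and basename(e["image"]) in DISCOVERY_IMAGES
                   and abs(datetime.fromisoformat(e["ts"]) - t) <= window})


def detect(events):
    """Score registry queries that touch sensitive keys; ordinary key reads are skipped."""
    findings = []
    for ev in events:
        path = registry_query_path(ev)
        category = classify(path) if path else None
        if category is None:
            continue  # a registry read by itself is not treated as suspicious
        adjacent = adjacent_discovery(ev, events)
        score = 1 + (basename(ev["parent"]) not in BASELINED_PARENTS) + (len(adjacent) > 0)
        findings.append({"host": ev["host"], "user": ev["user"], "via": basename(ev["image"]),
                         "key": path, "category": category, "adjacent_discovery": adjacent,
                         "severity": {1: "low", 2: "medium", 3: "high"}[score]})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:05", "host": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\CCM\\CcmExec.exe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s'},
    {"ts": "2026-03-01T10:15:00", "host": "ws02", "user": "CORP\\bob",
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\whoami.exe",
     "cmdline": "whoami /all"},
    {"ts": "2026-03-01T10:15:20", "host": "ws02", "user": "CORP\\bob",
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" /v ProductName'},
    {"ts": "2026-03-01T10:16:02", "host": "ws02", "user": "CORP\\bob",
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\systeminfo.exe",
     "cmdline": "systeminfo"},
    {"ts": "2026-03-01T11:00:00", "host": "ws03", "user": "CORP\\carol",
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKCU\\Software\\ExampleApp /v Theme"},
    {"ts": "2026-03-01T12:00:00", "host": "ws04", "user": "CORP\\dave",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -Command \"Get-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa'\""},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["via"], f["category"], f["adjacent_discovery"])
```

On the constructed input the inventory read from the baselined agent scores low, the ws02 query lands high because it sits between whoami and systeminfo from an unbaselined parent, and the PowerShell read on ws04 scores medium. The key design choice is that sensitivity of the key is a gate and the other two signals only raise the score, which is the "correlate rather than alert on every read" direction from the list above.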
Mitigation priorities
- Confirm logging and retention for Windows process and registry activity before relying on this detection strategy operationally.
- Harden and monitor privileged and administrative accounts that can perform broad environmental discovery.
- Use application control or administrative restrictions where appropriate to limit unnecessary use of built-in administrative utilities.
- Ensure incident response playbooks include registry discovery as a triage indicator when investigating suspicious Windows activity.
- Maintain asset, software, and security configuration inventories so analysts can more easily identify abnormal discovery attempts.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no platform listed directly on the object. The practical interpretation comes from its relationship to T1012 Query Registry, which is a Windows Discovery technique. Treat this as guidance for coverage assessment and detection engineering validation, not as a complete analytic rule.
This take uses only the supplied STIX fields, external reference, and relationship context. No active exploitation, actor attribution, specific detection logic, data source requirements, or guaranteed coverage are provided by the source object. Local environment baselines are required to determine what registry query behavior is normal or suspicious.
Detection of Registry Query for Environmental Discovery
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1012 | Query Registry | This object detects Query Registry. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c8a28741cf83… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0209 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.