Home >
Enterprise >
Participants >
Bitdefender >
Query Registry (T1012)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
3.B.4
|
Tactic Discovery (TA0007) |
|
APT29 |
||||
Step | ATT&CK Pattern |
|
||
12.C.1
|
Tactic Discovery (TA0007) |
|
||
12.C.2
|
Tactic Discovery (TA0007) |
|
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.

