Home >
Enterprise >
Participants >
SentinelOne >
Query Registry (T1012)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
3.B.4
|
Tactic Discovery (TA0007) |
|
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
12.C.1
|
Tactic Discovery (TA0007) |
|
||||
12.C.2
|
Tactic Discovery (TA0007) |
|
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- A UX Configuration Change was made to bring PowerShell script block logs into the user interface.


APT3 |
||||
Step | ATT&CK Pattern |
|
||
2.H.1
|
Tactic Discovery (TA0007) |
|
||
6.A.1
|
Tactic Discovery (TA0007) |
|
||
12.E.1.7
|
Tactic Discovery (TA0007) |
|
||
13.C.1
|
Tactic Discovery (TA0007) |
|
||
17.A.1.2
|
Tactic Discovery (TA0007) |
|