Windows Query Registry UnInstall Program List

Splunk Security Content

Summary
The "Windows Query Registry UnInstall Program List" detection rule identifies potentially malicious access to the Windows Uninstall registry key, which lists the applications installed on a system and therefore gives an adversary a quick inventory of what is present. Using Windows Security Event log records with Event Code 4663 (an attempt was made to access an object), the rule captures attempts to read the Uninstall registry entries. That information helps security analysts pinpoint suspicious behavior that may indicate reconnaissance by malware or by an adversary looking for exploitable software. The search query filters for the specific patterns indicative of such activity, allowing for effective monitoring and alerting. To deploy the rule, administrators need to enable auditing for object access in Group Policy and ensure the relevant security events are ingested. This detection supports early intervention in a potential compromise, because attackers often read this key to enumerate installed software and locate vulnerable versions.
Categories
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1012
Created: 2024-12-10