Manual
  • BluSapphire Manuals
  • BluSapphire
    • Detections
      • Creating "Detections" Using BluSapphire Portal
    • Roles & Permissions
    • Knowledge Base
  • BluGenie
    • Full Function List
      • Add-BluGenieFirewallRule
      • Clear-BlugenieMemory
      • Connect-BluGenieToSystem
      • Convert-BluGenieSID2UserName
      • Convert-BluGenieSize
      • Convert-BluGenieUserName2SID
      • Convert-BluGenieUTCtoLocal
      • ConvertFrom-Yaml
      • ConvertTo-BluGenieDate
      • ConvertTo-Yaml
      • Disable-BluGenieAllFirewallRules
      • Disable-BluGenieFirewallRule
      • Enable-BluGenieAllFirewallRules
      • Enable-BluGenieFirewallRule
      • Enable-BluGenieWinRMoverWMI
      • Expand-BluGenieArchivePS2
      • Format-BluGenieEvent
      • Get-BluGenieADGroupMembers
      • Get-BluGenieADGroups
      • Get-BluGenieADMachineInfo
      • Get-BluGenieAuditProcessTracking
      • Get-BluGenieAutoRuns
      • Get-BluGenieChildItemList
      • Get-BluGenieCOMObjectInfo
      • Get-BluGenieCurrentSessionAliases
      • Get-BluGenieCurrentSessionFunctions
      • Get-BluGenieCurrentSessionVariables
      • Get-BluGenieErrorAction
      • Get-BluGenieFileADS
      • Get-BluGenieFilePermissions
      • Get-BluGenieFileSnapshot
      • Get-BluGenieFileStreams
      • Get-BluGenieFirewallRules
      • Get-BluGenieHashInfo
      • Get-BluGenieHelp
      • Get-BluGenieHostingVersion
      • Get-BluGenieIPrange
      • Get-BluGenieLiteralPath
      • Get-BluGenieLoadedRegHives
      • Get-BluGenieLockingProcess
      • Get-BluGenieMRUActivityView
      • Get-BluGenieProcessList
      • Get-BluGenieRegistry
      • Get-BluGenieRegistryProcessTracking
      • Get-BluGenieRegSnapshot
      • Get-BluGenieRunSpaceSessionAliases
      • Get-BluGenieRunSpaceSessionFunctions
      • Get-BluGenieRunSpaceSessionVariables
      • Get-BluGenieSchTaskInfo
      • Get-BluGenieScriptDirectory
      • Get-BluGenieServiceList
      • Get-BluGenieServiceStatus
      • Get-BluGenieSessionAliasList
      • Get-BluGenieSessionFunctionList
      • Get-BluGenieSessionVariableList
      • Get-BluGenieSettings
      • Get-BluGenieSignature
      • Get-BluGenieSystemInfo
      • Get-BluGenieToolsDirectory
      • Get-BluGenieTranscriptsDir
      • Get-BluGenieTranscriptsFile
      • Get-BluGenieTrapData
      • Get-BluGenieWindowsTitle
      • Get-BluGenieWindowsUpdates
      • Install-BluGenieHarvester
      • Install-BluGenieSysMon
      • Invoke-BluGenieAnalyzer
      • Invoke-BluGenieFileBrowser
      • Invoke-BluGenieLoadAllProfileHives
      • Invoke-BluGenieNetStat
      • Invoke-BluGenieParallel
      • Invoke-BluGenieProcess
      • Invoke-BluGenieProcessHash
      • Invoke-BluGeniePSQuery
      • Invoke-BluGeniePython
      • Invoke-BluGenieSQLLQuery
      • Invoke-BluGenieThreadLock
      • Invoke-BluGenieUnLoadAllProfileHives
      • Invoke-BluGenieWalkThrough
      • Invoke-BluGenieWipe
      • Invoke-BluGenieYara
      • Invoke-PSipcalc
      • Invoke-PSnmap
      • Invoke-SQLiteBulkCopy
      • Invoke-SqliteQuery
      • Invoke-WalkThrough
      • Join-BluGenieObjects
      • New-BluGenieCommand
      • New-BluGenieHelpMenu
      • New-BluGenieService
      • New-BluGenieSessionInfo
      • New-BluGenieTimeStamp
      • New-BluGenieUID
      • New-SQLiteConnection
      • Open-BluGenieLog
      • Open-BluGenieLogDir
      • Open-BluGenieScriptDir
      • Open-BluGenieToolDir
      • Open-BluGenieTransDir
      • Out-DataTable
      • Publish-BluGenieArtifact
      • Publish-BluGenieFirewallRules
      • Remove-BluGenieFile
      • Remove-BluGenieFirewallRule
      • Remove-BluGenieModule
      • Remove-BluGenieService
      • Resolve-BluGenieDnsName
      • Send-BluGenieItem
      • Set-BluGenieAuditProcessPol
      • Set-BluGenieCommands
      • Set-BluGenieCores
      • Set-BluGenieDebugger
      • Set-BluGenieFirewallGPOStatus
      • Set-BluGenieFirewallStatus
      • Set-BluGenieJobId
      • Set-BluGenieJobMemory
      • Set-BluGenieJobTimeout
      • Set-BluGenieNoBanner
      • Set-BluGenieNoExit
      • Set-BluGenieNoSetRes
      • Set-BluGenieParallelCommands
      • Set-BluGeniePostCommands
      • Set-BluGeniePrefetch
      • Set-BluGenieProcessCPUAffinity
      • Set-BluGenieProcessPriority
      • Set-BluGenieRange
      • Set-BluGenieRemoteDesktopProcess
      • Set-BluGenieScriptCredentials
      • Set-BluGenieServiceJob
      • Set-BluGenieSessionInfo
      • Set-BluGenieSettingsPriority
      • Set-BluGenieSystems
      • Set-BluGenieThreadCount
      • Set-BluGenieTrapping
      • Set-BluGenieUpdateMods
      • Set-BluGenieVerbose
      • Show-BluGenieGUI
      • Show-BluGenieMore
      • Start-BluGenieNewProcess
      • Start-BluGenieRunSpace
      • Stop-BluGenieService
      • Test-BluGenieIsFileLocked
      • Test-BluGenieIsMutexAvailable
      • Trace-BluGenieFireWallStatus
      • Update-BluGenieFirewallProfileStatus
      • Update-BluGenieSysinternals
      • Update-Sqlite
      • Write BluGenieVerboseMsg
    • Functions by Category
      • Discovery
        • Registry
        • File/Folder
        • Process
        • System
        • Network
        • ActiveDirectory
      • Execution
        • Registry
        • File/Folder
        • Process
        • System
        • Network
        • Tools
      • Support
    • Artifacts
      • Example Template
      • Tactical Artifacts by Category
        • Combination Query
          • Query Autorun locations for any item nested that is not digitally signed
        • EventLog Query
          • Query for Process execution from unusual directories
          • Query suspicious programs processed by the Task Scheduler using the Event Log
          • Query for unusual instances of rundll32.exe via the Event Log
          • Query for Unusual Instances of rundll32.exe making outbound network connections using SysMon Data
          • Query Suspicious Powershell Command Line Executions
          • Query the Windows System Log for 104, 517, 1102
        • File and Folder Query
          • Query for malicious file types in all users and system temp directories
          • Query Malicious file types from any directory not including the default OS and Install directories
          • Query all users for their Powershell Profile content for Powershell, Powershell_ISE, and VS Code
          • Query to Determine if any lolbin files are installed outside the normal OS and Program Files dir's
        • Network Query
          • Query for Unusual Windows Network Activity
        • Process Query
          • Query for all Processes not running from the Windows and Program Files.* Directories
        • Registry Query
          • Query Information from the Registry on Recentdocs, Recentapps
          • Query Registry for a list of mounted USB storage devices, including external memory cards
          • Query the Most Recently Used items from the Registry
          • Query the Most Recently Open and Saved File information from the Registry
          • Query all Run, RunOnce, and RunOnceEx Registry Keys
          • Query Command list from the MRU Registry List
          • Query Startup Services from the Registry
          • Query Map Network Drives from the Registry
          • Query Shell Folders and User Shell Folders from both the HKLM and HKU Registry Information
          • Query Typed Urls from the Registry
          • Query Current Control Set Services information from the Registry
          • Query Accessibility Features from Image File Execution Options from the Registry
          • Query the Registry for Commands that are automatically executed each time cmd.exe is run
          • Query the Registry for Mounted Device information
          • Query the Registry for Browser Helper Objects (BHO)
          • Query the Registry for Explore Run commands
          • Query the Registry for Winlogon Helper Dll's
          • Query the Registry for Active Setup information
          • Query the Registry for Bypassing UAC Mechanisms from the User-Accessible information
          • Query the Registry for User-Logon, and Startup Scripts
          • Query the Registry for the most common MRU information for All User Hives, including offline users
          • Query the Registry for any user, using the SysInternals Tools
Powered by GitBook
On this page
  1. BluGenie
  2. Artifacts
  3. Tactical Artifacts by Category

Registry Query

PreviousQuery for all Processes not running from the Windows and Program Files.* DirectoriesNextQuery Information from the Registry on Recentdocs, Recentapps

Last updated 3 years ago

Query Information from the Registry on Recentdocs, Recentapps
Query Registry for a list of mounted USB storage devices, including external memory cards
Query the Most Recently Used items from the Registry
Query the Most Recently Open and Saved File information from the Registry
Query all Run, RunOnce, and RunOnceEx Registry Keys
Query Command list from the MRU Registry List
Query Startup Services from the Registry
Query Map Network Drives from the Registry
Query Shell Folders and User Shell Folders from both the HKLM and HKU Registry Information
Query Typed Urls from the Registry
Query Current Control Set Services information from the Registry
Query Accessibility Features from Image File Execution Options from the Registry
Query the Registry for Commands that are automatically executed each time cmd.exe is run
Query the Registry for Mounted Device information
Query the Registry for Browser Helper Objects (BHO)
Query the Registry for Explore Run commands
Query the Registry for Winlogon Helper Dll's
Query the Registry for Active Setup information
Query the Registry for Bypassing UAC Mechanisms from the User-Accessible information
Query the Registry for User-Logon, and Startup Scripts
Query the Registry for the most common MRU information for All User Hives, including offline users
Query the Registry for any user, using the SysInternals Tools