Query.dll

  • File Path: C:\Windows\SysWOW64\Query.dll
  • Description: Content Index Utility DLL

Hashes

  • MD5: 23213AF0943223AC771D19C87B72A0EC
  • SHA1: 9F7CFDE32FEF0E37CA331A0CD133B3B7ED08D988
  • SHA256: 91B590BF6BCAA4FFEF30D3476ADCC216DB3963C158091D93032AE2268A977821
  • SHA384: 92502E3A3EAE93B5B33BC6AE062D09EDABF0DCDB28D386204C474F08EF19C2B7B9304A3EC4E12758535BC4FE6A0E824A
  • SHA512: FA067D057DB8904AC0CACFDC0E31110D835E9D5971D4C8326E94C87D3F4A89E86BA26B0F216A36F6627CD6495E06A75B5D63ED6E672D8EF8E97358DF96690F84
  • SSDEEP: 1536:lOWO6/fEQUv6ENxHaE30fAHZMoxBhBCzMAU0rFCF3AfeQMxRm3CT:VOhQUvxx6EQIMQBnAMAUyAF3Af7MxRms
  • IMP: FB575F462A1DB6FCACADF4100004F438
  • PESHA1: D38DD15D8383E0A9AB4BE9C7AB79168BF3436B50
  • PE256: D5369FCBBEA676999924429615542AB118A2B60100E471776D9255C8566D8440

DLL Exports:

  • LoadBinaryFilter (ordinal 1, Exported Function)
  • LoadTextFilter (ordinal 2, Exported Function)
  • BindIFilterFromStorage (ordinal 3, Exported Function)
  • BindIFilterFromStream (ordinal 4, Exported Function)
  • DllCanUnloadNow (ordinal 5, Exported Function)
  • DllGetClassObject (ordinal 6, Exported Function)
  • DllRegisterServer (ordinal 7, Exported Function)
  • DllUnregisterServer (ordinal 8, Exported Function)
  • LoadIFilter (ordinal 9, Exported Function)
  • LoadIFilterEx (ordinal 10, Exported Function)

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: query.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/91b590bf6bcaa4ffef30d3476adcc216db3963c158091d93032ae2268a977821/detection/

Possible Misuse

The following table contains possible examples of Query.dll being misused. While Query.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_high_dns_bytes_out.yml query: '*' DRL 1.0
sigma net_high_dns_requests_rate.yml query: '*' DRL 1.0
sigma net_mal_dns_cobaltstrike.yml query: DRL 1.0
sigma net_susp_dns_b64_queries.yml title: Suspicious DNS Query with B64 Encoded String DRL 1.0
sigma net_susp_dns_b64_queries.yml query: DRL 1.0
sigma net_susp_telegram_api.yml query: DRL 1.0
sigma net_wannacry_killswitch_domain.yml query: DRL 1.0
sigma proxy_empire_ua_uri_combos.yml cs-uri-query: DRL 1.0
sigma proxy_susp_flash_download_loc.yml c-uri-query: DRL 1.0
sigma win_apt_babyshark.yml - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" DRL 1.0
sigma win_apt_wocao.yml - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\' DRL 1.0
sigma win_hwp_exploits.yml - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 DRL 1.0
sigma win_query_registry.yml title: Query Registry DRL 1.0
sigma win_query_registry.yml - 'query' DRL 1.0
sigma win_remote_time_discovery.yml description: "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system." DRL 1.0
sigma win_spn_enum.yml Description: '*Query or reset the computer* SPN attribute*' DRL 1.0
sigma net_dns_high_subdomain_rate.yml query: "*" DRL 1.0
sigma ala.yml url.query: URL DRL 1.0
sigma arcsight-zeek.yml c-uri-query: DRL 1.0
sigma arcsight-zeek.yml query: destinationDnsDomain DRL 1.0
sigma arcsight-zeek.yml http.request.url-query-params: DRL 1.0
sigma arcsight-zeek.yml url.query: DRL 1.0
sigma arcsight.yml Query: DRL 1.0
sigma arcsight.yml url.query: DRL 1.0
sigma ecs-dns.yml query: dns.question.name DRL 1.0
sigma ecs-proxy.yml c-uri-query: url.query DRL 1.0
sigma ecs-proxy.yml http.request.url-query-params: url.original DRL 1.0
sigma ecs-proxy.yml url.query: url.original DRL 1.0
sigma ecs-suricata.yml dns.query: suricata.eve.dns.query DRL 1.0
sigma ecs-zeek-corelight.yml c-uri-query: url.query DRL 1.0
sigma ecs-zeek-corelight.yml query: dns.question.name DRL 1.0
sigma ecs-zeek-corelight.yml http.request.url-query-params: url.original DRL 1.0
sigma ecs-zeek-corelight.yml url.query: url.original DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml c-uri-query: url.query DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml query: dns.question.name DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml - query DRL 1.0
sigma fireeye-helix.yml c-uri-query: uri DRL 1.0
sigma helk.yml Query: DRL 1.0
sigma humio.yml c-uri-query: DRL 1.0
sigma humio.yml #- query DRL 1.0
sigma humio.yml http.request.url-query-params: DRL 1.0
sigma humio.yml url.query: DRL 1.0
sigma logstash-zeek-default-json.yml c-uri-query: uri DRL 1.0
sigma logstash-zeek-default-json.yml - query DRL 1.0
sigma logstash-zeek-default-json.yml http.request.url-query-params: uri DRL 1.0
sigma logstash-zeek-default-json.yml url.query: uri DRL 1.0
sigma netwitness-epl.yml c-uri-query: DRL 1.0
sigma netwitness.yml c-uri-query: DRL 1.0
sigma qradar.yml c-uri-query: uri_query DRL 1.0
sigma qradar.yml url.query: URL DRL 1.0
sigma splunk-zeek.yml c-uri-query: uri DRL 1.0
sigma splunk-zeek.yml - query DRL 1.0
sigma splunk-zeek.yml http.request.url-query-params: uri DRL 1.0
sigma splunk-zeek.yml url.query: uri DRL 1.0
sigma stix.yml c-uri-query: DRL 1.0
sigma stix.yml - x-dns:query DRL 1.0
sigma stix.yml query: DRL 1.0
LOLBAS Nltest.yml - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
malware-ioc dnsbirthday * DNS query to domain matching [0-9a-f]{60}.smoke`` © ESET 2014-2018
malware-ioc rqz-dnsduvel_blocklist.json "geo.query.yahoo.com", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\n### Windows\n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)\n\n[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\n\nAdversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n\n### Mac\n\nOn Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.\n\nAdversaries may use several methods including [Security Software Discovery](https://attack.mitre.org/techniques/T1063) to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandboxes. (Citation: Unit 42 Pirpi July 2015)\n\n###Virtual Machine Environment Artifacts Discovery###\n\nAdversaries may use utilities such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1086), [Systeminfo](https://attack.mitre.org/software/S0096), and the [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and/or the Registry. Adversaries may use [Scripting](https://attack.mitre.org/techniques/T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function. \n\nExample VME Artifacts in the Registry(Citation: McAfee Virtual Jan 2017)\n\n* <code>HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions</code>\n* <code>HKLM\\HARDWARE\\Description\\System\\”SystemBiosVersion”;”VMWARE”</code>\n* <code>HKLM\\HARDWARE\\ACPI\\DSDT\\BOX_</code>\n\nExample VME files and DLLs on the system(Citation: McAfee Virtual Jan 2017)\n\n* <code>WINDOWS\\system32\\drivers\\vmmouse.sys</code> \n* <code>WINDOWS\\system32\\vboxhook.dll</code>\n* <code>Windows\\system32\\vboxdisp.dll</code>\n\nCommon checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017)\n\n###User Activity Discovery###\n\nAdversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it’s a sandboxed environment.(Citation: Sans Virtual Jan 2016) Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) and waiting for a user to double click on an embedded image to activate (Citation: FireEye FIN7 April 2017).\n\n###Virtual Hardware Fingerprinting Discovery###\n\nAdversaries may check the fan and temperature of the system to gather evidence that can be indicative a virtual environment. An adversary may perform a CPU check using a WMI query <code>$q = “Select * from Win32_Fan” Get-WmiObject -Query $q</code>. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. (Citation: Unit 42 OilRig Sept 2018)", © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "Query Registry - T1012", © ESET 2014-2018
malware-ioc misp_invisimole.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\n### Windows\n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)\n\n[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\n\nAdversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n\n### Mac\n\nOn Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.\n\n### Cloud\n\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)", © ESET 2014-2018
malware-ioc misp_invisimole.json "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "value": "Query Registry - T1012", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Query Registry - T1012\"", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Query Registry - T1012\"", © ESET 2014-2018
malware-ioc oceanlotus |T1012|Query Registry © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "LDAP query tool - Xchecked via VT: 81f73c76fbf4ab3487d5e6e8629e83c0568de713", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "LDAP query tool", © ESET 2014-2018
malware-ioc telebots === LDAP query tool © ESET 2014-2018
malware-ioc misp-mosquito-event.json "value": "\/scripts\/m\/query.php?id=", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "value": "Query Registry - T1012", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Query Registry - T1012\"", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Query Registry - T1012\"", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #8: Adfind - Query Active Directory Groups [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1012 Query Registry MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Query Registry [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: DNS Large Query Volume [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: DNS Long Domain Query [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: Adfind - Query Active Directory Groups [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1012 Query Registry MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Query Registry [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: DNS Large Query Volume [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: DNS Long Domain Query [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Scripting CONTRIBUTE A TEST | Component Object Model Hijacking CONTRIBUTE A TEST | DLL Side-Loading | DLL Search Order Hijacking | Keychain | Query Registry | Windows Remote Management | LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST | | Multi-Stage Channels CONTRIBUTE A TEST | Service Stop | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Valid Accounts CONTRIBUTE A TEST | Service Execution | Compromise Client Software Binary CONTRIBUTE A TEST | DLL Search Order Hijacking | DLL Search Order Hijacking | Input Capture CONTRIBUTE A TEST | Query Registry | VNC CONTRIBUTE A TEST | Input Capture CONTRIBUTE A TEST | | File Transfer Protocols CONTRIBUTE A TEST | OS Exhaustion Flood CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT MIT License. © 2018 Red Canary
atomic-red-team T1007.md sc query MIT License. © 2018 Red Canary
atomic-red-team T1007.md sc query state= all MIT License. © 2018 Red Canary
atomic-red-team T1012.md # T1012 - Query Registry MIT License. © 2018 Red Canary
atomic-red-team T1012.md The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1012.md - Atomic Test #1 - Query Registry MIT License. © 2018 Red Canary
atomic-red-team T1012.md ## Atomic Test #1 - Query Registry MIT License. © 2018 Red Canary
atomic-red-team T1012.md Query Windows Registry. MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*.sys$" MIT License. © 2018 Red Canary
atomic-red-team T1018.md | target_domain | Domain to query for domain controllers | String | domain.local| MIT License. © 2018 Red Canary
atomic-red-team T1036.004.md schtasks /query /tn win32times MIT License. © 2018 Red Canary
atomic-red-team T1047.md - Atomic Test #7 - Create a Process using WMI Query and an Encoded Command MIT License. © 2018 Red Canary
atomic-red-team T1047.md ## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command MIT License. © 2018 Red Canary
atomic-red-team T1069.002.md - Atomic Test #8 - Adfind - Query Active Directory Groups MIT License. © 2018 Red Canary
atomic-red-team T1069.002.md ## Atomic Test #8 - Adfind - Query Active Directory Groups MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md - Atomic Test #1 - DNS Large Query Volume MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md - Atomic Test #3 - DNS Long Domain Query MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md ## Atomic Test #1 - DNS Large Query Volume MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md | query_type | DNS query type | string | TXT| MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md ## Atomic Test #3 - DNS Long Domain Query MIT License. © 2018 Red Canary
atomic-red-team T1082.md reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum MIT License. © 2018 Red Canary
atomic-red-team T1082.md REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid MIT License. © 2018 Red Canary
atomic-red-team T1087.001.md query user MIT License. © 2018 Red Canary
atomic-red-team T1087.002.md | computer_name | Name of remote system to query | String | $env:COMPUTERNAME| MIT License. © 2018 Red Canary
atomic-red-team T1087.002.md query user /SERVER:#{computer_name} MIT License. © 2018 Red Canary
atomic-red-team T1087.002.md Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. MIT License. © 2018 Red Canary
atomic-red-team T1119.md sc query type=service > %TEMP%\T1119_1.txt MIT License. © 2018 Red Canary
atomic-red-team T1124.md | computer_name | computer name to query | string | localhost| MIT License. © 2018 Red Canary
atomic-red-team T1135.md File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1490.md execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it MIT License. © 2018 Red Canary
atomic-red-team T1490.md if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary
atomic-red-team T1497.001.md Specific checks may will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. MIT License. © 2018 Red Canary
atomic-red-team T1497.001.md Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1497.001.md Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue MIT License. © 2018 Red Canary
atomic-red-team T1518.md Query the registry to determine the version of internet explorer installed on the system. MIT License. © 2018 Red Canary
atomic-red-team T1518.md reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion MIT License. © 2018 Red Canary
atomic-red-team T1518.md Query the registry to determine software and versions installed on the system. Upon execution a table of MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md Discovery of installed antivirus products via a WMI query. MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue MIT License. © 2018 Red Canary
atomic-red-team T1552.002.md <blockquote>Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. MIT License. © 2018 Red Canary
atomic-red-team T1552.002.md * Local Machine Hive: reg query HKLM /f password /t REG_SZ /s MIT License. © 2018 Red Canary
atomic-red-team T1552.002.md * Current User Hive: reg query HKCU /f password /t REG_SZ /s</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1552.002.md reg query HKLM /f password /t REG_SZ /s MIT License. © 2018 Red Canary
atomic-red-team T1552.002.md reg query HKCU /f password /t REG_SZ /s MIT License. © 2018 Red Canary
atomic-red-team T1552.002.md reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData ‎April 2018) MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(cmd /c sc query sysmon) { exit 0} else { exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md To verify that the service has stopped, run "sc query McAfeeDLPAgentService" MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md sc query WinDefend MIT License. © 2018 Red Canary
atomic-red-team T1563.002.md query user MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar $s4 = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query." fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s7 = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query." fullword ascii wide CC BY-NC 4.0
signature-base apt_laudanum_webshells.yar $s1 = "$query = isset($_POST['query']) ? $_POST['query'] : '';" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base apt_laudanum_webshells.yar $s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base apt_laudanum_webshells.yar $s1 = "command = "nslookup -type=" & qtype & " " & query " fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base apt_lazarus_dec20.yar description = "Webshell named template-query.aspimg.asp used by APT37" CC BY-NC 4.0
signature-base apt_ms_platinum.yara $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide CC BY-NC 4.0
signature-base apt_oilrig_oct17.yar $x1 = "cmd /c schtasks /query /tn TimeUpdate > NUL 2>&1" ascii CC BY-NC 4.0
signature-base apt_solarwinds_sunburst.yar description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA." CC BY-NC 4.0
signature-base apt_solarwinds_sunburst.yar description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)." CC BY-NC 4.0
signature-base apt_ta18_074A.yar $s1 = "Running -s cmd /c query user on " ascii CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $s2 = "/scripts/m/query.php?id=" fullword wide CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $a1 = "/scripts/m/query.php?id=" fullword wide CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s6 = "Md5 query tool" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_webshells.yar $s0 = "';$i=$g->query("SELECT SUBSTRING_INDEX(CURRENT_USER, '@', 1) AS User, SUBSTRING" ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s3 = "if($_POST['query'] != '')" fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s19 = "sc query type= service" ascii CC BY-NC 4.0
signature-base gen_wmi_implant.yar $x2 = "$Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security')" ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s6 = "Unable to query service status. Something is wrong, please manually check the st" CC BY-NC 4.0
signature-base thor-hacktools.yar $r = "Cannot query LSA Secret on remote host" CC BY-NC 4.0
signature-base thor-hacktools.yar $s11 = "Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")" fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s9 = "<option value='reg query \"HKLM\\System\\CurrentControlSet\\Control\\T" CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "No Query Executed" CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = "echo "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur" CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = ""<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur" CC BY-NC 4.0
signature-base thor-webshells.yar $s20 = "my $command = $self->query('command');" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s15 = "$query = "SHOW COLUMNS FROM " . $_GET['table'];" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = "<asp:Button ID="executesql" runat="server" Text="Execute SQL Query"" ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


query commands

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about processes, sessions, and Remote Desktop Session Host servers. To find out what's new in the latest version, see What's New in Remote Desktop Services in Windows Server.

Syntax

query process
query session
query termserver
query user

Parameters

Parameter Description
query process Displays information about processes running on a Remote Desktop Session Host server.
query session Displays information about sessions on a Remote Desktop Session Host server.
query termserver Displays a list of all Remote Desktop Session Host servers on the network.
query user Displays information about user sessions on a Remote Desktop Session Host server.


MIT License. Copyright (c) 2020 Strontic.