Defender-DeviceRegistryEvents
5 ActionTypes
| ActionType | Title |
|---|---|
| any | Registry activity (any) |
| RegistryKeyCreated | Registry key created |
| RegistryKeyDeleted | Registry key deleted |
| RegistryValueSet | Registry value set |
| RegistryValueDeleted | Registry value deleted |
any: Registry activity (any)
Description #
Registry activity (any)
Fields #
| Name | Description | Rules |
|---|---|---|
| DeviceId | | |
| Timestamp | | |
| ActionType | | |
| RegistryKey | | |
| RegistryValueName | | |
| RegistryValueType | | |
| RegistryValueData | | 1 |
| PreviousRegistryValueData | | 1 |
| InitiatingProcessFileName | | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | RegistryKeyCreated | 5 rules | kusto |
| EventType | in | RegistryValueSet | 5 rules | kusto |
| Details | eq | 1 | 1 rule | elastic, kusto, splunk |
| ParentImage | ends_with | cmd.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell_ise.exe | 1 rule | kusto |
Detection Rules #
Kusto #
- Potential Fodhelper UAC Bypass (ASIM Version) (severity: medium): This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour; this can be tweaked as required. Also matches: RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Print Processors Registry Driver Key Creation/Modification (severity: medium): This analytic rule detects any registry value creation or modification of the print processor registry Driver key. This will load the executable at startup with the print spooler service. This could be an indication of a persistence attempt by an adversary. Also matches: RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Registry Run Key Creation/Modification (severity: medium): This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary. Also matches: RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Windows Allow Firewall Rule Addition/Modification (severity: medium): This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host. Also matches: RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Windows Update Disabled from Registry (severity: medium): This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. Also matches: RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
References #
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/
RegistryKeyCreated: Registry key created
Description #
Registry key created
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| RegistryKey | |
| InitiatingProcessFileName | |
RegistryKeyDeleted: Registry key deleted
Description #
Registry key deleted
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| RegistryKey | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | RegistryKeyCreated | 5 rules | kusto |
| EventType | in | RegistryValueSet | 5 rules | kusto |
| Details | eq | 1 | 1 rule | elastic, kusto, splunk |
| ParentImage | ends_with | cmd.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell_ise.exe | 1 rule | kusto |
Detection Rules #
Kusto #
- Potential Fodhelper UAC Bypass (ASIM Version) (severity: medium): This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour; this can be tweaked as required. Also matches: any (Registry activity (any)), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Print Processors Registry Driver Key Creation/Modification (severity: medium): This analytic rule detects any registry value creation or modification of the print processor registry Driver key. This will load the executable at startup with the print spooler service. This could be an indication of a persistence attempt by an adversary. Also matches: any (Registry activity (any)), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Registry Run Key Creation/Modification (severity: medium): This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary. Also matches: any (Registry activity (any)), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Windows Allow Firewall Rule Addition/Modification (severity: medium): This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host. Also matches: any (Registry activity (any)), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
- Detect Windows Update Disabled from Registry (severity: medium): This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. Also matches: any (Registry activity (any)), RegistryValueSet (Registry value set), RegistryValueDeleted (Registry value deleted).
RegistryValueSet: Registry value set
Description #
Registry value set
Fields #
| Name | Description | Rules |
|---|---|---|
| DeviceId | | |
| Timestamp | | |
| RegistryKey | | |
| RegistryValueName | | 1 |
| RegistryValueData | | |
| PreviousRegistryValueData | | |
| InitiatingProcessFileName | | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | RegistryKeyCreated | 5 rules | kusto |
| EventType | in | RegistryValueSet | 5 rules | kusto |
| EventType | eq | RegistryValueSet | 4 rules | kusto |
| Details | eq | 1 | 1 rule | elastic, kusto, splunk |
| parent_process_name | in | cmd.exe | 1 rule | kusto, splunk |
| parent_process_name | in | powershell.exe | 1 rule | kusto, splunk |
| TargetObject | contains | \software\microsoft\windows\currentversion\policies\explorer\run | 1 rule | kusto, sigma |
| GlobalPrevalence | lt | 100 | 1 rule | kusto |
| GlobalPrevalence | is_null | | 1 rule | kusto |
| ParentImage | ends_with | cmd.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell_ise.exe | 1 rule | kusto |
Detection Rules #
Kusto #
- COM Registry Key Modified to Point to File in Color Profile Folder (severity: medium): This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
- Potential Fodhelper UAC Bypass (ASIM Version) (severity: medium): This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour; this can be tweaked as required. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueDeleted (Registry value deleted).
- Component Object Model Hijacking - Vault7 trick (severity: medium): This detection looks for the very specific value of "Attribute" in the "ShellFolder" CLSID of a COM object. This value (0xf090013d) seems to only link back to this specific persistence method. The blog post linked here (https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse) provides more background on the meaning of this value.
- Detect Print Processors Registry Driver Key Creation/Modification (severity: medium): This analytic rule detects any registry value creation or modification of the print processor registry Driver key. This will load the executable at startup with the print spooler service. This could be an indication of a persistence attempt by an adversary. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueDeleted (Registry value deleted).
- Detect Registry Run Key Creation/Modification (severity: medium): This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueDeleted (Registry value deleted).
- Detect Windows Allow Firewall Rule Addition/Modification (severity: medium): This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueDeleted (Registry value deleted).
- Detect Windows Update Disabled from Registry (severity: medium): This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueDeleted (Registry value deleted).
- MosaicLoader (severity: high): This query looks for malware that hides itself among Windows Defender exclusions to evade detection.
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint): ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:
- Registry Run Keys - Suspicious Registry Run Keys: The query below looks for suspicious additions to Run, RunOnce and several other registry keys. The query analyzes all values in the specified registry keys and finds anomalous ones based on commonality in the environment and excludes possible legitimate activities like software installations. The query might require tuning according to the environment.
RegistryValueDeleted: Registry value deleted
Description #
Registry value deleted
Fields #
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| RegistryKey | |
| RegistryValueName | |
| InitiatingProcessFileName | |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | RegistryKeyCreated | 5 rules | kusto |
| EventType | in | RegistryValueSet | 5 rules | kusto |
| ParentImage | ends_with | cmd.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell.exe | 1 rule | kusto |
| ParentImage | ends_with | powershell_ise.exe | 1 rule | kusto |
Detection Rules #
Kusto #
- Potential Fodhelper UAC Bypass (ASIM Version) (severity: medium): This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour; this can be tweaked as required. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set).
- Detect Print Processors Registry Driver Key Creation/Modification (severity: medium): This analytic rule detects any registry value creation or modification of the print processor registry Driver key. This will load the executable at startup with the print spooler service. This could be an indication of a persistence attempt by an adversary. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set).
- Detect Registry Run Key Creation/Modification (severity: medium): This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set).
- Detect Windows Allow Firewall Rule Addition/Modification (severity: medium): This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set).
- Detect Windows Update Disabled from Registry (severity: medium): This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. Also matches: any (Registry activity (any)), RegistryKeyDeleted (Registry key deleted), RegistryValueSet (Registry value set).