Defender-DeviceRegistryEvents

5 events across 5 channels

Event ID	Title	Channel
9005000	Registry activity (any)	DeviceRegistryEvents
9005001	Registry key created	RegistryKeyCreated
9005002	Registry key deleted	RegistryKeyDeleted
9005003	Registry value set	RegistryValueSet
9005004	Registry value deleted	RegistryValueDeleted

Event ID 9005000 — Registry activity (any)

Provider: Defender-DeviceRegistryEvents
Channel: DeviceRegistryEvents

Description

Registry activity (any)

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`ActionType`	—
`RegistryKey`	—
`RegistryValueName`	—
`RegistryValueType`	—
`RegistryValueData`	—
`PreviousRegistryValueData`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table

Event ID 9005001 — Registry key created

Provider: Defender-DeviceRegistryEvents
Channel: RegistryKeyCreated

Description

Registry key created

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`RegistryKey`	—
`InitiatingProcessFileName`	—

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table

Event ID 9005002 — Registry key deleted

Provider: Defender-DeviceRegistryEvents
Channel: RegistryKeyDeleted

Description

Registry key deleted

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`RegistryKey`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table

Event ID 9005003 — Registry value set

Provider: Defender-DeviceRegistryEvents
Channel: RegistryValueSet

Description

Registry value set

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`RegistryKey`	—
`RegistryValueName`	—
`RegistryValueData`	—
`PreviousRegistryValueData`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Defense Evasion: Impair Defenses

Defender-DeviceRegistryEvents Event ID 9005003: Registry value setORSecurity-Auditing Event ID 4657: A registry value was modified.ORSysmon Event ID 13: RegistryEvent

1 rule

Kusto Query Language

MosaicLoader (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table

Event ID 9005004 — Registry value deleted

Provider: Defender-DeviceRegistryEvents
Channel: RegistryValueDeleted

Description

Registry value deleted

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`RegistryKey`	—
`RegistryValueName`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table