Event ID 9005002 — Registry key deleted

Provider: Defender-DeviceRegistryEvents
Channel: RegistryKeyDeleted

Description

Registry key deleted

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`RegistryKey`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table