Query Details

Chromeloader Registry Value Large Size Generic

Query

DeviceRegistryEvents
| where RegistryValueType =~ 'String'
| where RegistryValueName != @"OnboardingInfo"
| where strlen(RegistryValueData) > 5000
| where InitiatingProcessFileName != @"mssense.exe"

Explanation

Show me all Device Registry Events where the Registry Value Type is a String, the Registry Value Name is not "OnboardingInfo", the length of the Registry Value Data is greater than 5000 characters, and the Initiating Process File Name is not "mssense.exe".

Details


Ali Hussein

Released: March 20, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,RegistryValueType,String,RegistryValueName,OnboardingInfo,RegistryValueData,InitiatingProcessFileName,mssenseexe

Operators

where, =~, !=, strlen(), >, @""
