KQL Search

Query Details

HomeAI ToolsDevice Query

Device Registry Events Unexpected Network Provider

Query

let expected_dlls = dynamic([]);
let expected_services = dynamic([]);
union
    (
    DeviceRegistryEvents
    | where RegistryKey has_all (@"HKEY_LOCAL_MACHINE\SYSTEM\", @"\Control\NetworkProvider\Order") and RegistryValueName has "ProviderOrder"
    | extend NewNetworkProviderService = set_difference(split(RegistryValueData, ","), split(PreviousRegistryValueData, ","))
    | where array_length(NewNetworkProviderService) > 0 // A Network Provider was added instead of deleted
    | where not(array_length(NewNetworkProviderService) == 1 and NewNetworkProviderService[0] in (expected_services))
    )
    ,
    (
    DeviceRegistryEvents
    | where RegistryKey has_all (@"HKEY_LOCAL_MACHINE\SYSTEM\", @"\Services\", @"\NetworkProvider") and RegistryValueName has "ProviderPath"
    | where not(RegistryValueData in (expected_dlls))
    | extend NewNetworkProviderDLL = RegistryValueData
    )
| project
    TimeGenerated,
    DeviceName,
    ActionType,
    RegistryKey,
    RegistryValueName,
    RegistryValueData,
    PreviousRegistryValueData,
    NewNetworkProviderService,
    NewNetworkProviderDLL,
    InitiatingProcessAccountName,
    InitiatingProcessAccountSid,
    InitiatingProcessFolderPath,
    InitiatingProcessSHA256,
    InitiatingProcessCommandLine,
    InitiatingProcessRemoteSessionDeviceName,
    InitiatingProcessRemoteSessionIP

Explanation

This query looks for changes in network provider services and DLLs in the Windows registry. It checks for added network providers and new DLLs related to network providers. The results include information about the device, registry key, value, and the process that made the changes.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: June 27, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,RegistryKey,RegistryValueName,RegistryValueData,PreviousRegistryValueData,NewNetworkProviderService,expected_services,expected_dlls,DeviceName,ActionType,InitiatingProcessAccountName,InitiatingProcessAccountSid,InitiatingProcessFolderPath,InitiatingProcessSHA256,InitiatingProcessCommandLine,InitiatingProcessRemoteSessionDeviceName,InitiatingProcessRemoteSessionIP.

Operators

unionwherehas_allextendset_differencesplitarray_lengthproject

Actions