Query Details

MDE Registry Run Keys Forensics

Query

# Forensics on Registry Run keys in Windows. Registry Run keys can be used to establish persistence on a device.
----
### Defender For Endpoint

```kql
// Run and RunOnce keys for both the machine hive and the current-user hive
let RegistryRunKeys = dynamic 
([@"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
@"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"]);
// Scope the search to the devices under investigation
let CompromisedDevices = dynamic (["laptop1", "server1"]);
let SearchWindow = 7d; // Customizable: h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where RegistryKey has_any (RegistryRunKeys)
// One record per change; the previous value data (not the previous key) is the "old value" of the entry
| extend RegistryChangeInfo = bag_pack("RegistryKey", RegistryKey, "Action Performed", ActionType, "Old Value", PreviousRegistryValueData, "New Value", RegistryValueData)
// make_set() drops exact duplicate records, count() keeps the raw number of changes
| summarize TotalRunKeysChanged = count(), RegistryInfo = make_set(RegistryChangeInfo) by DeviceName
```
### Sentinel
```kql
// Run and RunOnce keys for both the machine hive and the current-user hive
let RegistryRunKeys = dynamic 
([@"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
@"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"]);
// Scope the search to the devices under investigation
let CompromisedDevices = dynamic (["laptop1", "server1"]);
let SearchWindow = 7d; // Customizable: h = hours, d = days
DeviceRegistryEvents
// Sentinel exposes the event time as TimeGenerated instead of Timestamp
| where TimeGenerated > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where RegistryKey has_any (RegistryRunKeys)
// One record per change; the previous value data (not the previous key) is the "old value" of the entry
| extend RegistryChangeInfo = pack_dictionary("RegistryKey", RegistryKey, "Action Performed", ActionType, "Old Value", PreviousRegistryValueData, "New Value", RegistryValueData)
// make_set() drops exact duplicate records, count() keeps the raw number of changes
| summarize TotalRunKeysChanged = count(), RegistryInfo = make_set(RegistryChangeInfo) by DeviceName
```
Explanation

The query performs forensics on the Windows Registry Run keys, which are a common way to establish persistence on a device. It searches DeviceRegistryEvents for any changes to the Run and RunOnce keys (under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER) within the customizable time window on the compromised devices, specified here as "laptop1" and "server1". For each change it retrieves the registry key, the action performed, the old value and the new value, and then summarizes the total number of Run key changes and the collected change records per device.
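To make the filter and summarize steps of the query checkable offline, the following Python replays the same logic over a handful of constructed DeviceRegistryEvents-style rows. This is an added example, not code from the original page or from the query's author; the sample rows, the reference time standing in for now(), and the `is_run_key` approximation of KQL's `has_any` term matching are all assumptions of the example, and it additionally carries the RegistryValueName so the persistence entry's name is visible in the output.

```python
"""Replay of the Run-key forensics query over constructed MDE-style rows."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same constants as the KQL query.
REGISTRY_RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
COMPROMISED_DEVICES = ("laptop1", "server1")
SEARCH_WINDOW = timedelta(days=7)

# Constructed reference time standing in for KQL's now().
NOW = datetime(2023, 5, 10, 12, 0, tzinfo=timezone.utc)


def _event(hours_ago, device, action, key, name, old, new):
    """Build one constructed DeviceRegistryEvents-style row (schema column names)."""
    return {
        "Timestamp": NOW - timedelta(hours=hours_ago),
        "DeviceName": device,
        "ActionType": action,
        "RegistryKey": key,
        "RegistryValueName": name,
        "PreviousRegistryValueData": old,
        "RegistryValueData": new,
    }


# Constructed sample telemetry: exactly three rows survive the filters.
SAMPLE_EVENTS = [
    _event(2, "laptop1", "RegistryValueSet",
           r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
           "Updater", "", r"C:\Users\alice\AppData\Roaming\updater.exe"),
    _event(5, "server1.contoso.local", "RegistryValueSet",
           r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
           "Setup", "", r"C:\Windows\Temp\setup.cmd"),
    _event(30, "server1", "RegistryValueDeleted",
           r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
           "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe", ""),
    # Excluded: device not in scope.
    _event(1, "workstation9", "RegistryValueSet",
           r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
           "Agent", "", r"C:\Program Files\Agent\agent.exe"),
    # Excluded: older than the 7-day search window.
    _event(24 * 10, "laptop1", "RegistryValueSet",
           r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
           "OldEntry", "", r"C:\old.exe"),
    # Excluded: not a Run or RunOnce key.
    _event(3, "laptop1", "RegistryValueSet",
           r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer",
           "ShellState", "", "0x01"),
]


def is_run_key(registry_key):
    """Approximates `RegistryKey has_any (RegistryRunKeys)`: a case-insensitive
    match on the key itself or a subkey beneath it. has_any is a term-phrase
    match, so "Run" does not match "RunOnce" here either."""
    key = registry_key.lower()
    return any(key == k.lower() or key.startswith(k.lower() + "\\")
               for k in REGISTRY_RUN_KEYS)


def in_scope(device_name):
    """Approximates `DeviceName has_any (CompromisedDevices)`: the host label is
    one term, so an FQDN such as server1.contoso.local also matches server1."""
    return device_name.lower().split(".")[0] in COMPROMISED_DEVICES


def run_key_forensics(events, now=NOW):
    """Time window, device scope and Run-key filter, then a per-device summary
    with the raw change count and a deduplicated set of change records."""
    cutoff = now - SEARCH_WINDOW
    per_device = defaultdict(list)
    for ev in events:
        if ev["Timestamp"] <= cutoff or not in_scope(ev["DeviceName"]):
            continue
        if not is_run_key(ev["RegistryKey"]):
            continue
        # Mirrors the bag_pack() / pack_dictionary() step, plus the value name.
        per_device[ev["DeviceName"].split(".")[0]].append({
            "RegistryKey": ev["RegistryKey"],
            "Action Performed": ev["ActionType"],
            "Value Name": ev["RegistryValueName"],
            "Old Value": ev["PreviousRegistryValueData"],
            "New Value": ev["RegistryValueData"],
        })
    summary = {}
    for device, changes in per_device.items():
        # make_set() semantics: exact duplicate records collapse to one.
        unique = list({tuple(sorted(c.items())): c for c in changes}.values())
        summary[device] = {"TotalRunKeysChanged": len(changes), "RegistryInfo": unique}
    return summary


if __name__ == "__main__":
    for device, info in run_key_forensics(SAMPLE_EVENTS).items():
        print(device, info["TotalRunKeysChanged"])
        for change in info["RegistryInfo"]:
            print("   ", change)
```

Running it prints one block per in-scope device; the workstation9 row, the 10-day-old row and the Explorer key row never reach the summary, which is the behaviour to expect from the three `where` clauses in the KQL.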

Details

Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceRegistryEvents

Keywords

Devices,Intune,User,Forensics,RegistryRunkeys,Windows,Persistence
