Query Details

Forensics on Registry Run keys in Windows.

MDE Registry Run Keys Forensics

Query

let CompromisedDevices = dynamic (["workstation01", "server1"]);
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where RegistryKey endswith @'\Software\Microsoft\Windows\CurrentVersion\Run' or  RegistryKey endswith @'\Microsoft\Windows\CurrentVersion\RunOnce'
| project-reorder Timestamp, ActionType, DeviceId, DeviceName, RegistryKey, PreviousRegistryValueData, InitiatingProcessCommandLine

About this query

Forensics on Registry Run keys in Windows.

Query Information

Description

Registry Run keys can be used to establish persistence on a device.

The detection covers the following registry key paths:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Defender XDR

Sentinel

let CompromisedDevices = dynamic (["workstation01", "server1"]);
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where RegistryKey endswith @'\Software\Microsoft\Windows\CurrentVersion\Run' or  RegistryKey endswith @'\Microsoft\Windows\CurrentVersion\RunOnce'
| project-reorder TimeGenerated, ActionType, DeviceId, DeviceName, RegistryKey, PreviousRegistryValueData, InitiatingProcessCommandLine

Explanation

This query is designed to help identify potential persistence mechanisms on Windows devices by examining specific registry keys that are commonly used to run programs automatically when the system starts. Here's a simple breakdown of what the query does:

  1. Purpose: The query is used for forensic analysis to detect if any suspicious or unauthorized programs are set to run automatically on compromised devices by examining certain registry keys.

  2. Registry Keys Monitored: It looks at the following registry paths, which are known for being used to establish persistence:

    • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    • HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  3. Scope: The query focuses on devices that are suspected to be compromised, specifically "workstation01" and "server1".

  4. Time Frame: It examines registry events that occurred within the last 7 days, but this time frame can be adjusted.

  5. Output: The query retrieves and organizes data about registry events, including:

    • The time the event was generated
    • The type of action performed
    • The device ID and name
    • The specific registry key involved
    • The previous value of the registry key
    • The command line of the process that initiated the change

This query is useful for security analysts to track and investigate potential persistence mechanisms on compromised devices.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: September 30, 2025

Tables

DeviceRegistryEvents

Keywords

RegistryRunKeysWindowsDeviceDevicesPersistence

Operators

letdynamicago|wherehas_anyendswithorproject-reorder

Actions

GitHub