Query Details

Safeboot Registry Modification Detection

Query

// Detects creation, modification, deletion or value changes on the SafeBoot registry keys.
// SafeBoot\Minimal and SafeBoot\Network list the services and drivers Windows loads in Safe Mode.
// Attackers add their own entries so a payload still runs after a forced Safe Mode reboot, or remove
// security products' entries so they do not start there (MITRE ATT&CK T1562.009, Safe Mode Boot).
// Filters run before project so the column trim does not touch rows that are discarded anyway.
DeviceRegistryEvents
| where TimeGenerated > ago(7d)
| where ActionType == "RegistryKeyCreated" or ActionType == "RegistryKeyModified"
    or ActionType == "RegistryKeyDeleted" or ActionType == "RegistryValueSet"
| where RegistryKey has @"SYSTEM\CurrentControlSet\Control\SafeBoot"
// Customer is not part of the standard DeviceRegistryEvents schema; drop it if your workspace does not add it.
| project TimeGenerated, Customer, DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountUpn,
    InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    ActionType, RegistryKey, RegistryValueName, RegistryValueData

Explanation

This query surfaces changes to the SafeBoot registry keys on monitored devices. The subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network enumerate the services and drivers Windows loads when it boots into Safe Mode, so most third-party security products are not started there. Attackers abuse this in two directions: adding their own service under SafeBoot\Minimal so a payload (ransomware in particular) keeps running after it forces a Safe Mode reboot, or deleting a security product's entry so it no longer loads in Safe Mode (MITRE ATT&CK T1562.009, Safe Mode Boot). The query looks at the past seven days, keeps events where a registry key was created or modified, and matches keys whose path contains "SYSTEM\CurrentControlSet\Control\SafeBoot". Note that KQL's has operator is case-insensitive and matches whole terms, so a key such as SafeBootX would not match. Each hit carries the time, customer, device name, the account and process (with command line, folder path and parent process) that made the change, and the registry key and value name involved. Expect some benign volume from Windows servicing, security product installers and their updaters, and from a legitimate administrator running bcdedit or reg.exe; triage on the initiating process, its parent, and whether the value written names a service you recognise.
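The detection logic above, rendered in Python and run over constructed DeviceRegistryEvents-shaped records, as an added example that is not part of the original page or its query. It extends the page's two action types with RegistryKeyDeleted and RegistryValueSet (assumed to be the DeviceRegistryEvents values for deleting a key and writing a value), approximates KQL's whole-term has match, and shows which events the query should and should not fire on, including a deletion the original query would miss, a non-SafeBoot key, a SafeBootX look-alike, and an event outside the seven-day window. The sample events, service names and command lines are constructed, not real telemetry.

```python
import re
from datetime import datetime, timedelta, timezone

# Reference time and lookback, matching the query's ago(7d). Constructed, not from telemetry.
NOW = datetime(2024, 11, 10, 12, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(days=7)

# Action types to catch. The page's query lists only the first two; the other two are an
# assumption about the DeviceRegistryEvents ActionType values for key deletion and value writes.
SAFEBOOT_ACTIONS = {"RegistryKeyCreated", "RegistryKeyModified",
                    "RegistryKeyDeleted", "RegistryValueSet"}
SAFEBOOT_PATH = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
HKLM_CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"


def _event(hours_ago, action, key, value="", proc="reg.exe", cmd="",
           device="ws01", account="admin"):
    """Build one constructed record with the columns the query projects."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "DeviceName": device,
        "InitiatingProcessAccountName": account,
        "InitiatingProcessFileName": proc,
        "InitiatingProcessCommandLine": cmd,
        "ActionType": action,
        "RegistryKey": key,
        "RegistryValueName": value,
    }


# Constructed sample events (hypothetical service names and command lines).
SAMPLE_EVENTS = [
    # Payload registered to load in Safe Mode: should hit.
    _event(1, "RegistryKeyCreated", HKLM_CCS + r"\Control\SafeBoot\Minimal\badsvc",
           cmd=r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\badsvc /ve /d Service /f"),
    # Security product's Safe Mode entry removed: should hit, missed by the page's two action types.
    _event(2, "RegistryKeyDeleted", HKLM_CCS + r"\Control\SafeBoot\Minimal\avsvc",
           cmd=r"reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avsvc /f"),
    # Value rewritten on an existing SafeBoot\Network subkey: should hit.
    _event(3, "RegistryValueSet", HKLM_CCS + r"\Control\SafeBoot\Network\vss"),
    # Unrelated registry write: must not hit.
    _event(4, "RegistryValueSet", HKLM_CCS + r"\Services\Tcpip\Parameters",
           value="EnableICMPRedirect"),
    # Key name that merely starts with SafeBoot: must not hit, `has` matches whole terms.
    _event(5, "RegistryKeyCreated", HKLM_CCS + r"\Control\SafeBootX\Minimal\svc"),
    # SafeBoot change older than the 7-day window: must not hit.
    _event(24 * 9, "RegistryKeyCreated", HKLM_CCS + r"\Control\SafeBoot\Minimal\oldsvc"),
]


def _terms(text):
    """Lowercase alphanumeric terms, roughly how KQL tokenises a string for `has`."""
    return [t for t in re.split(r"[^0-9a-z_]+", text.lower()) if t]


def kql_has(haystack, phrase):
    """Approximation of KQL `has`: case-insensitive, whole-term, in-order phrase match."""
    h, p = _terms(haystack), _terms(phrase)
    return bool(p) and any(h[i:i + len(p)] == p for i in range(len(h) - len(p) + 1))


def detect_safeboot_modifications(events, now=NOW, lookback=LOOKBACK):
    """Apply the query's three filters: time window, action type, SafeBoot path."""
    cutoff = now - lookback
    return [e for e in events
            if e["TimeGenerated"] > cutoff
            and e["ActionType"] in SAFEBOOT_ACTIONS
            and kql_has(e["RegistryKey"], SAFEBOOT_PATH)]


def safeboot_profile(registry_key):
    """Which Safe Mode profile a key belongs to: 'Minimal', 'Network', or None."""
    m = re.search(r"\\SafeBoot\\(Minimal|Network)(\\|$)", registry_key, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in detect_safeboot_modifications(SAMPLE_EVENTS):
        print(hit["TimeGenerated"].isoformat(), hit["ActionType"],
              safeboot_profile(hit["RegistryKey"]), hit["RegistryKey"])
```

The profile split (Minimal versus Network) is worth keeping in the real query too: an entry added only under SafeBoot\Minimal is the classic ransomware pattern, while deletions from both profiles at once point at security-product tampering.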

Details


Jay Kerai

Released: November 10, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents, TimeGenerated, Customer, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, InitiatingProcessFolderPath, ActionType, RegistryKey, RegistryValueName

Operators

project, where, >, ago, ==, or, has
