Query Details
// Ref: https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
// This method was brought to my attention by https://www.linkedin.com/posts/nasreddinebencherchali_windows-persistence-activity-7032415514660376576-7YyT/
DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" // @ notation so the backslashes are interpreted literally
| where RegistryValueName contains "Redirection" or RegistryValueData == "1" // RegistryValueData is a string column; ConfirmUrl of 1 avoids the prompt, the redirection program value sets the persistence method
This KQL (Kusto Query Language) query is designed to analyze device registry events to identify potential persistence mechanisms on a Windows system. Here's a simplified explanation of what the query does:
Data Source: It examines data from DeviceRegistryEvents, which logs changes to the Windows registry.
Time Filter: It looks at events that have occurred in the last 90 days.
Action Type: It filters for events where a registry value has been set (RegistryValueSet).
Registry Key: It specifically targets changes to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer.
Registry Value: It further filters for events where the value name contains "Redirection" or the value data equals 1. Both halves matter for this technique: ConfirmUrl set to 1 suppresses the user prompt, and the redirection program value is what actually sets the persistence method.
Overall, the query is looking for specific registry changes that might indicate an attempt to establish persistence on a Windows machine, possibly by redirecting or modifying how the Event Viewer operates.
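The same four filters applied in Python to constructed DeviceRegistryEvents-style records, as an added example that is not part of the original query page. Field names mirror the advanced-hunting schema; the sample events, device names and paths are constructed, and the value names follow the Hexacorn reference (MicrosoftRedirectionProgram, ConfirmUrl).

```python
from datetime import datetime, timedelta, timezone

# The exact key the query targets (raw string, like the @"..." literal in KQL).
EVENT_VIEWER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer"


def matches(event: dict, now: datetime, window_days: int = 90) -> bool:
    """Apply the query's four `where` clauses to one DeviceRegistryEvents-style record."""
    # ago(90d): only events newer than the window
    if event["TimeGenerated"] <= now - timedelta(days=window_days):
        return False
    # KQL `==` on strings is case-sensitive, so match the action type exactly
    if event["ActionType"] != "RegistryValueSet":
        return False
    # KQL `contains` is case-insensitive, so normalise both sides
    if EVENT_VIEWER_KEY.lower() not in event["RegistryKey"].lower():
        return False
    name = event.get("RegistryValueName") or ""
    # RegistryValueData is a string column in the schema; coerce so an int 1 still compares as "1"
    data = str(event.get("RegistryValueData", ""))
    return "redirection" in name.lower() or data == "1"


def run_detection(events: list, now: datetime) -> list:
    """Return the events that would appear in the query's result set."""
    return [e for e in events if matches(e, now)]


NOW = datetime(2025, 8, 27, tzinfo=timezone.utc)
# Constructed sample telemetry (not real events) covering hit and miss cases.
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=2), "ActionType": "RegistryValueSet",
     "RegistryKey": EVENT_VIEWER_KEY, "RegistryValueName": "MicrosoftRedirectionProgram",
     "RegistryValueData": r"C:\Users\Public\updater.exe", "DeviceName": "ws01"},
    {"TimeGenerated": NOW - timedelta(days=10), "ActionType": "RegistryValueSet",
     "RegistryKey": EVENT_VIEWER_KEY, "RegistryValueName": "ConfirmUrl",
     "RegistryValueData": "1", "DeviceName": "ws01"},
    {"TimeGenerated": NOW - timedelta(days=120), "ActionType": "RegistryValueSet",  # outside 90d
     "RegistryKey": EVENT_VIEWER_KEY, "RegistryValueName": "MicrosoftRedirectionProgram",
     "RegistryValueData": "notepad.exe", "DeviceName": "ws02"},
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "RegistryValueDeleted",  # wrong action
     "RegistryKey": EVENT_VIEWER_KEY, "RegistryValueName": "ConfirmUrl",
     "RegistryValueData": "1", "DeviceName": "ws03"},
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "RegistryValueSet",  # other key
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "OneDrive", "RegistryValueData": "1", "DeviceName": "ws03"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, NOW):
        print(hit["DeviceName"], hit["RegistryValueName"], hit["RegistryValueData"])
```

Only the first two constructed events survive the filters; the other three show how the time window, action type and key clauses each drop noise before the value check runs.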

Jay Kerai
Released: August 27, 2025