Query Details

Zscaler Registry Tampering Detection

Query

// This query detects tampering of Zscaler registry keys for Start and State values
// Note: in KQL, == on strings is case-sensitive while contains is case-insensitive
DeviceRegistryEvents
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\ZSAService" or RegistryKey contains @"SOFTWARE\ZScaler\App"
| where RegistryValueName == "Start" or RegistryValueName contains "State"
// Start: 3 = Manual, 4 = Disabled; "OFF" and "None" cover the App state values
| where RegistryValueData == "4" or RegistryValueData == "3" or RegistryValueData == "OFF" or RegistryValueData contains "None"

Explanation

This query identifies changes made to specific Zscaler-related registry keys on a device. It focuses on two locations: the ZSAService service key and any key under the ZScaler App software path. It then checks whether the registry values named "Start", or any value whose name contains "State", have been set to one of a small set of values: "3" (Start = Manual, so the service no longer starts at boot), "4" (Start = Disabled), "OFF", or anything containing "None". Essentially, the query looks for signs that the Zscaler service settings have been tampered with in a way that changes how the service starts or operates.
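As an added example, not part of the original query page or of Zscaler's own tooling, the following Python re-implements the three where clauses of the query and runs them over a few constructed DeviceRegistryEvents rows. It reproduces KQL semantics that matter for this detection: == is an exact, case-sensitive comparison, while contains is a case-insensitive substring match. The device names and the "AgentState" value name in the sample rows are constructed for illustration.

```python
"""Python equivalent of the Zscaler registry-tampering KQL query, applied to
constructed DeviceRegistryEvents rows. Added example; not from the original page."""

from dataclasses import dataclass

# Windows service start types as stored in a service key's Start value.
START_TYPE = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Key and path fragment taken directly from the query.
ZSA_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZSAService"
ZSCALER_APP_FRAGMENT = r"SOFTWARE\ZScaler\App"


@dataclass(frozen=True)
class RegistryEvent:
    """Subset of DeviceRegistryEvents columns the query uses."""
    device_name: str
    action_type: str
    registry_key: str
    value_name: str
    value_data: str


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def is_tampering(ev: RegistryEvent) -> bool:
    """Mirror the query's three `where` clauses.
    KQL `==` on strings is case-sensitive, so exact comparison is kept here."""
    key_match = (ev.registry_key == ZSA_SERVICE_KEY
                 or kql_contains(ev.registry_key, ZSCALER_APP_FRAGMENT))
    name_match = (ev.value_name == "Start"
                  or kql_contains(ev.value_name, "State"))
    data_match = (ev.value_data in ("3", "4", "OFF")
                  or kql_contains(ev.value_data, "None"))
    return key_match and name_match and data_match


def find_tampering(events):
    """Return the rows the KQL query would emit, in input order."""
    return [ev for ev in events if is_tampering(ev)]


def describe(ev: RegistryEvent) -> str:
    """One alert line per hit, decoding the Start value where possible."""
    if ev.value_name == "Start":
        shown = START_TYPE.get(ev.value_data, ev.value_data)
    else:
        shown = ev.value_data
    return f"{ev.device_name}: {ev.value_name} set to {shown} under {ev.registry_key}"


# Constructed sample rows (device names and the AgentState value name are made up).
SAMPLE_EVENTS = [
    # Service disabled: should alert.
    RegistryEvent("ws01", "RegistryValueSet", ZSA_SERVICE_KEY, "Start", "4"),
    # Service set back to Automatic: benign, no alert.
    RegistryEvent("ws02", "RegistryValueSet", ZSA_SERVICE_KEY, "Start", "2"),
    # App key written in different case; `contains` still matches: should alert.
    RegistryEvent("ws03", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Zscaler\App", "AgentState", "OFF"),
    # "None" inside the data: should alert.
    RegistryEvent("ws04", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Zscaler\App", "AgentState", "None"),
    # Unrelated service disabled: not in scope for this query.
    RegistryEvent("ws05", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler", "Start", "4"),
]


if __name__ == "__main__":
    for hit in find_tampering(SAMPLE_EVENTS):
        print(describe(hit))
```

The ws03 row is the one worth noticing: the key is written as "Zscaler" rather than "ZScaler", and it still matches because contains ignores case, whereas the ZSAService key is compared with == and would be missed if it were logged in a different case.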

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents, Zscaler, Services, Software

Operators

DeviceRegistryEvents, |, where, ==, or, contains