
Suspicious Registry Modifications

This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers.

Tags: EDR, hunting, T1112, T1547.001
Data source: FDR. Level: intermediate. By ByteRay GmbH (cql-hub.com). 1 min read.

Query

#event_simpleName=RegGenericValue 
| RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i
| RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i
| join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
| table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])

Explanation

Imported from cql-hub.com. Add the pipe-by-pipe explanation here.
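To make the query's stages concrete, the following is an added example (not code from cql-hub.com or ByteRay GmbH) that replays the same logic in Python over a handful of constructed events: the first pipe selects RegGenericValue events, the regex on RegObjectName keeps writes under the Run, RunOnce, Winlogon, AppInit_DLLs and Image File Execution Options keys (the doubled backslash in the CQL regex is a literal backslash, so the key name must follow a path separator), the negated regex drops the common benign autorun value names, and join() pulls UserName from UserIdentity events on AuthenticationID. The sample events, host ids and user names are invented; the example assumes join() behaves as an inner join, so matching registry events with no UserIdentity row for their AuthenticationID are dropped, which is the behaviour a practitioner should double-check before relying on this query for coverage.

```python
import re

# Same patterns as the CQL query. The first one requires a literal backslash
# before the key name, so "Run" matches "...\CurrentVersion\Run" but not "Runtime".
KEY_RE = re.compile(
    r"\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)", re.IGNORECASE
)
# Value names excluded by the query as routine benign autorun entries.
EXCLUDE_VALUE_RE = re.compile(r"^(ctfmon|SecurityHealth|OneDrive)$", re.IGNORECASE)

# Constructed sample telemetry (hypothetical hosts, users and paths, not real data).
SAMPLE_EVENTS = [
    {"#event_simpleName": "UserIdentity", "AuthenticationID": "0x3e7", "UserName": "SYSTEM"},
    {"#event_simpleName": "UserIdentity", "AuthenticationID": "0x2a5f1", "UserName": "alice"},
    # Autorun value written by an interactive user: should be reported.
    {"#event_simpleName": "RegGenericValue", "aid": "host-01", "AuthenticationID": "0x2a5f1",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegValueName": "Updater", "RegStringValue": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\System32\reg.exe"},
    # Same key, but a value name on the exclusion list: should be dropped.
    {"#event_simpleName": "RegGenericValue", "aid": "host-01", "AuthenticationID": "0x2a5f1",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegValueName": "OneDrive", "RegStringValue": r"C:\Program Files\OneDrive\OneDrive.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Program Files\OneDrive\OneDrive.exe"},
    # Unrelated key: the key regex does not match.
    {"#event_simpleName": "RegGenericValue", "aid": "host-01", "AuthenticationID": "0x2a5f1",
     "RegObjectName": r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "RegValueName": "Hidden", "RegStringValue": "1",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\explorer.exe"},
    # IFEO key written under SYSTEM: matched case-insensitively, joined to SYSTEM.
    {"#event_simpleName": "RegGenericValue", "aid": "host-02", "AuthenticationID": "0x3e7",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMAGE FILE EXECUTION OPTIONS\notepad.exe",
     "RegValueName": "Debugger", "RegStringValue": r"C:\Windows\Temp\dbg.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe"},
    # Matching key, but no UserIdentity event for this AuthenticationID: lost by the join.
    {"#event_simpleName": "RegGenericValue", "aid": "host-03", "AuthenticationID": "0x999",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "RegValueName": "Shell", "RegStringValue": "explorer.exe,evil.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\regedit.exe"},
]

OUTPUT_FIELDS = ["aid", "UserName", "RegObjectName", "RegValueName",
                 "RegStringValue", "ProcessImageFileName"]


def hunt(events):
    """Replay the CQL pipeline: filter, exclude, inner-join on AuthenticationID, project."""
    # Equivalent of the join() subquery: AuthenticationID -> UserName lookup.
    identities = {
        e["AuthenticationID"]: e["UserName"]
        for e in events if e.get("#event_simpleName") == "UserIdentity"
    }
    rows = []
    for e in events:
        if e.get("#event_simpleName") != "RegGenericValue":
            continue
        if not KEY_RE.search(e.get("RegObjectName", "")):
            continue
        if EXCLUDE_VALUE_RE.match(e.get("RegValueName", "")):
            continue
        user = identities.get(e.get("AuthenticationID"))
        if user is None:
            continue  # assumption: join() is an inner join, unmatched events are dropped
        row = dict(e)
        row["UserName"] = user
        rows.append({k: row.get(k) for k in OUTPUT_FIELDS})  # table([...]) projection
    return rows


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

The dropped Winlogon event is the point to notice when tuning: if UserIdentity events are sampled, aged out, or simply missing for a logon session, an inner join silently hides a true positive, so consider how the join mode and time window are set before treating an empty result as clean.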

Variables to adjust

Review and adjust the values to match your environment.