Adversaries may write command interpreters (powershell.exe, cmd.exe) into Windows registry values, typically in autostart locations, to execute arbitrary code or to maintain persistence. SOC teams can hunt for this proactively in Azure Sentinel (now Microsoft Sentinel) using the DeviceRegistryEvents table, surfacing persistence mechanisms and command and control (C2) staging before the implant is used.
KQL Query
DeviceRegistryEvents
// Hunt over the last 30 days (time filter first, so the rest of the pipeline touches less data)
| where Timestamp > ago(30d)
// Drop writes initiated by OneDriveSetup.exe, a known noise source for this hunt
| where InitiatingProcessVersionInfoInternalFileName != @"OneDriveSetup.exe"
// Keep value-set and key-created actions. RegistryKeyCreated rows carry no RegistryValueData,
// so in practice only RegistryValueSet rows survive the value filter below.
| where ActionType in ('RegistryValueSet', 'RegistryKeyCreated')
// has_any matches whole terms: 'cmd' matches 'cmd.exe' and 'cmd' but not 'mycmd.exe';
// 'powershell' matches 'powershell.exe' but not pwsh.exe (PowerShell 7), which this hunt does not cover.
| where RegistryValueData has_any ('powershell', 'cmd')
// Columns needed to triage the write and the process that made it
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
id: 74dd8aa9-996b-44b1-bf36-9ac9ef6d2c02
name: suspicious-command-interpreters-added-to-registry
description: |
  Looks for suspicious additions of command interpreters (powershell, cmd) to the Windows registry.
Author: Jouni Mikkola
References:
  - https://threathunt.blog/registry-hunts/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1112
query: |
  DeviceRegistryEvents
  // Hunt over the last 30 days (time filter first, so the rest of the pipeline touches less data)
  | where Timestamp > ago(30d)
  // Drop writes initiated by OneDriveSetup.exe, a known noise source for this hunt
  | where InitiatingProcessVersionInfoInternalFileName != @"OneDriveSetup.exe"
  // Keep value-set and key-created actions. RegistryKeyCreated rows carry no RegistryValueData,
  // so in practice only RegistryValueSet rows survive the value filter below.
  | where ActionType in ('RegistryValueSet', 'RegistryKeyCreated')
  // has_any matches whole terms: 'cmd' matches 'cmd.exe' and 'cmd' but not 'mycmd.exe';
  // 'powershell' matches 'powershell.exe' but not pwsh.exe (PowerShell 7), which this hunt does not cover.
  | where RegistryValueData has_any ('powershell', 'cmd')
  // Columns needed to triage the write and the process that made it
  | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector is enabled and streaming this table |
Each exclusion below is written against columns the query already projects, so it can be appended to the query as one more `| where` line. Keep exclusions as narrow as possible: excluding every powershell.exe process, or every account whose name contains "Administrator", suppresses exactly the activity this hunt exists to find.
Scenario: Scheduled Task Creation via Task Scheduler
Description: An administrator registers a scheduled task whose action is a command interpreter. The task definition is written under the TaskCache keys by the Task Scheduler service (running in svchost.exe), not by schtasks.exe, so an exclusion on the initiating process name does not catch it; exclude on the key path instead.
Filter/Exclusion: `| where RegistryKey !contains @"\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\"`
Scenario: PowerShell Script Execution with Registry Persistence
Description: An approved PowerShell script registers a command interpreter to run at system startup.
Filter/Exclusion: Exclude that one script by its path, never powershell.exe as a whole, e.g. `| where InitiatingProcessCommandLine !contains @"C:\Scripts\startup-config.ps1"` (placeholder path; substitute the approved script's real location). A filter on `-Command` would also exclude most interactive and malicious PowerShell use.
Scenario: Windows Service Installation
Description: An administrator installs a Windows service whose ImagePath references a command interpreter. Service creation through sc.exe or InstallUtil.exe goes via the Service Control Manager, so the registry write is attributed to services.exe rather than to the installer tool; excluding sc.exe or installutil.exe as the initiating process therefore does not suppress these events.
Filter/Exclusion: Scope the exclusion to the specific service key, e.g. `| where RegistryKey !contains @"\Services\ApprovedSvc"` (placeholder service name).
Scenario: User-Initiated Registry Edit via Registry Editor
Description: An administrator manually configures a command interpreter for a legitimate application using regedit.exe.
Filter/Exclusion: `| where InitiatingProcessFileName !~ "regedit.exe"`, and only as a temporary exclusion tied to a known change window, since adversaries use regedit.exe and reg.exe interactively as well. Do not exclude on InitiatingProcessAccountName containing "Administrator": privileged accounts are precisely where this activity matters.
Scenario: Antivirus or Endpoint Protection Configuration
Description: A security product writes a command interpreter to the registry as part of its own configuration, to run scripts or commands.
Filter/Exclusion: `| where InitiatingProcessFileName !in~ ("avast.exe", "mcafee.exe")`, with the actual binaries of the deployed product substituted; tighten it further by also requiring InitiatingProcessFolderPath to be the product's install directory, so a renamed binary elsewhere does not inherit the exclusion.
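The hunt's matching logic, together with the key-path and process exclusions from the scenarios above, re-implemented in Python and run over constructed DeviceRegistryEvents-style rows so the term-matching and exclusion behaviour can be checked offline. This is an added example, not code from the page, from the rule author or from Microsoft, and it does not talk to Sentinel. The `has_any` helper approximates KQL term matching (an assumption, good enough for tuning), the sample rows use placeholder hostnames, accounts, paths and value data, and the OneDrive exclusion is keyed on InitiatingProcessFileName instead of InitiatingProcessVersionInfoInternalFileName for brevity.

```python
"""Added example: the registry hunt's filtering logic re-implemented in Python
over constructed DeviceRegistryEvents-style rows. Not Sentinel code."""
import re
from dataclasses import dataclass


@dataclass
class RegistryEvent:
    """The DeviceRegistryEvents columns the query projects (a subset of the real table)."""
    Timestamp: str
    DeviceName: str
    ActionType: str
    RegistryKey: str
    RegistryValueName: str
    RegistryValueData: str
    InitiatingProcessAccountName: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    InitiatingProcessParentFileName: str


_TERM = re.compile(r"[A-Za-z0-9]+")


def has_any(text: str, needles) -> bool:
    """Approximation (assumption) of KQL has_any: case-insensitive whole-term match.
    'cmd' matches 'cmd.exe /c x' but not 'mycmd.exe'; 'powershell' matches
    'powershell.exe' but not 'pwsh.exe'."""
    terms = {t.lower() for t in _TERM.findall(text)}
    return any(n.lower() in terms for n in needles)


INTERPRETER_TERMS = ("powershell", "cmd")
# Process-name exclusions (OneDriveSetup from the query, regedit from the scenarios).
# Simplification: keyed on InitiatingProcessFileName, not the VersionInfo internal name.
EXCLUDED_INITIATORS = frozenset({"onedrivesetup.exe", "regedit.exe"})
# Key-path exclusions: scheduled-task definitions are written by the Task Scheduler
# service, so they are excluded by path rather than by initiating process.
EXCLUDED_KEY_FRAGMENTS = ("\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\",)


def is_suspicious(ev: RegistryEvent) -> bool:
    """Mirrors the KQL where-clauses plus the scenario exclusions."""
    if ev.ActionType not in ("RegistryValueSet", "RegistryKeyCreated"):
        return False
    if ev.InitiatingProcessFileName.lower() in EXCLUDED_INITIATORS:
        return False
    key = ev.RegistryKey.lower()
    if any(frag in key for frag in EXCLUDED_KEY_FRAGMENTS):
        return False
    # RegistryKeyCreated rows have empty RegistryValueData, so only value writes survive.
    return has_any(ev.RegistryValueData, INTERPRETER_TERMS)


def hunt(events):
    """Return the rows the hunt would surface."""
    return [ev for ev in events if is_suspicious(ev)]


def _row(action, key, name, data, proc, cmdline, parent, account="CORP\\jdoe"):
    # Constructed sample row: fixed timestamp and hostname, placeholder account.
    return RegistryEvent("2024-05-01T10:00:00Z", "WS-0042", action, key, name, data,
                         account, proc, cmdline, parent)


RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
TASK_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            "\\Schedule\\TaskCache\\Tree\\Cleanup")
SVC_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UpdSvc"

SAMPLE_EVENTS = [  # constructed rows, not real telemetry
    # Run-key persistence via reg.exe from a cmd.exe parent: the true positive.
    _row("RegistryValueSet", RUN_KEY, "Updater",
         "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\u.ps1",
         "reg.exe", "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
         "/v Updater /d \"powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\u.ps1\"",
         "cmd.exe"),
    # Same key, but the initiating process is the excluded OneDrive installer.
    _row("RegistryValueSet", RUN_KEY, "OneDrive", "cmd /c start OneDrive.exe",
         "OneDriveSetup.exe", "OneDriveSetup.exe /silent", "explorer.exe"),
    # Key creation carries no value data, so it can never match the interpreter terms.
    _row("RegistryKeyCreated", RUN_KEY + "\\Staging", "", "",
         "reg.exe", "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Staging",
         "cmd.exe"),
    # Scheduled task: written by the Task Scheduler service, suppressed by key path.
    _row("RegistryValueSet", TASK_KEY, "Actions", "cmd.exe /c C:\\Scripts\\cleanup.bat",
         "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", "services.exe", "SYSTEM"),
    # Service install: sc.exe asked the SCM, but services.exe made the write, so an
    # exclusion on sc.exe would not have suppressed this row. Surfaced for review.
    _row("RegistryValueSet", SVC_KEY, "ImagePath", "cmd.exe /c C:\\ProgramData\\svc.bat",
         "services.exe", "C:\\Windows\\system32\\services.exe", "wininit.exe", "SYSTEM"),
    # Whole-term semantics: 'mycmd' is not the term 'cmd'.
    _row("RegistryValueSet", RUN_KEY, "Tool", "C:\\Tools\\mycmd.exe",
         "explorer.exe", "explorer.exe", "userinit.exe"),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev.Timestamp, ev.DeviceName, ev.RegistryKey, ev.RegistryValueName,
              ev.RegistryValueData, ev.InitiatingProcessFileName, sep=" | ")
```

Running it surfaces two rows, the Run-key write and the service ImagePath write, and drops the rest: the OneDrive installer by process name, the scheduled task by key path, the key creation because it has no value data, and the `mycmd.exe` value because `has_any` matches terms rather than substrings. The services.exe row is the one to note when tuning: the installer tool you might be tempted to exclude is not the process the registry event is attributed to.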