Adversaries may use registry modifications to persist across reboots by embedding malicious payloads or command execution triggers. SOC teams should proactively hunt for suspicious registry keyword additions in Azure Sentinel to identify potential persistence mechanisms and early-stage compromise indicators.
KQL Query
```kusto
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType has_any ('RegistryValueSet','RegistryKeyCreated')
| where RegistryValueData has_any('xor','new-item','invoke-expression','iex','sleep','invoke-','System.Net.HttpWebRequest','webclient','iwr','curl') // Look for common obfuscation techniques or commands used in malicious scripts
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName // Project relevant fields for analysis
```
```yaml
id: 749f313e-08b4-48f6-9f9d-ba57c1abbf55
name: suspicious-keywords-in-registry
description: |
  Looks for suspicious keyword additions to the Windows registry.
Author: Jouni Mikkola
References:
  - https://threathunt.blog/registry-hunts/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Defense evasion
relevantTechniques:
  - T1112
query: |
  DeviceRegistryEvents
  | where Timestamp > ago(30d)
  | where ActionType has_any ('RegistryValueSet','RegistryKeyCreated')
  | where RegistryValueData has_any('xor','new-item','invoke-expression','iex','sleep','invoke-','System.Net.HttpWebRequest','webclient','iwr','curl') // Look for common obfuscation techniques or commands used in malicious scripts
  | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName // Project relevant fields for analysis
```
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
- Description: A legitimate scheduled task runs a script that modifies the registry to update system settings or perform maintenance.
- Filter/Exclusion: Exclude registry modifications made by tasks with TaskName containing "Maintenance" or "Update" and originating from C:\Windows\System32\task scheduler.

Scenario: Software Installation via Group Policy
- Description: A Group Policy Object (GPO) deploys software that adds registry entries for configuration purposes.
- Filter/Exclusion: Exclude registry changes made by processes with CommandLine containing gpupdate or GroupPolicy.

Scenario: Antivirus or Endpoint Protection Configuration
- Description: Antivirus or endpoint protection software adds registry keys to configure scan paths or update locations.
- Filter/Exclusion: Exclude registry modifications made by processes with ProcessName like mpcmdrun.exe, mcafee.exe, or avgnt.exe.

Scenario: User-Initiated Registry Edit via Registry Editor
- Description: A user manually edits the registry using regedit.exe to configure system settings or applications.
- Filter/Exclusion: Exclude registry changes made by ProcessName equal to regedit.exe or reg.exe and with User matching known administrators.

Scenario: System Restore Point Creation
- Description: Creating a system restore point can result in registry modifications to track restore points.
- Filter/Exclusion: Exclude registry changes made by ProcessName equal to sr.msc or SystemRestore.exe.
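The hunt above with the five false-positive scenarios folded in as exclusions, as an added tuning example that is not part of the original rule. The scenarios' ProcessName, User and CommandLine are mapped onto the table's own InitiatingProcessFileName, InitiatingProcessAccountName and InitiatingProcessCommandLine columns; the administrator list is a placeholder to fill in, and because DeviceRegistryEvents carries no TaskName, the maintenance-task scenario is approximated (an assumption) by a task-scheduler parent (svchost.exe) plus a command line naming a Maintenance or Update task.

```kusto
// Added tuning example (not the original rule). Assumed mappings and placeholders are marked below.
let lookback = 30d;
let suspicious_terms = dynamic(['xor','new-item','invoke-expression','iex','sleep','invoke-','System.Net.HttpWebRequest','webclient','iwr','curl']);
// PLACEHOLDER: replace with the account names of your known administrators
let known_admins = dynamic(['ADMIN_ACCOUNT_PLACEHOLDER_1','ADMIN_ACCOUNT_PLACEHOLDER_2']);
let av_processes = dynamic(['mpcmdrun.exe','mcafee.exe','avgnt.exe']);
let restore_processes = dynamic(['sr.msc','SystemRestore.exe']);
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType has_any ('RegistryValueSet','RegistryKeyCreated')
| where RegistryValueData has_any (suspicious_terms)
// Scenario 1 (assumed mapping): maintenance tasks launched by the task scheduler service
| where not(InitiatingProcessParentFileName =~ 'svchost.exe'
            and InitiatingProcessCommandLine has_any ('Maintenance','Update'))
// Scenario 2: software deployed via Group Policy
| where not(InitiatingProcessCommandLine has_any ('gpupdate','GroupPolicy'))
// Scenario 3: antivirus / endpoint protection configuration
| where not(InitiatingProcessFileName in~ (av_processes))
// Scenario 4: manual edits by known administrators through regedit.exe or reg.exe
| where not(InitiatingProcessFileName in~ ('regedit.exe','reg.exe')
            and InitiatingProcessAccountName in~ (known_admins))
// Scenario 5: system restore point creation
| where not(InitiatingProcessFileName in~ (restore_processes))
// Rank what remains by prevalence: rare process/account/value-name combinations surface first
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = dcount(DeviceName),
            SampleKey = take_any(RegistryKey),
            SampleData = take_any(RegistryValueData)
          by InitiatingProcessFileName, InitiatingProcessAccountName, RegistryValueName
| order by Hits asc
```

Drop the trailing summarize and restore the original project line when you need the per-event rows for triage.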