The Suspicious Registry Keys rule detects potential adversary behavior involving the modification or creation of registry keys associated with ZLoader malware delivery, which could indicate a compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware infections that may evade traditional detection methods.
KQL Query

```kql
DeviceRegistryEvents
| where RegistryValueData in('Flyintellect Inc.', 'Datalyst ou')
```
```yaml
id: fab0fc37-d74a-43b6-9f13-d517b9cbcb14
name: Suspicious Registry Keys
description: |
  ZLoader was delivered in a campaign in late summer 2021 using malvertising to download malicious .msi files onto affected machines. This campaign was originally tweeted by @MsftSecIntel on Twitter.
  In this campaign, the malicious .msi files create registry keys that use the attacker-created company names.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Persistence
query: |
  DeviceRegistryEvents
  | where RegistryValueData in('Flyintellect Inc.', 'Datalyst ou')
```
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that modifies registry keys commonly associated with malware (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
Filter/Exclusion: Check the task origin using Task Scheduler and exclude tasks with names containing “System Maintenance” or “Windows Update”.
Scenario: Microsoft Endpoint Configuration Manager (MECM) Deployment
Description: A configuration baseline or software deployment via MECM modifies registry keys to enforce security policies or install updates.
Filter/Exclusion: Filter by registry key paths common in MECM deployments (e.g., HKLM\Software\Policies\Microsoft\Windows), and exclude entries with Microsoft Endpoint Configuration Manager in the registry value.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring (e.g., by tools like SolarWinds Server & Application Monitor) writes to registry keys for persistent monitoring.
Filter/Exclusion: Exclude registry modifications made by scripts with powershell.exe and containing keywords like “monitor”, “log”, or “audit”.
Scenario: Admin Task for Software Installation
Description: An admin task (e.g., using Group Policy Preferences) modifies registry keys to install or configure enterprise software (e.g., Microsoft Intune, Microsoft 365).
Filter/Exclusion: Filter by registry key paths associated with enterprise software and exclude entries where the registry value contains “Intune”, “Microsoft 365”, or “Group Policy”.
Scenario: Malware Analysis Lab Environment
Description: A sandboxed environment (e.g., Cuckoo Sandbox, FireEye Sandbox) is used to analyze suspicious files, and registry keys are modified as part of the analysis process.
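The following hunting query is an added example, not part of the original rule or the Sentinel content it reproduces. It serves two purposes: it extends the rule's one-line match with the triage context an analyst needs (which key was written, by which process, under which account), and it folds in the exclusions from the false positive scenarios above where they can actually be expressed against DeviceRegistryEvents. Column names are the standard DeviceRegistryEvents schema; the HKEY_LOCAL_MACHINE spelling of the MECM policy path and the 30-day lookback are assumptions.

```kql
// Added hunting example (not the original rule). Assumptions: RegistryKey is
// reported with the full hive name (HKEY_LOCAL_MACHINE\...), and the 30-day
// window is an arbitrary hunting horizon.
let ZloaderCompanyNames = dynamic(["Flyintellect Inc.", "Datalyst ou"]);
DeviceRegistryEvents
| where Timestamp > ago(30d)
// in~ is the case-insensitive form of in; the rule's in() would miss the
// same company name written with different casing.
| where RegistryValueData in~ (ZloaderCompanyNames)
// Scenario 2 (MECM): policy deployments write under the Policies path.
| where not(RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows")
// Scenario 3 (monitoring scripts): powershell.exe whose command line
// carries the keywords named on the page.
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessCommandLine has_any ("monitor", "log", "audit"))
// Scenarios 1 and 4 (maintenance tasks, enterprise software installs): the
// names are checked in the initiating command line, because the value-data
// match above is already an exact company-name match and cannot carry them.
| where not(InitiatingProcessCommandLine contains "System Maintenance"
            or InitiatingProcessCommandLine contains "Windows Update"
            or InitiatingProcessCommandLine contains "Intune"
            or InitiatingProcessCommandLine contains "Microsoft 365"
            or InitiatingProcessCommandLine contains "Group Policy")
// The campaign wrote these keys from malicious .msi installers, so flag
// writes initiated by msiexec.exe for priority triage.
| extend MsiInstallerWrite = InitiatingProcessFileName =~ "msiexec.exe"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessAccountName, MsiInstallerWrite
| sort by Timestamp desc
```

Two caveats on the exclusions. First, they key off substrings in a command line, which any process can carry, so they are better used to order triage in a hunting query than as hard suppressions inside the analytic rule itself. Second, scenario 4's suggestion to exclude on registry value contents never applies here: the rule already requires the value data to equal one of the two company names, so an entry containing "Intune" or "Group Policy" would not have matched in the first place. The MECM path exclusion and the msiexec.exe flag are the two filters that genuinely narrow the result set.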