crowdstrike_cqlHunting

Suspicious Registry Modifications

This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers.

This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications:

1. **Event Filtering**: `#event_simpleName=RegGenericValue` - Searches for registry value modification events
2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i` - Focuses on common persistence and execution registry locations
3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i` - Filters out known legitimate applications
4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information
5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])` - Displays registry path, value, and modifying process

MITRE ATT&CK

defense-evasion, persistence, privilege-escalation

Detection Query

#event_simpleName=RegGenericValue 
| RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i
| RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i
| join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
| table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])
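To make the behaviour of each stage concrete, the following Python model re-implements the query's five steps over constructed sample events. It is an added example, not part of the ByteRay GmbH query or the crowdstrike_cqlHunting repository: the field names follow the query, while the `aid`, `AuthenticationID`, path and user values are made up, and the `join()` is modelled as an inner join keyed on `AuthenticationID`, which is the field the query joins on.

```python
"""Offline model of the 'Suspicious Registry Modifications' CQL hunt.

Added example (not the ByteRay GmbH query itself): the filter, exclusion and
join steps are re-implemented in plain Python so their matching behaviour can
be exercised against constructed RegGenericValue / UserIdentity events.
"""
import re

# Same patterns as the CQL query. Python re syntax is identical here:
# `\\` matches one literal backslash and IGNORECASE stands in for the /.../i flag.
HIGH_RISK_KEY = re.compile(
    r"\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)", re.IGNORECASE
)
LEGIT_VALUE = re.compile(r"^(ctfmon|SecurityHealth|OneDrive)$", re.IGNORECASE)

# Columns of the query's table([...]) step.
OUTPUT_FIELDS = ["aid", "UserName", "RegObjectName", "RegValueName",
                 "RegStringValue", "ProcessImageFileName"]

# Constructed sample events: field names follow the query, values are invented.
REG_EVENTS = [
    # Known-legitimate value name under Run -> dropped by the exclusion step.
    {"#event_simpleName": "RegGenericValue", "aid": "aid-1", "AuthenticationID": "0x3e7",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegValueName": "SecurityHealth",
     "RegStringValue": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\explorer.exe"},
    # Per-user Run key written by reg.exe -> kept.
    {"#event_simpleName": "RegGenericValue", "aid": "aid-1", "AuthenticationID": "0x5a2f1",
     "RegObjectName": r"\REGISTRY\USER\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegValueName": "Updater", "RegStringValue": r"C:\Users\Public\updater.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\System32\reg.exe"},
    # Winlogon Shell value -> kept.
    {"#event_simpleName": "RegGenericValue", "aid": "aid-2", "AuthenticationID": "0x3e7",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "RegValueName": "Shell", "RegStringValue": "explorer.exe, C:\\Temp\\shell.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\System32\reg.exe"},
    # Unrelated application key -> not a high-risk key, dropped.
    {"#event_simpleName": "RegGenericValue", "aid": "aid-2", "AuthenticationID": "0x3e7",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Vendor\App\Settings",
     "RegValueName": "Theme", "RegStringValue": "dark",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Program Files\Vendor\app.exe"},
    # The key pattern is unanchored on the right, so \RunOnceEx matches too;
    # this row has no UserIdentity event, so the inner join drops it.
    {"#event_simpleName": "RegGenericValue", "aid": "aid-3", "AuthenticationID": "0x7b301",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001",
     "RegValueName": "Stage", "RegStringValue": r"C:\ProgramData\stage.exe",
     "ProcessImageFileName": r"\Device\HarddiskVolume3\Windows\System32\cmd.exe"},
]

USER_EVENTS = [
    {"#event_simpleName": "UserIdentity", "aid": "aid-1", "AuthenticationID": "0x3e7", "UserName": "SYSTEM"},
    {"#event_simpleName": "UserIdentity", "aid": "aid-1", "AuthenticationID": "0x5a2f1", "UserName": "jdoe"},
    {"#event_simpleName": "UserIdentity", "aid": "aid-2", "AuthenticationID": "0x3e7", "UserName": "SYSTEM"},
    # deliberately no UserIdentity event for AuthenticationID 0x7b301
]


def hunt(reg_events, user_events):
    """Return the rows the CQL query would emit for the given events."""
    # Step 4 lookup table: the query keys the join on AuthenticationID alone.
    users = {e["AuthenticationID"]: e["UserName"]
             for e in user_events if e.get("#event_simpleName") == "UserIdentity"}
    rows = []
    for e in reg_events:
        if e.get("#event_simpleName") != "RegGenericValue":        # step 1
            continue
        if not HIGH_RISK_KEY.search(e.get("RegObjectName", "")):   # step 2
            continue
        if LEGIT_VALUE.search(e.get("RegValueName", "")):          # step 3
            continue
        if e.get("AuthenticationID") not in users:                 # step 4 (inner join)
            continue
        enriched = dict(e, UserName=users[e["AuthenticationID"]])
        rows.append({f: enriched.get(f, "") for f in OUTPUT_FIELDS})  # step 5
    return rows


if __name__ == "__main__":
    for row in hunt(REG_EVENTS, USER_EVENTS):
        print(" | ".join(f"{k}={row[k]}" for k in OUTPUT_FIELDS))
```

Two properties of the query show up in the sample output. The key pattern has no right-hand anchor, so any key whose name begins with one of the listed tokens (such as `RunOnceEx`) also matches, while the value-name exclusion is anchored with `^...$` and therefore only drops exact names. And because `join()` defaults to an inner join, a registry modification whose `UserIdentity` event is not in the search window disappears from the results rather than appearing with an empty `UserName`; LogScale's `join()` accepts `mode=left` if you would rather keep such rows.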

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windows, linux

Tags

Hunting, cs_module:Insight, cs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Suspicious Registry Modifications

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1112
  - T1547.001

# Description of what the query does and its purpose.
description: This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
tags:
  - Hunting

cs_required_modules: 
  - Insight
  - Identity

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=RegGenericValue 
  | RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i
  | RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i
  | join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
  | table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications:

  1. **Event Filtering**: `#event_simpleName=RegGenericValue`
     - Searches for registry value modification events

  2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i`
     - Focuses on common persistence and execution registry locations

  3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i`
     - Filters out known legitimate applications

  4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])`
     - Enriches results with username information

  5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])`
     - Displays registry path, value, and modifying process