← Back to Explore
kqlHunting
Zscaler Registry Tampering Detection
This query detects tampering of Zscaler registry keys for Start and State values
Detection Query
//This query detects tampering of Zscaler registry keys for Start and State values
DeviceRegistryEvents
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\ZSAService" or RegistryKey contains @"SOFTWARE\ZScaler\App"
| where RegistryValueName == "Start" or RegistryValueName contains "State"
| where RegistryValueData == "4" or RegistryValueData == "3" or RegistryValueData == "OFF" or RegistryValueData contains "None"//3 = Manual , 4 = DisabledData Sources
DeviceRegistryEvents
Platforms
windows
Tags
defender
Raw Content
//This query detects tampering of Zscaler registry keys for Start and State values
DeviceRegistryEvents
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\ZSAService" or RegistryKey contains @"SOFTWARE\ZScaler\App"
| where RegistryValueName == "Start" or RegistryValueName contains "State"
| where RegistryValueData == "4" or RegistryValueData == "3" or RegistryValueData == "OFF" or RegistryValueData contains "None"//3 = Manual , 4 = Disabled