kqlHunting
Safeboot Registry Modification Detection
This query detects modifications to safeboot registry keys
Detection Query
//This query detects modifications to safeboot registry keys
//Often used by attackers to prevent safeboot execution of security products
DeviceRegistryEvents
| where TimeGenerated > ago(7d)
| where ActionType in ("RegistryKeyCreated", "RegistryKeyModified")
| where RegistryKey has @"SYSTEM\CurrentControlSet\Control\SafeBoot"
| project TimeGenerated, Customer, DeviceName, InitiatingProcessAccountName,
InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, InitiatingProcessFolderPath,
ActionType, RegistryKey, RegistryValueName
Data Sources
DeviceRegistryEvents
Platforms
windows
Tags
defender
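As an added example (not code from the kqlHunting page), the query's three filters re-implemented in Python and run over constructed DeviceRegistryEvents rows, which makes the coverage edge cases visible: the term matching only approximates KQL `has`, and the row shapes, device names and timestamps are assumptions.

```python
# Added example (not from the kqlHunting page): the SafeBoot query's filters
# re-implemented in Python over constructed DeviceRegistryEvents rows.
from datetime import datetime, timedelta, timezone
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
ACTION_TYPES = {"RegistryKeyCreated", "RegistryKeyModified"}  # as in the query
LOOKBACK = timedelta(days=7)                                   # ago(7d)

def _terms(text: str) -> list[str]:
    """Lower-case terms split on non-alphanumerics; approximates KQL term indexing."""
    terms, cur = [], ""
    for ch in text.lower() + " ":
        if ch.isalnum():
            cur += ch
        elif cur:
            terms.append(cur)
            cur = ""
    return terms

def kql_has(haystack: str, needle: str) -> bool:
    """Approximate KQL `has`: needle's terms occur as a contiguous run of whole
    terms, case-insensitively (HKLM prefixes and deeper subkeys still match)."""
    h, n = _terms(haystack), _terms(needle)
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def detect_safeboot_changes(events: list[dict], now: datetime) -> list[dict]:
    """The query's three where-clauses. Note: key deletes under SafeBoot are
    not matched, because the query only names create/modify ActionTypes."""
    cutoff = now - LOOKBACK
    return [e for e in events if e["TimeGenerated"] > cutoff
            and e["ActionType"] in ACTION_TYPES
            and kql_has(e["RegistryKey"], SAFEBOOT_KEY)]

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
CTRL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
SAMPLE_EVENTS = [  # constructed rows, not real telemetry
    {"DeviceName": "ws01", "TimeGenerated": NOW - timedelta(hours=2),
     "ActionType": "RegistryKeyCreated", "RegistryKey": CTRL + r"\SafeBoot\Minimal\SvcA"},
    {"DeviceName": "ws02", "TimeGenerated": NOW - timedelta(days=1),     # case differs: hit
     "ActionType": "RegistryKeyModified", "RegistryKey": CTRL.lower() + r"\safeboot\network"},
    {"DeviceName": "ws03", "TimeGenerated": NOW - timedelta(hours=1),    # delete: missed
     "ActionType": "RegistryKeyDeleted", "RegistryKey": CTRL + r"\SafeBoot\Minimal\SvcB"},
    {"DeviceName": "ws04", "TimeGenerated": NOW - timedelta(days=9),     # outside ago(7d)
     "ActionType": "RegistryKeyModified", "RegistryKey": CTRL + r"\SafeBoot\Minimal\SvcC"},
    {"DeviceName": "ws05", "TimeGenerated": NOW - timedelta(hours=3),    # SafeBootX: no term match
     "ActionType": "RegistryKeyModified", "RegistryKey": CTRL + r"\SafeBootX\Minimal"},
]

if __name__ == "__main__":
    for hit in detect_safeboot_changes(SAMPLE_EVENTS, NOW):
        print(hit["DeviceName"], hit["ActionType"], hit["RegistryKey"])
```

Running it lists ws01 and ws02 only; the ws03 row shows that a deleted SafeBoot entry falls outside this query's ActionType filter.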