Defender-DeviceRegistryEvents

6 ActionTypes

ActionType	Title
any	Registry activity (any)
RegistryKeyCreated	Registry key created
RegistryKeyDeleted	Registry key deleted
RegistryValueSet	Registry value set
RegistryValueDeleted	Registry value deleted
RegistryKeyRenamed	Registry key renamed

any: Registry activity (any)

Table: DeviceRegistryEvents

Description

Registry activity (any)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ActionType`
`RegistryKey`
`RegistryValueName`
`RegistryValueType`
`RegistryValueData`
`PreviousRegistryValueData`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/

RegistryKeyCreated: Registry key created

Table: DeviceRegistryEvents

Description

Registry key created

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RegistryKey`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/

RegistryKeyDeleted: Registry key deleted

Table: DeviceRegistryEvents

Description

Registry key deleted

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RegistryKey`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`Details`	eq	`1`	1 rule	elastic, kusto, splunk
`ParentImage`	ends_with	`cmd.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell_ise.exe`	1 rule	kusto
`TargetObject`	contains	`software\\classes\\ms-settings\\shell\\open\\command`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Potential Fodhelper UAC Bypass (ASIM Version) source medium: This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.↳ also matches RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Detect Print Processors Registry Driver Key Creation/Modification source medium: This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Detect Registry Run Key Creation/Modification source medium: This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed

Show 2 more (5 total)

Detect Windows Allow Firewall Rule Addition/Modification source medium: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.↳ also matches RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Detect Windows Update Disabled from Registry source medium: This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.↳ also matches RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/

RegistryValueSet: Registry value set

Table: DeviceRegistryEvents

Description

Registry value set

Fields #

Name	Description	Rules
`DeviceId`
`Timestamp`
`RegistryKey`
`RegistryValueName`		1 detection rule
`RegistryValueData`
`PreviousRegistryValueData`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`RegistryValueSet`	4 rules	kusto
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`Details`	eq	`1`	1 rule	elastic, kusto, splunk
`GlobalPrevalence`	is_null		1 rule	kusto
`GlobalPrevalence`	lt	`100`	1 rule	kusto
`ParentImage`	ends_with	`cmd.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell_ise.exe`	1 rule	kusto
`TargetObject`	contains	`\software\microsoft\windows\currentversion\policies\explorer\run`	1 rule	kusto, sigma
`TargetObject`	contains	`software\\classes\\ms-settings\\shell\\open\\command`	1 rule	kusto
`parent_process_name`	in	`cmd.exe`	1 rule	elastic, kusto, splunk
`parent_process_name`	in	`powershell.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

COM Registry Key Modified to Point to File in Color Profile Folder source medium: This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Potential Fodhelper UAC Bypass (ASIM Version) source medium: This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Component Object Model Hijacking - Vault7 trick source medium: This detection looks for the very specific value of "Attribute" in the "ShellFolder" CLSID of a COM object. This value (0xf090013d) seems to only link back to this specific persistence method. The blog post linked here (https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse) provides more background on the meaning of this value.

Show 7 more (10 total)

Detect Print Processors Registry Driver Key Creation/Modification source medium: This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Detect Registry Run Key Creation/Modification source medium: This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Detect Windows Allow Firewall Rule Addition/Modification source medium: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
Detect Windows Update Disabled from Registry source medium: This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueDeleted: Registry value deleted, RegistryKeyRenamed: Registry key renamed
MosaicLoader source high: This query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.
Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:
Registry Run Keys - Suspicious Registry Run Keys source: Below query looks for suspicious additions to Run, RunOnce and several other registry keys. The query analyzes all values in the specified registry keys and finds anomalous ones based on commonality in the environment and excludes possible legitimate activities like software installations. The query might require tuning according to the environment.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/

RegistryValueDeleted: Registry value deleted

Table: DeviceRegistryEvents

Description

Registry value deleted

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RegistryKey`
`RegistryValueName`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`Details`	eq	`1`	1 rule	elastic, kusto, splunk
`ParentImage`	ends_with	`cmd.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell_ise.exe`	1 rule	kusto
`TargetObject`	contains	`software\\classes\\ms-settings\\shell\\open\\command`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Potential Fodhelper UAC Bypass (ASIM Version) source medium: This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryKeyRenamed: Registry key renamed
Detect Print Processors Registry Driver Key Creation/Modification source medium: This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryKeyRenamed: Registry key renamed
Detect Registry Run Key Creation/Modification source medium: This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryKeyRenamed: Registry key renamed

Show 2 more (5 total)

Detect Windows Allow Firewall Rule Addition/Modification source medium: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryKeyRenamed: Registry key renamed
Detect Windows Update Disabled from Registry source medium: This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryKeyRenamed: Registry key renamed

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/

RegistryKeyRenamed: Registry key renamed

Table: DeviceRegistryEvents

Description

Registry key renamed. Sysmon-14 RegistryEvent (Key and Value Rename) is the one-to-one Windows native equivalent. ASIM RegistryEvent parsers map this AT consistently across MDE, Sysmon, Carbon Black, and SentinelOne sources.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RegistryKey`
`PreviousRegistryKey`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`ParentImage`	ends_with	`cmd.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell_ise.exe`	1 rule	kusto
`TargetObject`	contains	`software\\classes\\ms-settings\\shell\\open\\command`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Potential Fodhelper UAC Bypass (ASIM Version) source medium: This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted
Detect Print Processors Registry Driver Key Creation/Modification source medium: This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted
Detect Registry Run Key Creation/Modification source medium: This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted

Show 2 more (5 total)

Detect Windows Allow Firewall Rule Addition/Modification source medium: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted
Detect Windows Update Disabled from Registry source medium: This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.↳ also matches RegistryKeyDeleted: Registry key deleted, RegistryValueSet: Registry value set, RegistryValueDeleted: Registry value deleted

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceregistryevents/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Defender-DeviceRegistryEvents

any: Registry activity (any)

Description

Fields #

References #

RegistryKeyCreated: Registry key created

Description

Fields #

References #

RegistryKeyDeleted: Registry key deleted

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

RegistryValueSet: Registry value set

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

RegistryValueDeleted: Registry value deleted

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

RegistryKeyRenamed: Registry key renamed

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

Keyboard shortcuts

Search operators