Forum Discussion
KQL query
I wanted the best KQL query to check registry modifications, Run key values, and startup items in Defender.
Hi Yogeesh143, check this out, might work.
Since you’re asking specifically about KQL queries in Microsoft Defender (Advanced Hunting) to track registry modifications, Run key values, and startup items, here are some solid starting points you can use in the Advanced Hunting portal:
Detect Registry Modifications (general)
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated" or ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
Monitor Run Key Persistence (startup registry entries)
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
or RegistryKey has @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
Look for Startup Folder Modifications
DeviceFileEvents
| where FolderPath endswith @"\Microsoft\Windows\Start Menu\Programs\Startup"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
You can also extend these queries by adding filters for suspicious processes (e.g., where InitiatingProcessFileName !in~ ("explorer.exe","msiexec.exe")).
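Building on the three queries above, here is one combined hunt as an added example (not part of the original reply): it unions Run/RunOnce/RunOnceEx writes with Startup-folder drops into one result set, applies the process exclusion mentioned above, and keeps only entries seen on few devices, since persistence that appears fleet-wide is usually software deployment while a one-off is worth a look. The column aliases (Source, Location, Item, Payload) and the lookback/rarity thresholds are my own choices and will need tuning per environment.

```kql
// Added example, not from the original reply. Assumes standard
// DeviceRegistryEvents / DeviceFileEvents schemas in Advanced Hunting.
let lookback = 7d;              // assumption: one week is enough context
let rareDeviceThreshold = 3;    // assumption: seen on <= 3 devices = rare
// Run, RunOnce and RunOnceEx under HKLM, HKCU and WOW6432Node all end the same way,
// so anchor the regex on the tail of the key path (RE2, case-insensitive).
let registryPersistence = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    | where RegistryKey matches regex @"(?i)\\CurrentVersion\\(Run|RunOnce|RunOnceEx)$"
    | extend Source = "Registry",
             Location = RegistryKey,
             Item = RegistryValueName,
             Payload = RegistryValueData;
// Files landing in either the per-user or the all-users Startup folder.
let startupFolder = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FolderPath endswith @"\Start Menu\Programs\Startup"
    | extend Source = "StartupFolder",
             Location = FolderPath,
             Item = FileName,
             Payload = SHA256;
union registryPersistence, startupFolder
// Same exclusion idea as the reply above; extend the list for your own tooling.
| where InitiatingProcessFileName !in~ ("explorer.exe", "msiexec.exe")
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 5),
            Initiators = make_set(InitiatingProcessFileName, 5)
          by Source, Location, Item, Payload
| where Devices <= rareDeviceThreshold
| order by FirstSeen desc
```

Grouping by Payload means the same Run-key value or the same file hash pushed by a deployment tool collapses into one row with a high device count and drops out, while an unusual value on one or two hosts stays in the list with its initiating processes for triage.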
3 Replies
- Yogeesh143 (Copper Contributor)
Thank you so much
Thanks. Please close the thread once you resolve it.