
Modifying the registry to add a ransom message notification

Tags: kql · MEDIUM · Azure-Sentinel · DeviceProcessEvents · hunting · microsoft · official · ransomware
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-25T11:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries are likely leaving ransomware notification messages in the registry to communicate demands, a common tactic to

KQL Query

DeviceProcessEvents 
| where InitiatingProcessCommandLine has_all('"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@') 
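
The following is an added example, not code from the Azure-Sentinel repository: it applies the rule's has_all() term list to constructed DeviceProcessEvents records so the filter can be exercised offline before the KQL is deployed. The has_all() helper is an approximation (assumption): KQL matches whole indexed terms, while this version does case-insensitive substring matching, so it is slightly looser than the real operator. The device names, the registry subkey and the contact address in the sample events are placeholders.

```python
# Added example (not part of the Azure-Sentinel rule): replays the hunting
# query's has_all() filter over constructed DeviceProcessEvents records.
from typing import Iterable

# Terms copied from the rule's has_all(...) call. The KQL @'...' literal is a
# verbatim string, so the backslashes are literal characters; they are escaped
# here because Python raw strings cannot end with a backslash.
RULE_TERMS = (
    '"reg"', 'add', '"HKLM\\SOFTWARE\\Policies\\', '/v', '/t', 'REG_DWORD',
    '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@',
)


def has_all(text: str, terms: Iterable[str]) -> bool:
    """Approximate KQL has_all(): every term must be present, case-insensitively.

    Simplification (assumption): KQL matches whole indexed terms, whereas this
    does substring matching, so it can match slightly more than the real operator.
    """
    haystack = text.lower()
    return all(term.lower() in haystack for term in terms)


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events the rule's `where` clause would surface."""
    return [
        event for event in events
        if has_all(event.get("InitiatingProcessCommandLine", ""), RULE_TERMS)
    ]


# Constructed sample events (placeholders, not real telemetry).
SAMPLE_EVENTS = [
    {   # Benign: an admin script writes a policy DWORD; no ransom-note terms.
        "DeviceName": "ws01.example.invalid",
        "InitiatingProcessCommandLine": (
            '"reg" add "HKLM\\SOFTWARE\\Policies\\EXAMPLE-SUBKEY" '
            '/v EnableFeature /t REG_DWORD /d 1 /f'
        ),
    },
    {   # Match: every rule term is present, including the message and the '@'.
        "DeviceName": "ws02.example.invalid",
        "InitiatingProcessCommandLine": (
            '"reg" add "HKLM\\SOFTWARE\\Policies\\EXAMPLE-SUBKEY" '
            '/v RecoveryKeyMessage /t REG_DWORD '
            '/d "Your drives are Encrypted! contact support@example.invalid" /f'
        ),
    },
    {   # No match: the '@' term is absent, so has_all() fails on one term.
        "DeviceName": "ws03.example.invalid",
        "InitiatingProcessCommandLine": (
            '"reg" add "HKLM\\SOFTWARE\\Policies\\EXAMPLE-SUBKEY" '
            '/v RecoveryKeyMessage /t REG_DWORD /d "Your drives are Encrypted!" /f'
        ),
    },
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], "->", hit["InitiatingProcessCommandLine"])
```

The third sample shows why the rule is narrow: dropping any single term (here the '@') is enough for has_all() to return false, which keeps false positives low but also means a message written without a contact address would not be surfaced by this query.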

Analytic Rule Definition

id: acd4112f-5271-4680-ab2a-f07952d71888
name: Modifying the registry to add a ransom message notification
description: |
  Identify registry modifications that are indicative of a ransom note tied to DEV-0270.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Impact
query: |   
  DeviceProcessEvents 
  | where InitiatingProcessCommandLine has_all('"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@') 

Required Data Sources

Sentinel Table        Notes
DeviceProcessEvents   Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Modifying the registry to add a ransom message notification.yaml