Unusual modifications to system registry keys may indicate an adversary attempting to persist across reboots or alter system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
YARA Rule
rule win_registry {
    meta:
        author = "x0r"
        description = "Affect system registries"
        version = "0.1"
    strings:
        $f1 = "advapi32.dll" nocase
        $c1 = "RegQueryValueExA"
        $c2 = "RegOpenKeyExA"
        $c3 = "RegCloseKey"
        $c4 = "RegSetValueExA"
        $c5 = "RegCreateKeyA"
        $c6 = "RegCloseKey"   // same value as $c3; kept as published
    condition:
        $f1 and 1 of ($c*)
}
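To make the rule's logic concrete, here is an added Python re-implementation of its condition (this is example code written for this page, not part of the rule or of x0r's material). It evaluates `$f1 and 1 of ($c*)` the way YARA does: `$f1` is matched case-insensitively because of `nocase`, the `$c*` strings are matched as plain ASCII, and a file needs the DLL name plus at least one API name to hit. The three byte strings are constructed stand-ins for import-table fragments, not real files; in production you would compile the rule itself with yara-python (`yara.compile(source=...)`) rather than re-implement it.

```python
# Pure-Python evaluation of the win_registry YARA rule's condition.
# Strings are transcribed from the rule; $f1 is `nocase`, the rest are not.
F1 = b"advapi32.dll"
C_STRINGS = {
    "$c1": b"RegQueryValueExA",
    "$c2": b"RegOpenKeyExA",
    "$c3": b"RegCloseKey",
    "$c4": b"RegSetValueExA",
    "$c5": b"RegCreateKeyA",
    "$c6": b"RegCloseKey",   # duplicate of $c3 in the published rule
}


def find_c_matches(data: bytes) -> list:
    """Return the identifiers of the $c* strings found in data (case-sensitive)."""
    return [name for name, pattern in C_STRINGS.items() if pattern in data]


def matches_win_registry(data: bytes) -> bool:
    """Evaluate `$f1 and 1 of ($c*)`; `nocase` is emulated by lowercasing ASCII."""
    f1_hit = F1 in data.lower()
    return f1_hit and len(find_c_matches(data)) >= 1


# Constructed sample inputs (fragments resembling a PE import directory).
# 1) A benign installer that reads one key: hits the rule -> needs triage.
SAMPLE_INSTALLER = (b"MZ\x90\x00KERNEL32.dll\x00ADVAPI32.dll\x00"
                    b"RegOpenKeyExA\x00RegCloseKey\x00")
# 2) A binary using advapi32 only for crypto: $f1 hits, no $c* -> no match.
SAMPLE_CRYPTO_ONLY = (b"MZ\x90\x00ADVAPI32.dll\x00"
                      b"CryptAcquireContextA\x00CryptGenRandom\x00")
# 3) Registry API name present but the literal DLL name absent -> no match,
#    which shows the rule's coverage depends on both strings being present.
SAMPLE_NO_DLL_NAME = b"MZ\x90\x00RegSetValueExA\x00"


def explain(data: bytes) -> dict:
    """Summarise why a sample did or did not match, for analyst notes."""
    return {
        "f1": F1 in data.lower(),
        "c_matches": find_c_matches(data),
        "match": matches_win_registry(data),
    }


if __name__ == "__main__":
    for label, blob in [("installer", SAMPLE_INSTALLER),
                        ("crypto_only", SAMPLE_CRYPTO_ONLY),
                        ("no_dll_name", SAMPLE_NO_DLL_NAME)]:
        print(label, explain(blob))
```

The first sample is the important one: a perfectly ordinary installer that opens and closes one key satisfies the condition, which is why the exclusion scenarios below matter for keeping the hit volume manageable.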
This rule contains 7 string patterns in its detection logic (the advapi32.dll name plus six registry API names), so any file that references that DLL together with at least one of those APIs will match. The following legitimate administrative activities also modify the registry and can surface as hits when hunting in Azure Sentinel; each is paired with the filter or exclusion to apply when triaging:
Scenario: A system administrator is using Group Policy Management Console (GPMC) to deploy registry settings to multiple workstations.
Filter/Exclusion: Check for EventID=1000 with Source=GroupPolicy and EventMessage containing “registry settings applied” or “policy update”.
Scenario: A Windows Task Scheduler job is configured to run a script that modifies registry keys as part of a routine system maintenance task.
Filter/Exclusion: Filter by EventID=1 with TaskName matching the known maintenance task name, or check for ProcessName=taskhost.exe with a known task identifier.
Scenario: A Windows Server Update Services (WSUS) server is applying registry-based updates to client machines during a scheduled patch deployment.
Filter/Exclusion: Use EventID=19 with Source=WindowsUpdate and filter by ComputerName matching the WSUS server or client machines in the update scope.
Scenario: A Microsoft Intune policy is being enforced that modifies registry settings on endpoint devices to enforce security configurations.
Filter/Exclusion: Filter by EventID=1 with ProcessName=msiexec.exe or ProcessName=setup.exe and check for known Intune-related command-line arguments or registry paths.
Scenario: A PowerShell script is run by a system admin to automate registry backups or cleanups, such as using Export-Registry or Remove-Item on registry keys.
Filter/Exclusion: Filter by ProcessName=powershell.exe with command-line arguments containing Export-Registry, Remove-Item, or reg.exe, and check for known admin user accounts or scheduled task names.
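The five scenario/exclusion pairs above can be turned into a small triage step that suppresses known-benign registry changes and leaves everything else for analyst review. The Python below is an added example for this page, not code from the page's author or from Microsoft Sentinel: it encodes each exclusion as a predicate over a flat event record using the field names and EventIDs exactly as the page states them. In Sentinel these predicates would be `where` clauses in KQL against the relevant table, and the real column names differ; the task names, WSUS host list, Intune command-line marker and admin accounts are constructed placeholders, as are the six sample events.

```python
# Triage of registry-modification hits against the page's five benign scenarios.
# Allow-lists below are constructed placeholders for this example.
KNOWN_MAINTENANCE_TASKS = {"Nightly-RegCleanup"}             # assumed task name
WSUS_SCOPE = {"wsus01", "ws-0101", "ws-0102"}                 # assumed hostnames
INTUNE_MARKERS = ("IntuneManagementExtension",)               # assumed CLI marker
ADMIN_ACCOUNTS = {"CORP\\svc-regbackup", "CORP\\adm-jane"}    # assumed admin accounts
PS_REGISTRY_VERBS = ("Export-Registry", "Remove-Item", "reg.exe")  # from the page


def _text(ev: dict, key: str) -> str:
    """Lower-cased string view of a field, empty if absent."""
    return str(ev.get(key, "")).lower()


def is_group_policy(ev: dict) -> bool:
    """Scenario 1: GPMC deployment (EventID 1000, Source GroupPolicy)."""
    msg = _text(ev, "EventMessage")
    return (ev.get("EventID") == 1000 and ev.get("Source") == "GroupPolicy"
            and ("registry settings applied" in msg or "policy update" in msg))


def is_scheduled_maintenance(ev: dict) -> bool:
    """Scenario 2: known Task Scheduler job (EventID 1 or taskhost.exe)."""
    known = ev.get("TaskName") in KNOWN_MAINTENANCE_TASKS
    return known and (ev.get("EventID") == 1 or _text(ev, "ProcessName") == "taskhost.exe")


def is_wsus_update(ev: dict) -> bool:
    """Scenario 3: WSUS patch deployment (EventID 19, Source WindowsUpdate)."""
    return (ev.get("EventID") == 19 and ev.get("Source") == "WindowsUpdate"
            and _text(ev, "ComputerName") in WSUS_SCOPE)


def is_intune_enforcement(ev: dict) -> bool:
    """Scenario 4: Intune policy via msiexec.exe/setup.exe with a known marker."""
    return (ev.get("EventID") == 1
            and _text(ev, "ProcessName") in ("msiexec.exe", "setup.exe")
            and any(m.lower() in _text(ev, "CommandLine") for m in INTUNE_MARKERS))


def is_admin_powershell(ev: dict) -> bool:
    """Scenario 5: admin PowerShell registry backup/cleanup by a known account or task."""
    cmd = _text(ev, "CommandLine")
    return (_text(ev, "ProcessName") == "powershell.exe"
            and any(v.lower() in cmd for v in PS_REGISTRY_VERBS)
            and (ev.get("User") in ADMIN_ACCOUNTS
                 or ev.get("TaskName") in KNOWN_MAINTENANCE_TASKS))


EXCLUSIONS = [
    ("group-policy", is_group_policy),
    ("scheduled-maintenance", is_scheduled_maintenance),
    ("wsus-update", is_wsus_update),
    ("intune-enforcement", is_intune_enforcement),
    ("admin-powershell", is_admin_powershell),
]


def classify(ev: dict):
    """Name of the first matching exclusion, or None if the hit needs review."""
    for name, predicate in EXCLUSIONS:
        if predicate(ev):
            return name
    return None


def triage(events: list):
    """Split hits into (suppressed, to_review) lists of (id, reason) tuples."""
    suppressed, review = [], []
    for ev in events:
        reason = classify(ev)
        (suppressed if reason else review).append((ev.get("id"), reason))
    return suppressed, review


# Constructed sample events: one per benign scenario, plus one that matches
# the PowerShell verbs but comes from an account not on the admin list.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 1000, "Source": "GroupPolicy",
     "EventMessage": "Registry settings applied by policy update"},
    {"id": 2, "EventID": 1, "ProcessName": "taskhost.exe", "TaskName": "Nightly-RegCleanup"},
    {"id": 3, "EventID": 19, "Source": "WindowsUpdate", "ComputerName": "WS-0101"},
    {"id": 4, "EventID": 1, "ProcessName": "msiexec.exe",
     "CommandLine": "msiexec.exe /i app.msi /qn IntuneManagementExtension"},
    {"id": 5, "EventID": 1, "ProcessName": "powershell.exe", "User": "CORP\\svc-regbackup",
     "CommandLine": "powershell.exe -File backup.ps1 Export-Registry"},
    {"id": 6, "EventID": 1, "ProcessName": "powershell.exe", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c reg.exe add HKCU\\Software\\Acme /v Mode /d 1"},
]

if __name__ == "__main__":
    suppressed, review = triage(SAMPLE_EVENTS)
    print("suppressed:", suppressed)
    print("review:", review)
```

Event 6 is the case the last scenario is designed not to hide: the command line contains reg.exe, but because the account is not a known admin and no maintenance task is attached, it stays in the review queue rather than being filtered as routine administration.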