Registry Run Key Modification for Persistence
Detects writes to Windows Run, RunOnce, and Winlogon registry keys, the most widely used persistence mechanism employed by malware to execute automatically at system startup. Essential for basic post-compromise triage during Incident Response to identify residual persistence artifacts per CrowdStrike best practices.
Tags: Persistence · registry · run-key · persistence · startup · malware-artifacts · T1547.001
FDR · Beginner · by darkreitor · 2 min read
Query

```
#repo="base_sensor" #event_simpleName=RegGenericValueUpdate
| RegKeyPath=/(?i)(Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon)/
| groupBy([ComputerName, UserName, RegKeyPath, RegValueName, RegStringValue], function=count())
| sort(_count, order=desc, limit=20)
```

Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=RegGenericValueUpdate` | Filters registry value modification events in FDR endpoint telemetry |
| `RegKeyPath=/(?i)(Software\\Microsoft\\Windows\\CurrentVersion\\Run\|...)/` | Selects the Run, RunOnce, and Winlogon registry keys, the classic persistence paths on Windows systems |
| `groupBy([ComputerName, UserName, RegKeyPath, RegValueName, RegStringValue], function=count())` | Groups by host, user, key path, value name, and value data to obtain complete forensic context |
| `sort(_count, order=desc, limit=20)` | Sorts by frequency to identify the most recurrent or recent modifications as an investigation priority |
Adjustable Variables
Expand the list of monitored keys by including HKCU Run paths, AppInit_DLLs, Image File Execution Options, or system services for more complete coverage. Filter by UserName or exclude known management processes to reduce noise in environments with heavy administration software.
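The following Python script is an added example (not part of this query card or of CrowdStrike's tooling) that reproduces the query's logic offline so the filter, grouping and ranking steps from the Explanation table, and the two tuning options from Adjustable Variables, can be exercised against constructed events. The event dictionaries, hostnames, user names and registry paths are all made up for the example; they follow the field names the query uses (`RegKeyPath`, `RegValueName`, `RegStringValue`) and the `\REGISTRY\MACHINE\...` / `\REGISTRY\USER\<SID>\...` path style, which is an assumption about how the sensor renders key paths. The extended pattern adds the Image File Execution Options key and the Windows NT `Windows` key that holds the `AppInit_DLLs` value, as the section above suggests.

```python
import re
from collections import Counter

# Base pattern: the same three key paths as the page's query. The LogScale /regex/
# field filter is an unanchored, case-insensitive search, so re.search is used and
# the hive prefix (MACHINE or USER\<SID>) does not matter.
BASE_KEY_PATTERN = re.compile(
    r"(?i)(Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    r"|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
    r"|Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon)"
)

# Extended pattern for the Adjustable Variables section: adds Image File Execution
# Options and the Windows NT "Windows" key under which AppInit_DLLs lives.
EXTENDED_KEY_PATTERN = re.compile(
    r"(?i)(Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    r"|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
    r"|Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    r"|Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
    r"|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows)"
)

# The five fields the query groups by.
GROUP_FIELDS = ("ComputerName", "UserName", "RegKeyPath", "RegValueName", "RegStringValue")


def run_key_persistence(events, key_pattern=BASE_KEY_PATTERN, exclude_users=(), limit=20):
    """Mirror the query: keep RegGenericValueUpdate events whose RegKeyPath matches
    key_pattern, group by the five context fields, count, and return the top `limit`
    buckets as (field_tuple, count) ordered by count descending.
    exclude_users drops noisy accounts (the UserName filter the page suggests)."""
    excluded = {u.lower() for u in exclude_users}
    counts = Counter()
    for ev in events:
        if ev.get("event_simpleName") != "RegGenericValueUpdate":
            continue  # #event_simpleName=RegGenericValueUpdate
        if ev.get("UserName", "").lower() in excluded:
            continue  # optional noise reduction
        if not key_pattern.search(ev.get("RegKeyPath", "")):
            continue  # RegKeyPath=/.../
        counts[tuple(ev.get(f, "") for f in GROUP_FIELDS)] += 1  # groupBy(..., count())
    # sort(_count, order=desc, limit=N); ties broken by the key tuple for determinism
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


# --- Constructed sample telemetry (not real FDR data) -----------------------------
HKLM_WIN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
HKLM_WINNT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT"
HKU_WIN = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows"


def _ev(host, user, key, value, data, name="RegGenericValueUpdate"):
    return {"event_simpleName": name, "ComputerName": host, "UserName": user,
            "RegKeyPath": key, "RegValueName": value, "RegStringValue": data}


SAMPLE_EVENTS = [
    _ev("WS-01", "alice", HKU_WIN + r"\CurrentVersion\Run", "Updater",
        r"C:\Users\alice\AppData\Roaming\updater.exe"),           # per-user Run key
    _ev("WS-02", "SYSTEM", HKLM_WIN + r"\CurrentVersion\Run", "VendorAgent",
        r"C:\Program Files\Vendor\agent.exe"),                     # seen twice -> count 2
    _ev("WS-02", "SYSTEM", HKLM_WIN + r"\CurrentVersion\Run", "VendorAgent",
        r"C:\Program Files\Vendor\agent.exe"),
    _ev("WS-03", "bob", HKLM_WINNT + r"\CurrentVersion\Winlogon", "Userinit",
        r"C:\Windows\system32\userinit.exe,C:\Users\bob\helper.exe"),
    _ev("WS-03", "bob", HKLM_WIN + r"\CurrentVersion\Explorer", "ShellState",
        "binary"),                                                 # not a persistence key
    _ev("WS-04", "svc_mgmt", HKLM_WIN + r"\CurrentVersion\RunOnce", "Deploy",
        r"C:\ProgramData\mgmt\deploy.cmd"),                        # management account
    _ev("WS-04", "carol", HKLM_WINNT + r"\CurrentVersion\Image File Execution Options\notepad.exe",
        "Debugger", r"C:\Users\carol\dbg.exe"),                    # only the extended pattern
    _ev("WS-05", "dave", HKLM_WIN + r"\CurrentVersion\Run", "Foo", "bar",
        name="ProcessRollup2"),                                    # wrong event type
]

if __name__ == "__main__":
    for fields, count in run_key_persistence(SAMPLE_EVENTS):
        print(count, *fields)
    print("--- extended keys, svc_mgmt excluded ---")
    for fields, count in run_key_persistence(
            SAMPLE_EVENTS, key_pattern=EXTENDED_KEY_PATTERN, exclude_users=("svc_mgmt",)):
        print(count, *fields)
```

Running the base version ranks the repeated `VendorAgent` write on WS-02 first and drops the Explorer write and the non-registry event; switching to `EXTENDED_KEY_PATTERN` with `svc_mgmt` excluded picks up the IFEO `Debugger` value and removes the management account's RunOnce entry. Note that because the `Run` alternative is an unanchored substring, it already matches `RunOnce`, and both hives match as long as the path contains the `Software\Microsoft\...` text.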