Track & Tackle: Files and Reg Activity (Part 4)

Introduction: Discover how to monitor and analyse file and registry activities using powerful VQL queries. Learn to detect and respond to suspicious object notifications in real-time.

How to determine malicious file and registry activity?

• Monitor File Manipulation

• Keep Tabs on Registry Activity

• Keep Tabs on Registry Activity

Tip #1 - Monitor File Manipulation

Keep an eye on various file activities like creation, opening, deletion, modification, and renaming using VQL queries in Velociraptor.

File Creation VQL query:

SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='created'

File Opened VQL query:

SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='opened'

File Deletion VQL query:

SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='deleted'

File Modification VQL query:

SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='modified'

File Renaming VQL query:

SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='renamed'

Tip #2 - Keep Tabs on Registry Activity

Stay vigilant about registry activities like key/value creation, modification, and deletion with targeted VQL queries.

Key/Value Creation VQL query:

SELECT * FROM Artifact.Windows.Registry.Events() WHERE EventType='SetValueKey'

Key/Value Modification VQL query:

SELECT * FROM Artifact.Windows.Registry.Events() WHERE EventType='ModifyValueKey'

Key/Value Deletion VQL query:

SELECT * FROM Artifact.Windows.Registry.Events() WHERE EventType='DeleteValueKey'

By utilising these VQL queries, you can effectively monitor file and registry activities in your environment. Keep track of object notifications and respond to suspicious events promptly. Stay one step ahead of potential threats by mastering the art of monitoring object notifications.

MDR unveiling Image-Load-Registry PART5

#ObjectNotifications #EndpointSecurity #EDR #FileMonitoring #RegistryMonitoring #CyberSecurity #WindowsSecurity #InfoSec #Velociraptor