Evidence Category · 7 Questions
Windows Registry
Measures Windows registry persistence triage.
Questions in This Category
Q059: Malicious value name providing persistence in the Run key?
Q060: File path the malicious value executes?
Q131: From which directory does the legitimate OneDrive entry run?
Q132: Which directory is the legitimate SecurityHealth entry in?
Q133: How many entries are in the Run key?
Q155: Command argument of the malicious Run value?
Q176: Which hive holds the malicious Run key?