INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC - Skills Assessment

Hello everyone. Has anyone been able to complete this?
Hunt 2: Create a KQL query to hunt for “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder”. Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.

I have searched for the event.code it mentions in the hint and tried to create several queries looking for registry modification or the start up folder being ran. Any help would be super helpful.

1 Like

Hi there, just figured out the answer.
Pay close attention to the process executable value, besides the event code.
There is only one right hit.
Good luck.

I was also stuck. Couldn't manage to get the wildcard filter with *\SOFWARE…Run* to work. HINT: You know it's a user's fault

I was stuck on this one for constantly 2 days and then I figured it out…

For those who are stuck and can’t find anything (and are hopeless :sweat_smile:)

HINT:
Filter the path without using “”.
asterisk Run asterisk

Take a look at the path and process executable.
I hope it helps you.

Happy Hunting!

My Question Interpretation

  1. A program has been added to the registry based folder for Autostart to ensure persistence
  2. Hunt for the content in the first registry based document

Thought Process

  • Create an EVENT.CODE 13 filter and a filter for the registry.path using “Run” as my filter, as I am on the lookout for Registry Run Keys ( event.code: 13 AND registry.value * Run*; if it were the Startup folder, it would have been *Start *)
  • Add registry.value as a field, as well as registry.path
1 Like

Hi all, I just have a general query.
I have solved the questions, mostly with help from this forum and also some luck.
Would that be good enough to clear the exam?

2 Likes

Just got it by using search (use a star to search all values), filtering with HKU and using it as a column. You will get a few hundred hits; just keep filtering out all the hits that happened more than once so you are left with around 10-20. The answer will be in those hits; just try one at a time and you will get it. Good luck

I’m not quite sure how I got the answer; it became a bit trial-and-error by my final query. Tips for anyone stuck: use the hint; because we are looking for registry run keys, filter the registry path to include Run (do not use “” or spaces; caps also matter). Good luck all! :slight_smile:

1 Like

Your trick worked for me man, thanks heaps

1 Like

Hi, please let us know in case the exam is given.

Pls what trick did the user use? Still stuck here

Pls what am I missing? I have seen this MicrosoftEdgeAutoLnch in the pics but it keeps showing incorrect. What am I not doing right, pls?

I love how people have gotten the answer but neglect to provide the actual KQL query.

Use this code: event.code:13 AND registry.path: Run

1 Like
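As an added illustration that is not from any poster in this thread, the same hunt (event.code 13 plus a Run-key path filter, as in the “Thought Process” post and the query just above) expressed in Python over a handful of constructed ECS-style Sysmon documents. It places the thread's loose `Run` substring filter beside a tighter pattern anchored on the CurrentVersion\Run and RunOnce keys, and orders hits by timestamp so the earliest persistence action and the process that wrote it surface. Every path, SID, value and executable below is invented.

```python
import re

# Constructed ECS-style documents shaped like Sysmon Event ID 13 (registry value set).
# All paths, SIDs, names and timestamps are invented for illustration only.
SAMPLE_DOCS = [
    {"@timestamp": "2022-01-01T10:00:03Z", "event.code": "13",
     "registry.path": r"HKLM\SOFTWARE\Vendor\Runtime\Version", "registry.value": "Version",
     "process.executable": r"C:\Program Files\Vendor\setup.exe"},
    {"@timestamp": "2022-01-01T10:00:01Z", "event.code": "13",
     "registry.path": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry.value": "Updater",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"@timestamp": "2022-01-01T10:00:02Z", "event.code": "13",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "registry.value": "Cleanup", "process.executable": r"C:\Windows\System32\msiexec.exe"},
    {"@timestamp": "2022-01-01T10:00:00Z", "event.code": "1",
     "registry.path": "", "registry.value": "",
     "process.executable": r"C:\Windows\System32\cmd.exe"},
]

# Loose filter as used in the thread: "Run" anywhere in the path, case-sensitive.
LOOSE = re.compile(r"Run")
# Tighter filter: only the autostart keys themselves, so "Runtime"-style paths drop out.
STRICT = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$")


def hunt_run_keys(docs, pattern=LOOSE):
    """Return event.code 13 documents whose registry.path matches, oldest first."""
    hits = [d for d in docs
            if d.get("event.code") == "13" and pattern.search(d.get("registry.path", ""))]
    return sorted(hits, key=lambda d: d["@timestamp"])


def first_persistence_value(docs, pattern=STRICT):
    """registry.value of the earliest matching document and the process that wrote it."""
    hits = hunt_run_keys(docs, pattern)
    if not hits:
        return None
    return hits[0]["registry.value"], hits[0]["process.executable"]


if __name__ == "__main__":
    for d in hunt_run_keys(SAMPLE_DOCS):
        print(d["@timestamp"], d["registry.path"], "<-", d["process.executable"])
    print("first persistence hit:", first_persistence_value(SAMPLE_DOCS))
```

The loose filter returns three hits including the unrelated Runtime path; the strict one returns two, and the earliest of those is the value to report, with process.executable alongside to judge whether the writer is expected.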

The filters event.code: 13, *registry.path: Run, and process.name: PowerShell helped me find the answer.