Cynor Sense
- Apr 25, 2023
- 1 min read

Track & Tackle: Files and Reg Activity (Part 4)

Updated: Mar 1

Introduction: Discover how to monitor and analyse file and registry activities using powerful VQL queries. Learn to detect and respond to suspicious object notifications in real-time.

#ObjectNotifications #EndpointSecurity #EDR #FileMonitoring #RegistryMonitoring #CyberSecurity #WindowsSecurity #InfoSec #Velociraptor

How to determine malicious file and registry activity?

Monitor File Manipulation
Keep Tabs on Registry Activity
Keep Tabs on Registry Activity

Tip #1 - Monitor File Manipulation

Keep an eye on various file activities like creation, opening, deletion, modification, and renaming using VQL queries in Velociraptor.

File Creation VQL query:


SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='created'

File Opened VQL query:


SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='opened'

File Deletion VQL query:


SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='deleted'

File Modification VQL query:


SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='modified'

File Renaming VQL query:


SELECT * FROM watch_monitor(globs="C:\\Users\\*\\Documents\\*.txt", accessor="ntfs") WHERE Type='renamed'

SOC | SIEM Services

Book Now

Tip #2 - Keep Tabs on Registry Activity

Stay vigilant about registry activities like key/value creation, modification, and deletion with targeted VQL queries.

Key/Value Creation VQL query:


SELECT * FROM Artifact.Windows.Registry.Events() WHERE EventType='SetValueKey'

Key/Value Modification VQL query:


SELECT * FROM Artifact.Windows.Registry.Events() WHERE EventType='ModifyValueKey'

Key/Value Deletion VQL query:


SELECT * FROM Artifact.Windows.Registry.Events() WHERE EventType='DeleteValueKey'

Incident Response

Book Now

By utilising these VQL queries, you can effectively monitor file and registry activities in your environment. Keep track of object notifications and respond to suspicious events promptly. Stay one step ahead of potential threats by mastering the art of monitoring object notifications.

MDR unveiling Image-Load-Registry PART5

#ObjectNotifications #EndpointSecurity #EDR #FileMonitoring #RegistryMonitoring #CyberSecurity #WindowsSecurity #InfoSec #Velociraptor

Track & Tackle: Files and Reg Activity (Part 4)

How to determine malicious file and registry activity?

Tip #1 - Monitor File Manipulation

Tip #2 - Keep Tabs on Registry Activity

Recent Posts

Cyber Security Services