requested changes to fix merge and adjust query

2021-07-01 16:28:58 -04:00 · 2021-07-01 16:28:58 -04:00 · 1567a5a5cf
--- a/Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml
+++ b/Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml
@ -23,7 +23,7 @@ query: |
  (
  SecurityEvent
  | where EventID == 4657
-  | where ObjectName has "Image File Execution Options"
+  | where ObjectName has_all ("\REGISTRY\MACHINE, "Image File Execution Options")
  | summarize Count=count() by Computer, Account, ObjectName
  | top 10 by Count desc 
  | extend AccountCustomEntity = Account, HostCustomEntity = Computer
@ -41,6 +41,14 @@ query: |
  | summarize Count=count() by Computer, UserName, tostring(TargetObject)
  | top 10 by Count desc
  | extend AccountCustomEntity = UserName, HostCustomEntity = Computer
+  ),
+  (
+  imRegistry
+  | where RegistryKey has_all ("HKEY_LOCAL_MACHINE", "Image File Execution Options")
+  | summarize Count=count() by Dvc, Username, RegistryKey
+  | top 10 by Count desc
+  | extend AccountCustomEntity = Username, HostCustomEntity = Dvc
+  )
  )
  )
 entityMappings: