Question Analysis

DeviceRegistryEvents | where RegistryKey has "CurrentVersion\\Policies\\System" | where RegistryValueName =~ "ConsentPromptBehaviorAdmin" | where ActionType == "RegistryValueSet" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | where RegistryValueData == "0" | sort by TimeGenerated desc

let targetPath = @"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryValueModified") | where RegistryValueName =~ "ConsentPromptBehaviorAdmin" | where RegistryKey has targetPath | extend NewValueRaw = tostring(RegistryValueData) | extend NewValueLc = tolower(trim(" ", NewValueRaw)) | where NewValueLc in ("0", "dword:0", "dword:00000000") or NewValueLc matches regex "^0x0+$" or NewValueLc has "(0)" | project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, PreviousValue = PreviousRegistryValueData, NewValue = NewValueRaw, RegistryValueType | order by TimeGenerated desc

let matches = DeviceRegistryEvents | where tolower(RegistryKey) contains "currentversion\\policies\\system" | where tolower(RegistryValueName) == "consentpromptbehavioradmin" | where ActionType has_any ("Set","Write","Create","Modify","RegistryValueSet","Update","Add") | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, RegistryKey, RegistryValueName, RegistryValueData, RegistryValueType, PreviousRegistryValueData; matches | summarize Count = count(), LastSeen = max(TimeGenerated), SampleEvents = make_list(pack('TimeGenerated', TimeGenerated, 'DeviceName', DeviceName, 'Account', InitiatingProcessAccountName, 'Process', InitiatingProcessFileName, 'Cmd', InitiatingProcessCommandLine, 'Action', ActionType), 5), PreviousValues = make_set(iff(isnull(PreviousRegistryValueData) or PreviousRegistryValueData == "", "<empty>", PreviousRegistryValueData)) by NewValue = coalesce(tostring(trim(" ", RegistryValueData)), "<empty>") | order by LastSeen desc

union DeviceRegistryEvents, DeviceEvents | where isnotempty(RegistryKey) | where tolower(RegistryKey) has "software\\microsoft\\windows\\currentversion\\policies\\system" | where tolower(RegistryValueName) == "consentpromptbehavioradmin" | where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueAdded", "RegistryValueNameSet", "RegistryKeyValueSet", "RegistryKeyCreate", "RegistryKeyModified") | extend NewValue = tostring(RegistryValueData) | extend IsDisabled = case( NewValue matches regex "^(0x0+|0|00000000)$", 1, 0 ) | where IsDisabled == 1 | project TimeGenerated, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, NewValue, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryValueModified") | where RegistryKey has_all ("Software", "Policies", "System") | where RegistryValueName =~ "ConsentPromptBehaviorAdmin" | where RegistryValueData in~ ("0", "0x0", "0x00000000 (0)", "0x00000000", "00000000") | project TimeGenerated, DeviceName, ActionType, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where ActionType == "RegistryValueSet" // registry value modifications | where tolower(RegistryKey) has "software\\microsoft\\windows\\currentversion\\policies\\system" // target path | where RegistryValueName == "ConsentPromptBehaviorAdmin" // target value name // optional: uncomment next line if you only care about the disabling value (DWORD 0) // | where RegistryValueData == "0" | summarize arg_max(TimeGenerated, RegistryKey, RegistryValueData, PreviousRegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine) by DeviceId, DeviceName | project TimeGenerated, DeviceName, DeviceId, NewValue = RegistryValueData, OldValue = PreviousRegistryValueData, ChangedBy = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName), InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" | where RegistryValueName == "ConsentPromptBehaviorAdmin" | where ActionType contains "Set" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and RegistryValueName == "ConsentPromptBehaviorAdmin" and ActionType in~ ("RegistryValueSet","SetValue","ValueSet") | extend NewValue = toint(RegistryValueData), OldValue = toint(PreviousRegistryValueData) | where NewValue == 0 | project TimeGenerated, DeviceName, InitiatingUser = InitiatingProcessAccountName, InitiatingProcess = InitiatingProcessFileName, ActionType, OldValue, NewValue | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" | where RegistryValueName == "ConsentPromptBehaviorAdmin" | where ActionType == "RegistryValueSet" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryValueData | distinct RegistryValueData