Product · 4 MIN READ · JAKE GODGART · MAR 13, 2025 · TAGS: Announcement
Accelerating your incident response and offering you more flexibility for how Expel responds on your behalf
TL;DR
- Expel has launched two new features to improve our auto remediation capabilities and help customers reduce mean time to respond (MTTR) and better protect their org
- Expel’s SOC can now trigger “delete registry key” response actions for customers using the CrowdStrike Falcon endpoint agent to remove malware persistence, revert malicious modifications, and clean up after attacks.
- Response actions can now be tailored to customer-defined auto remediation preferences, providing more flexibility and control than other MDR providers.
Seconds matter. When threats appear in your environment, response speed is critical to minimize impact and blast radius.
That’s where Expel’s auto remediation shines. Our elite analysts use our AI-powered platform, Expel Workbench™, to validate every threat and launch the correct response action on your behalf to block the threat, contain the attacker, and remediate an incident.
Whether threats target your employees’ laptops or your critical cloud servers, we respond to attackers to kick them out and keep them out so you can (finally) get better sleep. That means no more 3am emergency wake-up calls.
We’re excited to announce two new capabilities for Expel’s auto remediations:
- We’ve added a new response action: delete registry key
- Customers now have greater flexibility and control to customize auto remediation preferences
New auto remediation: Delete registry key
The Windows Registry is a central database of keys and values that holds operating system configuration and user data. These entries tell the computer how your operating system, hardware, and software should behave—from your personal preferences (like your desktop background) to critical system configuration (like which programs start automatically when you turn on your computer).
This makes the registry a very powerful tool, but also a potential target for attackers seeking to gain control, maintain persistence, and evade detection. Attackers may modify existing registry keys for malicious purposes, like making malware run automatically at startup or disabling security features.
Cybersecurity analysts often respond by deleting registry keys to remove or disable malware that may be using them for malicious purposes. By deleting these keys, analysts can disrupt malware operations, prevent it from re-infecting the system, and restore system functionality.
With this new auto remediation launch, our MDR analysts can kick off a delete registry key remediation action using a customer’s CrowdStrike Falcon endpoint agent. Customers may also specify registry paths, values, and hosts that shouldn’t be automatically deleted for deeper control within the auto remediation.
When to expect Expel to use the delete registry key response action
There are several instances where an Expel threat analyst may respond by deleting the registry key:
- Malware persistence: Malware uses registry keys to ensure it runs every time the system starts or a user logs in. This often involves entries in “Run” keys or startup folders. Deleting these entries prevents the malware from automatically launching and regaining control of the system.
- Disabling security tools: Malware sometimes modifies or creates registry keys to disable security tools like antivirus software, firewalls, or system restore points. Analysts need to identify and delete or restore the specific keys to their default values to re-enable security features.
- Hiding malware: Some malware uses techniques like embedding null characters in registry key names to hide from analysis tools. Analysts may need to use specialized tools to identify and delete these hidden keys.
- Modifying system settings: Malware can alter registry keys to change system behavior, user preferences, or application settings. This can include redirecting web traffic, disabling security features, or stealing sensitive information. Analysts need to identify and correct these modifications.
- Creating backdoors: This happens when malware creates hidden registry entries to establish persistent access to the infected system. Deleting these entries can prevent attackers from gaining unauthorized control.
- Exploiting vulnerabilities: Malware can exploit vulnerabilities in the registry to execute arbitrary code or bypass security mechanisms. Deleting the vulnerable keys or correcting the exploited settings can mitigate the risk.
- Cleaning up after malware removal: Even after removing the main malware files, remnants can remain in the registry. Analysts may need to manually clean up these entries to ensure complete removal and prevent re-infection.
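To show the defender-side logic behind a delete-registry-key remediation, the following PowerShell script is an added example; it is not Expel's or CrowdStrike's code, and the exclusion-list format, the sample value name `Updater`, and the backup directory are constructed assumptions. It enumerates the common Run/RunOnce autorun entries, refuses to remove anything matching a customer-style exclusion list (the counterpart of the "shouldn't be automatically deleted" preferences described above), exports the key with reg.exe so the change can be reverted, and only then deletes the value.

```powershell
# Added example (not Expel's or CrowdStrike's code): list autorun registry values,
# honour an exclusion list, back up the key, then delete a single value.
# Requires an elevated PowerShell session for HKLM keys.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    # Enumerate every value under the common Run/RunOnce keys as key/name/command rows.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                KeyPath   = $key
                ValueName = $name
                Command   = $item.GetValue($name)
            }
        }
    }
}

function Test-Excluded {
    # Exclusions are hypothetical "Key\Value" wildcard strings, e.g. 'HKLM:\...\Run\SecurityHealth'.
    param([string]$KeyPath, [string]$ValueName, [string[]]$Exclusions)
    $candidate = "$KeyPath\$ValueName"
    foreach ($pattern in $Exclusions) {
        if ($candidate -like $pattern) { return $true }
    }
    return $false
}

function Remove-AutorunEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$ValueName,
        [string[]]$Exclusions = @(),
        # Assumed backup location; any writable directory works.
        [string]$BackupDir = (Join-Path $env:ProgramData 'RegistryBackups')
    )
    if (Test-Excluded -KeyPath $KeyPath -ValueName $ValueName -Exclusions $Exclusions) {
        Write-Warning "$KeyPath\$ValueName is on the exclusion list; not deleting."
        return $false
    }
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $nativeKey = $KeyPath -replace '^HK(LM|CU|CR|U|CC):\\', 'HK$1\'
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safe   = $ValueName -replace '[^\w.-]', '_'
    $backup = Join-Path $BackupDir ("{0}-{1}.reg" -f $stamp, $safe)
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Export key and delete value')) {
        # Export first so the action is reversible (reg import <file> restores it).
        & reg.exe export $nativeKey $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $nativeKey failed; aborting delete." }
        Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction Stop
        Write-Host "Removed $KeyPath\$ValueName (backup: $backup)"
    }
    return $true
}

# Usage: review current autoruns, then remove one constructed sample entry
# while protecting a known-good value via the exclusion list. -WhatIf previews only.
Get-AutorunEntry | Format-Table -AutoSize
Remove-AutorunEntry -KeyPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -ValueName 'Updater' `
    -Exclusions @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth') `
    -WhatIf
```

Drop `-WhatIf` to apply the change. The four Run/RunOnce keys are only the most common autostart locations; a real remediation workflow would take the key path and value name from the validated alert rather than from a fixed list, and the export step is what lets an analyst undo a deletion that turns out to break a legitimate application.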
Expel MDR customers can enable this auto remediation directly from Workbench. If you need documentation to set up the CrowdStrike delete registry key auto remediation, you can find it here.
Customizable auto remediation: Tailoring responses to your org
Part of what makes Expel’s auto remediations different from other MDR services is our ability to keep customers in control.
Yes, our analysts are the ones who decide when and what to remediate based on the persistence of a threat (and push the response button for you). But each customer can dictate what, when, and how these actions are taken.
Our service tailors our response to your org’s preferences based on the frequency of threats seen in your environment, your technology, business context, risk tolerance, policies, internal processes, and your general comfort level with us acting on your behalf.
Now, we’re adding even more customizability for customers to ensure our response actions align with your specific security needs.
We’ve introduced the ability to customize auto remediation preferences so you can select preferred security devices for each action, empowering you to fine-tune our response to your unique environment. This allows your business to gain:
- Enhanced efficiency: Prioritize preferred devices, so we can accelerate response times and minimize disruptions.
- Greater control: Customize our actions to meet your specific requirements with more flexibility than other providers.
This applies to a broad range of security tools across your attack surface, detailed in the table below.
Table: supported security tool categories by attack surface — Endpoint | Cloud | Identity & user (the individual tools listed in each column were not captured in this copy of the page).
Better, faster responses start with Expel MDR
We’re committed to continuously evolving our service to provide the most effective and efficient MDR service to meet our customers’ needs, while offering the ultimate fusion of transparency and control.
By combining these two new powerful capabilities, we’re able to:
- Accelerate incident response: Quickly neutralize threats and minimize their impact.
- Reduce mean time to respond (MTTR): Streamline our response processes and get to the root cause faster.
- Enhance security posture: Proactively protect your organization from emerging threats.
We want our customers to feel like our analysts are part of their team, too—because they are. Unlike other MDRs—who force their customers into an all-or-nothing choice of service delivery—we aim to tailor our service delivery to each customer’s unique needs.
With these new capabilities, we’re taking yet another step towards that goal.