
Regmon filters not working

jambajuice
Communicator

I'm trying to monitor the registry and filter on a few critical keys. When I look at the events, I'm seeing events from outside the keys specified in my filters. Not sure what the problem is...

Here is my sysmon.conf:

[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
inclusive = 0
disabled = 0

Here is my regmon-filters.conf:

[Run]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[RunOnce]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\RunOnce\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[RunOnceEx]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\RunOnceEx\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[User-Shell-Folders]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer\User Shell Folders\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[Shell-Folders]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer\Shell Folders\Startup\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[ShellExecuteHooks]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer\ShellExecuteHooks\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[SharedTaskScheduler]
proc = .*
hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[ShellServiceObjectDelayLoad]
proc = .*
hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[arpcache]
proc = .*
hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\app management\arpcache\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[shellopencommand]
proc = .*
hive = \REGISTRY\MACHINE\Software\CLASSES\.*\shell\open\command\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[ExplorerRun]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\policies\Explorer\Run\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

Thanks for any help!

Craig
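A way to sanity-check a filter file like the one above before loading it into Splunk, as an added example (written for this page, not code from the thread or from Splunk): it reads regmon-filters.conf-style stanzas, flags any proc/hive/type value that does not compile as a regular expression, and dry-runs constructed sample registry events against the enabled stanzas so you can see which stanza, if any, would claim each event. The sample config and events are constructed inline. Assumptions: that Splunk's registry monitor treats these values as Perl-style regexes and matches the whole key path, and that matching is case-insensitive (Windows key names are); the thread does not say whether Splunk rejects or silently mis-reads a lone backslash such as `\R`, so the script simply reports any value that a PCRE-style engine would not accept.

```python
"""Lint regmon-filters.conf stanzas and dry-run them against sample registry events."""
import re
from configparser import ConfigParser

# Constructed sample filter file. [Run] uses the doubled-backslash form from
# thall79's reply; [RunOnce-unescaped] uses the single-backslash form from the
# question; [User keys] is a disabled catch-all.
SAMPLE_FILTERS = r"""
[Run]
proc = .*
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[RunOnce-unescaped]
proc = .*
hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\.*
type = set|create|delete|rename
baseline = 0
disabled = 0

[User keys]
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename
disabled = 1
"""

# Constructed sample events: (key path, writing process, event type).
SAMPLE_PROC = r"\Device\HarddiskVolume1\Windows\regedit.exe"
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", SAMPLE_PROC, "set"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup", SAMPLE_PROC, "create"),
    (r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Example", SAMPLE_PROC, "set"),
    (r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Example", SAMPLE_PROC, "delete"),
]

FILTER_KEYS = ("proc", "hive", "type")


def load_filters(text):
    """Parse INI-style stanzas into {stanza_name: {key: value}}, keeping key case."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; don't lowercase them
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_filters(stanzas):
    """Return {stanza_name: 'key: error'} for values a PCRE-style engine rejects.

    A hive written with single backslashes (\\REGISTRY...) contains escapes
    such as \\R and \\M that are not valid regex escapes, so it fails here.
    """
    problems = {}
    for name, stanza in stanzas.items():
        for key in FILTER_KEYS:
            try:
                re.compile(stanza.get(key, ".*"))
            except re.error as exc:
                problems[name] = f"{key}: {exc}"
                break
    return problems


def compile_enabled(stanzas):
    """Compile proc/hive/type for stanzas that are enabled and syntactically valid."""
    compiled = {}
    for name, stanza in stanzas.items():
        if stanza.get("disabled", "0") == "1":
            continue
        try:
            compiled[name] = tuple(
                re.compile(stanza.get(key, ".*"), re.IGNORECASE) for key in FILTER_KEYS
            )
        except re.error:
            continue  # reported by lint_filters; it would never match anything
    return compiled


def match_events(compiled, events):
    """Return {key_path: [stanza names whose proc, hive and type all match]}."""
    hits = {}
    for path, proc, etype in events:
        hits[path] = [
            name
            for name, (proc_re, hive_re, type_re) in compiled.items()
            if proc_re.fullmatch(proc) and hive_re.fullmatch(path) and type_re.fullmatch(etype)
        ]
    return hits


if __name__ == "__main__":
    stanzas = load_filters(SAMPLE_FILTERS)
    for name, problem in lint_filters(stanzas).items():
        print(f"BAD FILTER [{name}] {problem}")
    for path, names in match_events(compile_enabled(stanzas), SAMPLE_EVENTS).items():
        print(f"{path}\n    -> {names or 'no enabled filter matches'}")
```

Run it as a script to see that the doubled-backslash `[Run]` stanza claims the `Run\Updater` event while the single-backslash `[RunOnce-unescaped]` stanza is reported as invalid and matches nothing, which is the kind of silent no-op worth ruling out before blaming filter ordering.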


thall79
Communicator

If you haven't tried Splunk 4.2.2 they have updated splunk_regmon.exe and able to monitor the keys I wanted.

travis.


thall79
Communicator

Had the same problem when trying to set up regmon filters like yours. Found that I had to add the following to $SPLUNK_HOME\etc\apps\search\local\regmon-filters.conf (or wherever you have your regmon-filters.conf located with the above info).

[User keys]
disabled = 1
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename

[Machine keys]
disabled = 1
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename

This kept those 2 filters from running, but my problem now is that I only get my first filter to work. For example, your [Run] filter that is defined would be the only results I would see. What's even worse, when I labeled my filters all the same ([Machine keys]) it would give me events for the last one.

I am still working on it to see if I am doing something wrong, but my regmon-filters.conf looks very similar to yours and I am trying this with Splunk 4.1.6 on a Vista 32-bit machine for testing.

Travis.


thall79
Communicator

After some more work I found that in sysmon.conf you can set active_filter = "Run", "RunOnce", "rest of your filters" and you will not need the User & Machine key entries in regmon-filters.conf like I had above. With this setup I am able to get a baseline, but it will not see any changes that I make to the registry. Still looking into it.


thall79
Communicator

OK, I take that back on which filter gets used. From Splunk Web - Manager - Data inputs - Registry monitoring, the first one listed seems to be the one that gets used.
