Monitoring specific keys in the registry

heathramos · ‎10-30-2017

I had the default registry monitoring turned on for our desktops for a day but it used way too much of our license so I had to disable it.

I am interested in monitoring a few keys but I am unclear on how to fill out the hive portion within the inputs.conf file.

Example of the keys I might monitor:

REGISTRY: Watch for the creation or modification of new registry keys and values a. 4657 – Accesses: WriteData (or AddFile) i. HKLM, HKCU & HKU – Software\Microsoft\Windows\CurrentVersion
Run, RunOnce ii. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Watch AppInit_Dlls iii. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Watch Connection time of USB Devices iv. HKLM\System\CurrentControlSet\Services
Watch for NEW Services v. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Watch for NEW USB devices

xavierashe · ‎11-08-2017

Here are a few examples that I run. For HKCU, you have to use this format:

[WinRegMon://hkcu_run1]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

For HKLM you use MACHINE:

[WinRegMon://hklm_run1]
disabled = 0
hive = \\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

You don't need to add stanzas for HKU, because your HKCU stanzas will suffice.

AaronMoorcroft · ‎06-01-2018

Hi,

Can you advise how you can monitor multiple Reg Keys in the same stanza ?

Thank you

Monitoring specific keys in the registry

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk