valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b693f38157
atomic-threat-coverage/data_needed/DN_0016_12_windows_sysmon_RegistryEvent.yml
yugoslavskiy f79f50bec3 changed directories names
2019-02-12 04:55:11 +01:00

54 lines
1.9 KiB
YAML
Raw Blame History

title: DN_0016_12_windows_sysmon_RegistryEvent
description: >
Registry key and value create and delete operations map to this event type,
which can be useful for monitoring for changes to Registry autostart
locations, or specific malware registry modifications
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md
category: OS Logs
platform: Windows
type: Applications and Services Logs
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- Hostname # redundant
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:05:28.027841800Z" />
<EventRecordID>42938</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>
Reference in New Issue View Git Blame Copy Permalink