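# Data-needed descriptor for Windows Security event 4657 ("A registry value was
# modified"). Detection rules that pivot on registry value changes depend on the
# logging policy below being deployed; without it this event simply never appears.
title: DN_0059_4657_registry_value_was_modified
description: >
  This event generates when a registry key value was modified. It doesn't generate
  when a registry key itself was modified (key-level operations surface through
  other object-access events). This event generates only if "Set Value" auditing
  is set in the registry key's SACL and the "Audit Registry" subcategory is enabled;
  keys with no such SACL produce no 4657 at all, so coverage is only as good as
  the SACL deployment on the keys of interest (run keys, services, etc.).
loggingpolicy:
  - LP_0103_windows_audit_registry
references:
  - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
  - EventID
  - Computer
  - Hostname          # redundant with Computer
  - SubjectUserSid    # account that changed the value; SubjectLogonId ties it to a 4624 logon
  - SubjectUserName
  - SubjectDomainName
  - SubjectLogonId
  - ObjectName        # registry key path in kernel form, e.g. \REGISTRY\MACHINE (= HKLM)
  - ObjectValueName   # name of the value that was changed
  - HandleId          # same handle as the matching 4656/4658 events for this key (per reference doc)
  - OperationType     # %%-coded resource string; %%1905 = existing value modified (see reference doc)
  - OldValueType      # %%-coded REG_* type; %%1873 = REG_SZ (see reference doc)
  - OldValue          # may be empty (as in the sample); NOTE(review): values can carry secrets, treat the log as sensitive
  - NewValueType
  - NewValue
  - ProcessId
  - ProcessName       # process that wrote the value; primary pivot when hunting persistence
# The sample was copied from the Microsoft Docs Markdown source, which escapes
# backslashes and underscores (\\REGISTRY\\MACHINE, Name\_New) and carries Event
# Viewer's "- " tree markers. Both have been removed so the XML is well-formed and
# matches what the Security channel actually emits. TODO(review): confirm against
# a live 4657 before building exact-match detections on ObjectName/ProcessName.
sample: |
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4657</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12801</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
      <EventRecordID>744725</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="4824" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x364eb</Data>
      <Data Name="ObjectName">\REGISTRY\MACHINE</Data>
      <Data Name="ObjectValueName">Name_New</Data>
      <Data Name="HandleId">0x54</Data>
      <Data Name="OperationType">%%1905</Data>
      <Data Name="OldValueType">%%1873</Data>
      <Data Name="OldValue" />
      <Data Name="NewValueType">%%1873</Data>
      <Data Name="NewValue">Andrei</Data>
      <Data Name="ProcessId">0xce4</Data>
      <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
    </EventData>
  </Event>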