1) Install Sysmon 5 (Sysinternals)

2) Configure registry monitoring in Sysmon configuration (xml file):

        <!-- Sysmon RegistryEvent covers event IDs 12 (key create/delete),
             13 (value set) and 14 (key/value rename); this block belongs
             inside the <EventFiltering> element of the Sysmon config.
             Note that the first "contains" match already covers RunOnce,
             since that path contains the Run path as a substring. -->
        <RegistryEvent onmatch="include">
            <TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Run</TargetObject>
            <TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
        </RegistryEvent>

3) Configure OSSEC agents to parse Sysmon eventlog:

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

4) Create OSSEC rule:

  <!-- goes in local_rules.xml inside a <group>; 18101 is the stock
       "Windows informational event" rule that these Sysmon events chain from -->
  <rule id="18200" level="5">
    <if_sid>18101</if_sid>
    <!-- Sysmon registry events 12, 13 and 14; each alternative is anchored
         with ^ and $ so that only those three IDs match -->
    <id>^12$|^13$|^14$</id>
    <match>Sysmon</match>
    <description>Sysmon: registry modified</description>
    <info>Microsoft Sysmon</info>
  </rule>

Alert:

Rule: 18200 (level 5) -> 'Sysmon: registry modified' 
User: SYSTEM 
2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
Information(12): no source: SYSTEM: NT AUTHORITY: COMPUTER: Registry object 
added or deleted: 
EventType: CreateKey 
UtcTime: 2016-12-20 
ProcessGuid: {6C563ED9-D21B-5858-0000-0010C79A2E07} 
ProcessId: 6252 
Image: C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\Installer\setup.exe 
TargetObject: 
\REGISTRY\USER\S-1-5*\Software\Microsoft\Windows\CurrentVersion\Run


On Wednesday, December 14, 2016 at 9:27:10 PM UTC+2, namobud...@gmail.com 
wrote:
>
> I'm wondering if anyone has created (or could help me) create an OSSEC 
> rule to detect new additions to the "run" keys in the registry.
>
> The goal is to detect malware and fileless malware adding run keys to the 
> registry.
>
> If anyone has started creating rules for fileless malware detection that 
> would be great too.
>
> Thanks.
>

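The detection that the four steps above assemble, replayed offline over event text in the OSSEC WinEvtLog layout of the alert shown in the reply. This is an added example, not code from the ossec-list post, from Sysmon or from OSSEC: it parses the Sysmon fields OSSEC renders, keeps only event IDs 12/13/14 whose TargetObject is a Run or RunOnce key, and then does the triage step the OSSEC rule itself does not do, separating a known installer (the Chrome setup.exe case in the alert) from an unknown binary writing a Run value. The allowlist pattern, the sample events, their paths, SIDs and GUIDs are all constructed assumptions.

```python
"""Replay constructed Sysmon registry events through the Run-key detection
logic of this thread (event IDs 12/13/14 with a Run/RunOnce TargetObject).
Added example, not code from the ossec-list post, Sysmon or OSSEC; the event
text mimics OSSEC's WinEvtLog alert layout and every sample is constructed.
"""
import re

# Sysmon RegistryEvent IDs: 12 = key create/delete, 13 = value set, 14 = rename.
REGISTRY_EVENT_IDS = {12, 13, 14}

# Run / RunOnce key in HKLM or in a user hive (\REGISTRY\USER\<SID>\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)

# Assumed allowlist of installers that legitimately write Run keys; a real
# deployment derives this from its own baseline, not from this example.
KNOWN_BENIGN_IMAGES = [
    re.compile(r"\\Google\\Chrome\\Application\\[\d.]+\\Installer\\setup\.exe$", re.I),
]

# Sysmon fields as OSSEC renders them ("Name: value"); a value runs until the
# next field name, so this works on one-line and multi-line renderings.
SYSMON_FIELDS = ("EventType", "UtcTime", "ProcessGuid", "ProcessId",
                 "Image", "TargetObject", "Details", "NewName")
_NAMES = "|".join(SYSMON_FIELDS)
FIELD_RE = re.compile(rf"({_NAMES}): ?(.*?)(?=\s*(?:{_NAMES}):|\s*$)", re.S)
EVENT_ID_RE = re.compile(r"\b(?:Information|Warning|Error)\((\d+)\)")


def parse_event(text):
    """Return {'EventID': int, <Sysmon field>: str, ...}, or None for non-event text."""
    m = EVENT_ID_RE.search(text)
    if not m:
        return None
    fields = {name: value.strip() for name, value in FIELD_RE.findall(text)}
    fields["EventID"] = int(m.group(1))
    return fields


def classify(event):
    """Return (verdict, reason): ignore / info / low / high."""
    if event is None or event["EventID"] not in REGISTRY_EVENT_IDS:
        return "ignore", "not a Sysmon registry event"
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return "ignore", "not a Run/RunOnce key"
    if event.get("EventType") == "DeleteKey":
        return "info", "Run key removed"
    image = event.get("Image", "")
    if any(p.search(image) for p in KNOWN_BENIGN_IMAGES):
        return "low", f"known installer touched Run key: {image}"
    hive = "user hive" if "\\REGISTRY\\USER\\" in target.upper() else "HKLM"
    return "high", f"{event.get('EventType')} on Run key in {hive} by {image}"


def run_detection(events):
    """Classify each raw event text; returns a list of (verdict, reason)."""
    return [classify(parse_event(e)) for e in events]


# Constructed samples in the OSSEC WinEvtLog layout (not captured data).
SAMPLE_EVENTS = [
    # 1: Chrome installer creating the user-hive Run key, as in the alert above
    r"""WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(12): no source: SYSTEM: NT AUTHORITY: COMPUTER: Registry object added or deleted:
EventType: CreateKey
UtcTime: 2016-12-20 10:00:00.000
ProcessGuid: {6C563ED9-D21B-5858-0000-0010C79A2E07}
ProcessId: 6252
Image: C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\Installer\setup.exe
TargetObject: \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run""",
    # 2: unknown binary in %TEMP% setting a Run value in the user hive
    r"""WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(13): no source: alice: WORKSTATION: COMPUTER: Registry value set:
EventType: SetValue
UtcTime: 2016-12-20 10:05:00.000
Image: C:\Users\alice\AppData\Local\Temp\upd.exe
TargetObject: \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: C:\Users\alice\AppData\Local\Temp\upd.exe""",
    # 3: process-create event (ID 1) that the rule must not pick up
    r"""WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(1): no source: alice: WORKSTATION: COMPUTER: Process Create:
UtcTime: 2016-12-20 10:04:58.000
Image: C:\Users\alice\AppData\Local\Temp\upd.exe""",
    # 4: value set outside the Run keys
    r"""WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(13): no source: alice: WORKSTATION: COMPUTER: Registry value set:
EventType: SetValue
Image: C:\Windows\explorer.exe
TargetObject: \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Details: DWORD (0x00000001)""",
    # 5: machine-wide Run value written by a binary in C:\Windows\Temp
    r"""WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(13): no source: SYSTEM: NT AUTHORITY: COMPUTER: Registry value set:
EventType: SetValue
Image: C:\Windows\Temp\svc.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc
Details: C:\Windows\Temp\svc.exe -background""",
]

if __name__ == "__main__":
    for verdict, reason in run_detection(SAMPLE_EVENTS):
        print(f"{verdict:6} {reason}")
```

Two things the replay makes visible that the rule alone does not: the OSSEC rule fires on every Sysmon registry event it sees, so it is the Sysmon include filter in step 2 that keeps the alert volume down to Run/RunOnce writes, and the very first alert you get (the Chrome installer in the thread) is exactly the kind of legitimate write that needs an allowlist or a child rule before the level-5 alert is worth paging on. The same sample text can be fed to ossec-logtest to confirm that rule 18200 matches after the `<id>` pattern is anchored.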