1) Install Sysmon 5 (Sysinternals)

2) Configure registry monitoring in the Sysmon configuration (xml file):

  <RegistryEvent onmatch="include">
    <TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Run</TargetObject>
    <TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
  </RegistryEvent>

3) Configure the OSSEC agents to parse the Sysmon event log:

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

4) Create an OSSEC rule (the <id> field anchors each Sysmon event ID so only 12, 13 and 14, the registry events, match):

  <rule id="18200" level="5">
    <if_sid>18101</if_sid>
    <id>^12$|^13$|^14$</id>
    <match>Sysmon</match>
    <description>Sysmon: registry modified</description>
    <info>Microsoft Sysmon</info>
  </rule>

Alert:

  Rule: 18200 (level 5) -> 'Sysmon: registry modified'
  User: SYSTEM
  2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(12): no source: SYSTEM: NT AUTHORITY: COMPUTER: Registry object added or deleted:
  EventType: CreateKey
  UtcTime: 2016-12-20
  ProcessGuid: {6C563ED9-D21B-5858-0000-0010C79A2E07}
  ProcessId: 6252
  Image: C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\Installer\setup.exe
  TargetObject: \REGISTRY\USER\S-1-5*\Software\Microsoft\Windows\CurrentVersion\Run

On Wednesday, December 14, 2016 at 9:27:10 PM UTC+2, namobud...@gmail.com wrote:
>
> I'm wondering if anyone has created (or could help me) create an OSSEC
> rule to detect new additions to the "run" keys in the registry.
>
> The goal is to detect malware and fileless malware adding run keys to the
> registry.
>
> If anyone has started creating rules for fileless malware detection that
> would be great too.
>
> Thanks.
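The following is an added example, not code from the thread and not part of OSSEC or Sysmon. It reproduces the matching logic of the rule above (Sysmon event ID 12, 13 or 14 with a TargetObject under the Run/RunOnce keys) in Python over OSSEC-style alert text, using the Chrome installer alert from the reply plus two constructed events. It goes one step beyond the rule: because rule 18200 fires at level 5 for every Run-key change, including legitimate installers like the Chrome setup in the sample, the example separates writes made by a small, hypothetical list of script hosts from ordinary ones so they can be triaged first. The script-host list, the field names parsed and the two extra events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sysmon registry event IDs, the same set the rule's <id> field selects.
REGISTRY_EVENT_IDS = {12, 13, 14}

# Key fragments from the Sysmon RegistryEvent include filter; matched
# case-insensitively as a substring, like Sysmon's condition="contains".
RUN_KEY_FRAGMENTS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Hypothetical triage list (assumption, not from the thread): script/LOLBin
# hosts that rarely have a legitimate reason to create autorun entries.
SCRIPT_HOST_IMAGES = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe")

# Field names as they appear in the OSSEC-flattened Sysmon message.
FIELD_NAMES = ("EventType", "UtcTime", "ProcessGuid", "ProcessId", "Image", "TargetObject", "Details")
_FIELD_SPLIT_RE = re.compile(r"\b(" + "|".join(FIELD_NAMES) + r"): ")
_EVENT_ID_RE = re.compile(r"Microsoft-Windows-Sysmon/Operational: \w+\((\d+)\)")


@dataclass
class SysmonRegistryEvent:
    event_id: int
    event_type: str
    image: str
    target_object: str


def parse_fields(message: str) -> Dict[str, str]:
    """Split 'Name: value Name: value ...' into a dict; values may contain spaces."""
    parts = _FIELD_SPLIT_RE.split(message)  # [prefix, name1, value1, name2, value2, ...]
    return {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}


def parse_alert(alert_text: str) -> Optional[SysmonRegistryEvent]:
    """Extract the Sysmon event ID and the fields the rule logic needs."""
    m = _EVENT_ID_RE.search(alert_text)
    if not m:
        return None
    f = parse_fields(alert_text)
    return SysmonRegistryEvent(int(m.group(1)), f.get("EventType", ""), f.get("Image", ""), f.get("TargetObject", ""))


def touches_run_key(target_object: str) -> bool:
    t = target_object.lower()
    return any(frag.lower() in t for frag in RUN_KEY_FRAGMENTS)


def classify(event: Optional[SysmonRegistryEvent]) -> str:
    """'ignore', 'registry modified' (what rule 18200 reports) or 'suspicious autorun writer'."""
    if event is None or event.event_id not in REGISTRY_EVENT_IDS:
        return "ignore"
    if not touches_run_key(event.target_object):
        return "ignore"  # with the include filter Sysmon should not log these, but be explicit
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    if image_name in SCRIPT_HOST_IMAGES:
        return "suspicious autorun writer"
    return "registry modified"


SAMPLE_ALERTS = {
    # Taken from the alert in the reply above: Chrome's installer creating the HKCU Run key.
    "chrome_installer": (
        r"2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(12): no source: SYSTEM: NT AUTHORITY: COMPUTER: "
        r"Registry object added or deleted: EventType: CreateKey UtcTime: 2016-12-20 "
        r"ProcessGuid: {6C563ED9-D21B-5858-0000-0010C79A2E07} ProcessId: 6252 "
        r"Image: C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\Installer\setup.exe "
        r"TargetObject: \REGISTRY\USER\S-1-5*\Software\Microsoft\Windows\CurrentVersion\Run"
    ),
    # Constructed: a script host setting a Run value (Sysmon event 13).
    "script_host": (
        r"2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(13): no source: SYSTEM: NT AUTHORITY: COMPUTER: "
        r"Registry value set: EventType: SetValue UtcTime: 2016-12-20 "
        r"ProcessGuid: {00000000-0000-0000-0000-000000000000} ProcessId: 4242 "
        r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
        r"TargetObject: HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater "
        r"Details: C:\Users\alice\AppData\Roaming\updater.exe"
    ),
    # Constructed: a process-create event (Sysmon event 1) the rule's <id> field must not match.
    "process_create": (
        r"2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(1): no source: SYSTEM: NT AUTHORITY: COMPUTER: "
        r"Process Create: UtcTime: 2016-12-20 ProcessGuid: {00000000-0000-0000-0000-000000000000} ProcessId: 1234 "
        r"Image: C:\Windows\System32\notepad.exe"
    ),
}


def triage(alerts: Dict[str, str]) -> Dict[str, str]:
    return {name: classify(parse_alert(text)) for name, text in alerts.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ALERTS).items():
        print(f"{name}: {verdict}")
```

Running it prints `registry modified` for the Chrome installer, `suspicious autorun writer` for the constructed PowerShell event and `ignore` for the process-create event. In OSSEC itself the same split can be expressed as a child rule of 18200 that matches on the Image field and raises the level, with the parent kept at level 5 for the routine cases.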