Commit 5e79c36

Merge pull request #65 from TKCERT/neo23x0-pr2
Add registry keys often used by malware and Windows services
2 parents 51f9c77 + 5554c69 commit 5e79c36

sysmonconfig-export.xml

Lines changed: 3 additions & 0 deletions
@@ -846,6 +846,9 @@
846846
<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
847847
<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
848848
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\</TargetObject> <!--Microsoft:Windows:DNS: ServerLevelPluginDll Issue https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 -->
849+
<!-- Testing - Unknown log volume but relevant registry keys -->
850+
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_</TargetObject> <!-- Often used by malware -->
851+
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject> <!--Windows Services -->
849852
</RegistryEvent>
850853
</RuleGroup>
851854
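Review bot: the new `begin with` prefix `HKLM\SYSTEM\CurrentControlSet\Services\` on line 851 matches every value write under every service key, not just service creation, so it will fire on routine Parameters updates by built-in services and is likely to be the noisiest line in this RegistryEvent group; the `<!-- Testing - Unknown log volume -->` comment on line 849 concedes this, and the volume should be measured on a representative host before this leaves the testing state. If the intent is service persistence and hijacking, narrowing to the values that matter is far cheaper, e.g. `<TargetObject condition="end with">\ImagePath</TargetObject>`, plus the same for `\ServiceDll` and `\Start`. Two smaller points: the existing line 848 rule for `services\DNS\Parameters\` is fully subsumed by the new prefix and is now redundant, so either drop it or keep it explicitly as documentation of the ServerLevelPluginDll case; and the `<!-- Often used by malware -->` comment on line 850 should say why (`Enum\Root\LEGACY_*` entries record legacy kernel-mode driver services registered on the host, which is why their creation is a useful driver/rootkit indicator) so the next maintainer does not tune it out.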
