
SysmonEvent13_RegistrySetValue missing from Sysmon function query

Open mpp-eric-m opened this issue 4 years ago • 0 comments

I had a problem with missing Registry "SetValue" events in most of the Workbook queries; I would only see CreateKey (EventId 12) results. I noticed that the data was present in the raw XML, and that it was returned as expected with something like:

```kusto
Event
| where Source contains "sysmon"
| where EventID in (13,14)
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| project TimeGenerated, EventID, RenderedDescription, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data
```

I then noticed that the sentinel-attack/Sysmon saved search was missing SysmonEvent13_RegistrySetValue at the end in:

```kusto
(union isfuzzy=true
SysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,
SysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,
SysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,
SysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,
SysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)
```

Adding SysmonEvent13_RegistrySetValue in between SysmonEvent12_RegistryObjectAddDel and SysmonEvent14_RegistryObjectRename fixed it.

I'm just seeing that sentinel-attack\deployment\gallery.azuredeploy.json has the corresponding missing item in this section:

```json
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/Sysmon')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
  "category": "sentinel-attack",
  "displayName": "Sysmon",
  ...
  \r\n(union isfuzzy=true\r\nSysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,\r\nSysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,\r\nSysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,\r\nSysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,\r\nSysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)\r\n",
  "functionAlias": "Sysmon",
  "version": 2
}
```

mpp-eric-m, Dec 16 '20 17:12
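A gap like the one reported above (one SysmonEventN_* parser dropped from the `union isfuzzy=true (...)` list, so a whole event ID silently disappears from every Workbook built on the `Sysmon` function) is easy to catch before deployment. The script below is an added example, not code from the sentinel-attack project: it loads an ARM template, finds the `Microsoft.OperationalInsights/workspaces/savedSearches` resource whose `functionAlias` is `Sysmon`, lists the union members, reports which event IDs in an expected range have no member, and can insert a missing member in event-ID order. The embedded template is constructed to mirror the fragment quoted in the issue (the elided property holding the KQL is assumed to be the standard savedSearches `query` key, and the expected ID range 1..22 is assumed from the members the quoted union covers).

```python
"""Check and patch the Sysmon union saved search in a sentinel-attack style ARM template.

Added example, not project code. Assumptions: the KQL lives under the standard
savedSearches "query" property, and the union is expected to cover event IDs 1..22.
"""
import json
import re

# Constructed sample: the member list from the issue, with event 13 absent.
SAMPLE_UNION = (
    "(union isfuzzy=true\r\n"
    "SysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,"
    "SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,\r\n"
    "SysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,"
    "SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,\r\n"
    "SysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,\r\n"
    "SysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,"
    "SysmonEvent18_ConnectNamedPipe,\r\n"
    "SysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,"
    "SysmonEvent22_DNSEvents)\r\n"
)

# Constructed minimal template in the shape the issue quotes (resources array, one saved search).
SAMPLE_TEMPLATE = json.dumps({
    "resources": [{
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
        "apiVersion": "2020-03-01-preview",
        "name": "[concat(parameters('workspace_name'), '/Sysmon')]",
        "properties": {
            "category": "sentinel-attack",
            "displayName": "Sysmon",
            "query": SAMPLE_UNION,        # assumed key; the issue elides it with "..."
            "functionAlias": "Sysmon",
            "version": 2,
        },
    }]
})

UNION_RE = re.compile(r"union\s+isfuzzy=true\s*([^()]*)\)", re.S)
MEMBER_RE = re.compile(r"^SysmonEvent(\d+)_\w+$")


def find_saved_search(template_json, function_alias="Sysmon"):
    """Return the savedSearches resource exposing `function_alias`, or raise."""
    tpl = json.loads(template_json)
    for res in tpl.get("resources", []):
        props = res.get("properties", {})
        if (res.get("type") == "Microsoft.OperationalInsights/workspaces/savedSearches"
                and props.get("functionAlias") == function_alias):
            return res
    raise ValueError(f"no savedSearches resource with functionAlias {function_alias!r}")


def union_members(query):
    """Function names listed inside the first `union isfuzzy=true (...)` of the query."""
    m = UNION_RE.search(query)
    if not m:
        raise ValueError("query contains no 'union isfuzzy=true' member list")
    return [name.strip() for name in m.group(1).split(",") if name.strip()]


def event_id(member):
    """SysmonEvent13_RegistrySetValue -> 13; None for names not following the pattern."""
    m = MEMBER_RE.match(member)
    return int(m.group(1)) if m else None


def missing_event_ids(template_json, expected=range(1, 23)):
    """Sorted event IDs from `expected` that no union member covers."""
    res = find_saved_search(template_json)
    covered = {event_id(m) for m in union_members(res["properties"]["query"])}
    return sorted(set(expected) - covered)


def add_union_member(query, new_member):
    """Insert `new_member` into the union in event-ID order; returns the patched query.

    Only the member list is rewritten (and flattened onto one line); the rest of
    the query text is left untouched. A member already present is not duplicated.
    """
    members = union_members(query)
    if new_member in members:
        return query
    new_id = event_id(new_member)
    if new_id is None:
        raise ValueError(f"{new_member!r} is not a SysmonEventN_* name")
    # Place it before the first member whose ID is larger, keeping the numeric order.
    idx = next((i for i, m in enumerate(members) if (event_id(m) or 0) > new_id), len(members))
    members.insert(idx, new_member)
    m = UNION_RE.search(query)
    return query[:m.start(1)] + ",".join(members) + query[m.end(1):]


if __name__ == "__main__":
    print("missing:", missing_event_ids(SAMPLE_TEMPLATE))
```

Running it against the sample reports `missing: [13]`; `add_union_member(query, "SysmonEvent13_RegistrySetValue")` then places the parser between `SysmonEvent12_RegistryObjectAddDel` and `SysmonEvent14_RegistryObjectRename`, which is the fix the report describes. Pointing `missing_event_ids` at the real `gallery.azuredeploy.json` makes the same check part of a pre-deployment test, and the expected range can be widened once newer parsers are added.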