
HKCU Entries

Open kevinelwell opened this issue 3 years ago • 3 comments

Your .XML files contain HKCU registry entries. Since the Sysmon service runs under the SYSTEM account, Sysmon would be looking for any HKCU registry items under the SYSTEM account; NOT the logged-on user(s).

Reference: https://github.com/olafhartong/sysmon-modular/issues/130

kevinelwell avatar May 26 '22 17:05 kevinelwell
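As an added example (not code from the EventLogging repository), a small Python linter that parses a Sysmon config and flags rule values beginning with HKCU, which Sysmon resolves against SYSTEM's hive rather than the logged-on user's; the sample config, tag names and the suggested rewrite are assumptions made here:

```python
"""Flag HKCU-prefixed rules in a Sysmon config (added example, not project code).

Sysmon runs as SYSTEM, so a value such as HKCU\\Software\\... is matched
against SYSTEM's own hive. Interactive users' keys show up in Sysmon
events as HKU\\<SID>\\..., so an HKCU rule never fires for them.
Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config for this example; the first TargetObject is the
# problematic HKCU form, the second is the hive-independent rewrite.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="begin with">HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</TargetObject>
        <TargetObject condition="contains">\\CurrentVersion\\Run</TargetObject>
        <TargetObject condition="begin with">HKLM\\SYSTEM\\CurrentControlSet\\Services</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

HKCU_PREFIX = re.compile(r"^HKCU(\\|$)", re.IGNORECASE)


def find_hkcu_rules(config_xml):
    """Return (event_tag, field_tag, condition, value, path_tail) for every
    rule value that starts with HKCU. Elements carrying an onmatch attribute
    are the Sysmon event filters (RegistryEvent, ProcessCreate, ...)."""
    root = ET.fromstring(config_xml)
    findings = []
    for event in root.iter():
        if event.get("onmatch") is None:
            continue
        for field in event.iter():  # also descends into <Rule> groups
            if field is event:
                continue
            value = (field.text or "").strip()
            if HKCU_PREFIX.match(value):
                tail = value[len("HKCU"):]  # path after the hive prefix
                findings.append((event.tag, field.tag,
                                 field.get("condition", ""), value, tail))
    return findings


def suggest_rewrite(finding):
    """Hive-independent replacement: a 'contains' rule on the path tail.
    Note this also matches the same path under HKLM/HKU, which is usually
    the intent for persistence keys such as ...\\CurrentVersion\\Run."""
    _, field_tag, _, _, tail = finding
    return '<%s condition="contains">%s</%s>' % (field_tag, tail, field_tag)


if __name__ == "__main__":
    for f in find_hkcu_rules(SAMPLE_CONFIG):
        print("%s/%s (%s): %s\n  suggest: %s" % (f[0], f[1], f[2], f[3], suggest_rewrite(f)))
```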

Thanks for bringing this to our attention. We are working on a bunch of Sysmon config changes in the near future so we will work something in to fix this!

mon0pixel avatar May 31 '22 13:05 mon0pixel

Awesome teamwork! ❣️🔥📡📞📡🎯🍎🍎♠️♠️🪙🥓


icass avatar May 31 '22 14:05 icass

We will be pointing this repo to https://github.com/olafhartong/sysmon-modular in some upcoming releases, as the group over there is able to dedicate more time to maintaining the config than we are at this time.

mon0pixel avatar Aug 15 '22 13:08 mon0pixel

resolved in https://github.com/blackhillsinfosec/EventLogging/commit/46986e7d96b45f8b32bd227eb466cd8cfd8b24a2

mon0pixel avatar Nov 18 '22 14:11 mon0pixel