I am working on filtering windows registry events....
# eclecticiq-polylogyx-extension
l
I am working on filtering windows registry events. I am testing the filters with this activity on my windows server
```powershell
# Record the current start type of the Windows Update service so it can be restored afterwards.
$start = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" | Select-Object -ExpandProperty "Start"
# Attack successful if zero exit

# Write Start = 4 (disabled) under ...\Services\wuauserv; this is the registry write the filter should catch.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value 4 -Force
# Attack successful if zero exit

# Read the value back to confirm the change took effect.
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" | Select-Object -ExpandProperty "Start"
# Attack successful if output matches /4/

# Restore the original start type.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value $start -Force
```
When I execute this with `target_name: { include: { values [ * ] } }`, I get the results I would expect, but if I add
```json
"target_name": {
        "include": {
          "values": [
            "*\\Start",
          ]
        }
       }
```
I get no results. The expected outcome is that, since the resulting registry entry ends with `\Start`, the include filter for `*\\Start` would be enough to capture the information.
But when I run the above actions I don't see any data for the event in question; if I remove the target_name filter, I get results.
h
Can you remove the trailing comma at the end of the filter (highlighted in yellow) and then try? Since there is only one filter applied, a comma is not expected.
If possible, please also share the full JSON snippet for the `win_registry_events` filters.
l
Sorry, that was a typo when writing it out here; there is no comma in the original file.
h
OK. Is this the ONLY filter set in `win_registry_events`?
```json
"target_name": {
        "include": {
          "values": [
            "*\\Start"
          ]
        }
       }
```
l
```json
"win_registry_events": {
  "action": {
    "exclude": {
      "values": [
        "REG_CREATE"
      ]
    }
  },
  "target_name": {
    "include": {
      "values": [
        "*"
      ]
    }
  },
  "process_name": {
    "exclude": {
      "values": [
        "C:\\WINDOWS\\system32\\svchost.exe",
        "C:\\WINDOWS\\SysWOW64\\F5FltSrv.exe",
        "System",
        "C:\\WINDOWS\\system32\\lsass.exe",
        "C:\\ProgramData\\Core\\VPNCC.exe",
        "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
        "C:\\Program Files (x86)\\OpenText\\Office Editor\\OTEditTray.exe",
        "C:\\WINDOWS\\SysWOW64\\AbtSvcHost_.exe",
        "C:\\Program Files (x86)\\NVIDIA Corporation\\Update Core\\NvBackend.exe",
        "C:\\WINDOWS\\SysWOW64\\netsh.exe",
        "C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
        "*\\AppData\\Local\\Akamai\\netsession_win.exe",
        "C:\\Windows\\winipbin\\*"
      ]
    }
  }
},
```
This works as expected; when I put `"*\\Start"` in the config it no longer sees the data.
(Edited to remove some filenames.)
h
ok we'll try out this conf
o
What is the raw registry event?
l
I'll have to pull it. I have the output from Sysmon and osquery for the same event, monitoring the same registry entry, but I'll pull the raw registry event.
h
Registry event filters work on registry key paths (not including registry values) in extension version 3.0.0.0. I shall discuss with the team to consider supporting it in a future release.