Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: Monitor Registry for reg key creation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitor Registry for reg key creation
Hi Guys,
So I wish to monitor for the creation of a reg key that currently does not exist, could one of you kind folk help me out please ?
So I need to know if UserInitMprLogonScript is ever created in HKCU\Environment\
Not sure how to go about this via the inputs.conf
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guys so I have the registry logging into Splunk now with this -
[WinRegMon://Registry]
proc = .*
hive = \REGISTRY\USER\.*
type = create|delete|set|rename
baseline = 1
index = main
but this seems to be logging lots of other changes, any ideas how I can get this to only monitor the Environment hive ? I've tried this - hive = \REGISTRY\USER\ENVIRONMENT\.* but this seems to stop everything logging then ????
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried proc=.* ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, yeah thats a typo on the above there is a ? in the Stanza, this is now working fine thank you, the next thing I need to work out is how to add multiple reg keys into the monitor without having multiple stanzas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why can't you define multiple stanzas? Or asked differently; What are you trying to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
It's not that I cant define multiple stanzas its more a case that I would like to keep the config files small and tidy, call it OCD !!!
As for what I'm trying to do, I'm looking at creating a config file that will log everything needed for every type of attack based off of the Mitre Table attack vectors so the config files will be quite comprehensive, this will then be distributed over all the systems so I just want to keep it as simple and tidy as possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guys,
ok so I managed to get this sorted in the end with the below -
[WinRegMon://Registry]
proc = .*
hive = \REGISTRY\USER\.\ENVIRONMENT\.
type = create|delete|set|rename
baseline = 1
index = main
I also set up an alert so any activity in this registry hive now sends an alert, great mitigation for some trojan's that create persistence by adding keys here
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
