What is the correct filter to find persistence in ...

tonyfer · ‎05-12-2023

Hi

I'm investigating Windows log in Splunk, struggling to apply the correct filter.

What filter do I need to apply to find the persistence in the Windows registry?

What filter do I need to apply to find the Sysmon id 13 events to find the registry key used to maintain persistence in Windows?

Filter for what port number is listening for an incoming connection, using Sysmon 12 and sysmon13 event IDs.

my current search: index=*

Any assistance will be immensely appreciated

ITWhisperer · ‎05-12-2023

Similar to this question Re: How to Identify windows registry key use for p... - Splunk Community

Do you have examples of the events you are dealing with?

tonyfer · ‎05-12-2023

Hi

I want to search for sysmon events in splunk

my current search: index=* sourcetype="WinEventLog:Microsoft-Windows-sysmon/operation" Registry

I'm trying to identify any persistence in the system, is that the correct filter for Splunk search?

Thanks

ITWhisperer · ‎05-13-2023

So, your question is not really a Splunk question, it is more about your data, and how to interpret your data to identify the "persistence" events. Without knowledge of your data, it is difficult for us to advise. Perhaps if you shared some of your events, anonymised of course, we might be able to make some suggestions.

Having said that, a quick google search (which you could have done yourself!) returns this link to Microsoft, which seems to indicate that events 12, 13 and 14 are to do with the Registry. Perhaps you could start with those.

What is the correct filter to find persistence in Windows registry?

field extraction

regex

search job inspector

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!