Splunk Search

What is the correct filter to find persistence in Windows registry?

tonyfer
Observer

Hi

I'm investigating Windows logs in Splunk and struggling to apply the correct filter.

What filter do I need to apply to find persistence in the Windows registry?

What filter do I need to apply to find the Sysmon ID 13 events, to find the registry key used to maintain persistence in Windows?

Filter for what port number is listening for an incoming connection, using Sysmon 12 and Sysmon 13 event IDs.

My current search: index=*

Any assistance will be immensely appreciated.

0 Karma

ITWhisperer
SplunkTrust

Similar to this question Re: How to Identify windows registry key use for p... - Splunk Community

Do you have examples of the events you are dealing with?

0 Karma

tonyfer
Observer

Hi

I want to search for Sysmon events in Splunk.

My current search: index=* sourcetype="WinEventLog:Microsoft-Windows-sysmon/operation" Registry

I'm trying to identify any persistence in the system. Is that the correct filter for a Splunk search?

Thanks

0 Karma

ITWhisperer
SplunkTrust

So, your question is not really a Splunk question, it is more about your data, and how to interpret your data to identify the "persistence" events. Without knowledge of your data, it is difficult for us to advise. Perhaps if you shared some of your events, anonymised of course, we might be able to make some suggestions.

Having said that, a quick Google search (which you could have done yourself!) returns this link to Microsoft, which seems to indicate that events 12, 13 and 14 are to do with the Registry. Perhaps you could start with those.

0 Karma
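As an added example (not part of this thread, and not Splunk's or Microsoft's own code), this is the logic a Sysmon ID 13 search has to express: every Value Set event carries the registry path in TargetObject and the written data in Details, so hunting for persistence comes down to matching TargetObject against known autostart locations. The field names follow what Splunk extracts from Sysmon XML (EventCode, TargetObject, Details, Image), the pattern list is an assumed starting set rather than a complete one, and the sample events are constructed; the same regexes can be carried into a Splunk `regex` command on TargetObject.

```python
"""Classify Sysmon Event ID 13 (RegistryEvent: Value Set) records by whether the
written value lives in a well-known Windows autostart location. Records are dicts
shaped like the fields Splunk extracts from Sysmon XML; the samples are constructed."""
import re

# Assumed starting list of autostart locations (not exhaustive). Each regex is
# applied to the full TargetObject path, e.g. HKLM\...\CurrentVersion\Run\Updater.
AUTOSTART_PATTERNS = {
    "run_key": r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(Ex)?\\",
    "winlogon": r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    "service_image": r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+\\ImagePath$",
    "ifeo_debugger": r"\\Image File Execution Options\\[^\\]+\\Debugger$",
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in AUTOSTART_PATTERNS.items()}

def classify(event):
    """Return the autostart category a Sysmon event writes into, or None.
    Only EventCode 13 (Value Set) carries Details; 12 (create/delete) and 14 (rename) are skipped."""
    if str(event.get("EventCode")) != "13":
        return None
    target = event.get("TargetObject", "")
    for name, rx in _COMPILED.items():
        if rx.search(target):
            return name
    return None

def find_autostart_writes(events):
    """Return (category, TargetObject, Details, Image) for each flagged value write."""
    hits = []
    for ev in events:
        cat = classify(ev)
        if cat:
            hits.append((cat, ev["TargetObject"], ev.get("Details", ""), ev.get("Image", "")))
    return hits

# Constructed sample events (not real telemetry); field names follow Splunk's extraction.
SAMPLE_EVENTS = [
    {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventCode": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "Details": r"C:\Users\alice\Desktop"},
    {"EventCode": 12, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\svc1\ImagePath"},
    {"EventCode": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\svc1\ImagePath",
     "Details": r"C:\ProgramData\svc1\svc.exe"},
]
```

Running `find_autostart_writes(SAMPLE_EVENTS)` flags only the Run key write and the service ImagePath write; the Explorer shell-folder update and the EventCode 12 key creation are ignored.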