FIM MS "Registry Key Integrity Checksum Changed"


M G

Aug 24, 2023, 8:17:20 AM
to Wazuh | Mailing List
Hello,

I have a question.

In my config I check only one registry:
"<windows_registry restrict_value="test" recursion_level="0">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>"
[Attachments: screen1.jpg, screen2.jpg]

The 'Registry Key Integrity Checksum Changed' event always occurs when the registry in the key changes, no matter which.
If I change the value of "test" I get two events:
-Registry Key Integrity Checksum Changed
-Registry Value Integrity Checksum Changed
If I change the value of another key (e.g. qwerty), I get:
-Registry Key Integrity Checksum Changed

With the setting
"<windows_registry restrict_value="test" recursion_level="3">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>"
an event is created when a value changes in any register up to 3 keys "down the branch".
Despite being limited to the "test" register, I get huge noise whenever any register changes up to 3 keys down the branch.

Can I turn it off?
Is it a bug?

Regards
Mateusz

Stuti Gupta

Aug 25, 2023, 1:58:15 AM
to Wazuh | Mailing List
Hi Mateusz,

In the above configuration, the windows_registry directive specifies that the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion and its subkeys will be monitored up to a depth of 3 levels (recursion_level="3"). The restrict_value attribute is set to "test", so only registry values with the name "test" within this key and its subkeys will be included in the monitoring process.

In summary, the alerts you're observing are expected behavior based on the configuration you've set up. The "Registry Key Integrity Checksum Changed" alerts occur whenever changes are detected in the monitored registry key, and "Registry Value Integrity Checksum Changed" alerts occur for specific values you're monitoring. The difference in alerts between "test" and "qwerty" values is that you're monitoring the "test" value but not monitoring values within the "qwerty" key. When you change the value of another key, such as "qwerty", you're only getting the "Registry Key Integrity Checksum Changed" alert. This is because you're not monitoring the values within that key, only the key itself. So, the change in the "qwerty" value doesn't generate a separate value integrity alert as the "test" value does.

If you want to ignore the registry, please use the registry_ignore option; for that, please refer to https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#registry-ignore
To know more about Windows registry monitoring please refer to https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/windows-registry-monitoring.html

Note:
It's essential to track these changes to ensure system stability and security. The Wazuh FIM module scans the Windows Registry periodically and triggers an alert when it detects changes in the entries.

Hope this will be helpful. Please feel free to contact us for any information/issues.
Regards,
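To reason about which registry changes will produce which of the two alerts under the configuration discussed in this thread, here is an added Python model of the behaviour described above. It is not Wazuh's own code: the `Noisy` subkey in the ignore list is a hypothetical entry showing where a `registry_ignore` would cut the noise, and treating `restrict_value` as a regular expression matched against the value name is a simplifying assumption.

```python
import re

# Values taken from the <windows_registry> entry quoted in the thread.
MONITORED_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
RESTRICT_VALUE = "test"   # restrict_value attribute; treated here as a regex (assumption)
RECURSION_LEVEL = 3       # recursion_level attribute from the second configuration

# Hypothetical registry_ignore entry (constructed, not from the thread).
IGNORED_KEYS = [MONITORED_KEY + r"\Noisy"]

KEY_ALERT = "Registry Key Integrity Checksum Changed"
VALUE_ALERT = "Registry Value Integrity Checksum Changed"


def depth_below(base: str, key: str):
    """Levels that `key` sits below `base` (0 = same key), or None if outside it.

    Registry paths are compared case-insensitively, component by component.
    """
    base_parts = base.lower().split("\\")
    key_parts = key.lower().split("\\")
    if key_parts[: len(base_parts)] != base_parts:
        return None
    return len(key_parts) - len(base_parts)


def expected_alerts(key: str, value_name: str) -> list:
    """Alerts the thread's configuration is expected to raise for a change to
    `value_name` under `key`, following the explanation given in the answer:
    any change inside the monitored tree (within recursion_level) yields the
    key-level checksum alert; the value-level alert is added only when the
    value name matches restrict_value. Ignored keys yield nothing."""
    if any(depth_below(ign, key) is not None for ign in IGNORED_KEYS):
        return []
    depth = depth_below(MONITORED_KEY, key)
    if depth is None or depth > RECURSION_LEVEL:
        return []
    alerts = [KEY_ALERT]
    if re.search(RESTRICT_VALUE, value_name):
        alerts.append(VALUE_ALERT)
    return alerts


if __name__ == "__main__":
    # Constructed sample changes mirroring the cases reported in the question.
    for key, value in [(MONITORED_KEY, "test"), (MONITORED_KEY, "qwerty"),
                       (MONITORED_KEY + r"\A\B\C\D", "test"),
                       (MONITORED_KEY + r"\Noisy\Sub", "test")]:
        print(f"{key}  [{value}] -> {expected_alerts(key, value) or 'no alert'}")
```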