OSSEC Windows Registry Integrity Check


Ricardo Muhammad

Apr 17, 2018, 4:58:28 AM
to Wazuh mailing list
Hi all,

I have a maybe too simple question,
but can someone explain to me what this syscheck note means?

New entries will not trigger alerts, only changes to existing entries.

If the registry subkey doesn't actually exist, can I see if someone adds this key
and adds entries to it?


Thanks in advance

Regards
Ricardo

rafael...@wazuh.com

Apr 19, 2018, 11:04:52 AM
to Wazuh mailing list
Hi Ricardo,

when the agent starts, it adds the Windows registry entries that you specified to its internal list.
If you for example have
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\test</windows_registry>

and you add a new value to it, it will alert that the checksum for HKEY_LOCAL_MACHINE\Software\Classes\test has changed, but you will not be able to see the value you added.
Now if you add a new key to HKEY_LOCAL_MACHINE\Software\Classes\test, for example HKEY_LOCAL_MACHINE\Software\Classes\test\eee,
you will see an alert like this:
any->syscheck-registry New file 'HKEY_LOCAL_MACHINE\Software\Classes\test\eee' added to the file system.

I hope this explanation helps you to understand it all.

Best regards.

Ricardo Muhammad

Apr 20, 2018, 4:03:37 AM
to Wazuh mailing list

Hi Rafael,

thank you for your answer. Yes, this helped me. But just one last question.

Does this alerting even work if the key, for example:

<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\test</windows_registry>
doesn't actually exist yet, but someone adds the key?

Because in my ossec.log several keys can't be accessed, because they don't exist yet:
2018/04/20 03:46:40 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/04/20 03:47:12 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'.
2018/04/20 03:47:54 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Microsoft\Windows CE Services\AutoStartOnConnect'.


I hope you can understand my confused question.

Thanks and with regards
Ricardo

rafael...@wazuh.com

Apr 20, 2018, 7:28:40 AM
to Wazuh mailing list
Hi Ricardo,

if the key doesn't exist but you have added it to your syscheck configuration, you will see the errors you posted.
Now if someone adds that key, you will see an alert with the integrity checksum for that key, and it will scan for changes on that key.


Best regards.

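The two replies above describe configured keys that the agent cannot open yet (error 1758) and that only get baselined once something creates them. As an added example, not part of the thread or of Wazuh's or OSSEC's own code, this Python script cross-references the `<windows_registry>` entries of an ossec.conf with those 1758 errors and lists which configured keys are already baselined and which are still pending creation; the ossec.conf fragment is constructed, the log lines are the ones posted above, and it assumes the log names keys without the hive prefix, as those lines show.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for this example; a <windows_registry>
# element may carry one key or a comma-separated list.
OSSEC_CONF = r"""
<ossec_config>
  <syscheck>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\test</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>
</ossec_config>
"""

# ossec.log lines as quoted in the thread: the (1758) error names the key
# without its hive prefix.
OSSEC_LOG = r"""
2018/04/20 03:46:40 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/04/20 03:47:54 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Microsoft\Windows CE Services\AutoStartOnConnect'.
"""

ERR_1758 = re.compile(r"ERROR: \(1758\): Unable to open registry key: '([^']+)'")
HIVES = ("HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\", "HKEY_USERS\\", "HKEY_CLASSES_ROOT\\")


def configured_keys(conf_xml):
    """Return every registry key listed under <windows_registry>, in order."""
    root = ET.fromstring(conf_xml)
    keys = []
    for element in root.iter("windows_registry"):
        keys.extend(k.strip() for k in (element.text or "").split(",") if k.strip())
    return keys


def strip_hive(key):
    """Drop the hive name so config keys compare with the agent's log form."""
    for hive in HIVES:
        if key.upper().startswith(hive):
            return key[len(hive):]
    return key


def missing_keys(log_text):
    """Keys the agent could not open (error 1758), lower-cased for matching."""
    return {m.group(1).lower() for m in ERR_1758.finditer(log_text)}


def classify(conf_xml, log_text):
    """Split configured keys into (present, pending); pending keys are not on the host yet."""
    missing = missing_keys(log_text)
    present, pending = [], []
    for key in configured_keys(conf_xml):
        (pending if strip_hive(key).lower() in missing else present).append(key)
    return present, pending
```

Pending keys are the ones whose first alert will be the new checksum Rafael describes, so reviewing this list after an agent restart tells you which entries are waiting for the key to appear rather than being monitored.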

Ricardo Muhammad

Apr 20, 2018, 10:13:33 AM
to Wazuh mailing list
Hi Rafael,

thank you very much, this answered my question.

Have a nice day,

With regards
Ricardo