# eclecticiq-polylogyx-extension

lvferdi

11/29/2021, 9:00 PM
I am working on filtering Windows registry events. I am testing the filters with this activity on my Windows server:

```powershell
$start = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" | Select-Object -ExpandProperty "Start"
# Attack successful if zero exit

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value 4 -Force
# Attack successful if zero exit

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" | Select-Object -ExpandProperty "Start"
# Attack successful if output matches /4/

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value $start -Force
```
When I execute this with `target_name: { include: { values [ * ] } }`, I get the results I would expect, but if I add

```json
"target_name": {
  "include": {
    "values": [
      "*\\Start",
    ]
  }
}
```

I get no results. The expected outcome is that, since the resulting registry entry ends with `\Start`, the include filter for `*\\Start` would be enough to capture the information. But when I run the above actions I don't see any data for the event in question; if I remove the target_name filter I get results.
himanshu

11/30/2021, 8:05 AM
Can you remove the trailing comma at the end of the filter (highlighted in yellow) and then try? Since there is only one filter applied, a comma is not expected.
If possible, please also share the full JSON snippet for the `win_registry_events` filters.
lvferdi

11/30/2021, 12:53 PM
Sorry, that was a typo when writing it out here; there is no comma in the original file.
himanshu

11/30/2021, 1:11 PM
OK. Is this the ONLY filter set in `win_registry_events`?

```json
"target_name": {
  "include": {
    "values": [
      "*\\Start"
    ]
  }
}
```
lvferdi

11/30/2021, 1:12 PM
```json
"win_registry_events": {
  "action": {
    "exclude": {
      "values": [
        "REG_CREATE"
      ]
    }
  },
  "target_name": {
    "include": {
      "values": [
        "*"
      ]
    }
  },
  "process_name": {
    "exclude": {
      "values": [
        "C:\\WINDOWS\\system32\\svchost.exe",
        "C:\\WINDOWS\\SysWOW64\\F5FltSrv.exe",
        "System",
        "C:\\WINDOWS\\system32\\lsass.exe",
        "C:\\ProgramData\\Core\\VPNCC.exe",
        "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
        "C:\\Program Files (x86)\\OpenText\\Office Editor\\OTEditTray.exe",
        "C:\\WINDOWS\\SysWOW64\\AbtSvcHost_.exe",
        "C:\\Program Files (x86)\\NVIDIA Corporation\\Update Core\\NvBackend.exe",
        "C:\\WINDOWS\\SysWOW64\\netsh.exe",
        "C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
        "*\\AppData\\Local\\Akamai\\netsession_win.exe",
        "C:\\Windows\\winipbin\\*"
      ]
    }
  }
},
```

This works as expected; when I put `"*\\Start"` in the config it no longer sees the data.
edited to remove some filenames
himanshu

11/30/2021, 1:27 PM
OK, we'll try out this conf.
OpenPlgx

11/30/2021, 3:14 PM
What is the raw registry event?
lvferdi

11/30/2021, 8:13 PM
I'll have to pull it. I have the output from Sysmon and osquery for the same event monitoring the same registry entry, but I'll pull the raw reg event.
himanshu

12/01/2021, 11:38 AM
Registry event filters will work on registry key paths (not including registry values) in extension version 3.0.0.0. I shall discuss with the team to consider supporting it in a future release.