https://groups.google.com/forum/#!topic/ossec-list/xgkBnuyJ6ek
Q:
I’m wondering if anyone has created (or could help me) create an OSSEC rule to detect new additions to the “run” keys in the registry.
A: by Janis Zoldners
1) Install Sysmon 5 (Sysinternals)
2) Configure registry monitoring in Sysmon configuration (xml file):
<RegistryEvent onmatch="include">
<TargetObject condition="contains">Software\
<TargetObject condition="contains">Software\
</RegistryEvent>
3) Configure OSSEC agents to parse Sysmon eventlog:
<localfile>
<location>Microsoft-Windows-
<log_format>eventchannel</log_format>
</localfile>
4) Create OSSEC rule:
<rule id="18200" level="5">
<if_sid>18101</if_sid>
<id>^12$|13$|14$</id>
<match>Sysmon</match>
<description>Sysmon: registry modified</description>
<info>Microsoft Sysmon</info>
</rule>
Alert:
Rule: 18200 (level 5) -> 'Sysmon: registry modified'
User: SYSTEM
2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/
EventType: CreateKey
UtcTime: 2016-12-20
ProcessGuid: {6C563ED9-D21B-5858-0000-
ProcessId: 6252
Image: C:\Program Files (x86)\Google\Chrome\
TargetObject: \REGISTRY\USER\S-1-5*\
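The rule above alerts on every Sysmon registry event (IDs 12, 13, 14) that the Sysmon include filter lets through; the question itself asks specifically about the "run" keys. The following is an added example, not code from this thread, from OSSEC or from Sysmon: it applies that narrower filter to decoded events in the same Field: value shape as the alert above, normalises Sysmon's native \REGISTRY\MACHINE and \REGISTRY\USER paths to HKLM/HKU, and reports which image made the change. It goes slightly beyond the post by also covering the Wow6432Node view of the keys. Assumptions: the standard Run/RunOnce key paths under Software\Microsoft\Windows\CurrentVersion, a numeric EventID field (the alert on the page shows only EventType), and the constructed sample events embedded in the script.

```python
import re

# Sysmon registry event IDs, the same ones the OSSEC rule above matches with <id>.
SYSMON_REGISTRY_EVENT_IDS = {12, 13, 14}

# Standard Windows autostart ("run") keys. Assumption: these are the keys the
# question means; Wow6432Node is the 32-bit view on 64-bit Windows. The final
# group stops "Run" from matching unrelated keys such as "...CurrentVersion\Runtime".
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)",
    re.IGNORECASE,
)

# Sysmon logs native object-manager paths (as in the alert's \REGISTRY\USER\...);
# rewrite the prefix to the hive names analysts recognise.
HIVE_PREFIXES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
)


def normalize_target(target):
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\... and \\REGISTRY\\USER\\... to HKU\\..."""
    upper = target.upper()
    for native, hive in HIVE_PREFIXES:
        if upper.startswith(native):
            return hive + target[len(native):]
    return target


def parse_event(text):
    """Parse an OSSEC-decoded 'Field: value' block (one field per line) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_run_key_change(event):
    """True when a Sysmon registry event (12/13/14) touches a Run or RunOnce key."""
    try:
        event_id = int(event.get("EventID", -1))
    except ValueError:
        return False
    if event_id not in SYSMON_REGISTRY_EVENT_IDS:
        return False
    target = normalize_target(event.get("TargetObject", ""))
    return RUN_KEY_RE.search(target) is not None


def summarize(event):
    """The fields a responder wants first: what changed, under which key, by which image."""
    return {
        "event_id": int(event["EventID"]),
        "type": event.get("EventType"),
        "image": event.get("Image"),
        "target": normalize_target(event.get("TargetObject", "")),
        "details": event.get("Details"),
    }


def find_run_key_changes(blocks):
    """Return a summary for every block that is a Run/RunOnce key change."""
    return [summarize(e) for e in map(parse_event, blocks) if is_run_key_change(e)]


# Constructed sample events in the same Field: value shape as the alert above.
# The EventID field is an assumption (the page's alert shows only EventType).
SAMPLE_EVENTS = [
    r"""
EventID: 13
EventType: SetValue
UtcTime: 2016-12-20 10:15:02.123
ProcessId: 4120
Image: C:\Users\alice\AppData\Local\Temp\updater.exe
TargetObject: \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: C:\Users\alice\AppData\Local\Temp\updater.exe
""",
    r"""
EventID: 12
EventType: CreateKey
UtcTime: 2016-12-20 10:15:03.456
ProcessId: 6252
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetObject: \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Google\Chrome\PreferenceMACs
""",
    r"""
EventID: 13
EventType: SetValue
UtcTime: 2016-12-20 10:16:10.789
ProcessId: 2088
Image: C:\Windows\SysWOW64\msiexec.exe
TargetObject: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup
Details: C:\ProgramData\vendor\setup.exe /finish
""",
    r"""
EventID: 1
EventType: ProcessCreate
UtcTime: 2016-12-20 10:16:11.000
ProcessId: 2090
Image: C:\Windows\System32\cmd.exe
""",
]

if __name__ == "__main__":
    for hit in find_run_key_changes(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it prints two hits (the Run value written by updater.exe and the RunOnce value written by msiexec.exe) and ignores both Chrome's own key creation and the non-registry event. The same TargetObject test can be expressed as a child OSSEC rule with `<if_sid>18200</if_sid>` and a `<regex>` on CurrentVersion\Run, so that the broad rule from the answer keeps logging all registry changes at level 5 while Run-key changes are raised to a higher level.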