OSSEC rule to detect new run keys added to the registry

https://groups.google.com/forum/#!topic/ossec-list/xgkBnuyJ6ek

Q:

I’m wondering if anyone has created (or could help me) create an OSSEC rule to detect new additions to the “run” keys in the registry.

The goal is to detect malware and fileless malware adding run keys to the registry.
If anyway has started creating rules for fileless malware detection that would be great too.

A: by Janis Zoldners

1) Install Sysmon 5 (Sysinternals)

2) Configure registry monitoring in Sysmon configuration (xml file):

<RegistryEvent onmatch=”include”>
<TargetObject condition=”contains”>Software\Microsoft\Windows\CurrentVersion\Run</TargetObject>
<TargetObject condition=”contains”>Software\Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
</RegistryEvent>

3) Configure OSSEC agents to parse Sysmon eventlog:

<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>

4) Create OSSEC rule:

<rule id=”18200″ level=”5″>
<if_sid>18101</if_sid>
<id>^12$|13$|14$</id>
<match>Sysmon</match>
<description>Sysmon: registry modified</description>
<info>Microsoft Sysmon</info>
</rule>

Alert:

Rule: 18200 (level 5) -> ‘Sysmon: registry modified’
User: SYSTEM
2016 Dec 20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(12): no source: SYSTEM: NT AUTHORITY: COMPUTER: Registry object added or deleted:
EventType: CreateKey
UtcTime: 2016-12-20
ProcessGuid: {6C563ED9-D21B-5858-0000-0010C79A2E07}
ProcessId: 6252
Image: C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\Installer\setup.exe
TargetObject: \REGISTRY\USER\S-1-5*\Software\Microsoft\Windows\CurrentVersion\Run