Incomplete field conversion in `registry_xx` rules
fukusuket opened this issue · 4 comments
Describe the bug
Currently, the following rules are automatically converted to EventID: 4657 (Security) and EventID: 12,13,14 (Sysmon):
- registry_add
- registry_set
- registry_event
However, due to imperfect field conversion, rules which cannot be detected are created.
Actual behavior
Undetectable rules are created.
For example, the rule below uses the fields EventType and TargetObject, which do not exist in EventID: 4657 (Security).
Expected behavior
Undetectable rules are not created.
- If there are fields that can be converted, convert the fields correctly
- If there are no fields that can be converted, don't create post-conversion rules
Additional context
Security: EID 4657
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE</Data>
<Data Name="ObjectValueName">Name_New</Data>
<Data Name="HandleId">0x54</Data>
<Data Name="OperationType">%%1905</Data>
<Data Name="OldValueType">%%1873</Data>
<Data Name="OldValue" />
<Data Name="NewValueType">%%1873</Data>
<Data Name="NewValue">Andrei</Data>
<Data Name="ProcessId">0xce4</Data>
<Data Name="ProcessName">C:\Windows\regedit.exe</Data>
@YamatoSecurity
I think it would be better if it could be converted like in issue #443 (or not create an undetectable rule), but what do you think?
(It seems that we need to convert not only the field name but also the value...?🤔)
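As an added example (not the project's own converter code), here is one way to implement the expected behavior from the issue body together with the value conversion raised in the comment above: map a Sysmon-style `registry_*` selection onto the 4657 fields shown in the sample event, and return nothing rather than emit a rule that can never match. The field map, the EventType-to-OperationType codes and the hive prefix rewrite are assumptions inferred from the 4657 sample, not mappings the project documents.

```python
"""Added example (not project code): map one Sigma `registry_*` selection
onto Security EID 4657 fields, and return None instead of producing a rule
that could never match. All mappings below are assumptions; verify them
against your own 4657 events before relying on them."""
from typing import Optional

# Sysmon (EID 12/13/14) field -> Security 4657 field (assumed mapping).
FIELD_MAP = {"TargetObject": "ObjectName", "Details": "NewValue", "Image": "ProcessName"}
# Sysmon EventType -> 4657 OperationType message code (assumed codes).
# 4657 records value-level operations only, so CreateKey/DeleteKey/RenameKey
# deliberately have no entry here.
EVENTTYPE_MAP = {"SetValue": "%%1905", "DeleteValue": "%%1906"}
# Sysmon hive abbreviations -> native paths as 4657 writes ObjectName.
HIVE_MAP = {"HKLM\\": "\\REGISTRY\\MACHINE\\", "HKU\\": "\\REGISTRY\\USER\\"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def convert_value(field: str, value: str) -> str:
    """Rewrite the value the way 4657 records it (hive prefix of TargetObject)."""
    if field == "TargetObject":
        for hive, native in HIVE_MAP.items():
            if value.upper().startswith(hive):
                return native + value[len(hive):]
    return value


def convert_selection(selection: dict) -> Optional[dict]:
    """Return the 4657 form of a Sysmon registry selection, or None if
    no field can be expressed in 4657 (i.e. do not create the rule)."""
    out = {}
    for key, value in selection.items():
        field, sep, modifier = key.partition("|")  # keep Sigma modifiers
        if field == "EventType":
            codes = [EVENTTYPE_MAP.get(v) for v in _as_list(value)]
            if None in codes:
                return None  # key-level operation: no 4657 event can match
            out["OperationType"] = codes if len(codes) > 1 else codes[0]
            continue
        if field not in FIELD_MAP:
            continue  # dropped: this widens the selection, so review the output
        new_values = [convert_value(field, v) for v in _as_list(value)]
        out[FIELD_MAP[field] + sep + modifier] = (
            new_values if len(new_values) > 1 else new_values[0])
    return out or None
```

A selection whose only fields are unconvertible (for example a bare `User` condition) yields None, which is the "don't create post-conversion rules" case from the expected behavior.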
@fukusuket Sounds good! I will try to make a comparison again like I did with process creation.
@YamatoSecurity
I looked into the registry events and summarized them as follows! (I confirmed this on Windows 11 and Sysmon v15.11)
I'm thinking of creating a conversion logic based on this, but what do you think?
@fukusuket Thanks for researching this! (Sorry I haven't had time). That looks good to me for conversion.