This will identify registry value modifications of the DWORD and QWORD values. With Sysmon logs, hunt teams can look for events with an Event ID of 13 ( RegistryEntry (Value Set)). So, teams will want to focus on logs relating to the specific registry keys noted above. Now, it should be said, the registry is generally a very busy place, and logs generated from registry activity can be exceptionally noisy. In this case, teams will want logs from a tool like Sysmon. However, most will be faced with much larger environments where manual hunting isn’t feasible. In fact, the tool will even cross reference the data with VirusTotal to flag known bad entries. If an organization is relatively small, hunting across the registries manually using a tool like SysInternals could be used. One of the first elements hunt teams typically must tackle when starting a hunt is to determine what log sources are required. It should be noted that there are many other run keys that can be used for this type of persistence however, these are the most common. ![]()
0 Comments
Leave a Reply. |