Event ID 12 — RegistryEvent (Object create and delete)
Description
Registry key and value create and delete operations map to this event type. Writes to a value are a separate event (Event ID 13, RegistryEvent Value Set), and key or value renames are Event ID 14, so a detection that needs the written data has to join against those rather than rely on Event ID 12 alone.
Fields
| Name | Type (Sysmon → normalized) | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag attached to the event by the matching Sysmon configuration rule, e.g. an ATT&CK technique ID; "-" when the rule carries no name |
| EventType | UnicodeString → string | Registry operation: CreateKey for a new key (as in the example below), DeleteKey for a removed key, DeleteValue for a removed value |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that created or deleted the registry key or value |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that created or deleted the registry key or value |
| Image | UnicodeString → string | File path of the process image that created or deleted the registry key or value |
| TargetObject | UnicodeString → string | Complete path of the registry key or value, with the hive written in abbreviated form (e.g. HKU\<SID>\... in the example below) |
| User | UnicodeString → string | Name of the account that created or deleted the registry key or value |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 12,
    "version": 2,
    "level": 4,
    "task": 12,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:32.928398+00:00",
    "event_record_id": 1441161,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreateKey",
    "UtcTime": "2023-11-06 02:04:32.913",
    "ProcessGuid": "E56ADA26-1870-6548-C000-000000000D00",
    "ProcessId": 7484,
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "TargetObject": "HKU\\S-1-5-21-1992711665-1655669231-58201500-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\StorageSense\\Parameters\\StoragePolicy",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
Note that system.execution.process_id (7064) and system.security.user_id (S-1-5-18) identify the Sysmon service that wrote the record; the process that actually touched the registry is the one in event_data (ProcessId 7484, Image and User). Detections should read the event_data fields, not the envelope.
Detection Patterns
- Uac Bypass
- Defense Evasion: Modify Registry

Related events (other sources that record the same registry activity):
- Defender DeviceRegistryEvents: Event ID 9005000 (Registry activity), Event ID 9005002 (Registry key deleted), Event ID 9005003 (Registry value set), Event ID 9005004 (Registry value deleted)
- Security Auditing: Event ID 4657 (A registry value was modified), Event ID 4660 (An object was deleted), Event ID 4663 (An attempt was made to access an object)
- Sysmon: Event ID 12 (RegistryEvent), Event ID 13 (RegistryEvent), Event ID 14 (RegistryEvent)
Detection Rules
Sigma
- Potential Persistence Via Disk Cleanup Handler - Registry (level: medium): Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Splunk
- Windows Modify Registry Delete Firewall Rules: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks.
- Windows Registry Delete Task SD: The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security.
- Windows RunMRU Registry Key or Value Deleted: The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.
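The rules above can be expressed directly against the event_data fields documented in the table at the top of this page. The following Python is an added example, not code from Sysmon, Sigma or Splunk: it runs a simplified reading of the Disk Cleanup Handler, Task SD and RunMRU detections over a few constructed Event ID 12 records laid out like the example event. The registry paths and the EventType values (CreateKey, DeleteKey, DeleteValue) follow the rule descriptions and Sysmon's own field values; the sample records, the rec() helper and the narrowing of the Task SD rule to NT AUTHORITY\SYSTEM are assumptions made for the example, and the vendor rules carry extra filters (known-good handler names, process allow-lists) that are omitted here.

```python
"""Simplified Sysmon Event ID 12 detections over constructed sample records.

Added example; the rule logic approximates the Sigma/Splunk descriptions on
this page and is not the vendors' implementation.
"""
import re
from typing import Dict, List

# Registry locations named by the detections. TargetObject is compared
# case-insensitively because Sysmon reports the path as the caller spelled it.
VOLUME_CACHES = "\\software\\microsoft\\windows\\currentversion\\explorer\\volumecaches\\"
RUNMRU = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru"
TASK_SD_RE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\tree\\.+\\sd$",
    re.IGNORECASE,
)


def field(event: dict, name: str) -> str:
    """Read one event_data field, tolerating records that lack it."""
    return event.get("event_data", {}).get(name, "")


def detect(event: dict) -> List[str]:
    """Return the names of the rules an Event ID 12 record matches (may be empty)."""
    hits: List[str] = []
    if event.get("system", {}).get("event_id") != 12:
        return hits
    etype = field(event, "EventType")
    target = field(event, "TargetObject")
    target_l = target.lower()
    user = field(event, "User")

    # Persistence: a new disk cleanup handler key registered under VolumeCaches.
    if etype == "CreateKey" and VOLUME_CACHES in target_l:
        hits.append("Potential Persistence Via Disk Cleanup Handler - Registry")
    # Defense evasion: a scheduled task's SD value deleted by SYSTEM
    # (SYSTEM restriction is an assumption taken from the rule description).
    if etype == "DeleteValue" and TASK_SD_RE.search(target) \
            and user.upper() == "NT AUTHORITY\\SYSTEM":
        hits.append("Windows Registry Delete Task SD")
    # Anti-forensics: RunMRU key or value removed from a user hive.
    if etype in ("DeleteKey", "DeleteValue") and RUNMRU in target_l:
        hits.append("Windows RunMRU Registry Key or Value Deleted")
    return hits


def sample_events() -> List[dict]:
    """Constructed Event ID 12 records (not captured from a real host), trimmed
    to the envelope and event_data fields the rules read."""
    def rec(record_id: int, etype: str, image: str, target: str,
            user: str = "NT AUTHORITY\\SYSTEM") -> dict:
        return {
            "system": {"event_id": 12, "event_record_id": record_id},
            "event_data": {"EventType": etype, "Image": image,
                           "TargetObject": target, "User": user},
        }
    return [
        # The benign CreateKey from this page's example event.
        rec(1441161, "CreateKey", "C:\\Windows\\System32\\svchost.exe",
            "HKU\\S-1-5-21-1992711665-1655669231-58201500-1000\\Software\\Microsoft"
            "\\Windows\\CurrentVersion\\StorageSense\\Parameters\\StoragePolicy"),
        # Hypothetical disk cleanup handler registered by an unsigned binary.
        rec(1441201, "CreateKey", "C:\\Users\\Public\\updater.exe",
            "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\UpdaterCleanup",
            user="WINDEV2310EVAL\\User"),
        # Hypothetical removal of a task's security descriptor by SYSTEM.
        rec(1441202, "DeleteValue", "C:\\Windows\\System32\\reg.exe",
            "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Updater\\SD"),
        # Hypothetical RunMRU entry wiped from a user hive.
        rec(1441203, "DeleteValue", "C:\\Windows\\System32\\reg.exe",
            "HKU\\S-1-5-21-1992711665-1655669231-58201500-1000\\Software\\Microsoft"
            "\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
            user="WINDEV2310EVAL\\User"),
        # Deleting the whole task node is a DeleteKey, which the SD rule ignores.
        rec(1441204, "DeleteKey", "C:\\Windows\\System32\\svchost.exe",
            "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Updater"),
    ]


def run(events: List[dict]) -> Dict[int, List[str]]:
    """Map event_record_id to the matched rule names, dropping records with no hit."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            out[ev["system"]["event_record_id"]] = hits
    return out


if __name__ == "__main__":
    for rid, names in run(sample_events()).items():
        print(rid, "->", ", ".join(names))
```

Running the block prints the three constructed records that fire; the page's own example event (a StorageSense CreateKey by svchost.exe) matches nothing, which is the expected negative, and the DeleteKey of the whole task node is deliberately not caught by the SD rule. In a real pipeline you would keep Image and ProcessGuid on each hit so the alert can be joined to the Event ID 1 process creation record.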