Home
  •  

Security Monitoring: A suspicious process creation (registry) was executed

SecurityMonitoringMP.Event.4688.SuspiciousReg (Rule)

This rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear.

Element properties:

TargetMicrosoft.Windows.Server.OperatingSystem
CategoryAlert
EnabledTrue
Event_ID4688
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
Security Monitoring: A suspicious process creation (registry) was executed
Event Description: {0}
Event LogSecurity

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="SecurityMonitoringMP.Event.4688.SuspiciousReg" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Alert</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Security</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">4688</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[6]</XPathQuery>

              </ValueExpression>

              <Operator>ContainsSubstring</Operator>

              <Pattern>reg.exe</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>ContainsSubstring</Operator>

              <Pattern>Add</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>ContainsSubstring</Operator>

              <Pattern>\Run /v</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>DoesNotContainSubstring</Operator>

              <Pattern>bginfo</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>DoesNotContainSubstring</Operator>

              <Pattern>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v e2e /d c:\windows\System32\notepad.exe /f</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>DoesNotContainSubstring</Operator>

              <Pattern>\Prep\</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>DoesNotContainSubstring</Operator>

              <Pattern>C:\Program Files</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>DoesNotContainSubstring</Operator>

              <Pattern>Yahoo Messenger</Pattern>

            </RegExExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertOwner/>

      <AlertMessageId>$MPElement[Name="SecurityMonitoringMP.Event.4688.SuspiciousReg.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data[Default='']/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression/>

      <Custom1/>

      <Custom2/>

      <Custom3/>

      <Custom4/>

      <Custom5/>

      <Custom6/>

      <Custom7/>

      <Custom8/>

      <Custom9/>

      <Custom10>Security Monitoring</Custom10>

    </WriteAction>

  </WriteActions>

</Rule>