Link to rule
Description
Here are rules that will never fire on Sysmon-provided registry info:
https://github.com/elastic/detection-rules/search?p=2&q=ControlSet%2A
This is because Sysmon always uses the symbolic link CurrentControlSet:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete
Not all of the rules in that search are affected, just the ones with patterns like 'ControlSet*', NOT 'ControlSet'.
In addition, some EDRs (CrowdStrike) only see kernel paths, so the keys will always start with \REGISTRY\
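To show the mismatch concretely, here is an added example (not code from the issue or the detection-rules repo) that runs two hypothetical wildcard patterns against constructed registry paths for the same value as Sysmon, CrowdStrike and a generic sensor would report it, with and without a normalisation step that maps kernel hive prefixes and ControlSetNNN to the CurrentControlSet form.

```python
import fnmatch
import re

# Constructed sample paths for one registry value as three sensors would report it
# (illustrative, not captured event data).
SAMPLE_EVENTS = {
    "sysmon": r"HKLM\System\CurrentControlSet\Services\Svc\ImagePath",
    "crowdstrike": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Svc\ImagePath",
    "other_edr": r"HKLM\SYSTEM\ControlSet001\Services\Svc\ImagePath",
}

# Hypothetical rule patterns in the wildcard style the issue describes.
RULE_CONTROLSET_STAR = r"*\ControlSet*\Services\*\ImagePath"
RULE_CURRENTCONTROLSET = r"*\CurrentControlSet\Services\*\ImagePath"

# Kernel hive prefixes (as seen by EDRs reading kernel paths) and their HK* equivalents.
_KERNEL_HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))
_CONTROLSET_NNN = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)


def normalize_registry_path(path: str) -> str:
    """Map \\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER -> HKU, ControlSetNNN -> CurrentControlSet."""
    upper = path.upper()
    for kernel, abbrev in _KERNEL_HIVES:
        if upper.startswith(kernel.upper()):
            path = abbrev + path[len(kernel):]
            break
    return _CONTROLSET_NNN.sub(r"\\CurrentControlSet\\", path)


def rule_matches(pattern: str, path: str) -> bool:
    """Case-insensitive wildcard match; registry paths are case-insensitive."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate(pattern: str, normalize: bool = False) -> dict:
    """Return {sensor: hit} for the pattern against every sample event."""
    return {
        name: rule_matches(pattern, normalize_registry_path(p) if normalize else p)
        for name, p in SAMPLE_EVENTS.items()
    }


if __name__ == "__main__":
    for label, rule in (("ControlSet*", RULE_CONTROLSET_STAR), ("CurrentControlSet", RULE_CURRENTCONTROLSET)):
        print(label, "raw:", evaluate(rule), "normalized:", evaluate(rule, normalize=True))
```

Raw, the 'ControlSet*' pattern misses the Sysmon event and the 'CurrentControlSet' pattern misses the CrowdStrike event; after normalisation only the 'CurrentControlSet' form fires on all three, which is why the 'ControlSet*' rules can never fire on Sysmon data.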
Example Data