[windows] Lacks parsing for Sysmon Registry non-QWORD/DWORD events

[w0rk3r]

When using the Windows Integration for collecting Sysmon logs, we found that Sysmon registry logs are not parsed if they are not DWORD or QWORD.

We had to drop sysmon support to various detection rules in elastic/detection-rules#1775 that were ineffective due to this limitation on the integration.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[r00tu53r]

@w0rk3r Can you please clarify with perhaps an event sample that the integration missed parsing ? From what I understand the Sysmon registry Events -

• Event ID 12: Create / Delete object - Only has the path to the key and not the value available in the event.
• Event ID 13: Value Set - The event records the value written for Registry values of type DWORD and QWORD. Doc about it is here.
• Event ID 14: Rename - Only has the path to the key that was renamed and the target new name.

[w0rk3r]

Hey @r00tu53r, sure!

Here is an event that is perfectly handled by the integration:

And here is an event that is not parsed:

Event JSON

{
  "_index": ".ds-logs-windows.sysmon_operational-default-2022.02.11-000002",
  "_type": "_doc",
  "_id": "J59W-H4B7Kld_xqUEa0n",
  "_version": 1,
  "_score": 1,
  "_source": {
    "registry": {
      "hive": "HKLM",
      "path": "HKLM\\System\\CurrentControlSet\\Services\\NPTest\\NetworkProvider\\ProviderPath",
      "value": "ProviderPath",
      "key": "System\\CurrentControlSet\\Services\\NPTest\\NetworkProvider\\ProviderPath"
    },
    "agent": {
      "hostname": "EXCC",
      "name": "EXCC",
      "id": "3832aecf-bfec-4ee4-9a5c-c257c05b578c",
      "ephemeral_id": "aba42cbf-4e1a-49e6-857b-be90f31c2683",
      "type": "filebeat",
      "version": "7.16.2"
    },
    "process": {
      "name": "powershell.exe",
      "pid": 2128,
      "entity_id": "{cf593be5-5063-620a-a40c-000000001100}",
      "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    },
    "winlog": {
      "computer_name": "EXCC",
      "process": {
        "pid": 1640,
        "thread": {
          "id": 4916
        }
      },
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "event_data": {
        "EventType": "SetValue"
      },
      "opcode": "Info",
      "version": 2,
      "record_id": "2061581",
      "task": "Registry value set (rule: RegistryEvent)",
      "event_id": "13",
      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Sysmon",
      "user": {
        "identifier": "S-1-5-18",
        "domain": "NT AUTHORITY",
        "name": "SYSTEM",
        "type": "User"
      }
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "3832aecf-bfec-4ee4-9a5c-c257c05b578c",
      "version": "7.16.2",
      "snapshot": false
    },
    "rule": {
      "name": "Test"
    },
    "message": "Registry value set:\nRuleName: Test\nEventType: SetValue\nUtcTime: 2022-02-14 13:04:56.021\nProcessGuid: {cf593be5-5063-620a-a40c-000000001100}\nProcessId: 2128\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\NPTest\\NetworkProvider\\ProviderPath\nDetails: C:\\Windows\\System32\\IEProxy.dll\nUser: EXCC\\Exchanger",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2022-02-14T13:04:56.021Z",
    "ecs": {
      "version": "1.12.0"
    },
    "related": {
      "user": [
        "Exchanger"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "windows.sysmon_operational"
    },
    "host": {
      "hostname": "EXCC",
      "os": {
        "build": "19043.1526",
        "kernel": "10.0.19041.1526 (WinBuild.160101.0800)",
        "name": "Windows 10 Enterprise Evaluation",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "2804:431:cfd0:16:f560:1edf:121e:a9d3",
        "2804:431:cfd0:16:9c3:5455:a9ea:d44a",
        "2804:431:cfd0:16:41b6:71b:db42:60ab",
        "2804:431:cfd0:16:74da:f20f:2f30:77c",
        "2804:431:cfd0:16:bc79:9658:1fcf:efd0",
        "fe80::f560:1edf:121e:a9d3",
        "192.168.15.35",
        "fe80::4081:6a0e:a82d:768b",
        "10.0.3.15"
      ],
      "name": "EXCC",
      "id": "cf593be5-65d6-4dfc-b8fd-ae790c3d8f93",
      "mac": [
        "08:00:27:ba:5e:64",
        "08:00:27:53:fa:ae"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2022-02-14T13:04:57Z",
      "code": "13",
      "provider": "Microsoft-Windows-Sysmon",
      "created": "2022-02-14T13:04:57.494Z",
      "kind": "event",
      "action": "Registry value set (rule: RegistryEvent)",
      "category": [
        "configuration",
        "registry"
      ],
      "type": [
        "change"
      ],
      "dataset": "windows.sysmon_operational"
    },
    "user": {
      "domain": "EXCC",
      "name": "Exchanger",
      "id": "S-1-5-18"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "7.16.2"
    ],
    "event.category": [
      "configuration",
      "registry"
    ],
    "host.os.name.text": [
      "Windows 10 Enterprise Evaluation"
    ],
    "winlog.provider_guid": [
      "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Sysmon"
    ],
    "host.hostname": [
      "EXCC"
    ],
    "winlog.computer_name": [
      "EXCC"
    ],
    "process.pid": [
      2128
    ],
    "host.mac": [
      "08:00:27:ba:5e:64",
      "08:00:27:53:fa:ae"
    ],
    "winlog.process.pid": [
      1640
    ],
    "registry.hive": [
      "HKLM"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.record_id": [
      "2061581"
    ],
    "host.os.name": [
      "Windows 10 Enterprise Evaluation"
    ],
    "registry.key": [
      "System\\CurrentControlSet\\Services\\NPTest\\NetworkProvider\\ProviderPath"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "EXCC"
    ],
    "host.name": [
      "EXCC"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "registry.path": [
      "HKLM\\System\\CurrentControlSet\\Services\\NPTest\\NetworkProvider\\ProviderPath"
    ],
    "winlog.version": [
      2
    ],
    "host.os.type": [
      "windows"
    ],
    "rule.name": [
      "Test"
    ],
    "user.id": [
      "S-1-5-18"
    ],
    "input.type": [
      "winlog"
    ],
    "agent.hostname": [
      "EXCC"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "Exchanger"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "powershell.exe"
    ],
    "event.provider": [
      "Microsoft-Windows-Sysmon"
    ],
    "event.code": [
      "13"
    ],
    "agent.id": [
      "3832aecf-bfec-4ee4-9a5c-c257c05b578c"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "event.created": [
      "2022-02-14T13:04:57.494Z"
    ],
    "agent.version": [
      "7.16.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.process.thread.id": [
      4916
    ],
    "user.name": [
      "Exchanger"
    ],
    "process.entity_id": [
      "{cf593be5-5063-620a-a40c-000000001100}"
    ],
    "host.os.build": [
      "19043.1526"
    ],
    "winlog.user.type": [
      "User"
    ],
    "host.ip": [
      "2804:431:cfd0:16:f560:1edf:121e:a9d3",
      "2804:431:cfd0:16:9c3:5455:a9ea:d44a",
      "2804:431:cfd0:16:41b6:71b:db42:60ab",
      "2804:431:cfd0:16:74da:f20f:2f30:77c",
      "2804:431:cfd0:16:bc79:9658:1fcf:efd0",
      "fe80::f560:1edf:121e:a9d3",
      "192.168.15.35",
      "fe80::4081:6a0e:a82d:768b",
      "10.0.3.15"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "windows"
    ],
    "host.os.kernel": [
      "10.0.19041.1526 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "EXCC"
    ],
    "host.id": [
      "cf593be5-65d6-4dfc-b8fd-ae790c3d8f93"
    ],
    "process.executable": [
      "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ],
    "winlog.user.identifier": [
      "S-1-5-18"
    ],
    "winlog.task": [
      "Registry value set (rule: RegistryEvent)"
    ],
    "winlog.user.domain": [
      "NT AUTHORITY"
    ],
    "elastic_agent.id": [
      "3832aecf-bfec-4ee4-9a5c-c257c05b578c"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "message": [
      "Registry value set:\nRuleName: Test\nEventType: SetValue\nUtcTime: 2022-02-14 13:04:56.021\nProcessGuid: {cf593be5-5063-620a-a40c-000000001100}\nProcessId: 2128\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\NPTest\\NetworkProvider\\ProviderPath\nDetails: C:\\Windows\\System32\\IEProxy.dll\nUser: EXCC\\Exchanger"
    ],
    "winlog.user.name": [
      "SYSTEM"
    ],
    "winlog.event_id": [
      "13"
    ],
    "event.ingested": [
      "2022-02-14T13:04:57.000Z"
    ],
    "event.action": [
      "Registry value set (rule: RegistryEvent)"
    ],
    "@timestamp": [
      "2022-02-14T13:04:56.021Z"
    ],
    "winlog.channel": [
      "Microsoft-Windows-Sysmon/Operational"
    ],
    "host.os.platform": [
      "windows"
    ],
    "winlog.event_data.EventType": [
      "SetValue"
    ],
    "data_stream.dataset": [
      "windows.sysmon_operational"
    ],
    "event.type": [
      "change"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "aba42cbf-4e1a-49e6-857b-be90f31c2683"
    ],
    "event.dataset": [
      "windows.sysmon_operational"
    ],
    "registry.value": [
      "ProviderPath"
    ]
  }
}

[r00tu53r]

Thanks @w0rk3r that helped! I've raised a PR with the changes.