Windows registry provides rich information about the installed application and a store to persist the data.
Compromised integrity of the Windows Registry is a valuable indicator of the presence of malware or the system is compromised.
As Security Analysts, we need to have the capability to monitor the changes to the registry and determine if the integrity is compromised. Compliance standards such as PCI DSS, NERC CIP (CIP 010), FISMA, SOX, NIST (SI7), HIPAA, CIS controls, and GDPR mandates to have integrity monitoring solutions deployed on critical systems to be compliant.
Once an asset is installed from the cloud agent, activate the asset. You can view it under the Asset tab after activation.
From the Configurations tab, you can create a monitoring profile. For more information on creating a profile, refer here.
Create rule(s) for the profile. While creating the rule, select Rule Type as Registry Key or Registry Value. For more information on creating a rule, refer here.
Selecting Registry Key as the Rule type:
Mention the Key path that you want to monitor. For example: HKEY_LOCAL_MACHINE\SOFTWARE\<username>
Select the other attributes which you want to monitor and Save the rule.
Selecting Registry Value as the Rule type:
Mention the value you want to monitor.
Two attributes are available for the user to select: Value Removal (Deletion) and Value Write Changes (Content Change).
Also add data for Key Path and Value Path. Where in Key Path, enter the registry base path to be monitored and in Value Path, enter the value to be monitored.
For Registry Key Full Path -
HKEY_LOCAL_MACHINE and HKEY_USERS, only these two hives are supported for Registry monitoring.
Do not use these special characters / " < > | * ? in registry key paths. Special characters allowed are [ ] {} ( ) .
At least one Inclusion filter required if you specify only an HKEY_LOCAL_MACHINE key without any subkey or value.
For Registry Value Name -
Do not use these special characters / " < > | * ? in registry value name. Special characters allowed are [ ] {} ( ).
Advanced Filters for Key -
Do not use these special characters / " < > | in key paths.
Although it can contain characters and numbers including spaces, slashes, commas(,) and [ ] {} ( ).
Registry Keypath should not start or end with a slash (/).
Advanced Filters for Value -
Do not use these special characters \ / " < > | in file names. Special characters allowed are [ ] {} ( ) * ? ' (? is a single character wildcard, and * is a multi-character wildcard).
It can contain characters and numbers including spaces and commas(,).
The newly created profile will appear as Inactive by default, activate the profile.
Note: To activate a profile, user must have at least one rule defined.
Instead of manually creating the rules, you can also import the rules from the library available.
- Select the option Monitor Registry from the Rules tab and all the registry rules available in the library will be imported to your profile.
Don't forget to Save the profile after you select the option, as only after saving the profile your changes will be reflected.
- You can also select Import Registry Rules from the drop-down available in the Profiles tab.
For the profiles where the Monitor Registry check-box is already selected, the Import Registry Rules option will be disabled.
- You can also import the Monitoring Profile for Windows Registry Settings from the Library tab.
Once the manifest is generated, it will start reporting the changes.
To learn more about importing a profile, see here.
Any kind of activity that is marked to be monitored will be reported. You can view the events on the UI.