Sysmon 13.10 creating excessive amounts of logs (event.code 12)

JL 141 Reputation points
2021-05-14T12:20:38.317+00:00

Hi there,
first of all, thanks for your amazing work with Sysmon, it is a really great tool for cyber defense. I have some issues though, as we recently updated Sysmon 13.02 to 13.10 with the same config (Olaf Hartong modular and SwiftOnSecurity, with a few of our own rules added; working smoothly on v13.02). Until the recent update, Sysmon was operating just fine on all machines, but when upgraded to version 13.10 we experienced an excessive amount of logs, especially EventID 12 "Registry object added or deleted: EventType: CreateKey" with various images (ossec, spoolsv, sysmon64), with registry keys and paths such as:

registry.key:
System\CurrentControlSet\Services\Tcpip\Parameters
registry.path:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

or

registry.key
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
registry.path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

(these are the two main spammers)

When I say excessive, I mean from 20 hits per hour to 60 thousand.

Anyone experienced such an issue or able to help? Many thanks!
JL
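The first thing to do with a volume spike like this is to measure which keys and which images are producing it, so the exclusion (or the config bug) can be pinned down. The following script is an added example, not code from the original post or from Sysmon itself; it reads the local Sysmon channel with Get-WinEvent and ranks event ID 12 records by TargetObject and by Image plus TargetObject. The -Hours and -Top parameters are this script's own, and it assumes it is run from an elevated prompt on a host where Sysmon is installed.

```powershell
# Added example (not from the original post): rank the registry keys and
# images that drive Sysmon event ID 12 volume on the local host.
# Assumes Sysmon is installed and the caller can read the Sysmon channel
# (run from an elevated prompt). -Hours and -Top are this script's own.
param(
    [int]$Hours = 1,
    [int]$Top   = 10
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 12
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Event 12 (RegistryEvent: object added or deleted) carries EventType,
# Image and TargetObject in its EventData; pull them out by name rather
# than by position so the script does not break if field order changes.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            EventType    = $d['EventType']
            Image        = $d['Image']
            TargetObject = $d['TargetObject']
        }
    })

"{0} event ID 12 records in the last {1} hour(s)" -f $events.Count, $Hours

# Group by key first: a handful of keys usually account for most of the volume.
"Top keys:"
$events | Group-Object TargetObject | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# Then by image + key, which tells you whether a key should be excluded
# outright or only when a specific, known-benign process touches it.
"Top image/key pairs:"
$events | Group-Object Image, TargetObject | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# EventType breakdown (CreateKey vs DeleteKey) for the same window.
"By EventType:"
$events | Group-Object EventType | Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\Count-SysmonReg12.ps1 -Hours 1 -Top 10` (any filename will do). If the counts are dominated by one or two keys, as in the post, compare them against the RegistryEvent section of the deployed config before writing new exclusions: a rule that was meant to be an include or a narrower match is the usual cause when a previously quiet config turns noisy after an upgrade.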

Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.

Accepted answer
  1. JL 141 Reputation points
    2021-05-18T07:08:05.863+00:00

    This issue is solved and was caused by a bug in the Olaf Hartong modular config, which has now been updated:

    https://github.com/olafhartong/sysmon-modular
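For readers who hit the same symptom with a config they maintain themselves, this is what a targeted suppression of the two keys from the post looks like in Sysmon's own filtering syntax. It is an added example, not part of the accepted answer or of the sysmon-modular project. The key paths are the ones quoted in the question; the spoolsv.exe path and the use of EventType as a filter field in the compound rule are assumptions for illustration (check `sysmon -s` for the fields your version accepts).

```xml
<!-- Added example, not from the original post or from sysmon-modular.
     Schema 4.50 is accepted by Sysmon 13.x; exclude rules win over include
     rules, so these drop matching RegistryEvents regardless of other rules. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">

        <!-- Broad: drop the two keys from the post for every image.
             Note that RegistryEvent covers events 12, 13 and 14, so this
             also hides SetValue and rename activity under these keys. -->
        <TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters</TargetObject>
        <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections</TargetObject>

        <!-- Narrow: only suppress CreateKey (event 12) from a known-benign
             image on one key, keeping SetValue and other images visible.
             Image path and the EventType field are assumptions here. -->
        <Rule groupRelation="and">
          <EventType condition="is">CreateKey</EventType>
          <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
          <TargetObject condition="contains">\Services\Tcpip\Parameters</TargetObject>
        </Rule>

      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Prefer the narrow form where the noise comes from one or two images: a `begin with` exclusion on a whole key such as Tcpip\Parameters removes visibility into value changes there (DNS and interface settings) for every process, which is more than the CreateKey spam justifies. Load the file with `sysmon64 -c config.xml` and re-run the volume count before and after to confirm the change did what was intended.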

