This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 46%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi there,
first of all thanks for your amazing work with sysmon, it is really great tool for cyber defense. I have some issues though as we recently updated sysmon 13.02 to 13.10 with same config (OlafHartong modular and swift on security with few own rules added-smoothly working on v13.02). Until recent update, sysmon was operational just fine on all machines, but when upgraded to version 13.10, we experienced excessive amount of logs and especially eventID: 12 "Registry object added or deleted: EventType: CreateKey" with various images(ossec, spoolsv, sysmon64) , with registry key and paths such as:
registry.key:
System\CurrentControlSet\Services\Tcpip\Parameters
registry.path:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
or
registry.key
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
registry.path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
(these are two man spammers)
when I say excessive I mean from 20hit per hour to 60thousand.
Anyone experienced such an issue or able to help? Many thanks!
JL
This issue is solved and was caused by bug in Olaf Hartong modular config which was updated now:
So unfortunately the issue is on the side of sysmon where parsing is not working correctly. Please check on Olaf's github for more info: