This issue is solved and was caused by a bug in Olaf Hartong's modular config, which has now been updated:
Sysmon 13.10 creating excessive amounts of logs (event.code 12)
Hi there,
First of all, thanks for your amazing work on Sysmon; it is a really great tool for cyber defense. I have some issues, though, as we recently updated Sysmon 13.02 to 13.10 with the same config (OlafHartong modular and SwiftOnSecurity with a few of our own rules added, working smoothly on v13.02). Until the recent update, Sysmon was operating just fine on all machines, but when upgraded to version 13.10 we experienced an excessive amount of logs, especially event ID 12 "Registry object added or deleted: EventType: CreateKey" with various images (ossec, spoolsv, sysmon64), with registry keys and paths such as:
registry.key: System\CurrentControlSet\Services\Tcpip\Parameters
registry.path: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

or

registry.key: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
registry.path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
(These are the two main spammers.)
When I say excessive, I mean from 20 hits per hour to 60 thousand.
Has anyone experienced such an issue or is able to help? Many thanks!
JL
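The triage step a defender would want for a flood like the one described in this issue is to attribute the Event ID 12 noise to the config rule, process and key that produce it, since Sysmon stamps each event with the `RuleName` of the matching config rule (the modular config uses that field to tag its rules). The script below is an added example, not code from the issue author, the Sysmon project or Olaf Hartong's config. It assumes Sysmon writes to the default `Microsoft-Windows-Sysmon/Operational` channel, that the shell is elevated, and that Event ID 12 carries the standard `RuleName`, `EventType`, `Image` and `TargetObject` data fields; the two registry paths passed at the end are the ones quoted in the issue.

```powershell
# Added triage example (not from the original issue or the Sysmon project).
# Assumptions: default Sysmon channel, elevated shell, standard Event ID 12 fields.

function Get-SysmonRegistryNoise {
    [CmdletBinding()]
    param(
        [int]$Hours = 1,   # look-back window
        [int]$Top   = 15   # how many (rule, type, image, key) combinations to report
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 12
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no noise".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $rows = foreach ($ev in $events) {
        # Read named EventData fields from the XML rather than relying on
        # positional Properties, which shift between Sysmon schema versions.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            RuleName     = $data['RuleName']
            EventType    = $data['EventType']
            Image        = $data['Image']
            TargetObject = $data['TargetObject']
        }
    }

    $rows |
        Group-Object RuleName, EventType, Image, TargetObject |
        Sort-Object Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                Count        = $_.Count
                PerHour      = [math]::Round($_.Count / $Hours, 1)
                RuleName     = $g.RuleName
                EventType    = $g.EventType
                Image        = $g.Image
                TargetObject = $g.TargetObject
            }
        }
}

# Draft a <RegistryEvent> exclusion fragment for the chosen keys. This is a
# stop-gap only: an exclusion hides the key from detection, so the durable fix
# is to correct the rule identified by RuleName in the config that produced it.
function New-SysmonRegistryExclusion {
    param([Parameter(Mandatory)][string[]]$TargetObject)

    $lines = foreach ($t in $TargetObject) {
        $escaped = [System.Security.SecurityElement]::Escape($t)
        "      <TargetObject condition=""begin with"">$escaped</TargetObject>"
    }
    @"
  <RuleGroup name="" groupRelation="or">
    <RegistryEvent onmatch="exclude">
$($lines -join "`n")
    </RegistryEvent>
  </RuleGroup>
"@
}

# Usage: list the top offenders for the last hour, then draft an exclusion for
# the two keys named in the issue.
Get-SysmonRegistryNoise -Hours 1 -Top 10 | Format-Table -AutoSize
New-SysmonRegistryExclusion -TargetObject @(
    'HKLM\System\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
)
```

The `RuleName` column is the important one: when a single rule accounts for tens of thousands of events per hour after a Sysmon upgrade, the rule in the config is the thing to inspect (which is what the resolution at the top of this page confirms), not the host. The generated fragment belongs inside `<EventFiltering>` of the Sysmon config and is applied with `sysmon64 -c config.xml`; keep it narrow to the exact keys, because a broad `Tcpip\Parameters` or `Internet Settings` exclusion would also silence genuinely suspicious writes to those locations.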