This issue is solved and was caused by a bug in Olaf Hartong's modular config, which has now been updated:
Sysmon 13.10 creating excessive amounts of logs (event.code 12)
First of all, thanks for your amazing work with Sysmon; it is a really great tool for cyber defense. I have some issues though, as we recently updated Sysmon 13.02 to 13.10 with the same config (Olaf Hartong's modular config and SwiftOnSecurity's, with a few of our own rules added; it worked smoothly on v13.02). Until the recent update, Sysmon was operational just fine on all machines, but when upgraded to version 13.10, we experienced an excessive amount of logs, especially EventID 12 "Registry object added or deleted: EventType: CreateKey" with various images (ossec, spoolsv, sysmon64), with registry keys and paths such as:
(these are the two main spammers)
When I say excessive, I mean from 20 hits per hour to 60 thousand.
Has anyone experienced such an issue, or is anyone able to help? Many thanks!
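The kind of triage behind the numbers in this post, as an added example that is not code from the issue, from Sysmon, or from Olaf Hartong's or SwiftOnSecurity's configs: it groups Sysmon EventID 12 records by Image, by the first few path components of TargetObject, and by RuleName, so the rule that is generating the volume can be located before the config is changed. The function names, the constructed sample records (the registry keys and rule names are invented for illustration; only the image names come from the post) and the assumption that Sysmon writes to the standard Microsoft-Windows-Sysmon/Operational channel are all mine.

```powershell
# Added example, not from the issue thread or the Sysmon/config projects.
# Triage Sysmon EventID 12 (RegistryEvent: CreateKey/DeleteKey) volume by Image,
# TargetObject prefix and RuleName to find which rule/process is producing the noise.

function ConvertFrom-SysmonEventXml {
    # Flatten one Sysmon event (XML as returned by EventLogRecord.ToXml()) into an object.
    # PowerShell's XML adapter ignores the event namespace, so Event.EventData.Data resolves directly.
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        EventType    = $d['EventType']
        Image        = $d['Image']
        TargetObject = $d['TargetObject']
        RuleName     = $d['RuleName']   # populated when the matching config rule has a name attribute
    }
}

function Get-SysmonRegistryNoise {
    # Return the top-N noisiest images, key prefixes (first $Depth path parts) and rule names.
    # Collapsing the key to a prefix groups per-printer / per-GUID subkeys that differ only at the tail.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Top = 5,
        [int]$Depth = 4
    )
    $create = @($Events | Where-Object { $_.EventType -eq 'CreateKey' })
    $prefix = foreach ($e in $create) {
        $parts = $e.TargetObject -split '\\'
        $parts[0..([Math]::Min($Depth - 1, $parts.Count - 1))] -join '\'
    }
    [pscustomobject]@{
        Total       = $Events.Count
        CreateKey   = $create.Count
        ByImage     = $create | Group-Object Image    | Sort-Object Count -Descending | Select-Object -First $Top -Property Count, Name
        ByKeyPrefix = $prefix | Group-Object          | Sort-Object Count -Descending | Select-Object -First $Top -Property Count, Name
        ByRuleName  = $create | Group-Object RuleName | Sort-Object Count -Descending | Select-Object -First $Top -Property Count, Name
    }
}

# Live use (assumption: default Sysmon channel; needs an elevated shell):
#   $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12; StartTime = (Get-Date).AddHours(-1) }
#   $ev  = $raw | ForEach-Object { ConvertFrom-SysmonEventXml $_.ToXml() }
#   Get-SysmonRegistryNoise -Events $ev -Top 10

# Constructed sample records (not real telemetry) so the script runs offline.
$xmlTemplate = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>12</EventID></System>
<EventData><Data Name="RuleName">{0}</Data><Data Name="EventType">{1}</Data>
<Data Name="Image">{2}</Data><Data Name="TargetObject">{3}</Data></EventData></Event>
"@
$constructed = @(
    @('SampleRuleA', 'CreateKey', 'C:\Windows\System32\spoolsv.exe', 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\A\PrinterDriverData'),
    @('SampleRuleA', 'CreateKey', 'C:\Windows\System32\spoolsv.exe', 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\B\PrinterDriverData'),
    @('SampleRuleB', 'CreateKey', 'C:\Windows\Sysmon64.exe',         'HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters'),
    @('SampleRuleC', 'DeleteKey', 'C:\Program Files (x86)\ossec-agent\ossec-agent.exe', 'HKLM\SOFTWARE\Temp')
)
$events = foreach ($r in $constructed) {
    ConvertFrom-SysmonEventXml ($xmlTemplate -f $r[0], $r[1], $r[2], $r[3])
}

$noise = Get-SysmonRegistryNoise -Events $events -Top 3
$noise | Format-List
```

On the sample data, ByImage puts spoolsv.exe first with two CreateKey hits and ByKeyPrefix collapses both printer subkeys into one `HKLM\SOFTWARE\Microsoft\Windows NT` bucket; on a real host the same grouping shows the key family and the RuleName worth excluding or tightening. Deciding what to exclude is still a judgement call: a rule that fires 60k times an hour on spoolsv.exe may be miswritten, or may be correct and simply need an Image-scoped exclusion, and the RuleName column is what lets you tell which config the rule came from.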
So unfortunately the issue is on the side of Sysmon, where parsing is not working correctly. Please check Olaf's GitHub for more info: