Sysmon - Event-12 EventType-CreateValue event only not triggered in event viewer

Kishore R 1 Reputation point
2022-06-09T10:10:02.01+00:00

I have installed the Sysmon application for monitoring registry events. Registry Event-12 EventTypes CreateKey, DeleteKey, SetValue, and DeleteValue events are triggered in the Event Viewer,
but I am not able to generate the Event-12 EventType CreateValue in the Event Viewer.

Help me to configure the Sysmon and audit settings to generate the Event-12 CreateValue event.

Please find the Microsoft doc screenshot and the configuration file I have used:

209881-image-1.png

209729-sysmonconfig.xml


2 answers

  1. Limitless Technology 39,441 Reputation points
    2022-06-13T08:24:37.88+00:00

    Hi there,

    Check for the Registry root key names and see if you can find them, as these help in triggering these events. You can also use Procmon and see if these events are triggered.

    The below thread discusses the same issue, and you can try out some troubleshooting steps from it and see if that helps you to sort the issue. Certain rule combinations seem to prevent logging of Sysmon events: https://learn.microsoft.com/en-us/answers/questions/421115/certain-rule-combinations-seems-to-prevent-logging.html

    Sysmon 12.03 not logging EventID:2: https://learn.microsoft.com/en-us/answers/questions/203717/sysmon-1203-not-logging-eventid2-file-creation-tim.html

    -----------------------------------------------------------------------------------------------------------------------------------------

    -- If the reply is helpful, please Upvote and Accept it as an answer --


  2. dstaulcu 351 Reputation points
    2022-06-15T00:11:20.797+00:00

    Here is a sample section of configuration XML which includes logging of a registry change event when the EventType is CreateKey, the image path ends with a specified executable name, and the process owner (user) ends with a specified name.

     <RuleGroup name="" groupRelation="or">
       <RegistryEvent onmatch="include">
         <Rule groupRelation="and" name="">
           <EventType condition="is">CreateKey</EventType>
           <Image condition="end with">SysmonSimulator.exe</Image>
           <User condition="end with">david</User>
         </Rule>
       </RegistryEvent>
     </RuleGroup>

    Fields available to filter on include: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, NewName, User.

    Filter conditions available for use are: is, is not, contains, contains any, is any, contains all, excludes, excludes any, excludes all, begin with, not begin with, end with, not end with, less than, more than, image.

    To integrate that rule group into your sample config file, copy lines 3-7 from the code block above into your own configuration XML file just below line 1399.

    If you are having trouble generating events for Sysmon to possibly detect, check out the SysmonSimulator project on GitHub.

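One way to check offline whether a given registry event would pass an include rule set like the one in the answer above, before deploying the config and hunting for missing events in Event Viewer. This is an added example, not code from the answer or from Sysmon: a simplified Python approximation of Sysmon's RuleGroup/RegistryEvent/Rule matching that assumes case-insensitive comparisons and the groupRelation semantics described, applied to the answer's rule group plus one constructed TargetObject rule.

```python
# Simplified approximation of Sysmon include matching, constructed for this page
# (not Sysmon's code): case-insensitive; Rule fields and rules joined by groupRelation.
import xml.etree.ElementTree as ET

# Constructed sample: the answer's rule group plus one bare TargetObject rule.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <Rule groupRelation="and" name="">
          <EventType condition="is">CreateKey</EventType>
          <Image condition="end with">SysmonSimulator.exe</Image>
          <User condition="end with">david</User>
        </Rule>
        <TargetObject condition="contains">\\CurrentVersion\\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def _cond(op, value, expected):
    v, e = value.lower(), expected.lower()
    ops = {"is": v == e, "is not": v != e, "contains": e in v, "excludes": e not in v,
           "begin with": v.startswith(e), "not begin with": not v.startswith(e),
           "end with": v.endswith(e), "not end with": not v.endswith(e)}
    if op not in ops:
        raise ValueError(f"unsupported condition: {op}")
    return ops[op]

def _rule_matches(rule, event):
    # A <Rule> element, or a bare field element directly under RegistryEvent.
    fields = list(rule) if rule.tag == "Rule" else [rule]
    hits = [_cond(f.get("condition", "is"), event.get(f.tag, ""), f.text or "")
            for f in fields]
    rel = rule.get("groupRelation", "or") if rule.tag == "Rule" else "or"
    return all(hits) if rel == "and" else any(hits)

def registry_event_included(config_xml, event):
    """True if the include rules select this event (dict of field -> value)."""
    root = ET.fromstring(config_xml)
    for group in root.iter("RuleGroup"):
        rel = group.get("groupRelation", "or")
        for reg in group.findall("RegistryEvent"):
            if reg.get("onmatch") != "include":
                continue
            hits = [_rule_matches(r, event) for r in reg]
            if hits and (all(hits) if rel == "and" else any(hits)):
                return True
    return False
```

Feed it the field values you expect a test event to carry; if the function returns False for an event you believe should be logged, the rule logic, not the Sysmon service, is the first thing to revisit.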