Windows Registry Integrity Monitoring

Windows registry provides rich information about the installed application and a store to persist the data.

Compromised integrity of the Windows Registry is a valuable indicator of the presence of malware or the system is compromised.

As Security Analysts, we need to have the capability to monitor the changes to the registry and determine if the integrity is compromised. PIC and ISO mandates to have integrity monitoring solutions deployed on critical systems to be compliant.

Once an asset is installed from the cloud agent, activate the asset. You can view it under the Asset tab after activation.

From the Configurations tab, you can create a monitoring profile. For more information on creating a profile, refer here.

activate profile

Create rule(s) for the profile. While creating the rule, select Rule Type as Registry Key or Registry Value. For more information on creating a rule, refer here.

rule type

Selecting Registry Key as the Rule type:

Mention the Key path that you want to monitor. For example: HKEY_LOCAL_MACHINE\SOFTWARE\<username>

Select the other attributes which you want to monitor and Save the rule.

Selecting Registry Value as the Rule type:

Mention the value you want to monitor.

Two attributes are available for the user to select: Value Removal (Deletion) and Value Write Changes (Content Change).

Also add data for Key Path and Value Path. Where in Key Path, enter the registry base path to be monitored and in Value Path, enter the value to be monitored.

For Registry Key Full Path -

HKEY_LOCAL_MACHINE and HKEY_USERS, only these two hives are supported for Registry monitoring.

Do not use these special characters / " < > | * ? in registry key paths. Special characters allowed are [ ] {} ( ) .

At least one Inclusion filter required if you specify only an HKEY_LOCAL_MACHINE key without any subkey or value.

For Registry Value Name -

Do not use these special characters / " < > | * ? in registry value name. Special characters allowed are [ ] {} ( ).

Advanced Filters for Key -

Do not use these special characters / " < > | in key paths.

Although it can contain characters and numbers including spaces, slashes, commas(,) and [ ] {} ( ).

Registry Keypath should not start or end with a slash (/).

Advanced Filters for Value -

Do not use these special characters / " < > | in file names. Special characters allowed are [ ] {} ( ) * ? ' (? is a single character wildcard, and * is a multi-character wildcard).

It can contain characters and numbers including spaces and commas(,).

attributes

The newly created profile will appear as Inactive by default, activate the profile.

Note: To activate a profile, user must have at least one rule defined.

Instead of manually creating the rules, you can also import the rules from the library available.

- Select the option to Monitor Registry from the Rules tab and all the rules available in the library will be imported to your profile.

check monitor registry

 Don't forget to Save the profile after you select the option, as only after saving the profile your changes will be reflected.

- You can also select Import Registry Rules from the drop-down available in the Profiles tab.

import rules

  For the profiles where the Monitor Registry check-box is already selected, the Import Registry Rules option will be disabled.

- You can also import the Monitoring Profile for Windows Registry Settings from the Library tab.

import profiles

Once manifest is generated, it will start reporting the changes.

To learn more on importing a profile, see here.

Any kind of activity that is marked to be monitored will be reported. You can view the events on the UI.