Data Source: Sysmon EventID 13

Description

Logs changes to a registry key, including details about the modified key, value, and associated process.

Details

Property | Value
Source | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype | XmlWinEventLog
Separator | EventID
Name | Technique | Type
Active Setup Registry Autostart | Active Setup | TTP
Add DefaultUser And Password In Registry | Credentials in Registry | Anomaly
Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
Auto Admin Logon Registry Entry | Credentials in Registry | TTP
Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly
Disable AMSI Through Registry | Disable or Modify Tools | TTP
Disable Defender AntiVirus Registry | Disable or Modify Tools | TTP
Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools | TTP
Disable Defender Enhanced Notification | Disable or Modify Tools | TTP
Disable Defender MpEngine Registry | Disable or Modify Tools | TTP
Disable Defender Spynet Reporting | Disable or Modify Tools | TTP
Disable Defender Submit Samples Consent Feature | Disable or Modify Tools | TTP
Disable ETW Through Registry | Disable or Modify Tools | TTP
Disable Registry Tool | Modify Registry, Disable or Modify Tools | TTP
Disable Security Logs Using MiniNt Registry | Modify Registry | TTP
Disable Show Hidden Files | Modify Registry, Disable or Modify Tools, Hidden Files and Directories | Anomaly
Disable UAC Remote Restriction | Bypass User Account Control | TTP
Disable Windows App Hotkeys | Modify Registry, Disable or Modify Tools | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Disable Windows SmartScreen Protection | Disable or Modify Tools | TTP
Disabling CMD Application | Modify Registry, Disable or Modify Tools | TTP
Disabling ControlPanel | Modify Registry, Disable or Modify Tools | TTP
Disabling Defender Services | Disable or Modify Tools | TTP
Disabling FolderOptions Windows Feature | Disable or Modify Tools | TTP
Disabling NoRun Windows App | Modify Registry, Disable or Modify Tools | TTP
Disabling Remote User Account Control | Bypass User Account Control | TTP
Disabling SystemRestore In Registry | Inhibit System Recovery | TTP
Disabling Task Manager | Disable or Modify Tools | TTP
Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP
Enable RDP In Other Port Number | Remote Services | TTP
Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP
ETW Registry Disabled | Trusted Developer Utilities Proxy Execution, Indicator Blocking | TTP
Eventvwr UAC Bypass | Bypass User Account Control | TTP
Hide User Account From Sign-In Screen | Disable or Modify Tools | TTP
Logon Script Event Trigger Execution | Logon Script (Windows) | TTP
Malicious InProcServer32 Modification | Regsvr32, Modify Registry | TTP
Modification Of Wallpaper | Defacement | TTP
Monitor Registry Keys for Print Monitors | Port Monitors | TTP
NET Profiler UAC bypass | Bypass User Account Control | TTP
Print Processor Registry Autostart | Print Processors | TTP
Registry Keys for Creating SHIM Databases | Application Shimming | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP
Remcos client registry install entry | Modify Registry | TTP
Revil Registry Entry | Modify Registry | TTP
Screensaver Event Trigger Execution | Screensaver | TTP
Sdclt UAC Bypass | Bypass User Account Control | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP
SilentCleanup UAC Bypass | Bypass User Account Control | TTP
Time Provider Persistence Registry | Time Providers | TTP
Windows AD DSRM Account Changes | Account Manipulation | TTP
Windows Audit Policy Auditing Option Modified - Registry | Active Setup | Anomaly
Windows Autostart Execution LSASS Driver Registry Modification | LSASS Driver | TTP
Windows Chrome Auto-Update Disabled via Registry | Browser Session Hijacking | Anomaly
Windows Chrome Extension Allowed Registry Modification | Browser Session Hijacking | Anomaly
Windows Compatibility Telemetry Tampering Through Registry | Event Triggered Execution, Scheduled Task | TTP
Windows Defender Exclusion Registry Entry | Disable or Modify Tools | TTP
Windows Disable Change Password Through Registry | Modify Registry | Anomaly
Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly
Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly
Windows Disable Memory Crash Dump | Data Destruction | TTP
Windows Disable Notification Center | Modify Registry | Anomaly
Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP
Windows Enable Win32 ScheduledJob via Registry | Scheduled Task | Anomaly
Windows Hide Notification Features Through Registry | Modify Registry | Anomaly
Windows Impair Defense Change Win Defender Health Check Intervals | Disable or Modify Tools | TTP
Windows Impair Defense Change Win Defender Quick Scan Interval | Disable or Modify Tools | TTP
Windows Impair Defense Change Win Defender Throttle Rate | Disable or Modify Tools | TTP
Windows Impair Defense Change Win Defender Tracing Level | Disable or Modify Tools | TTP
Windows Impair Defense Configure App Install Control | Disable or Modify Tools | TTP
Windows Impair Defense Define Win Defender Threat Action | Disable or Modify Tools | TTP
Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools | Hunting
Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools | Anomaly
Windows Impair Defense Deny Security Software With Applocker | Disable or Modify Tools | TTP
Windows Impair Defense Disable Controlled Folder Access | Disable or Modify Tools | TTP
Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools | TTP
Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools | TTP
Windows Impair Defense Disable PUA Protection | Disable or Modify Tools | TTP
Windows Impair Defense Disable Realtime Signature Delivery | Disable or Modify Tools | TTP
Windows Impair Defense Disable Web Evaluation | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender App Guard | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Compute File Hashes | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Gen reports | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Report Infection | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Scan On Update | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools | TTP
Windows Impair Defense Overide Win Defender Phishing Filter | Disable or Modify Tools | TTP
Windows Impair Defense Override SmartScreen Prompt | Disable or Modify Tools | TTP
Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Disable or Modify Tools | TTP
Windows Impair Defenses Disable Auto Logger Session | Disable or Modify Tools | Anomaly
Windows Impair Defenses Disable AV AutoStart via Registry | Modify Registry | TTP
Windows Impair Defenses Disable HVCI | Disable or Modify Tools | TTP
Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools | Anomaly
Windows InProcServer32 New Outlook Form | Phishing, Modify Registry | Anomaly
Windows LSA Secrets NoLMhash Registry | LSA Secrets | TTP
Windows Modify Registry AuthenticationLevelOverride | Modify Registry | Anomaly
Windows Modify Registry Auto Minor Updates | Modify Registry | Hunting
Windows Modify Registry Auto Update Notif | Modify Registry | Anomaly
Windows Modify Registry Configure BitLocker | Modify Registry | TTP
Windows Modify Registry Default Icon Setting | Modify Registry | Anomaly
Windows Modify Registry Disable RDP | Modify Registry | Anomaly
Windows Modify Registry Disable Restricted Admin | Modify Registry | TTP
Windows Modify Registry Disable Toast Notifications | Modify Registry | Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif | Modify Registry | Anomaly
Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP
Windows Modify Registry Disable Windows Security Center Notif | Modify Registry | Anomaly
Windows Modify Registry DisableRemoteDesktopAntiAlias | Modify Registry | TTP
Windows Modify Registry DisableSecuritySettings | Modify Registry | TTP
Windows Modify Registry Disabling WER Settings | Modify Registry | TTP
Windows Modify Registry DisAllow Windows App | Modify Registry | TTP
Windows Modify Registry Do Not Connect To Win Update | Modify Registry | Anomaly
Windows Modify Registry DontShowUI | Modify Registry | TTP
Windows Modify Registry EnableLinkedConnections | Modify Registry | TTP
Windows Modify Registry LongPathsEnabled | Modify Registry | Anomaly
Windows Modify Registry MaxConnectionPerServer | Modify Registry | Anomaly
Windows Modify Registry No Auto Reboot With Logon User | Modify Registry | Anomaly
Windows Modify Registry No Auto Update | Modify Registry | Anomaly
Windows Modify Registry NoChangingWallPaper | Modify Registry | TTP
Windows Modify Registry on Smart Card Group Policy | Modify Registry | Anomaly
Windows Modify Registry ProxyEnable | Modify Registry | Anomaly
Windows Modify Registry ProxyServer | Modify Registry | Anomaly
Windows Modify Registry Qakbot Binary Data Registry | Modify Registry | Anomaly
Windows Modify Registry Suppress Win Defender Notif | Modify Registry | Anomaly
Windows Modify Registry Tamper Protection | Modify Registry | TTP
Windows Modify Registry to Add or Modify Firewall Rule | Modify Registry | Anomaly
Windows Modify Registry UpdateServiceUrlAlternate | Modify Registry | Anomaly
Windows Modify Registry USeWuServer | Modify Registry | Hunting
Windows Modify Registry Utilize ProgIDs | Modify Registry | Anomaly
Windows Modify Registry ValleyRAT C2 Config | Modify Registry | TTP
Windows Modify Registry ValleyRat PWN Reg Entry | Modify Registry | TTP
Windows Modify Registry With MD5 Reg Key Name | Modify Registry | TTP
Windows Modify Registry WuServer | Modify Registry | Hunting
Windows Modify Registry wuStatusServer | Modify Registry | Hunting
Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP
Windows Mshta Execution In Registry | Mshta | TTP
Windows New Custom Security Descriptor Set On EventLog Channel | Disable Windows Event Logging | Anomaly
Windows New Default File Association Value Set | Change Default File Association | Hunting
Windows New EventLog ChannelAccess Registry Value Set | Disable Windows Event Logging | Anomaly
Windows New InProcServer32 Added | Modify Registry | Hunting
Windows Njrat Fileless Storage via Registry | Fileless Storage | TTP
Windows Outlook Dialogs Disabled from Unusual Process | Modify Registry, Impair Defenses | TTP
Windows Outlook LoadMacroProviderOnBoot Persistence | Modify Registry, Office Application Startup | TTP
Windows Outlook Macro Security Modified | Office Application Startup, Fallback Channels | TTP
Windows Outlook WebView Registry Modification | Modify Registry | Anomaly
Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting
Windows Process Executed From Removable Media | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly
Windows Proxy Via Registry | Internal Proxy | Anomaly
Windows RDP Server Registry Deletion | File Deletion | Anomaly
Windows RDP Server Registry Entry Created | Remote Desktop Protocol | Anomaly
Windows Registry BootExecute Modification | Pre-OS Boot, Registry Run Keys / Startup Folder | TTP
Windows Registry Certificate Added | Install Root Certificate | Anomaly
Windows Registry Dotnet ETW Disabled Via ENV Variable | Indicator Blocking | TTP
Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder | TTP
Windows Registry Payload Injection | Fileless Storage | TTP
Windows Registry SIP Provider Modification | SIP and Trust Provider Hijacking | TTP
Windows Remote Access Software RMS Registry | Remote Access Tools | TTP
Windows Remote Services Allow Remote Assistance | Remote Desktop Protocol | Anomaly
Windows Remote Services Rdp Enable | Remote Desktop Protocol | TTP
Windows RunMRU Command Execution | Indirect Command Execution | Anomaly
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Service Deletion In Registry | Service Stop | Anomaly
Windows Set Network Profile Category to Private via Registry | Modify Registry | Anomaly
Windows Snake Malware Registry Modification wav OpenWithProgIds | Modify Registry | TTP
Windows SnappyBee Create Test Registry | Modify Registry | TTP
Windows USBSTOR Registry Key Modification | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly
Windows WPDBusEnum Registry Key Modification | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly
WSReset UAC Bypass | Bypass User Account Control | TTP

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • Details
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • EventType
  • Guid
  • Image
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • RecordID
  • RecordNumber
  • RegistryValueData
  • RegistryValueType
  • RuleName
  • SecurityID
  • SystemTime
  • System_Props_Xml
  • TargetObject
  • Task
  • ThreadID
  • TimeCreated
  • UserID
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • object_category
  • object_path
  • process_exec
  • process_guid
  • process_id
  • process_name
  • process_path
  • punct
  • registry_hive
  • registry_key_name
  • registry_path
  • registry_value_data
  • registry_value_name
  • registry_value_type
  • severity_id
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • status
  • tag
  • tag::eventtype
  • tag::object_category
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>13</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>13</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2021-07-12T08:11:04.548083500Z'/>
    <EventRecordID>810987</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2012' ThreadID='2712'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-host-623.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='EventType'>SetValue</Data>
    <Data Name='UtcTime'>2021-07-12 08:11:04.547</Data>
    <Data Name='ProcessGuid'>{0C1E0330-048F-60E8-0B00-00000000D001}</Data>
    <Data Name='ProcessId'>628</Data>
    <Data Name='Image'>C:\Windows\system32\lsass.exe</Data>
    <Data Name='TargetObject'>HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh</Data>
    <Data Name='Details'>QWORD (0x01d776fd-0xd724b8c5)</Data>
  </EventData>
</Event>

Required Output Fields

  • action
  • dest
  • process_guid
  • process_id
  • registry_hive
  • registry_path
  • registry_key_name
  • registry_value_data
  • registry_value_name
  • status
  • user
  • vendor_product
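
The mapping from the example record to the required output fields, as an added Python example that is not part of the Splunk project's own add-on: it parses this page's example Event ID 13 record (embedded as a constructed sample) and returns the fields listed above. The hive/key/value split of TargetObject, the DWORD/QWORD parsing of Details, and the action, status and vendor_product values are assumptions about how the fields are derived, not the add-on's exact logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Event ID 13 record shown on this page, wrapped over several
# lines (whitespace between elements is insignificant to the XML parser).
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>13</EventID>
<Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2021-07-12T08:11:04.548083500Z'/><EventRecordID>810987</EventRecordID><Correlation/>
<Execution ProcessID='2012' ThreadID='2712'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>win-host-623.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData>
<Data Name='RuleName'>-</Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2021-07-12 08:11:04.547</Data>
<Data Name='ProcessGuid'>{0C1E0330-048F-60E8-0B00-00000000D001}</Data><Data Name='ProcessId'>628</Data>
<Data Name='Image'>C:\Windows\system32\lsass.exe</Data>
<Data Name='TargetObject'>HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh</Data>
<Data Name='Details'>QWORD (0x01d776fd-0xd724b8c5)</Data></EventData></Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption about Sysmon's Details formatting: numeric values arrive as
# "DWORD (0x...)" / "QWORD (0x...)", binary values as "Binary Data", strings verbatim.
TYPED_DETAILS = re.compile(r"^(DWORD|QWORD|Binary Data)(?:\s+\((.*)\))?$")


def parse_event13(xml_text):
    """Map one Sysmon Event ID 13 record onto the required output fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "13":
        raise ValueError("not a Sysmon Event ID 13 record")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # TargetObject is "<hive>\<key path>\<value name>": the hive is the first
    # segment, the value name the last, and everything before it is the key.
    target = data.get("TargetObject", "")
    hive = target.partition("\\")[0]
    key_name, _, value_name = target.rpartition("\\")
    details = data.get("Details", "")
    m = TYPED_DETAILS.match(details)
    value_type, value_data = (m.group(1), m.group(2) or "") if m else ("String", details)
    security = system.find("e:Security", NS)
    return {
        # Assumption: a SetValue write is reported as action=modified, status=success.
        "action": "modified" if data.get("EventType") == "SetValue" else data.get("EventType", "").lower(),
        "dest": system.findtext("e:Computer", default="", namespaces=NS),
        "process_guid": data.get("ProcessGuid", ""),
        "process_id": data.get("ProcessId", ""),
        "registry_hive": hive,
        "registry_path": target,
        "registry_key_name": key_name,
        "registry_value_name": value_name,
        "registry_value_data": value_data,
        "registry_value_type": value_type,
        "status": "success",
        # Assumption: this event version carries only the caller SID in System/Security.
        "user": security.get("UserID", "") if security is not None else "",
        "vendor_product": "Microsoft Sysmon",
    }
```

A value whose Details is a plain string (for example a Run key pointing at an executable) falls through to value_type "String" with the text passed through unchanged.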


Source: GitHub | Version: 3