Data Source: Sysmon EventID 12

Date: 2026-05-13

ID: 3ef28798-8eaa-4fd2-b074-6f36d08a1b33

Author: Patrick Bareiss, Splunk

Description

Logs the creation of a new registry key, including details about the key name, registry path, and associated process metadata.

Details

Property	Value
Source	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sourcetype	`XmlWinEventLog`
Separator	EventID

Name ▲▼	Technique ▲▼	Type ▲▼
WSReset UAC Bypass	Bypass User Account Control	TTP
Sdclt UAC Bypass	Bypass User Account Control	TTP
Windows Downdate Registry Activity	Modify Registry, Downgrade Attack	Anomaly
Windows Registry Delete Task SD	Scheduled Task, Disable or Modify Tools	Anomaly
Windows WPDBusEnum Registry Key Modification	Data from Removable Media, Replication Through Removable Media, Hardware Additions	Anomaly
Revil Registry Entry	Modify Registry	TTP
Malicious InProcServer32 Modification	Modify Registry, Regsvr32	TTP
Windows RunMRU Registry Key or Value Deleted	Modify Registry	Anomaly
Remcos client registry install entry	Modify Registry	TTP
Windows RDP Server Registry Deletion	File Deletion	Anomaly
Add DefaultUser And Password In Registry	Credentials in Registry	Anomaly
Windows USBSTOR Registry Key Modification	Data from Removable Media, Replication Through Removable Media, Hardware Additions	Anomaly
Windows Deleted Registry By A Non Critical Process File Path	Modify Registry	Anomaly
Windows Modify Registry Delete Firewall Rules	Modify Registry	TTP
Windows CrowdStrike Agent Registry Key Removal	Disable or Modify Tools	Anomaly

Supported Apps

Splunk Add-on for Sysmon (version 5.0.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">EventChannel</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventDescription</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">EventType</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Image</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessGuid</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">ProcessId</span>
  
  <span class="pill kill-chain">RecordID</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">RuleName</span>
  
  <span class="pill kill-chain">SecurityID</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">TargetObject</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">TimeCreated</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">UtcTime</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">object_path</span>
  
  <span class="pill kill-chain">process_exec</span>
  
  <span class="pill kill-chain">process_guid</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">registry_hive</span>
  
  <span class="pill kill-chain">registry_key_name</span>
  
  <span class="pill kill-chain">registry_path</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">tag::object_category</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>12</EventID><Version>2</Version><Level>4</Level><Task>12</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-07-12T08:10:32.607068200Z'/><EventRecordID>1055579</EventRecordID><Correlation/><Execution ProcessID='1152' ThreadID='1212'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-890.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>DeleteKey</Data><Data Name='UtcTime'>2021-07-12 08:10:32.592</Data><Data Name='ProcessGuid'>{466BC892-F8F2-60EB-107E-00000000CF01}</Data><Data Name='ProcessId'>10188</Data><Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TargetObject'>HKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command</Data></EventData></Event>

Required Output Fields

action
dest
process_guid
process_id
registry_hive
registry_path
registry_key_name
status
user
vendor_product

Source: GitHub | Version: 4