From 5554c69fe310bb2d78f4321f806b02001c7f9d20 Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Fri, 15 Sep 2017 13:53:44 +0200
Subject: [PATCH] Add registry keys often used by malware and windows services

(cherry picked from commit c612d4239156f052a67ef7d2a740d1079013726c)
---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8fdc2230..eb8e43d1 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -846,6 +846,9 @@
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\</TargetObject> <!--Microsoft:Windows:DNS: ServerLevelPluginDll Issue https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 -->
+			<!-- Testing - Unknown log volume but relevant registry keys -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_</TargetObject> <!-- Often used by malware -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\</TargetObject> <!--Windows Services -->
 		</RegistryEvent>
 	</RuleGroup>