question

JanLinhart-5017 asked:

Sysmon 13.10 creating excessive amounts of logs (event.code 12)

Hi there,
First of all, thanks for your amazing work on Sysmon; it is a really great tool for cyber defense. I have some issues though, as we recently updated Sysmon 13.02 to 13.10 with the same config (Olaf Hartong's modular config and SwiftOnSecurity's, with a few of our own rules added; it was working smoothly on v13.02). Until the recent update, Sysmon was operational just fine on all machines, but when upgraded to version 13.10 we experienced an excessive amount of logs, especially event ID 12 "Registry object added or deleted: EventType: CreateKey" with various images (ossec, spoolsv, sysmon64), with registry keys and paths such as:

registry.key:
System\CurrentControlSet\Services\Tcpip\Parameters
registry.path:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

or

registry.key
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
registry.path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

(these are the two main spammers)

When I say excessive, I mean from 20 hits per hour to 60 thousand.

Anyone experienced such an issue or able to help? Many thanks!
JL

windows-sysinternals-sysmon

1 Answer

JanLinhart-5017 answered:

This issue is solved and was caused by a bug in the Olaf Hartong modular config, which has now been updated:

https://github.com/olafhartong/sysmon-modular


JanLinhart-5017 commented:

So unfortunately the issue is on the side of Sysmon, where parsing is not working correctly. Please check Olaf's GitHub for more info:

https://github.com/olafhartong/sysmon-modular/issues/96

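As an added example (not code from the original question, the answer, or the sysmon-modular project), the following PowerShell script ranks the noisiest Event ID 12 target keys, images and matching rule names from the local Sysmon channel over a chosen window. A flood like the one described in the question (20 hits per hour jumping to 60 thousand on a handful of keys) can then be tied to the include rule that matched it, which is what distinguishes a config regression from a Sysmon bug. It assumes the default channel name Microsoft-Windows-Sysmon/Operational, the standard Sysmon event XML layout (Event/EventData/Data[@Name]), and a shell with rights to read that channel; the $Hours and $Top parameters are names chosen for this example.

```powershell
# Added example: triage Sysmon Event ID 12 (RegistryEvent: CreateKey/DeleteKey) volume.
# Assumes the default Sysmon channel name and an elevated shell; $Hours/$Top are
# parameter names chosen for this example.
param(
    [int]$Hours = 1,
    [int]$Top   = 10
)

$logName = 'Microsoft-Windows-Sysmon/Operational'
$since   = (Get-Date).AddHours(-$Hours)

# Filter server-side on event ID and start time; an empty result is not an error here.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 12; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    "No Event ID 12 records in '{0}' during the last {1} hour(s)." -f $logName, $Hours
    return
}

# Flatten each event's <Data Name="..."> elements into a record.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        # GetAttribute avoids the ambiguity between the Name attribute and XmlElement.Name.
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        RuleName     = $data['RuleName']
        EventType    = $data['EventType']
        Image        = $data['Image']
        TargetObject = $data['TargetObject']
    }
}

"{0} Event ID 12 records in the last {1} hour(s) ({2:N0} per hour)" -f `
    $records.Count, $Hours, ($records.Count / $Hours)

"`nTop {0} target keys:" -f $Top
$records | Group-Object TargetObject | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"`nTop {0} images:" -f $Top
$records | Group-Object Image | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# RuleName is the name of the include rule that matched; a single rule dominating
# the count points at the config rather than at Sysmon's event generation.
"`nMatching rule names:"
$records | Group-Object RuleName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\Sysmon-Reg12-Triage.ps1 -Hours 1 -Top 10` right after a config change and again after reverting: if the top TargetObject entries and a single RuleName collapse together, the noise came from that rule, which is the situation the answer above describes.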