From 58a9eb3c3efee8ee57860f9793c6954b0eb466a0 Mon Sep 17 00:00:00 2001 From: sravanigannavarapu <95500630+sravanigannavarapu@users.noreply.github.com> Date: Mon, 6 Dec 2021 13:35:18 -0800 Subject: [PATCH 1/5] Update audit-registry.md Add a note about expected events on Create Subkey. --- .../security/threat-protection/auditing/audit-registry.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 6ab435279c..bc39c3d697 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md 
@@ -46,6 +46,7 @@ If success auditing is enabled, an audit entry is generated each time any accoun - [4670](event-4670.md)(S): Permissions on an object were changed. -> [!NOTE] -> On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys you will see an additional 4663 event because you perform NtEnumerateKeys on the newly created subkey. You might additionally see a 4663 event on the newly created key if you try to rename the subkey. While using reg.exe for creating subkeys you'll see an additional 4663 event because you perform NtSetValueKey on the newly created subkey. We recommend not relying on 4663 events for subkey creation as they are dependent on the type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe. +> [!NOTE] +> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". 
+Calls to Registry APIs which involve accessing the key to perform any operations like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. From 5b6c9a109afd42e4d8defd11eb61c6086761822e Mon Sep 17 00:00:00 2001 From: sravanigannavarapu <95500630+sravanigannavarapu@users.noreply.github.com> Date: Wed, 8 Dec 2021 14:25:58 -0800 Subject: [PATCH 2/5] Update audit-registry.md --- windows/security/threat-protection/auditing/audit-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index bc39c3d697..f24a23d4fc 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md 
@@ -49,4 +49,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun > [!NOTE] > On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". -Calls to Registry APIs which involve accessing the key to perform any operations like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. +Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. From e25e95d5e0a5da97f567510907689330ffaf03e0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Dec 2021 11:19:26 -0800 Subject: [PATCH 3/5] Update audit-registry.md --- windows/security/threat-protection/auditing/audit-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index f24a23d4fc..31014f7b9a 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md 
+++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 09/06/2021 +ms.date: 12/16/2021 ms.technology: windows-sec --- From 6eaa1b9928818f8aa2dbf6ac28dcab5d324dfb02 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Dec 2021 11:20:27 -0800 Subject: [PATCH 4/5] Update windows/security/threat-protection/auditing/audit-registry.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/audit-registry.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 31014f7b9a..ff99ab6148 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md 
@@ -48,5 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun > [!NOTE] -> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". +> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". + Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. From 88ee40a7f3dbef9fe969623332417b2a1a95bea4 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 16 Dec 2021 11:20:49 -0800 Subject: [PATCH 5/5] Update windows/security/threat-protection/auditing/audit-registry.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/audit-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index ff99ab6148..306872fcbc 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md 
@@ -50,4 +50,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun > [!NOTE] > On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". -Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. +Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
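Review bot: In the first hunk (PATCH 1/5, `@@ -46,6 +46,7 @@`), the rewritten note drops two observations the removed text carried and then contradicts one of them. The removed text said regedit.exe produces an additional 4663 on creation because it performs NtEnumerateKeys on the new subkey, that reg.exe produces one because of NtSetValueKey, and that 4663 should not be relied on for subkey creation because it varies with parent permissions and tooling; the added paragraph instead states "creating a subkey using regedit.exe would not trigger a 4663 event". Either the old text or the new one is wrong for the tested configuration, so please reconcile them and keep the practical guidance (do not use 4663 as a subkey-creation signal) if it still holds. Same hunk: the added `+Calls to Registry APIs ...` line has no `> ` prefix, so it renders as a plain paragraph after the `[!NOTE]` callout rather than inside it; if it belongs to the note, prefix it with `> `. Also, the Local Security Policy node is "Advanced Audit Policy Configuration" (singular), not "Configurations", and the claim that 4656 is not generated under the Audit Registry subcategory but is under the legacy "Audit Object Access" category is surprising enough that the note should say which Windows version and settings were used to observe it.

Review bot: In the PATCH 2/5 hunk (`@@ -49,4 +49,4 @@`), the rewording introduces "Registry API's", a misplaced apostrophe in a plural; it should read "Registry APIs". The phrase "to access an open key object to perform an operation" is also clearer as "that operate on an open key, such as RegSetValue, RegEnumValue, or RegRenameKey, ...", which avoids the trailing "etc.".

Review bot: The PATCH 3/5 hunk (`@@ -11,7 +11,7 @@`) only bumps `ms.date` to 12/16/2021; that is the expected metadata change for an edited page and needs no further action.

Review bot: In the PATCH 4/5 hunk (`@@ -48,5 +48,6 @@`), the added blank `+` line makes it explicit that the "Calls to Registry API's ..." paragraph sits outside the note callout; confirm that is intended, since the paragraph continues the note's argument about which events to expect. Within the rewritten note line, "event 4656" is now lower-case while the following paragraph still says "Event 4663"; the two should match. "Advanced Audit Policy Configurations" is still plural here and should be "Advanced Audit Policy Configuration".

Review bot: The PATCH 5/5 hunk (`@@ -50,4 +50,4 @@`) fixes "API's" to "APIs", lower-cases "event 4663" to match "event 4656", and removes "etc.", which resolves the style points above. Two items remain open after this patch: the plural "Advanced Audit Policy Configurations" in the note line, and the unresolved conflict with the removed text about whether regedit.exe raises a 4663 when it enumerates the newly created subkey.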