Step 1: Preparing Windows for Registry Monitoring

Open Local Group Policy Editor (Win + R → type gpedit.msc → Enter).
Navigate to:\ Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Registry.
Enable Success + Failure for Audit Registry.
Run gpupdate /force to apply changes immediately.

✅ Windows now logs all Registry modifications.

Step 2: Installing Sysmon for Detailed Registry Monitoring

Download Sysmon64.zip and extract it to C:\Program Files\Sysmon.
Download Sysmon configuration XML from SwiftOnSecurity Sysmon config.
Modify the configuration to focus on Run/RunOnce keys:

<RegistryEvent onmatch="include">
    <TargetObject name="RunKey" condition="contains">CurrentVersion\Run</TargetObject>
    <TargetObject name="RunOnceKey" condition="contains">CurrentVersion\RunOnce</TargetObject>
    <TargetObject name="RunPolicy" condition="contains">Policies\Explorer\Run</TargetObject>
</RegistryEvent>

Installed Sysmon with the configuration:

PS C:\Program Files\Sysmon> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

Verified Sysmon is running:

PS C:\Program Files\Sysmon> Get-Service Sysmon64

Status   Name               DisplayName
------   ----               -----------
Running  Sysmon64           Sysmon64

Sysmon is now actively monitoring Registry changes (Event ID 13).

Step 3: Testing Registry Modification

Open Registry Editor (regedit.exe).
Navigate to:\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Create a new String Value named TestPersistence with value: C:\Windows\notepad.exe.

✅ This represents a simulated persistence attempt for testing purposes.

Step 4: Monitoring Sysmon Logs in Event Viewer

Opened Event Viewer (eventvwr.msc).
Navigated to:\ Applications and Services Logs → Microsoft → Windows → Sysmon → Operational
Observed Event ID 13 for the test value creation:
TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TestPersistence
Image: regedit.exe
Details: C:\Windows\notepad.exe

✅ Event ID 13 confirms Sysmon successfully logged the Registry change.

IN SIEM :

✅ Logs now flow to your SIEM (via Winlogbeat/Agent).

Step 5: Creating KQL Rule for Run/RunOnce Persistence

1️⃣ Index Pattern

Used winlogbeat-* as the index pattern.

2️⃣ KQL Query

event.provider:"Microsoft-Windows-Sysmon" and event.code:"13" and (registry.path.keyword:*\\CurrentVersion\\Run* or registry.path.keyword:*\\CurrentVersion\\RunOnce*)

Explanation:

event.provider: "Microsoft-Windows-Sysmon" → Filters Sysmon logs.
event.code: 13 → Registry SetValue events.
registry.path.keyword: "*\\CurrentVersion\\Run*" → Focus on Run/RunOnce keys.
project → Extract essential fields for alert context.

3️⃣ Rule Trigger Explanation

Triggers whenever any process attempts to create or modify a value in any Run or RunOnce Registry key.

Example Event:

TargetObject: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\TESTTTTTTTTT
Image: C:\Windows\regedit.exe
Details: C:\Windows\TEST.exe

✅ Matches Event ID 13, triggering the KQL rule.

Step 6: Mapping to MITRE ATT\&CK

Open the "Mapping to MITRE ATT\&CK" interface within the rule settings.
Search for the technique T1547.001 – Registry Run Keys / Startup Folder.
Add this technique to the rule.
Assign the tactic: Persistence.

This ensures that the rule is linked to the MITRE ATT\&CK framework, facilitating consistent threat tracking and analysis.

Step 7: Summary

Field	Details
Scenario	Persistence via Registry Run/RunOnce Keys
Behavior	New registry value created under Run/RunOnce by process
Lab Environment	Windows 10 Pro N + Sysmon + Winlogbeat + Kibana
Detection Query	KQL as above
Rule Frequency	Every 1 minute
MITRE ATT\&CK	T1547.001 – Registry Run Keys / Startup Folder (Persistence)

Abdelwahab Ahmed Abdelwahab 20-09-2025