I am experiencing an issue where I am trying to audit a specific registry key via Windows Event ID 4657.
TL;DR: I have tried to set up auditing on a registry key so that it logs when a new subkey is created under it, but nothing is logged when this action is performed. After creating the subkey, any changes to the key are then logged. My objective, however, is to log the initial creation of the subkey “\Run” so that I may catch this well-known ASEP (Auto-start Extension Point) for signs of malicious activity.
The registry key in question is:
As you can see in the screenshot below, this specific path does not exist (the “Run” subkey has yet to be created).
Figure 1 – registry before change
The auditing permissions (Right-click -> Permissions -> Advanced -> Auditing -> Add) set on this registry subkey are as follows:
Applies to: This key and subkeys
Advanced permissions: Full Control (Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Create link, Delete, Write DAC, Write Owner, and Read Control)
For the “Only apply these audit settings to objects and/or containers within this container” check box, I have tested with and without it checked. -> OK -> Apply -> OK
Figure 2 – Auditing Entry for “Explorer” subkey
Not sure if this is entirely necessary, but I am also running “gpupdate /force” via an admin-privileged cmd.exe.
Figure 3 – lack of logs
No logs appear to have been generated as a result of the registry change on the registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run) which has inherited the auditing settings from its parent key “Explorer”.
GPO settings are as follows:
Figure 4 – Active Directory Users and Computers settings showing the host being tested has this GP applied
Figure 5 – Group Policy Management showing Link Enabled
Figure 6 – Group Policy Management Editor showing Audit Registry is set to log Success and Failure
Please note that further modifications appear to be logged as expected; creating additional key values & modifying them (under the \Run subkey):
Figure 7 – further modifications are logged
Figure 8 – Only log is generated after subkey creation
So, as shown above, once the key is created and new values are added under the newly created key, this is logged, but the creation of the new key itself is not logged.
Am I missing something here? Any and all help is greatly appreciated in advance!
DC where GPO is managed is a Microsoft Windows Server 2012 R2 Standard – 6.3.9600 Build 9600 and is configured as the Primary Domain Controller. The machine I am testing these registry changes on is also a Microsoft Windows Server 2012 R2 Standard – 6.3.9600 Build 9600 configured as a Member Server.
Using Sysmon is not an option for my current situation.
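A scripted form of the same setup, added here as an example and not part of the original post: it places a Create Subkey / Set Value audit entry on the Explorer key and then lists the registry audit events that name that key. Event ID 4657 is raised only when a registry value is modified; the creation of a subkey is recorded as a registry object-access event (4663, with “Create sub-key” in its access list) against the parent key, so the query covers both IDs. It assumes an elevated session (writing the SACL needs SeSecurityPrivilege) and the Audit Registry subcategory enabled for Success and Failure, as in the post; `Add-RegistryCreateSubkeyAudit` and `Get-RegistryAuditEvents` are names chosen for this example.

```powershell
# Added example (not from the original post). Key path taken from the post.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Add-RegistryCreateSubkeyAudit {
    param([string]$Path = $KeyPath, [string]$Identity = 'Everyone')

    # -Audit is required so the returned ACL carries the SACL, not just the DACL.
    $acl = Get-Acl -Path $Path -Audit

    $rights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
              [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::Delete
    # "This key and subkeys" in the GUI = ContainerInherit, no propagation flags.
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success -bor
        [System.Security.AccessControl.AuditFlags]::Failure)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl   # assumption: session holds SeSecurityPrivilege
}

function Get-RegistryAuditEvents {
    param([string]$Path = $KeyPath, [int]$Hours = 1)

    # Event text uses the native form \REGISTRY\MACHINE\..., so match on the
    # tail of the path rather than on the HKLM: drive prefix.
    $tail = [regex]::Escape(($Path -replace '^HKLM:\\', ''))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4657, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match $tail } |
      ForEach-Object {
          # 4663 carries an "Accesses:" line; a subkey creation reads "Create sub-key".
          $accesses = if ($_.Message -match 'Accesses:\s+(.+)') { $Matches[1].Trim() } else { '' }
          [pscustomobject]@{
              Time     = $_.TimeCreated
              Id       = $_.Id
              Accesses = $accesses
          }
      }
}

Add-RegistryCreateSubkeyAudit
Get-RegistryAuditEvents | Format-Table -AutoSize
```

Create the \Run subkey after running the first function, then run the second: the creation should appear as a 4663 with “Create sub-key” on the Explorer key, while later value writes under \Run appear as 4657.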