Monitor Windows Registry Changes
The Windows registry is a hierarchical database that stores configuration for the Windows operating system and for the applications installed on it. Threat actors modify autorun locations in the registry to gain persistence: a program they control is then executed automatically when Windows starts, when a user logs in, or when a particular application is launched. The Lacework Windows agent monitors such registry changes on hosts and reports them in the Lacework Console so that you can quickly act on malicious registry changes.
Lacework monitors a set of default registry paths that could be modified to automatically execute applications. You cannot override these default registry paths.
note
The list of default registry paths has been omitted for security reasons. Contact Lacework Support for the list of default registry paths.
Enable or Disable Registry Monitoring
By default, registry monitoring is enabled.
Disable Registry Monitoring
To disable registry monitoring, do the following:
- Add the following property to the config.json file (note that the value is the string "false" and that there is no trailing comma after it; a trailing comma makes the file invalid JSON):
  "registry": {
    "enabled": "false"
  }
- Restart the Windows agent to apply the config.json changes. For instructions, see Restart Windows Agent.
Enable Registry Monitoring
If registry monitoring is disabled, do the following to enable it:
- Do one of the following:
  - Modify the registry property in the config.json file as shown below:
    "registry": {
      "enabled": "true"
    }
  - Remove the following from the config.json file (monitoring is enabled when the property is absent):
    "registry": {
      "enabled": "false"
    }
- Restart the Windows agent to apply the config.json changes. For instructions, see Restart Windows Agent.
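The two procedures above (disabling and enabling registry monitoring) are the same edit with a different value, so an administrator who manages many hosts will usually script it. The following PowerShell script is an added example and is not code from the Lacework documentation or from the Lacework agent itself. It rewrites the registry.enabled property in config.json through a JSON parser rather than by text replacement, which guarantees the result is valid JSON (no trailing commas), keeps a backup, verifies the file re-parses, and then restarts the agent service. The config.json path and the service name are assumptions, not values from this page; take both from your own installation and the Restart Windows Agent instructions.

```powershell
<#
  Added example (not Lacework's own code): set registry monitoring on or off
  in the Windows agent's config.json, then restart the agent.
  ASSUMPTIONS: the default values of -ConfigPath and -ServiceName below are
  placeholders and are not taken from the Lacework documentation. Override
  them with the path and service name used by your installation.
#>
param(
    [ValidateSet('true', 'false')]
    [string]$Enabled = 'false',
    [string]$ConfigPath = 'C:\ProgramData\Lacework\config\config.json',   # assumed path
    [string]$ServiceName = 'LaceworkAgentService'                          # assumed name
)

$ErrorActionPreference = 'Stop'

# Load the current configuration. config.json may legitimately be empty or
# absent; in both cases we start from an empty object.
if ((Test-Path -LiteralPath $ConfigPath) -and
    -not [string]::IsNullOrWhiteSpace((Get-Content -LiteralPath $ConfigPath -Raw))) {
    $config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
} else {
    $config = [pscustomobject]@{}
}

# Create or update the "registry" block. The page shows the value as the
# string "true"/"false", so that form is preserved here.
if ($null -eq $config.PSObject.Properties['registry']) {
    $config | Add-Member -NotePropertyName 'registry' `
                         -NotePropertyValue ([pscustomobject]@{ enabled = $Enabled })
} elseif ($null -eq $config.registry.PSObject.Properties['enabled']) {
    $config.registry | Add-Member -NotePropertyName 'enabled' -NotePropertyValue $Enabled
} else {
    $config.registry.enabled = $Enabled
}

# Keep a backup of the previous file, then write the new one. ConvertTo-Json
# never emits trailing commas, so the file stays valid JSON.
if (Test-Path -LiteralPath $ConfigPath) {
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
}
$config | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $ConfigPath -Encoding UTF8

# Verify before restarting: re-parse the file and check the value we wrote.
$check = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
if ($check.registry.enabled -ne $Enabled) {
    throw "config.json verification failed: registry.enabled is '$($check.registry.enabled)'"
}

# Restart the agent so the change takes effect (the "Restart Windows Agent" step).
Restart-Service -Name $ServiceName
Write-Host "registry.enabled is now '$Enabled'; service '$ServiceName' restarted."
```

Run it as an administrator, for example `.\Set-RegistryMonitoring.ps1 -Enabled 'true'` to turn monitoring back on. Because the script edits the parsed object rather than the raw text, any other properties already in config.json are preserved; the `.bak` copy lets you roll back if the agent rejects the new file.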
View Registry Monitoring Alerts
To view the registry monitoring alerts:
- In the Lacework Console, go to Resources > Host > Files (FIM).
- Navigate to the New Registry Autoruns table.