SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

TargetObject "HKLM\..." with condition "end with" #21

Closed ManfMert closed 7 years ago

ManfMert commented 7 years ago

There are some TargetObjects like HKLM\SYSTEM... with condition="end with". Is this correct?

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System

Shouldn't it be "begin with"?
SwiftOnSecurity commented 7 years ago

Hello, this is done based on the theory that with pattern matching, it's easier to filter text strings based on the most unique attributes. Obviously, tons of registry changes start with HKLM\SYSTEM\CurrentControlSet, so you're wasting CPU having it match that.

However, if you start at the end, very few registry keys end with T, then I, then D, then U, then A, so unmatching keys are discarded earlier in the text matching process.

It's a very tiny performance optimization. I hope that makes sense!
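An added example, not from the sysmon-config project or either commenter, that models the two conditions on the three keys from the issue plus some constructed sample TargetObject values. It counts the character comparisons each condition spends before rejecting a non-matching path, and also shows which events each condition matches, since "begin with" on a key also catches its subkeys while "end with" does not. String comparison is modelled as case-insensitive, an assumption about Sysmon's matching rather than something the issue states.

```python
# Added example (not part of sysmon-config): model Sysmon's "begin with" and
# "end with" TargetObject conditions and count character comparisons.

# The three keys quoted in the issue.
RULES = [
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System",
]

# Constructed sample TargetObject values: the three keys themselves, two
# unrelated keys sharing the long common prefix, and a subkey under Audit.
SAMPLE_EVENTS = [
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy\Something",
]


def match_count(event, pattern, condition):
    """Return (matched, comparisons) for one condition, stopping at the first
    mismatching character. Case-insensitive (assumed to mirror Sysmon)."""
    e, p = event.lower(), pattern.lower()
    if len(p) > len(e):          # cheap length check before any comparison
        return False, 0
    if condition == "begin with":
        pairs = zip(e, p)                        # walk from the front
    elif condition == "end with":
        pairs = zip(reversed(e), reversed(p))    # walk from the back
    else:
        raise ValueError("unsupported condition: %s" % condition)
    comparisons = 0
    for a, b in pairs:
        comparisons += 1
        if a != b:
            return False, comparisons
    return True, comparisons


def evaluate(pattern, condition, events):
    """Apply one rule to all events. Returns (matched events, comparisons
    spent on events that did NOT match, i.e. the wasted work in the answer)."""
    matched, wasted = [], 0
    for ev in events:
        ok, n = match_count(ev, pattern, condition)
        if ok:
            matched.append(ev)
        else:
            wasted += n
    return matched, wasted
```

Running `evaluate(RULES[0], "begin with", SAMPLE_EVENTS)` against the "end with" variant shows the prefix form spending 31 and 39 comparisons to reject the two unrelated keys versus 1 each for the suffix form, and matching four events (including the Audit subkeys) where the suffix form matches only the exact key.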