Skip to content

feat(etw): Windows Kernel Registry provider for captured value data enrichment #527

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rabbitstack merged 6 commits into from
Jul 29, 2025
Merged

feat(etw): Windows Kernel Registry provider for captured value data enrichment #527

rabbitstack merged 6 commits into from
Jul 29, 2025

Conversation

@rabbitstack
Copy link
Owner

@rabbitstack rabbitstack commented Jul 22, 2025

What is the purpose of this PR / why it is needed?

This PR enables the Windows Kernel Registry provider session with a hidden filter flag to instruct the session to dump captured registry value data (strings, binary data, DWORD/QWORD values). The events published by the provider are correlated with the
NT Kernel Logger RegSetValue event to enrich the event with registry value payload obtained directly in the kernel.

What type of change does this PR introduce?

Uncomment one or more /kind <> lines:

/kind feature (non-breaking change which adds functionality)

/kind bug-fix (non-breaking change which fixes an issue)

/kind refactor (non-breaking change that restructures the code, while not changing the original functionality)

/kind breaking (fix or feature that would cause existing functionality to not work as expected

/kind cleanup

/kind improvement

/kind design

/kind documentation

/kind other (change that doesn't pertain to any of the above categories)

Any specific area of the project related to this PR?

Uncomment one or more /area <> lines:

/area instrumentation

/area telemetry

/area rule-engine

/area filters

/area yara

/area event

/area captures

/area alertsenders

/area outputs

/area rules

/area filaments

/area config

/area cli

/area tests

/area ci

/area build

/area docs

/area deps

/area other

Special notes for the reviewer

Does this PR introduce a user-facing change?

@rabbitstack rabbitstack force-pushed the use-reg-value-payload-from-event-param branch 2 times, most recently from 78b15e8 to 6872c0b Compare July 29, 2025 17:34
@rabbitstack
feat(etw): Enable Windows Kernel Registry provider
4ee2050 
This provider is enabled with the hidden filter flag
to make the ETW session write captured registry data.
The registry event processor keeps the queue of received
internal set value events and enriches subsequent RegSetValue
events emitted by the NT Kernel Logger provider.
@rabbitstack
refactor(yara): Use the new registry data parameter name
05f493a
@rabbitstack
refactor(filter): Change registry.value filter field semantics
6872c0b 
The registry.value filter field yields the name of the created
or modified registry value. The new registry.data field returns
the captured value data.
@rabbitstack rabbitstack merged commit e0e4541 into master Jul 29, 2025
11 checks passed
@rabbitstack rabbitstack deleted the use-reg-value-payload-from-event-param branch July 29, 2025 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rabbitstack