Sysmon Event ID 14

14: RegistryEvent (Key and Value Rename)

This is an event from Sysmon.

Registry key and value rename operations map to this event type. The event records the object that was renamed (TargetObject) and the new name of that key or value (NewName).

Description Fields in 14

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • EventType
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetObject
  • NewName

Examples of 14

Registry object renamed:
EventType: RenameKey
UtcTime: 2017-05-11 04:38:50.499
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\asdf
NewName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>14</EventID>
        <Version>2</Version>
        <Level>4</Level>
        <Task>14</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-05-11T04:38:50.499965200Z" />
        <EventRecordID>725980</EventRecordID>
        <Correlation />
        <Execution ProcessID="3188" ThreadID="3836" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="EventType">RenameKey</Data>
        <Data Name="UtcTime">2017-05-11 04:38:50.499</Data>
        <Data Name="ProcessGuid">{A23EAE89-E8BF-5913-0000-0010DB9F7109}</Data>
        <Data Name="ProcessId">25228</Data>
        <Data Name="Image">C:\Windows\regedit.exe</Data>
        <Data Name="TargetObject">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\asdf</Data>
        <Data Name="NewName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf</Data>
    </EventData>
</Event>
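The XML above shows the two fields a defender cares about in an Event ID 14 record: the original object (TargetObject) and its new name (NewName), both written as native NT registry paths (\REGISTRY\MACHINE rather than HKLM). The following Python script is an added example and is not code from this page or from Sysmon: it parses the event XML from the namespace-qualified schema, normalizes the hive prefixes to the familiar HKLM/HKU form, and flags renames that touch an autostart location such as Run or RunOnce, which is exactly what the page's regedit example does. The autostart patterns, the hive-prefix table, and the function names are assumptions made for this example; extend them for your own environment.

```python
import re
import xml.etree.ElementTree as ET

# Windows event XML places every element in this default namespace, so each
# lookup must be namespace-qualified.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event ID 14 record taken from this page (regedit renaming a RunOnce entry).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>14</EventID>
    <Computer>rfsH.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="EventType">RenameKey</Data>
    <Data Name="UtcTime">2017-05-11 04:38:50.499</Data>
    <Data Name="ProcessGuid">{A23EAE89-E8BF-5913-0000-0010DB9F7109}</Data>
    <Data Name="ProcessId">25228</Data>
    <Data Name="Image">C:\Windows\regedit.exe</Data>
    <Data Name="TargetObject">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\asdf</Data>
    <Data Name="NewName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf</Data>
  </EventData>
</Event>"""

# Native NT hive names as Sysmon writes them, mapped to their common short form.
HIVE_PREFIXES = [(r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")]

# Autostart locations to watch (assumed list for this example). The patterns
# match only the tail of the path, so HKLM, HKU and Wow6432Node variants all hit.
AUTOSTART_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon(\\|$)", re.IGNORECASE),
]


def normalize_registry_path(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\... (and USER to HKU)."""
    for prefix, short in HIVE_PREFIXES:
        if path.upper().startswith(prefix):
            return short + path[len(prefix):]
    return path


def is_autostart_path(path: str) -> bool:
    return any(p.search(path) for p in AUTOSTART_PATTERNS)


def parse_sysmon_event(xml_text: str) -> dict:
    """Return System basics plus every EventData <Data Name=...> as a flat dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    fields = {
        "EventID": int(system.find("e:EventID", EVT_NS).text),
        "Computer": system.find("e:Computer", EVT_NS).text,
    }
    for data in root.find("e:EventData", EVT_NS).findall("e:Data", EVT_NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def assess_rename(event: dict):
    """Classify an Event ID 14 record; returns None for any other event ID."""
    if event.get("EventID") != 14:
        return None
    old = normalize_registry_path(event["TargetObject"])
    new = normalize_registry_path(event["NewName"])
    reasons = []
    if is_autostart_path(old) or is_autostart_path(new):
        reasons.append("rename touches an autostart location")
    if is_autostart_path(new) and not is_autostart_path(old):
        reasons.append("object renamed into an autostart location")
    return {
        "event_type": event.get("EventType"),
        "image": event.get("Image"),
        "old": old,
        "new": new,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    finding = assess_rename(parse_sysmon_event(SAMPLE_EVENT_XML))
    for key, value in finding.items():
        print(f"{key}: {value}")
```

Note that the event only tells you the new name; to learn what the renamed key or value contained you need to correlate with Event ID 13 (value set) on the same ProcessGuid, or inspect the live registry.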
