Project Overview
I built a Python-based Windows Registry anomaly detection tool using a 5-layer rule system to detect unauthorized changes.
Core Layers of Detection
- Hash Verification: detect any change by comparing the stored hash of a registry value against the hash of its current value
- Timestamp Monitoring: identify unusual modification times
- User Activity Logging: check which user made the change
- Behavioral Patterns: track irregular or unexpected change patterns
- Access Frequency: spot suspiciously high-frequency access
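As an added illustration of the hash-verification and access-frequency layers (example code, not the project's own), the snippet below builds a hash baseline from a snapshot, diffs it against a later snapshot, and flags keys touched too often inside a time window. The registry paths, values and event timestamps are constructed sample data; on Windows the snapshots would be read with winreg and the events parsed from Sysmon registry events.

```python
import hashlib
from collections import defaultdict

def hash_value(data: str) -> str:
    """Layer 1 fingerprint of one registry value's data."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def build_baseline(snapshot: dict) -> dict:
    """{key_path: {value_name: data}} -> {key_path: {value_name: sha256}}"""
    return {key: {name: hash_value(data) for name, data in values.items()}
            for key, values in snapshot.items()}

def diff_snapshot(baseline: dict, current: dict) -> list:
    """Compare stored hashes with a fresh snapshot; return sorted (kind, key, name)."""
    alerts = []
    for key in set(baseline) | set(current):
        old = baseline.get(key, {})
        new = {n: hash_value(d) for n, d in current.get(key, {}).items()}
        for name in set(old) | set(new):
            if name not in old:
                alerts.append(("added", key, name))
            elif name not in new:
                alerts.append(("removed", key, name))
            elif old[name] != new[name]:
                alerts.append(("modified", key, name))
    return sorted(alerts)

def high_frequency_keys(events: list, threshold: int, window_s: int) -> list:
    """Layer 5: keys touched more than `threshold` times in any `window_s` span; events are (ts, key)."""
    per_key = defaultdict(list)
    for ts, key in sorted(events):
        per_key[key].append(ts)
    flagged = []
    for key, times in per_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.append(key)
                break
    return sorted(flagged)

# Constructed sample data (not real registry reads); real snapshots would come from winreg.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE_SNAPSHOT = {RUN_KEY: {"OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe"}}
CURRENT_SNAPSHOT = {RUN_KEY: {"OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
                              "Updater": r"C:\Users\Public\updater.exe"}}
SAMPLE_EVENTS = [(t, RUN_KEY) for t in range(0, 60, 5)] + [(100, r"HKCU\Software\Demo")]
```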
Tools Used
- Python
- Windows Registry Access (winreg)
- Event Logs (via Sysmon)
- Log Analysis Scripts
- Planned SIEM integration (e.g., Wazuh)
Why I Built This
I wanted to explore how intrusion detection could be implemented at the registry level without relying on full EDR tools, as a lightweight research-based security project.
Future Plans
- Integrate with Wazuh for automated alerting
- Package as an open-source CLI utility
- Enhance with machine learning for anomaly classification
I'd love to hear your thoughts and suggestions.