Project Overview
I built a Python-based Windows Registry anomaly detection tool using a 5-layer rule system to detect unauthorized changes.
Core Layers of Detection
- Hash Verification: detect any change by comparing the stored vs. current registry value hash
- Timestamp Monitoring: identify unusual modification times
- User Activity Logging: check which user made the changes
- Behavioral Patterns: track irregular or unexpected change patterns
- Access Frequency: spot suspicious high-frequency access
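As an added example (illustrative code, not the original tool's source), the following implements two of the five layers above: hash verification of registry values against a stored baseline, and a sliding-window access-frequency check over Sysmon-style registry events. It assumes values are read with the standard-library `winreg` module on Windows; the detection functions themselves take plain dicts and event tuples, so they run on any platform, and the sample data below is constructed, not taken from a real machine.

```python
"""Hash-verification and access-frequency layers for registry anomaly detection.
Added example: not the original tool's code. Registry reads use winreg when
available; the detection logic is platform-independent and takes dicts."""
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None


def read_key_values(hive_name, subkey):
    """Read every value under <hive>\\<subkey> into {name: (type, data)}.
    Requires winreg (Windows); on other platforms pass a dict to snapshot()."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: supply values as a dict instead")
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    values = {}
    with winreg.OpenKey(hive, subkey) as key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:  # raised once the value list is exhausted
                break
            values[name] = (vtype, data)
            index += 1
    return values


def value_hash(vtype, data):
    """SHA-256 over the value type plus a canonical JSON encoding of the data.
    Including the type means a REG_SZ "1" and a REG_DWORD 1 hash differently;
    bytes (REG_BINARY) are hex-encoded so every value kind is covered."""
    if isinstance(data, bytes):
        data = data.hex()
    canonical = json.dumps([vtype, data], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(values):
    """Map each value name to its hash; this is what gets stored as the baseline."""
    return {name: value_hash(vtype, data) for name, (vtype, data) in values.items()}


def diff_snapshots(baseline, current):
    """Report value names added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline.keys() & current.keys() if baseline[n] != current[n]),
    }


def high_frequency_keys(events, window, threshold):
    """Access-frequency layer: flag keys touched more than `threshold` times inside
    any rolling `window`. `events` is an iterable of (timestamp, target_key, user)
    sorted by timestamp (Sysmon registry events reduce to this shape)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, key, _user in events:
        hits = recent[key]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # drop events outside the window
            hits.popleft()
        if len(hits) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(hits))
    return flagged


# Constructed sample data (not real registry contents or real telemetry).
BASELINE_VALUES = {"InstallPath": (1, "C:\\Program Files\\ExampleApp"), "UpdateUrl": (1, "https://example.invalid/upd")}
CURRENT_VALUES = {
    "InstallPath": (1, "C:\\Program Files\\ExampleApp"),
    "UpdateUrl": (1, "http://example.invalid/other"),  # modified since baseline
    "DebugFlags": (3, b"\x00\x01"),                      # newly added REG_BINARY
}
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i), "HKLM\\SOFTWARE\\ExampleVendor\\ExampleApp", "alice") for i in range(6)]
SAMPLE_EVENTS += [(T0 + timedelta(seconds=200), "HKCU\\SOFTWARE\\ExampleVendor", "bob")]


def demo():
    """Run both layers over the constructed sample and return their findings."""
    changes = diff_snapshots(snapshot(BASELINE_VALUES), snapshot(CURRENT_VALUES))
    bursts = high_frequency_keys(sorted(SAMPLE_EVENTS), timedelta(seconds=60), threshold=5)
    return changes, bursts


if __name__ == "__main__":
    print(demo())
```

On Windows, `snapshot(read_key_values("HKLM", r"SOFTWARE\ExampleVendor\ExampleApp"))` produces the baseline to persist; a later run diffs a fresh snapshot against it. The frequency check keeps one deque per key, so memory is bounded by the window rather than by the whole log.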
Tools Used
- Python
- Windows Registry Access (winreg)
- Event Logs (via Sysmon)
- Log Analysis Scripts
- Planned SIEM integration (e.g., Wazuh)
Why I Built This
I wanted to explore how intrusion detection could be implemented at the registry level without relying on full EDR tools, as a lightweight research-based security project.
Future Plans
- Integrate with Wazuh for automated alerting
- Package as an open-source CLI utility
- Enhance with machine learning for anomaly classification
I'd love to hear your thoughts and suggestions.