DEV Community

Shreyas Hainalkar
5-Layer Windows Registry Anomaly Detection Using Python

🧠 Project Overview

I built a Python-based Windows Registry anomaly detection tool using a 5-layer rule system to detect unauthorized changes.

Core Layers of Detection

  1. Hash Verification – Detect any change by comparing stored vs current registry value hash
  2. Timestamp Monitoring – Identify unusual modification times
  3. User Activity Logging – Check which user made changes
  4. Behavioral Patterns – Track irregular or unexpected change patterns
  5. Access Frequency – Spot suspicious high-frequency access
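The hash-verification and access-frequency layers, as an added example rather than the author's tool: the registry snapshot and the access log are constructed inline so the code runs anywhere, whereas on a live host the snapshot would come from walking keys with winreg and the events from Sysmon registry events.

```python
import hashlib
import json
from collections import defaultdict
# Constructed sample (no real host): a snapshot is {key_path: {value_name: (type, data)}},
# the shape a winreg walk (EnumValue/QueryValueEx) yields on a live Windows system.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE_SNAPSHOT = {RUN_KEY: {
    "SecurityHealth": ("REG_EXPAND_SZ", r"%windir%\system32\SecurityHealthSystray.exe"),
}}
CURRENT_SNAPSHOT = {RUN_KEY: {
    "SecurityHealth": ("REG_EXPAND_SZ", r"C:\Users\Public\changed.exe"),  # data changed
    "ExtraEntry": ("REG_SZ", r"C:\Users\Public\extra.exe"),               # value added
}}
# Constructed access log: ten Run-key writes within 54 s, two writes elsewhere an hour apart.
ACCESS_EVENTS = [(t, RUN_KEY) for t in range(0, 60, 6)] + [(0, "HKCU\\Other"), (3600, "HKCU\\Other")]

def hash_value(value_type, data):
    """Layer 1: SHA-256 over (type, data); storing hashes also keeps secrets out of the baseline."""
    return hashlib.sha256(json.dumps([value_type, str(data)]).encode()).hexdigest()

def build_baseline(snapshot):
    """Flatten a snapshot into {(key_path, value_name): hash}."""
    return {(key, name): hash_value(t, d)
            for key, values in snapshot.items() for name, (t, d) in values.items()}

def diff_against_baseline(baseline, snapshot):
    """Report values added, removed or modified since the stored baseline."""
    current = build_baseline(snapshot)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in baseline.keys() & current.keys()
                               if baseline[k] != current[k])}

def high_frequency_keys(events, window_seconds=60, threshold=5):
    """Layer 5: keys written more than `threshold` times in any `window_seconds`
    window; events are (unix_time, key_path), e.g. from Sysmon Event ID 12/13."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    flagged = []
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_seconds:
                start += 1  # slide the window past events that are too old
            if end - start + 1 > threshold:
                flagged.append(key)
                break
    return sorted(flagged)
```

A type change with identical data (REG_SZ to REG_EXPAND_SZ, say) is reported as modified because the type is part of the hashed payload.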

Tools Used

  • Python
  • Windows Registry Access (winreg)
  • Event Logs (via Sysmon)
  • Log Analysis Scripts
  • Planned SIEM integration (e.g., Wazuh)

Why I Built This

I wanted to explore how intrusion detection could be implemented at the registry level without relying on full EDR tools, as a lightweight research-based security project.

Future Plans

  • Integrate with Wazuh for automated alerting
  • Package as an open-source CLI utility
  • Enhance with machine learning for anomaly classification

I'd love to hear your thoughts and suggestions.
