
Antipova Anna
Posted


When creating an IoC scan task, only the following registry branches are scanned.

<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
               '{
                  LR"(HKEY_CLASSES_ROOT\htafile)",
                  LR"(HKEY_CLASSES_ROOT\batfile)",
                  LR"(HKEY_CLASSES_ROOT\exefile)",
                  LR"(HKEY_CLASSES_ROOT\comfile)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\piffile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\htafile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\exefile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\comfile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\CLSID)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)"
                }'
             tag-id="2" tag-name="PredefinedKeyPaths"/>

IoC tasks that are configured to scan other branches of the registry will not return any results.
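Because an IoC that points outside these branches simply comes back empty, it is worth checking the registry paths in an IoC file against the list before the task runs. The script below is an added example, not Kaspersky code: it copies the PredefinedKeyPaths list from above, reads RegistryItem/KeyPath indicator items out of an OpenIOC 1.0 document (the IoC file layout is an assumption), and reports for each path which predefined branch contains it, or None if the task will never look at it. It also assumes that a listed branch covers its subkeys and accepts the standard hive abbreviations (HKLM, HKCR, HKCU, HKU). The sample IoC, its ids and the service name in it are constructed.

```python
"""Pre-flight check for an IoC scan task: which registry paths in an IoC
file fall under the branches the task actually scans.  Added example, not
Kaspersky code; OpenIOC layout and branch-includes-subkeys are assumptions."""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Branches copied verbatim from the PredefinedKeyPaths field above.
PREDEFINED_KEY_PATHS = [
    r"HKEY_CLASSES_ROOT\htafile",
    r"HKEY_CLASSES_ROOT\batfile",
    r"HKEY_CLASSES_ROOT\exefile",
    r"HKEY_CLASSES_ROOT\comfile",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services",
    r"HKEY_LOCAL_MACHINE\Software\Classes\piffile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\htafile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\exefile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\comfile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
]
# Standard Windows hive abbreviations, so IoC authors' shorthand is accepted.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT",
                "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}

def normalize(path: str) -> List[str]:
    """Split a key path into components: expand the hive alias, fold case
    (the registry is case-insensitive) and drop empty segments."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if parts:
        parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0])
    return [p.lower() for p in parts]

_PREDEFINED = [normalize(p) for p in PREDEFINED_KEY_PATHS]

def covering_branch(path: str) -> Optional[str]:
    """Return the predefined branch containing `path` (the branch itself or
    any subkey of it), or None if the scan task will never look at it."""
    comps = normalize(path)
    for raw, branch in zip(PREDEFINED_KEY_PATHS, _PREDEFINED):
        if comps[:len(branch)] == branch:   # component-wise prefix match
            return raw
    return None

def registry_paths_from_openioc(xml_text: str) -> List[str]:
    """Collect RegistryItem key paths from an OpenIOC 1.0 document (assumed
    IoC format); tolerates namespaced and un-namespaced elements."""
    paths = []
    for item in ET.fromstring(xml_text).iter():
        if item.tag.split("}")[-1] != "IndicatorItem":
            continue
        search, content = "", ""
        for child in item:
            name = child.tag.split("}")[-1]
            if name == "Context":
                search = child.get("search", "")
            elif name == "Content":
                content = (child.text or "").strip()
        if search in ("RegistryItem/KeyPath", "RegistryItem/Path") and content:
            paths.append(content)
    return paths

def check_ioc(xml_text: str) -> Dict[str, Optional[str]]:
    """Map every registry path in the IoC to its covering branch (or None)."""
    return {p: covering_branch(p) for p in registry_paths_from_openioc(xml_text)}

# Constructed sample IoC: two paths the task scans, two it silently ignores.
SAMPLE_IOC = r"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-sample">
  <definition><Indicator operator="OR" id="i1">
    <IndicatorItem id="a" condition="contains">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Content>
    </IndicatorItem>
    <IndicatorItem id="b" condition="contains">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</Content>
    </IndicatorItem>
    <IndicatorItem id="c" condition="contains">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKCU\Software\Microsoft\Windows\CurrentVersion\Run</Content>
    </IndicatorItem>
    <IndicatorItem id="d" condition="contains">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters</Content>
    </IndicatorItem>
  </Indicator></definition>
</ioc>"""

if __name__ == "__main__":
    for path, branch in check_ioc(SAMPLE_IOC).items():
        print(path, "->", f"scanned (under {branch})" if branch else "NOT scanned")
```

Running it on the sample shows the trap the post warns about: the HKLM Run key and a service's Parameters subkey are covered, while RunOnce and the per-user HKCU Run key are not in the predefined list, so an IoC that only references those two comes back empty rather than failing.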
