jacob_bks
Champion Sweeper
Hello everyone:

I was wondering if we would have a thread of useful registry keys, and files to scan.


Example:

%programfiles(x86)%\Common Files\McAfee\Engine\avvscan.dat - McAfee virus definition file (old date = old definitions)

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install - LastSuccessTime = last time windows updates applied to a computer/server

%windir%\CCM\CcmExec.exe = SCCM client installed


%windir%\system32\mictray.exe
%windir%\system32\mictray64.exe
C:\Users\Public\mictray.log
= Check the Hewlett Packard Conexant audio driver version for the keylogger vulnerability


SOFTWARE\Wow6432Node\McAfee Endpoint Encryption\EEGo - Health = Status of McAfee hard disk encryption (missing, not healthy, etc)


I'm wondering what other neat things I can scan for that would prove very useful
ldockery
Engaged Sweeper II
TeamViewer ID:

SOFTWARE\Wow6432Node\Teamviewer [ClientID]
SOFTWARE\Teamviewer [ClientID]
Hendrik_VE
Champion Sweeper III
Maybe some of them are posted already, but these are a few of the reg keys and files we scan:

Files:
c:\LS\LSPush.exe (to check the LSPush version)
c:\windows\system32\drivers\etc\hosts (to check for changes in the hosts file)
c:\pagefile.sys (to report on the size of the pagefile)

Registry Keys:

McAfee:
SOFTWARE\McAfee\AVSolution\DS\DS - dwContentMajorVersion
SOFTWARE\Wow6432Node\McAfee\AVEngine - AVDatVersion
SOFTWARE\McAfee\AVEngine - AVDatVersion
SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL - enableoas

VNC:
SOFTWARE\TightVNC\Server - RfbPort

RDP:
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp - UserAuthentication
SYSTEM\CurrentControlSet\Control\Terminal Server - fDenyTSConnections
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp - PortNumber

Defender:
SOFTWARE\Policies\Microsoft\Windows Defender - DisableAntiSpyware

WSUS:
Software\Policies\Microsoft\Windows\WindowsUpdate - WUServer
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - TargetGroup
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update - AUOptions
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - AUOptions
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download - LastSuccessTime
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install - LastSuccessTime

And then a couple of custom registry keys that we set using PowerShell scripts which we use to monitor our backups:
eg. SOFTWARE\CUSTOMER_XYZ\Backup\LastSuccessfullTransfer - Date
nnewton
Engaged Sweeper III
SMB status:
HKLM SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1
HKLM SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB2

Symantec Endpoint Protection virus definition update date
HKLM SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate LatestVirusDefsDate
HKLM SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate LatestVirusDefsDate

SSL and TLS client default status
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client DisabledByDefault
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault

Windows OS build number
HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion ReleaseId
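An added example, not code posted by anyone in this thread: a PowerShell script that reads the RDP, SMB, SCHANNEL, Defender and Windows Update values listed in the two posts above on the local machine and reports each one, treating an absent key or value as "<not set>" (which usually means the OS default applies) rather than as an error. The check list and the one-line notes are my own assumptions; the hosts file hash at the end covers the "check for changes in the hosts file" item.

```powershell
# Constructed check list built from the registry values posted in this thread.
# Each Note is an assumed interpretation of the value, not something the thread states.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';
       Name = 'fDenyTSConnections'; Note = '1 = RDP connections denied' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';
       Name = 'UserAuthentication'; Note = '1 = Network Level Authentication required' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';
       Name = 'PortNumber'; Note = 'RDP listening port (default 3389)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name = 'SMB1'; Note = '0 = SMBv1 server disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client';
       Name = 'DisabledByDefault'; Note = '1 = TLS 1.0 client disabled by default' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';
       Name = 'DisableAntiSpyware'; Note = '1 = Defender disabled by policy' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install';
       Name = 'LastSuccessTime'; Note = 'last successful update install' }
)

function Get-RegistryCheck {
    param([hashtable]$Check)
    $value = $null
    if (Test-Path -LiteralPath $Check.Path) {
        # The key may exist without the value name; SilentlyContinue turns that into $null.
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($Check.Name) }
    }
    $shown = if ($null -eq $value) { '<not set>' } else { $value }
    [pscustomobject]@{ Key = $Check.Path; Name = $Check.Name; Value = $shown; Note = $Check.Note }
}

# Hosts file: record a hash so a later run can detect modification by comparing hashes.
function Get-HostsFileHash {
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) { (Get-FileHash -LiteralPath $hosts -Algorithm SHA256).Hash }
    else { '<missing>' }
}

$report = foreach ($c in $checks) { Get-RegistryCheck -Check $c }
$report | Format-Table -AutoSize
"hosts file SHA256: $(Get-HostsFileHash)"
```

Reading HKLM policy keys and the hosts file hash needs no elevation; pipe `$report` to `Export-Csv` if you want to keep a per-host baseline to diff against later runs.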
JacobH
Champion Sweeper III
Keep in mind if you put trash in your INSERTS, you could break everything, so back up your database/etc - or have undo/delete scripts for each insert that you do...


JacobH
Champion Sweeper III
Hockey: if you beg support, they might give you a query and say it's unsupported...


AT YOUR OWN RISK AND UNCONFIRMED:

TSysFiles - you can insert 'Searchfile' and 'Enabled' (1 or 0)


TsysRegistry - you can insert 'Rootkey' 'RegPath' 'Regvalue' and 'Enabled'


that should be everything you need as the other column is a unique autoincrement key that everything should then key off of afterwards.

JacobH
Champion Sweeper III
I forgot about this thread, I should update this with more useful keys to check..


Or files! Example: the hosts file! If it's modified, have it email you, as something sketchy might be going on!


I'll have to dig some up when I'm at work.
JacobH
Champion Sweeper III
Lol hockey you found my old post/handle
AZHockeyNut
Champion Sweeper III
Entering all those registry keys can be a big pain in LS. Is there a way to speed it up, perhaps with an import feature where we can take a .reg file and feed it to LS and it would set up our scans for us?
jacob_bks
Champion Sweeper
oh - sorry, you can remove domainrole > 1 as that just gets servers...

my bad