Thit artifact enables extracting Windows Defender configuration from SOFTWARE registry hive.
Availible parameters enable filtering on RegKey, KeyName or KeyValue.
name: Windows.Registry.DefenderConfig
author: Matt Green - @mgreen27
description: |
Thit artifact enables extracting Windows Defender configuration from
SOFTWARE registry hive.
Availible parameters enable filtering on RegKey, KeyName or KeyValue.
1. KeyRegex - Regex for string in registry key. For example we could use
Exclusions\\Process for process exclusions
2. NameRegex - Regex for KeyName. For example we could use process.exe
for a process in exclusions or specific setting name of interest.
3. ValueRegex - Regex for KeyValue.
type: CLIENT
parameters:
- name: TargetKey
default: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\**
- name: KeyRegex
default: .
description: Regex for string in registry key. For example we could use Exclusions\\Process for process exclusions
type: regex
- name: NameRegex
default: .
description: Regex for KeyName. For example we could use process.exe for a process in exclusions or specific setting.
type: regex
- name: ValueRegex
default: .
description: Regex for KeyValue.
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT
Mtime as LastWriteTime,
OSPath.dirname as RegKey,
OSPath.basename as KeyName,
Data.value as KeyValue,
Data.type as KeyType
FROM glob(globs=TargetKey, accessor="reg")
WHERE NOT KeyType = 'key'
AND RegKey=~ KeyRegex AND KeyName=~NameRegex AND KeyValue=~ValueRegex
ORDER BY RegKey