This artifact uses glob to remove a registry key.
TypeRegex allows targeting of key or value. For service remediation key, for run key remediation SZ or .
WARNING: PLEASE SCOPE FIRST and use appropriate targeting.
name: Windows.Remediation.Registry
author: Matt Green - @mgreen27
description: |
This artifact uses glob to remove a registry key.
TypeRegex allows targeting of key or value. For service remediation key, for
run key remediation SZ or .
WARNING: PLEASE SCOPE FIRST and use appropriate targeting.
type: CLIENT
precondition:
SELECT * FROM info() where OS = 'windows'
parameters:
- name: TargetRegistryGlob
default: HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet,ControlSet*}\Services\ServiceName
description: Use a glob to define the keys that will be targetted.
- name: TypeRegex
default: key
description: Regex for Registry type. Usually key or SZ or .
- name: ReallyDoIt
description: When selected will really remove!
type: bool
sources:
- query: |
SELECT OSPath,
Name,
Data.type as Type,
Data.value as Value,
Mtime as Modified,
if(condition=ReallyDoIt,
then= if(condition= Data.type = 'key',
then= reg_rm_key(path=OSPath),
else= reg_rm_value(path=OSPath)),
else= FALSE ) as Deleted
FROM glob(globs=TargetRegistryGlob, accessor='registry')
WHERE Type =~ TypeRegex
column_types:
- name: Modified
type: timestamp