Windows.Detection.Network.Changed

Detects when a new network is added or removed from the system via the NetworkList registry keys.

name: Windows.Detection.Network.Changed
author: Zane Gittins
description: |
   Detects when a new network is added or removed from the system via the NetworkList registry keys.

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT_EVENT


parameters:
  - name: Period
    default: 60
    type: int64
    description: The period to check the registry.
  - name: Globs
    type: string
    default: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\**\\*"
    description: The registry path to search


sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'


    query: |
      SELECT * FROM diff(key="NetworkName", period=Period, query={
          SELECT Data.value as NetworkName from glob(accessor="reg",globs=Globs) WHERE Name=~"ProfileName" 
      })