Hello.
I'm trying to create a custom definition in LD 9.5 SP1 to detect if a certain registry key is set to a certain value.
Since the "Registry Settings" function is hardcoded to only support HKEY_LOCAL_MACHINE, I need to use a "Custom script" instead since the key I'm looking for is placed in HKEY_CLASSES_ROOT.
I'm using the built-in function "ReadRegValue" to get the value, but whenever I try to read a value below HKEY_CLASSES_ROOT\CLSID I get an empty result. I can read other keys in HKEY_CLASSES_ROOT without any issues.
Example:
For testing, I import the following keys on a test device:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\{dummy}]
"Test2"="val_test2"
@="dummyval2"

[HKEY_CLASSES_ROOT\{dummy}\shell]

[HKEY_CLASSES_ROOT\{dummy}\shell\open]

[HKEY_CLASSES_ROOT\{dummy}\shell\open\command]
@="c:\\dummy1.exe"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{dummy}]
"Test2"="val_test2"
@="dummyval2"

[HKEY_CLASSES_ROOT\CLSID\{dummy}\shell]

[HKEY_CLASSES_ROOT\CLSID\{dummy}\shell\open]

[HKEY_CLASSES_ROOT\CLSID\{dummy}\shell\open\command]
@="c:\\dummy1.exe"
I have a rule in my custom definition that is using the following script:
' Keys under HKEY_CLASSES_ROOT\CLSID: these come back empty
Log "CLSID testing"
stringRegVal = ReadRegValue("HKEY_CLASSES_ROOT\CLSID\{dummy}\")
Log stringRegVal
stringRegVal = ReadRegValue("HKEY_CLASSES_ROOT\CLSID\{dummy}\shell\open\command\")
Log stringRegVal

' The same key layout directly under HKEY_CLASSES_ROOT: these read fine
Log "Non CLSID testing"
stringRegVal = ReadRegValue("HKEY_CLASSES_ROOT\{dummy}\")
Log stringRegVal
stringRegVal = ReadRegValue("HKEY_CLASSES_ROOT\{dummy}\shell\open\command\")
Log stringRegVal
The result in my vulscan log file is the following:
Running detection script
CLSID testing
Non CLSID testing
dummyval2
c:\dummy1.exe
The keys in CLSID are not read as they should be.
Has anyone experienced this before and/or know how to solve it?
Thanks in advance.
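One thing worth checking on the test device before blaming the custom-script function: HKEY_CLASSES_ROOT\CLSID is one of the keys that WOW64 redirects, so a 32-bit process reading HKCR\CLSID\{dummy} is actually looking at HKCR\WOW6432Node\CLSID\{dummy}, while the .reg file above (imported by 64-bit regedit) creates the key in the 64-bit view only. The PowerShell below is an added example, not code from the original post or from the LANDesk product; it reads the same default values the post's script reads, but from both the 64-bit and the 32-bit registry view, so you can see in which view the test keys actually exist. It assumes the {dummy} keys from the post have been imported on the machine where it runs.

```powershell
# Added example (not from the original post): read the default (@=) values of the
# post's test keys from both registry views. A value present in one view but not
# the other means the key only exists for that architecture, which is exactly what
# a scanner running as a 32-bit process would report as "empty".
# Assumes the {dummy} keys from the post's .reg file have been imported.

function Get-ClsidTestValues {
    param(
        [string]$SubKey = 'CLSID\{dummy}'   # relative to HKEY_CLASSES_ROOT, as in the post
    )

    $results = @()
    foreach ($view in @([Microsoft.Win32.RegistryView]::Registry64,
                        [Microsoft.Win32.RegistryView]::Registry32)) {
        $base = $null
        try {
            # OpenBaseKey lets a script pick the view explicitly instead of
            # inheriting the redirection of the process it runs in.
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                        [Microsoft.Win32.RegistryHive]::ClassesRoot, $view)

            foreach ($relative in @('', 'shell\open\command')) {
                $path = if ($relative) { "$SubKey\$relative" } else { $SubKey }
                $key  = $base.OpenSubKey($path)
                if ($null -eq $key) {
                    $value = '<key not found>'
                } else {
                    # GetValue('') returns the unnamed (default) value written as @= in the .reg file
                    $value = $key.GetValue('', '<no default value>')
                    $key.Close()
                }
                $results += [pscustomobject]@{
                    View  = $view.ToString()
                    Key   = "HKEY_CLASSES_ROOT\$path"
                    Value = $value
                }
            }
        } finally {
            if ($base) { $base.Close() }
        }
    }
    return $results
}

# Show both views side by side for the two keys the post's script queries.
Get-ClsidTestValues | Format-Table -AutoSize
```

If the values show up only under Registry64, the keys are present but invisible to 32-bit readers; if they show up in both views, or under Registry32 as well after importing the .reg file with the 32-bit regedit, redirection is not the explanation and the custom-script function itself needs a closer look.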