This query is one you are recommended to read the FULL context of the post to use. It is not simply a copy and paste query, like others in the forum. It is valuable under the right situation.

Live Discover Query - Artifacts of infection - Registry and other strings

  REVIEWED by Sophos 

Given that malicious software is designed to evade detection and thwart the ability to remediate; there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections as often a cleanup routine (if there even is one) may not be aware of or choose not to revert a system policy change. Unless the security product recorded all policy options in advance, it might revert a user-specified value and cause an issue.  It could reset everything to an operating system default state but with the possibility that defaults change over time, it soon gets unmanageable.  To expect security products to put everything back where it was is a little unrealistic. At least with Sophos RCA, you get an idea of what was changed.

Note: Some of these upcoming examples may be expected for your environment as these can be legitimately deployed, often by Group Policy, to configure a device for a specific user or role. 

Ones that spring to mind the "registry" table can be used for are:

  • DisableTaskMgr DWORD, value 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • DisableMFUTracking DWORD, value 1 under: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI
  • Start DWORD, value 4 under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
  • DisableRegistryTools, value 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • UpdatesDisableNotify, value 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  • FirewallDisableNotify=1, value 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  • AntiVirusDisableNotify=1, value 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

Note: Many of these values can also be set for the current user, i.e. under HKEY_CURRENT_USER so worth bearing in mind.

Others might include changes to the 'Userinit' or 'Shell' value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, of course, there are defaults:

  • Userinit = "C:\Windows\system32\userinit.exe,"
    • A query might be:
      select path,data from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' and data <> 'C:\Windows\system32\userinit.exe,';
  • Shell = "explorer.exe"
    • A query might be:
      select path,data from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' and data <> 'explorer.exe';

To help prioritize a "hunt" you might find it helpful to search the web-based auto-analysis engines for such values as they will often list strings that are found within malware which might include reg keys but strings can also be:

  • Mutexes, E.g.
    select * from winbaseobj where object_type='Mutant' limit 10;

    : Malware authors are pretty wise to not hardcoding strings of this type so this may be less fruitful than it once may have been but I assume this why osquery includes such a table. Information on this topic: 

  • Pipe names, E.g.
    select * from pipes limit 10;
    These are process-specific rather than a global synchronization primitive such as a mutex in the example above.  Again I can only think the pipes table exists because it has been insightful but as per the mutex example, 'strings may vary'.

Clearly, if you are already searching for something specific it is worth being aware of strings and how you might author queries to find them.