Handy files or registry items to scan

Maybe some of them are posted already, but these are a few of the reg keys and files we scan:

Files:
c:\LS\LSPush.exe (to check the LSPush version)
c:\windows\system32\drivers\etc\hosts (to check for changes in the hosts file)
c:\pagefile.sys (to report on the size of the pagefile)

Registry Keys:

McAfee:
SOFTWARE\McAfee\AVSolution\DS\DS - dwContentMajorVersion
SOFTWARE\Wow6432Node\McAfee\AVEngine - AVDatVersion
SOFTWARE\McAfee\AVEngine - AVDatVersion
SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL - enableoas

VNC:
SOFTWARE\TightVNC\Server - RfbPort

RDP:
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp - UserAuthentication
SYSTEM\CurrentControlSet\Control\Terminal Server - fDenyTSConnections
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp - PortNumber

Defender:
SOFTWARE\Policies\Microsoft\Windows Defender - DisableAntiSpyware

WSUS:
Software\Policies\Microsoft\Windows\WindowsUpdate - WUServer
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - TargetGroup
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update - AUOptions
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU - AUOptions
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download - LastSuccessTime
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install - LastSuccessTime

And then a couple of custom registry keys that we set using PowerShell scripts which we use to monitor our backups:
eg. SOFTWARE\CUSTOMER_XYZ\Backup\LastSuccessfullTransfer - Date

SMB status:

HKLM    SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters    SMB1
HKLM    SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters    SMB2

Symantec Endpoint Protection virus definition update date

HKLM    SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate                LatestVirusDefsDate
HKLM    SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate    LatestVirusDefsDate

SSL and TLS client default status

HKLM    SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client    DisabledByDefault
HKLM    SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client    DisabledByDefault

Windows OS build number

HKLM    SOFTWARE\Microsoft\Windows NT\CurrentVersion    ReleaseId

Keep in mind if you put trash in your INSERTS, you could break everything, so back up your database/etc - or have undo/delete scripts for each insert that you do...

Hockey: if you beg support, they might give you a query and say it's unsupported...


AT YOUR OWN RISK AND UNCONFIRMED:

TSysFiles - you can insert 'Searchfile' and 'Enabled' (1 or 0)


TsysRegistry - you can insert 'Rootkey' 'RegPath' 'Regvalue' and 'Enabled'


that should be everything you need as the other column is a unique autoincrement key that everything should then key off of afterwards.

I forgot about this thread, I should update this with more useful keys to check..


Or files! Example -the hosts file! If its modified, have it email you as something sketchy might be going on!


I'll have to dig some up when I'm at work.

Lol hockey you found my old post/handle

entering all those registry keys can be a big pain in LS. Is there a way to speed it up with perhaps an import feature where we can take .reg file and feed it to LS and it would set up our scans for us>?

oh - sorry, you can remove domainrole > 1 as that just gets servers...

my bad