logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Registry Entries

Status: Under Review Submitted by on ‎06-27-2019 01:21 PM

Description: Values in Windows Registry Hives

What The Data Shows: could determine what registry values exist, this can be used to find installed software, or indicators of compromise; where registry could be used for persistence

SQL: 

SELECT key,path,name,data
 FROM (`registry`);

 

Tags (2)
Comment
1 Comment
jnelson
Carbon Black Employee
‎07-05-2019 02:49 PM
‎07-05-2019 02:49 PM
Status changed to: Under Review

@coreymaygard While this query works, it is too broad to be effective. You can some examples in the Query Exchange and the Recommended Queries in CB Live Query where we look for misconfigurations, persistence, and vulnerabilities.

logo