This should get you started (watch for wrapping):
Null Sessions: System\CurrentControlSet\Services\LanmanServer\Parameters\NullSession
LSA: System\CurrentControlSet\Control\Lsa
Run: Software\Microsoft\Windows\CurrentVersion\Run
RunOnce: Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnceEx: Software\Microsoft\Windows\CurrentVersion\RunOnceEx
RunServices: Software\Microsoft\Windows\CurrentVersion\RunServices
Services: System\CurrentControlSet\Services
Known DLLs: System\CurrentControlSet\Control\Session Manager\KnownDLLs
Remote Access: System\CurrentControlSet\Control\SecurePipeServers\winreg
SessionManager-BootExecute: System\CurrentControlSet\Control\SessionManager\BootExecute
Windows AppInit_DLLs: Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Winlogon AutoAdminLogon: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
Winlogon DefaultPassword: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword
Winlogon-Shell: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

There are some locations for Windows Certificate Server stuff I have somewhere. I'll try to get those to you, as well.

Disclaimer: Most of the items on this list were taken from the config of a popular commercial HID. It's just registry locations, so I can't see how this would be a violation of any copyrights.

Daniel Cid wrote:
Hello everyone,

I just completed adding support for monitoring the Windows registry on ossec. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required).

The configuration will have the following options available (inside the syscheck area):

<windows_registry>HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software, HKEY_USERS\Example</windows_registry>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>

Where the first option is a list (comma separated) of registry entries to monitor and the second is a list of entries to ignore.

A question now for you guys (Windows users):

- Which registry entries should we monitor by default?

I was thinking of everything at HKEY_LOCAL_MACHINE\SYSTEM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM. Is there anything else worth checking too?

Please let me know your comments...

*btw, next version (1.0) is coming soon...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
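The following syscheck block is an added example that ties the two messages together; it is not configuration from the thread, from Daniel, or from the OSSEC distribution. It takes the options Daniel describes (windows_registry and registry_ignore inside the syscheck area) and fills them with the key list from the reply plus the three hives Daniel proposes. Assumptions are marked in comments: the reply gives its paths relative to HKEY_LOCAL_MACHINE, so that prefix is added; where the reply names a value rather than a key (NullSession, BootExecute, AppInit_DLLs, the three Winlogon entries), the parent key is monitored, since a change to any value under a monitored key is what a key-level check will report; the Session Manager key name carries a space in the real registry; and one windows_registry element per key is used instead of the single comma-separated list the thread describes, purely for readability.

```xml
<ossec_config>
  <syscheck>
    <!-- Added example: syscheck registry configuration built from the thread.
         Assumption: keys are under HKEY_LOCAL_MACHINE (the reply omits the hive). -->

    <!-- The three hives Daniel proposed as defaults. -->
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SECURITY</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SAM</windows_registry>

    <!-- Null sessions: NullSession* are values under the Parameters key,
         so the key is monitored. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters</windows_registry>

    <!-- LSA and service definitions. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

    <!-- Autostart keys. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</windows_registry>

    <!-- KnownDLLs, and BootExecute (a value under Session Manager; the key
         name has a space in the registry). -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</windows_registry>

    <!-- Remote registry access control. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <!-- AppInit_DLLs is a value under the Windows key. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>

    <!-- AutoAdminLogon, DefaultPassword and Shell are all values under
         the Winlogon key, so one entry covers the three. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <!-- Assumption: an ignore for a subtree that churns on its own (DHCP
         lease data) rather than Daniel's sample ignore of
         HKEY_LOCAL_MACHINE\Software\Microsoft, which would also swallow
         the Run, RunOnce, Windows and Winlogon keys listed above. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>
  </syscheck>
</ossec_config>
```

Two things to check before deploying a block like this: that no registry_ignore entry is a parent of a windows_registry entry you care about (Daniel's example ignore of HKEY_LOCAL_MACHINE\Software\Microsoft would silence most of the reply's list), and that monitoring all of HKEY_LOCAL_MACHINE\SYSTEM does not bury the targeted keys in noise from subtrees that change in normal operation; the ignore list is where that noise is trimmed.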