17 Replies. Latest reply on Feb 7, 2018 4:33 AM by James Wyatt

    Building An SI Based On The Registry Key

    James Wyatt

      Good Afternoon,

       

      I'm trying to build a software instance based on the existence of a registry key. This is part of some security work for the Spectre/Meltdown issue. I think it would have been just as easy to script something in powershell, but hey. So far I have the below. It uploads fine but when scanning a test server it doesn't seem to create the expected SI. I can confirm that the target server does indeed have the key outlined in the tpl.

       

      First things first I guess. Since this is the first time I'm identifying reg keys and there doesn't seem to be an example tpl for this. I think it could be my code that's at fault. Would someone be kind enough to look over the below and see if it looks ok?

       

      Best Regards,

       

      James


      tpl 1.6 module McAfee_Spectre_Meltdown_Vulnerability_Registry_Key;

      metadata
          origin := 'Security Request';
          tree_path := "James Wyatt", "McAfee_Spectre_Meltdown_Vulnerability_Registry_Key";
          products := "McAfee Spectre/Meltdown Registry Key";
          publishers := "James Wyatt";
      end metadata;

      pattern McAfee_Spectre_Meltdown_Vulnerability_Registry_Key 1.0
        """
        This pattern will attempt to identify the registry key that McAfee creates to tell Windows that it is safe to install patches relating to the Spectre / Meltdown vulnerabilities.
        """
        metadata
            publishers := 'McAfee';
            categories := 'Spectre Meltdown Vulnerability Registry Key';
        end metadata;

        overview
          tags McAfee, Spectre, Meltdown, Vulnerability, Registry, Key;
        end overview;

        triggers
          on host := Host created, confirmed where os_type = "Windows";
        end triggers;

        body
          reg_query := discovery.registryKey(host, raw "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat");

          if reg_query and reg_query.value and reg_query.value = 'cadca5fe-87d3-4b96-b7fb-a231484277cc' then
              hosting_node := related.host(host);

              model.SoftwareInstance(
                  key := 'McAfee Spectre/Meltdown Registry Key' + '/%hosting_node.key%',
                  type := 'McAfee Spectre/Meltdown Registry Key',
                  name := 'McAfee Spectre/Meltdown Registry Key' + ' on %hosting_node.name%',
                  short_name := 'McAfee Spectre/Meltdown Registry Key'
              );
          end if;
        end body;

      end pattern;

        • 1. Re: Building An SI Based On The Registry Key
          Shane Smith

          Looks like you have the host node and created the software instance but haven't related them to each other.

           

          si_node := model.SoftwareInstance(
              key := 'McAfee Spectre/Meltdown Registry Key' + '/%hosting_node.key%',
              type := 'McAfee Spectre/Meltdown Registry Key',
              name := 'McAfee Spectre/Meltdown Registry Key' + ' on %hosting_node.name%',
              short_name := 'McAfee Spectre/Meltdown Registry Key');

           

          And then you have to create the relation between the si_node and the hosting_node.

           

          See examples at:  Model functions - BMC Discovery 11.0 - BMC Documentation

           

          log.debug(<text>); can help debugging as well.

          1 of 1 people found this helpful
          • 2. Re: Building An SI Based On The Registry Key
            Andrew Waters

            There is little point in doing hosting_node := related.host(host); as it will just return the original host.

             

            Are you sure there is no SoftwareInstance, rather than it not being related to the Host? First-order SoftwareInstances are automatically related to a Host, but this is not a first-order one (due to the trigger being a Host). It means you would need to link it yourself.

             

            I would not recommend using a SoftwareInstance for this - it is not really running software. If you want a node (rather than just adding an attribute to the Host) then Detail is probably more appropriate.

             

            So something like

            detail := model.Detail(...attributes...);
            model.rel.Detail(ElementWithDetail := host, Detail := detail);

            3 of 3 people found this helpful
            • 3. Re: Building An SI Based On The Registry Key
              James Wyatt

              Ok. Thanks guys.

               

              I'm a TPL beginner and unfortunately creating non-standard TPL is not my usual job. TPL was only touched upon in the classes I took with BMC, and as such I'm no expert. This is already taking longer to accomplish than I would have expected; again, this is probably due to my lack of TPL skills, but the reality is, I'm looking to accomplish something seemingly simple, but it's taking much longer than my timetable will allow.

               

              We have a requirement to run Discovery reporting against any servers that have the above reg key set. Can you advise if there is an example I can follow somewhere? I've tried searching but I can't find anything suitable, but maybe due to my lack of understanding, I may be searching for the wrong material.

               

              Can you help?

              • 4. Re: Building An SI Based On The Registry Key
                Shane Smith

                It doesn't appear that you are very far off. The following is UNTESTED.  Use at your own discretion.

                 

                  body
                    reg_query := discovery.registryKey(host, raw "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat");

                    if (reg_query) then
                        if (reg_query.value = 'cadca5fe-87d3-4b96-b7fb-a231484277cc') then
                            detail := model.Detail ( key := 'McAfee Spectre/Meltdown Registry Key' + '/%host.key%',
                                                     type := 'McAfee Spectre/Meltdown Registry Key',
                                                     name := 'McAfee Spectre/Meltdown Registry Key' + ' on %host.name%',
                                                     short_name := 'McAfee Spectre/Meltdown Registry Key');
                        end if;
                    end if;

                    model.rel.Detail(ElementWithDetail := host, Detail := detail);

                  end body;

                end pattern;

                 

                If you have a lot of problems getting the detail node created and related, you could stop the pattern after getting the registry key and then try creating a report on the raw discovered data.  This example could show multiple lines for one host but there may be a way to refine that.

                 

                search DiscoveredRegistryValue where value = "cadca5fe-87d3-4b96-b7fb-a231484277cc" and request_time > parseLocalTime('2018-1-1 00:00:00') and nodecount(traverse DiscoveryResult:DiscoveryAccessResult:DiscoveryAccess:DiscoveryAccess where nodecount(traverse Associate:Inference:InferredElement:Host where name defined)) show discovery_method, query, failure_reason, #DiscoveryResult:DiscoveryAccessResult:DiscoveryAccess:DiscoveryAccess.#Associate:Inference:InferredElement:Host.hostname)

                2 of 2 people found this helpful
                • 5. Re: Building An SI Based On The Registry Key
                  Bob Anderson

                  Try this modification to Shane's query:

                  I've split the query into multiple lines to make it easier to read and modify.

                  I've added the _last_marker flag to filter out the multiple rows, and added 2 more fields: value, and a combined field for value or failure_reason, just to make it interesting.

                   

                   

                  //search registry value = "cadca5fe-87d3-4b96-b7fb-a231484277cc" and request_time > parseLocalTime('2018-1-1 00:00:00') and _last_marker
                  search DiscoveredRegistryValue where
                  #DiscoveryResult:DiscoveryAccessResult:DiscoveryAccess:DiscoveryAccess._last_marker and
                  value = "cadca5fe-87d3-4b96-b7fb-a231484277cc" and
                  request_time > parseLocalTime('2018-1-1 00:00:00') and
                  nodecount(traverse DiscoveryResult:DiscoveryAccessResult:DiscoveryAccess:DiscoveryAccess where nodecount(traverse Associate:Inference:InferredElement:Host where name defined))
                  show
                  discovery_method as 'Discovery Method',
                  query as 'Query',
                  value as 'Value',
                  failure_reason as 'Failure Reason',
                  // combine result and failure_reason in one field:
                  (value or failure_reason) as 'Result',
                  #DiscoveryResult:DiscoveryAccessResult:DiscoveryAccess:DiscoveryAccess.#Associate:Inference:InferredElement:Host.hostname

                   

                  Also, when you get Shane's suggested code to compile and you have run some discoveries, you could search for hosts with these details added:

                   

                  //search for hosts with detail type

                  search Host where #:::Detail.type = 'McAfee Spectre/Meltdown Registry Key'

                  or

                  //search for Details, traverse to host

                  search Detail where type = 'McAfee Spectre/Meltdown Registry Key' traverse :::Host

                   

                  Additionally, you could also search for Windows Hosts without this detail

                   

                  search Host as all_windows_hosts where os_class = "Windows"

                  search Detail where type = 'McAfee Spectre/Meltdown Registry Key' traverse :::Host as key_ready

                  search in (all_windows_hosts - key_ready)

                   

                  HTH

                   

                  Bob

                  1 of 1 people found this helpful
                  • 6. Re: Building An SI Based On The Registry Key
                    Andrew Waters

                    This pattern is a little broken. You want the relationship creation only if you create the node.

                     

                    The other thing you may need to consider is the value changes you never remove the Detail.

                    1 of 1 people found this helpful
                    • 7. Re: Building An SI Based On The Registry Key
                      Bob Anderson

                      To address Andrew's points, here is the complete pattern - uploaded successfully, but otherwise not tested:

                      Also addressed log messages in cases where the 'if' condition failed ('else').

                      NOTE: Set the log messages to log.debug when testing is complete and moved into production to reduce the impact of the logging messages.

                       

                       

                      tpl 1.6 module McAfee_Spectre_Meltdown_Vulnerability_Registry_Key;

                      metadata
                          origin := 'Security Request';
                          tree_path := "James Wyatt", "McAfee_Spectre_Meltdown_Vulnerability_Registry_Key";
                          products := "McAfee Spectre/Meltdown Registry Key";
                          publishers := "James Wyatt";
                      end metadata;

                      pattern McAfee_Spectre_Meltdown_Vulnerability_Registry_Key 1.0
                        """
                        This pattern will attempt to identify the registry key that McAfee creates to tell Windows that it is safe to install patches relating to the Spectre / Meltdown vulnerabilities.
                        """
                        metadata
                            publishers := 'McAfee';
                            categories := 'Spectre Meltdown Vulnerability Registry Key';
                        end metadata;

                        overview
                          tags McAfee, Spectre, Meltdown, Vulnerability, Registry, Key;
                        end overview;

                        triggers
                          on host := Host created, confirmed where os_type = "Windows";
                        end triggers;

                        body
                          reg_query := discovery.registryKey(host, raw "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat");

                          if (reg_query) then
                              if (reg_query.value = 'cadca5fe-87d3-4b96-b7fb-a231484277cc') then
                                  detail := model.Detail ( key := 'McAfee Spectre/Meltdown Registry Key' + '/%host.key%',
                                                           type := 'McAfee Spectre/Meltdown Registry Key',
                                                           name := 'McAfee Spectre/Meltdown Registry Key' + ' on %host.name%',
                                                           short_name := 'McAfee Spectre/Meltdown Registry Key');

                                  // if detail, relate to the host and set removal group
                                  if detail then
                                      model.rel.Detail(ElementWithDetail := host, Detail := detail);
                                      // setting the removal group
                                      model.setRemovalGroup(detail, 'Spectre:Meltdown_Registry');
                                  else
                                      log.info("*****McAfee_Spectre_Meltdown_Vulnerability_Registry_Key: Spectre:Meltdown registry detail not created");
                                  end if;
                              else
                                  log.info("*****McAfee_Spectre_Meltdown_Vulnerability_Registry_Key: Spectre:Meltdown registry key not found : -->%reg_query.query%<--");
                              end if;
                          else
                              log.info("*****McAfee_Spectre_Meltdown_Vulnerability_Registry_Key: Spectre:Meltdown registry key search failed");
                          end if;

                        end body;

                      end pattern;

                      1 of 1 people found this helpful
                      • 8. Re: Building An SI Based On The Registry Key
                        Andrew Waters

                        There is no need to check detail - model.Detail will always return a node.

                        1 of 1 people found this helpful
                        • 9. Re: Building An SI Based On The Registry Key
                          James Wyatt

                          Thanks Guys.

                           

                          Hi Bob - I uploaded the pattern without issue. When I run it against our current Windows infrastructure and then attempt to query against it, I can't find any references except to the pattern itself.

                          • 10. Re: Building An SI Based On The Registry Key
                            Andrew Waters

                            On one of the Windows machines where the registry key is present, can you see the registry request being made? It should appear under getRegistryValue on the DiscoveryAccess. Is it successful with the expected value?

                            • 11. Re: Building An SI Based On The Registry Key
                              James Wyatt

                              Hi Andrew,

                               

                              It looks like it's trying but it doesn't appear to find it.

                               

                              [Screenshot: getRegistryValue.PNG]

                              • 12. Re: Building An SI Based On The Registry Key
                                Andrew Waters

                                You are not looking for the correct value. This is implicitly asking for the default (non-existent value).

                                 

                                This shows you need to look for the registry key

                                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc

                                • 13. Re: Building An SI Based On The Registry Key
                                  James Wyatt

                                  Thanks Andrew.

                                   

                                  I updated the TPL to look for the full key and the value 0. It looks like we can now gain the registry key, but I can't find any query results. Also, running a general search for Spectre only yields the TPL-related kinds themselves.

                                   

                                  [Screenshot: getRegistryValue2.PNG]

                                  • 14. Re: Building An SI Based On The Registry Key
                                    Andrew Waters

                                    What does the TPL look like now? Did you remove the reg_query.value = 'cadca5fe-87d3-4b96-b7fb-a231484277cc' test as this will not be true and hence not build the Detail node.
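Pulling the corrections from this thread together (query the value name under QualityCompat rather than the key's default value, drop the GUID-as-data comparison, no need to test the Detail node, relate it only where it is created, and Bob's removal group so a later run that no longer finds the value cleans it up), here is an added example pattern. It is not code from any poster in this thread; it assumes discovery.registryKey returns the REG_DWORD as either 0 or "0" and that a 1.1 version bump is acceptable.

```tpl
tpl 1.6 module McAfee_Spectre_Meltdown_Vulnerability_Registry_Key;

metadata
    origin := 'Security Request';
    tree_path := "James Wyatt", "McAfee_Spectre_Meltdown_Vulnerability_Registry_Key";
    products := "McAfee Spectre/Meltdown Registry Key";
    publishers := "James Wyatt";
end metadata;

pattern McAfee_Spectre_Meltdown_Vulnerability_Registry_Key 1.1
  """
  Records a Detail on Windows hosts where the antivirus-compatibility value
  written under QualityCompat is present. The GUID is the value NAME, so the
  query must include it; the key alone only yields the (absent) default value.
  """
  overview
    tags McAfee, Spectre, Meltdown, Vulnerability, Registry, Key;
  end overview;

  triggers
    on host := Host created, confirmed where os_type = "Windows";
  end triggers;

  body
    // Query the value itself: key path plus value name.
    reg_query := discovery.registryKey(host,
        raw "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc");

    if not reg_query then
        log.debug("Spectre/Meltdown compatibility value not present on %host.name%");
        stop;
    end if;

    // Assumption: the DWORD 0 comes back as 0 or "0"; accept either form.
    if reg_query.value <> 0 and reg_query.value <> "0" then
        log.debug("Unexpected value -->%reg_query.value%<-- on %host.name%");
        stop;
    end if;

    // model.Detail always returns a node, so relate it and set the removal
    // group directly; a later run that stops above leaves nothing to keep.
    detail := model.Detail(key := 'McAfee Spectre/Meltdown Registry Key/%host.key%',
                           type := 'McAfee Spectre/Meltdown Registry Key',
                           name := 'McAfee Spectre/Meltdown Registry Key on %host.name%',
                           short_name := 'McAfee Spectre/Meltdown Registry Key',
                           value := reg_query.value);
    model.rel.Detail(ElementWithDetail := host, Detail := detail);
    model.setRemovalGroup(detail, 'Spectre:Meltdown_Registry');
  end body;
end pattern;
```

Bob's searches above (search Host where #:::Detail.type = 'McAfee Spectre/Meltdown Registry Key', and the all_windows_hosts minus key_ready set difference) then report the hosts with and without the value.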
