I'm trying to build a software instance based on the existence of a registry key. This is part of some security work for the Spectre/Meltdown issue. I think it would have been just as easy to script something in PowerShell, but hey. So far I have the below. It uploads fine, but when scanning a test server it doesn't seem to create the expected SI. I can confirm that the target server does indeed have the key outlined in the tpl.
First things first, I guess. Since this is the first time I'm identifying reg keys and there doesn't seem to be an example tpl for this, I think it could be my code that's at fault. Would someone be kind enough to look over the below and see if it looks ok?
tpl 1.6 module McAfee_Spectre_Meltdown_Vulnerability_Registry_Key;

metadata
    origin := 'Security Request';
    tree_path := "James Wyatt", "McAfee_Spectre_Meltdown_Vulnerability_Registry_Key";
    products := "McAfee Spectre/Meltdown Registry Key";
    publishers := "James Wyatt";
end metadata;

pattern McAfee_Spectre_Meltdown_Vulnerability_Registry_Key 1.0
    '''
    This pattern will attempt to identify the registry key that McAfee creates to tell Windows that it is safe to install patches relating to the Spectre / Meltdown vulnerabilities.
    '''
    metadata
        publishers := 'McAfee';
        categories := 'Spectre Meltdown Vulnerability Registry Key';
    end metadata;
    overview
        tags McAfee, Spectre, Meltdown, Vulnerability, Registry, Key;
    end overview;
    triggers
        on host := Host created, confirmed where os_type = "Windows";
    end triggers;

    body
        reg_query := discovery.registryKey(host, raw "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat");
        if reg_query and reg_query.value and reg_query.value = 'cadca5fe-87d3-4b96-b7fb-a231484277cc' then
            hosting_node := related.host(host);
            model.SoftwareInstance(
                key := 'McAfee Spectre/Meltdown Registry Key' + '/%hosting_node.key%',
                type := 'McAfee Spectre/Meltdown Registry Key',
                name := 'McAfee Spectre/Meltdown Registry Key' + ' on %hosting_node.name%',
                short_name := 'McAfee Spectre/Meltdown Registry Key'
            );
        end if;
    end body;
end pattern;
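
A PowerShell check of the same marker, run locally on the target server, as an added example that is not part of the original post. It assumes the layout Microsoft documented for this antivirus compatibility flag, where the GUID is the name of a REG_DWORD value with data 0 under the QualityCompat key; the function name and output fields are illustrative.

```powershell
# Added example: reports whether the QualityCompat marker is present and well-formed.
# Test-QualityCompatMarker and its output fields are illustrative names, not from the post.
function Test-QualityCompatMarker {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
        [string]$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        KeyExists    = $false
        ValueExists  = $false
        ValueKind    = $null
        Data         = $null
        Compliant    = $false
    }

    # A missing key is reported as KeyExists = $false rather than as an error.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) {
        $result.KeyExists = $true

        # The GUID is a value *name* under the key, so it is looked up by name
        # instead of being compared with the key's data.
        if ($key.GetValueNames() -contains $ValueName) {
            $result.ValueExists = $true
            $result.ValueKind   = $key.GetValueKind($ValueName)
            $result.Data        = $key.GetValue($ValueName)

            # The marker only counts when it is a REG_DWORD whose data is 0.
            $isDword            = $result.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord
            $result.Compliant   = $isDword -and ($result.Data -eq 0)
        }
    }

    [pscustomobject]$result
}

Test-QualityCompatMarker
```

The separate KeyExists, ValueExists and Compliant fields distinguish a host where only the key is present from one where the named value is set as expected.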