CurrentControlSet\Services

(imported topic written by SecurityMG)

I’m looking to create a compound registry query to read the value “Type” of an unknown Services key and then display several values of that key. I cannot use the (DisplayName of it, Imagepath of it) of it as this is blocked by the services I am looking for. Malware also blocks SC Query and WMI requests.

So it must be done using Registry keys.

This part works:

Q: if exists ((values "Type" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose (it = "272")

This part does not work: I want the DisplayName key data value of “Beep” to display

then ((values "DisplayName" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose ("Type" of "Beep" = "1") else "No Key"

I used “Beep” as an example which has to be the Service Key the if exists finds. I would like to read the following values of each key with “Type value = 272” or any other value I am looking for. They can be four separate Properties in the analysis. That would be fine:

  1. Services\unknown - Actual Key name whose Type value = 272 or 120 HEX

  2. Services\unknown\DisplayName

  3. Services\unknown\Imagepath

  4. services\unknown\Parameters\ServiceDll

Seems simple enough, but can’t get it.

Thoughts?

Thanks,

MG

(imported comment written by jgstew)

unique values of (it as string) of values "type" of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

names of keys whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

values "ServiceDLL" of keys "Parameters" of keys whose (exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by SecurityMG)

Wow, thanks! On #2 & #3 I was close; not sure why I didn’t get those.

Now on #4: any idea how to get the Parameters key on ONLY the service keys whose Type value is “272”?

This is not working:

values "ServiceDLL" of keys "Parameters" of keys whose (exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) AND whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

That last one does not work for me either because I did not have any services on my machine that had such entries, so that was purely a guess.

(imported comment written by SecurityMG)

How about changing the TYPE value to 32 or any of the ones that worked under #1 that you do have.

The “Parameter\Services” value is the malware file, and the TYPE value indicates something funky, so the real trick is to link these two.

(imported comment written by jgstew)

(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

keys "Parameters" of keys whose (value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by jgstew)

number of keys "Parameters" of keys whose (value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by dmoore21)

When I try your query, I get the following:

Q: keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

E: This expression evaluates to an unrepresentable object of type “registry key”

(imported comment written by jgstew)

That is what you should get, that means you are getting a result.

Try this:

names of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by SecurityMG)

This one just returns “Parameters” as the answer for all. Tried to play with it… it just returns True.

value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

This works to find the ServiceDll value for any key.

It would be nice to combine the one above with below… :wink:

(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

Thanks for your assistance… for some reason this was eluding me.

(imported comment written by jgstew)

It was only supposed to return “Parameters”… I do not have this situation on any of my systems, so I cannot come up with examples to extract the info that you desire without just guessing.

This is kind of what I’m trying to point you towards:

(value "whatever" of it, value "whatever2" of it) of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

(imported comment written by SecurityMG)

This is the query I was after.

value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

The TYPE value 288 is VERY odd and does not show up where you would expect. I look at the type to see if I need to know more, and the above tells me the actual SERVERDLL that is being injected by the Imagepath, which in the case of the malware is svchost netsvcs, and that tells me nothing… but the Parameters subkey of the service has a ServiceDll value that lists the BAD JuJu dll I am trying to find.
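The same hunt in offline form, as an added example that is not part of the original thread and is not BigFix relevance: a Python script that parses a constructed `reg export` snippet of the Services key (the service names "SharedSvc" and "OddSvc", their paths and DLL names are made up for the example) and returns, for every service whose Type equals a given value, the four fields the thread asks for: key name, DisplayName, ImagePath and Parameters\ServiceDll. It also decodes the Type bits using the Win32 SERVICE_* constants, which is why 272 (0x110) is own-process + interactive and 288 (0x120) is share-process + interactive, and why a share-process service run under svchost is only interesting once you read the ServiceDll it loads.

```python
import re

# Bits of the Services\<name>\Type value, from the Win32 SERVICE_* constants.
TYPE_BITS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed `reg export` snippet: Beep is the real driver from the thread,
# SharedSvc and OddSvc (and their paths/DLLs) are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"DisplayName"="Beep"
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedSvc]
"Type"=dword:00000020
"DisplayName"="Shared Host Service"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedSvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\shared.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OddSvc]
"Type"=dword:00000120
"DisplayName"="Odd Service"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OddSvc\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,62,00,61,00,64,00,2e,00,64,00,6c,00,6c,00,\
  00,00
'''


def _decode_value(data: str):
    """Decode one .reg value: "text" (REG_SZ), dword:hex, or hex(1|2) UTF-16LE text."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"hex\((\d+)\):(.*)$", data)
    if m and m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ dumped as bytes
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data  # other types are kept in their textual form


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name.lower(): value}} for a .reg export.
    Value names are lower-cased because the registry compares them
    case-insensitively (the thread mixes "Type" and "type")."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip().strip('"').lower()] = _decode_value(data.strip())
    return keys


def describe_type(value: int) -> str:
    """Name the SERVICE_* bits set in a Type value, e.g. 0x120 -> share|interactive."""
    names = [n for bit, n in TYPE_BITS.items() if value & bit]
    return "|".join(names) if names else "unknown(0x%x)" % value


def find_services(keys: dict, type_value: int) -> list:
    """Services directly under SERVICES_ROOT whose Type == type_value, with the
    four fields from the thread; ServiceDll is read from the Parameters subkey."""
    prefix = SERVICES_ROOT + "\\"
    hits = []
    for path, values in keys.items():
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue  # skip Parameters and other nested subkeys
        if values.get("type") != type_value:
            continue
        params = keys.get(path + "\\Parameters", {})
        hits.append({
            "name": path[len(prefix):],
            "type": describe_type(type_value),
            "display_name": values.get("displayname"),
            "image_path": values.get("imagepath"),
            "service_dll": params.get("servicedll"),
        })
    return hits


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for wanted in (272, 288, 32):
        print("Type =", wanted, "(" + describe_type(wanted) + ")")
        for svc in find_services(keys, wanted):
            print("  ", svc)
```

Run against a real `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` dump, the same two functions give you the join the thread wanted: the Type filter selects the service key, and the ServiceDll comes from its Parameters child rather than from the service key itself.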

(imported comment written by SecurityMG)

Scratch that…

Use ‘values’ in case there are multiple keys:

values "ServiceDll" of keys whose (value "Type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of x64 registry

(imported comment written by jgstew)

You don’t need “x64 registry”, use “native registry” since it will work on 32bit or 64bit machines.

(In all truth, you don’t actually need “native registry” since it only makes a difference when looking at the Software key, but I like to use it everywhere.)

(imported comment written by SecurityMG)

True unless you are trying to refine it.