I have been trying to get a report (Analysis or task or filter) that will show the servers that have Notepad++ installed. It is coming back with Linux servers. Can anyone point to what I am doing incorrectly?
My relevance is:
exists keys whose (
exists value "DisplayName" of it
and (value "DisplayName" of it as string as lowercase contains "notepad++")
) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"
or
exists keys whose (
exists value "DisplayName" of it
and (value "DisplayName" of it as string as lowercase contains "notepad++")
) of keys "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
Updates for Windows Applications (part of the Patch License) contains Fixlets that update Notepad++. Perhaps the applicability relevance there would help.
If you look at which computers are relevant to the “Notepad++ (x64) 8.9.1 Available“ fixlet in Updates for Windows Applications site, any computer that is relevant to it, would have it installed already. And should have a vulnerable version installed. Deploying this fixlet would update them to a version that is no longer vulnerable, but you don’t know if those systems could have been compromised.
Also, I posted a link to a fixlet and analysis that checks for indicators of compromise for Notepad++