Registry Key Check - Relevance Issue

Greetings All,

I am trying to create an analysis to check the status of our security apps. One of the checks I would like to do involves looking at a specific registry key for Netskope. I can find the registry path using relevance, but I am unable to reference the values inside the path.

This is the base relevance I am working from. This works correctly.

(exists keys whose (exists values "DisplayName" whose (it as string contains "Google Chrome") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)


And here is the new relevance I have created to find the Netskope key/value I am trying to verify:

(exists keys whose (exists values "NpaStatus" whose (it as string contains "Disconnected") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope\NpaTunnel" of native registry)


I have confirmed that the value exists in the registry of the system I am testing on.

Any assistance or suggestions you can provide would be greatly appreciated.

Thank you,
_mxg

I think the issue has to do with the fact that you’re looking for keys within the ‘NpaTunnel’ key (but that key has the value you’re looking for).

Try something like:

(exists keys whose (name of it = "NpaTunnel" AND exists values "NpaStatus" whose (it as string contains "Disconnected") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope" of native registry)

4 Likes

Thank you Aram! That’s what I was missing. Your relevance worked, but I was also able to correct my original relevance and that now gives me the results I want. I was just too far down the registry chain. 🙃

(exists keys whose (exists values "NpaStatus" whose (it as string contains "Disconnected") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope" of native registry)


Many thanks,
_mxg

2 Likes
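
The three expressions in this thread, modelled in Python as an added example (not code from any poster here): `keys of <key>` yields that key's subkeys, so a value stored on NpaTunnel itself is never inspected by the first attempt. The registry snapshot is constructed, and the `OtherAgent` subkey and all function names are hypothetical; the last function shows that the final expression matches any subkey of NetSkope, not only NpaTunnel.

```python
# Constructed snapshot of HKEY_LOCAL_MACHINE\SOFTWARE (paths below are relative to it).
# Only NetSkope\NpaTunnel and NpaStatus come from the thread; "OtherAgent" is hypothetical.
REGISTRY = {"values": {}, "keys": {
    "NetSkope": {"values": {}, "keys": {
        "NpaTunnel": {"values": {"NpaStatus": "Disconnected"}, "keys": {}},
        "OtherAgent": {"values": {"NpaStatus": "Disconnected (stale)"}, "keys": {}},
    }},
}}


def key_at(path):
    """Model of: keys "<path>" of native registry (None when the key is absent)."""
    node = REGISTRY
    for part in path.split("\\"):
        node = node["keys"].get(part)
        if node is None:
            return None
    return node


def subkeys(path):
    """Model of: keys of keys "<path>". Returns the children, never the key itself."""
    node = key_at(path)
    return dict(node["keys"]) if node else {}


def has_value(key, name, needle):
    """Model of: exists values "<name>" whose (it as string contains "<needle>") of <key>."""
    return name in key["values"] and needle in str(key["values"][name])


def original_check():
    # First attempt: walks the subkeys of NpaTunnel, which has none, so it is always False.
    children = subkeys(r"NetSkope\NpaTunnel")
    return any(has_value(k, "NpaStatus", "Disconnected") for k in children.values())


def named_subkey_check():
    # Reply's version: subkeys of NetSkope, restricted to the one named NpaTunnel.
    return any(name == "NpaTunnel" and has_value(k, "NpaStatus", "Disconnected")
               for name, k in subkeys("NetSkope").items())


def any_subkey_matches():
    # Final version: no name filter, so every subkey of NetSkope is a candidate.
    return sorted(name for name, k in subkeys("NetSkope").items()
                  if has_value(k, "NpaStatus", "Disconnected"))
```
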