Closed XYujie closed 10 months ago
Hello, to confirm: are you running ASA as administrator? A lot (most) of registry data isn't visible to a standard user.
Hello, I am running ASA as an administrator. While waiting for your reply I ran it without assigning any hives; after the baseline scan I created some keys under LocalMachine and then ran it again. I got a JSON file that only contains some REGISTRY_MODIFIED objects, and all of them are from HKEY_CLASSES_ROOT.
Thanks for the confirmation. In that case the behavior you describe is not what I'd expect.
I'll take some time to investigate this next week. I'll have to set up a VM with Server 2022 to see if it's an OS-specific issue; I haven't noticed the same issues on standard Windows 10/11.
I appreciate that. I am planning to do the same on Win10 to check whether it is an OS-specific issue; I'll let you know this week.
To confirm: if I want to scan the registry in LocalMachine, what is the correct argument for --hives: HKEY_LOCAL_MACHINE, HkeyLocalMachine, or LocalMachine?
Attachment: BaselineScan001_vs_SecondScan001_summary.json.txt

I have run ASA again with more information; hope this is helpful for your investigation. Here are the details and the steps I took.
OS Info:
ASA run info in CMD (CMD run as an admin user):

C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297>Asa.exe collect -r --runid BaselineScan001
[09:56:32 INF] AttackSurfaceAnalyzer v.2.3.297+8f3ee6911a
[09:56:32 INF] Begin BaselineScan001.
[09:56:32 INF] Starting 1 Collectors.
[09:56:37 INF] Starting RegistryCollector.
[09:58:04 INF] Completed RegistryCollector in 00h:01m:26s:628ms.

C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297>Asa.exe collect -r --runid SecondScan001
[09:59:41 INF] AttackSurfaceAnalyzer v.2.3.297+8f3ee6911a
[09:59:41 INF] Begin SecondScan001.
[09:59:41 INF] Starting 1 Collectors.
[09:59:46 INF] Starting RegistryCollector.
[10:01:16 INF] Completed RegistryCollector in 00h:01m:30s:093ms.

C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297>Asa.exe export-collect --firstrunid BaselineScan001 --secondrunid SecondScan001
[10:01:53 INF] AttackSurfaceAnalyzer v.2.3.297+8f3ee6911a
[10:01:53 INF] Comparing BaselineScan001 vs SecondScan001.
[10:02:03 INF] Completed Comparing in 00h:00m:09s:544ms.
[10:02:03 INF] Completed Analysis in 00h:00m:00s:070ms.
[10:02:03 INF] Output written to: C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297\BaselineScan001_vs_SecondScan001_summary.json.txt
Timing of the manually created registry key:

After BaselineScan001 completed, I created a test registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AfterBaseline
and a registry value named TestValue under that test key.

Then I ran SecondScan001 and got a result file without any registry creation info for the above, although it contains some other registry activity, which should be system activity (always happening in the background)?

JSON file I got: see the attached file.
@XYujie Thank you again for your detailed report, particularly the registry locations you were having trouble gathering. I developed a fix in #701 that I believe will now resolve the issues you were experiencing with the Registry Collector.
@gfs Thanks for your fix. Would you kindly tell me how to apply it? Should I download a particular file or something like that?
@XYujie
We should be able to merge the PR today after which a new version will be published to nuget/as a zip.
The PR has been merged. A new release with the fix should be available in about an hour. Thanks again for your report, and feel free to reach out again should you encounter any further issues.
Checked the newly released version and it works well. Thank you for your quick fix!
Used command:
{asaPath} collect --registry --hives LocalMachine --runid Base001
I first ran it as a baseline scan, then created a registry key under "HKEY_LOCAL_MACHINE" and also a value in that key.
After that, I ran the command:
{asaPath} collect --registry --hives LocalMachine --runid Pdt001
Finally I ran the command:
{asaPath} export-collect --firstrunid Base001 --secondrunid Pdt001 --outputpath {ExportPath}
** {ExportPath} stands for the actual export path.

I cannot find any object of REGISTRY_DELETED, REGISTRY_MODIFIED or REGISTRY_CREATED in the JSON file. I have tried many times, deleting existing keys and values or modifying them; they are just not being scanned whatsoever. Am I using the wrong hives option, or the wrong steps? Please kindly give me some advice; I need your expertise. I am using ASA_win_2.3.297 on Windows Server 2022 Standard. Thank you in advance.
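The reproduction steps from this issue (elevated session, baseline collect of the LocalMachine hive, create a key and value under HKLM, second collect, export-collect, then check the diff for the new key) as one PowerShell script. This is an added example, not part of the issue thread or of the Attack Surface Analyzer project. Only the Asa.exe flags that appear in the thread are used; the Asa.exe location, the export directory, the test key name AsaRegTest and the assumption that --outputpath names a directory are mine. Because the exact JSON layout of the summary file is not shown on this page, the check works on the raw file text rather than on a guessed schema.

```powershell
# Added example (not ASA project code): reproduce the registry-diff test from this issue end to end.
# Assumptions: $AsaPath points at Asa.exe from the 2.3.x zip; $TestKey is an arbitrary key chosen
# here; --outputpath is treated as a directory, with the working directory as a fallback.
param(
    [string]$AsaPath    = 'C:\Tools\ASA\Asa.exe',        # assumed install location
    [string]$ExportPath = 'C:\Tools\ASA\export',         # assumed export directory
    [string]$TestKey    = 'HKLM:\SOFTWARE\AsaRegTest'    # hypothetical test key
)

$ErrorActionPreference = 'Stop'

# 0. Refuse to run unelevated: the first thing asked in the thread. Most of HKLM is not
#    readable by a standard user, so an unelevated scan silently sees far fewer keys.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Unique run IDs so repeated attempts do not collide with earlier runs in the ASA database.
$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$baseId = "Base$stamp"
$prodId = "Pdt$stamp"

# 1. Baseline: registry collector only, HKLM only (the hive name the thread settles on).
& $AsaPath collect --registry --hives LocalMachine --runid $baseId
if ($LASTEXITCODE -ne 0) { throw "baseline collect failed (exit $LASTEXITCODE)" }

# 2. Change the registry: one new key and one new value under it.
New-Item -Path $TestKey -Force | Out-Null
New-ItemProperty -Path $TestKey -Name 'TestValue' -Value 'after-baseline' `
    -PropertyType String -Force | Out-Null

# 3. Second scan with identical options, so the only intended difference is the new key.
& $AsaPath collect --registry --hives LocalMachine --runid $prodId
if ($LASTEXITCODE -ne 0) { throw "second collect failed (exit $LASTEXITCODE)" }

# 4. Diff the two runs.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
& $AsaPath export-collect --firstrunid $baseId --secondrunid $prodId --outputpath $ExportPath
if ($LASTEXITCODE -ne 0) { throw "export-collect failed (exit $LASTEXITCODE)" }

# 5. Locate the summary file. The thread shows the name pattern
#    {first}_vs_{second}_summary.json.txt written to the working directory when no
#    --outputpath is given, so both locations are searched.
$report = Get-ChildItem -Path $ExportPath, (Get-Location).Path -Filter "${baseId}_vs_${prodId}*" |
          Select-Object -First 1
if (-not $report) { throw "no export file found for $baseId vs $prodId" }
$text = Get-Content -Raw -Path $report.FullName

# Count each result type by name. Counting tokens in the raw text avoids depending on a
# JSON schema this page does not document.
foreach ($kind in 'REGISTRY_CREATED', 'REGISTRY_MODIFIED', 'REGISTRY_DELETED') {
    $n = ([regex]::Matches($text, [regex]::Escape($kind))).Count
    '{0,-18} {1}' -f $kind, $n
}

# The key was created after the baseline, so its leaf name must appear somewhere in the diff.
# Matching on the leaf name sidesteps the doubled backslashes JSON uses in paths.
if ($text -match 'AsaRegTest') {
    'Test key present in diff: the registry collector picked up the change.'
} else {
    Write-Warning 'Test key missing from the diff: the registry collector did not see the change.'
}

# 6. Clean up the test key.
Remove-Item -Path $TestKey -Recurse -Force
```

Run it from an elevated PowerShell prompt; the two collect steps each take a minute or two on a typical server, as the timings in the thread show. A warning from the final check is the symptom reported in this issue; after the fixed release the leaf name shows up in the diff and the REGISTRY_CREATED count is non-zero.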