microsoft / AttackSurfaceAnalyzer

Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
MIT License

Cannot detect registry created, deleted and modified by myself. #700

Closed XYujie closed 10 months ago

XYujie commented 10 months ago

Used command: {asaPath} collect --registry --hives LocalMachine --runid Base001

I've first run it as baseline scan and then created a registry key under "HKEY_LOCAL_MACHINE" and also a value in that key.

After that, run command: {asaPath} collect --registry --hives LocalMachine --runid Pdt001

Finally run the command: {asaPath} export-collect --firstrunid Base001 --secondrunid Pdt001 --outputpath {ExportPath}

** {ExportPath} stands for the actual export path.

I cannot find any object of REGISTRY_DELETED, REGISTRY_MODIFIED, REGISTRY_CREATED in the JSON file. I have tried many times, deleting existing keys and values or modifying them; they are just not being scanned whatsoever. Am I using the wrong hives option, or the wrong steps? Please kindly give me some advice, I need your expertise.

I am using ASA_win_2.3.297 on Windows Server 2022 Standard. Thank you in advance.

gfs commented 10 months ago

Hello, to confirm are you running ASA as administrator? A lot (most) of registry data isn't visible to standard user.

XYujie commented 10 months ago

Hello, I am running ASA as an administrator, and while waiting for your reply I have run it without assigning any hives; after the baseline scan, I created some keys under LocalMachine, and then I ran it again. I got a JSON file that only contains some REGISTRY_MODIFIED objects, and all of them are from HKEY_CLASSES_ROOT.

gfs commented 10 months ago

Thanks for the confirmation. In that case the behavior you describe is not what I'd expect.

I'll take some time to investigate this next week. I'll have to set up a VM with Server 2022 to see if it's an OS-specific issue; I haven't noticed the same issues on standard Windows 10/11.

XYujie commented 10 months ago

I appreciate that, and I am planning to do the same in Win10 to check if it is an OS-specific issue; I'll let you know by this week. To confirm, if I want to scan the registry in LocalMachine, what are the correct arguments for --hives? HKEY_LOCAL_MACHINE or HkeyLocalMachine or LocalMachine?

XYujie commented 10 months ago

BaselineScan001_vs_SecondScan001_summary.json.txt

I have run the ASA again with more information; hope this can be helpful for your investigation. Here are the details and steps I took.

OS Info:

ASA running info in CMD (CMD run as an Admin user):

C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297>Asa.exe collect -r --runid BaselineScan001
[09:56:32 INF] AttackSurfaceAnalyzer v.2.3.297+8f3ee6911a
[09:56:32 INF] Begin BaselineScan001.
[09:56:32 INF] Starting 1 Collectors.
[09:56:37 INF] Starting RegistryCollector.
[09:58:04 INF] Completed RegistryCollector in 00h:01m:26s:628ms.

C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297>Asa.exe collect -r --runid SecondScan001
[09:59:41 INF] AttackSurfaceAnalyzer v.2.3.297+8f3ee6911a
[09:59:41 INF] Begin SecondScan001.
[09:59:41 INF] Starting 1 Collectors.
[09:59:46 INF] Starting RegistryCollector.
[10:01:16 INF] Completed RegistryCollector in 00h:01m:30s:093ms.

C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297>Asa.exe export-collect --firstrunid BaselineScan001 --secondrunid SecondScan001
[10:01:53 INF] AttackSurfaceAnalyzer v.2.3.297+8f3ee6911a
[10:01:53 INF] Comparing BaselineScan001 vs SecondScan001.
[10:02:03 INF] Completed Comparing in 00h:00m:09s:544ms.
[10:02:03 INF] Completed Analysis in 00h:00m:00s:070ms.
[10:02:03 INF] Output written to: C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297\BaselineScan001_vs_SecondScan001_summary.json.txt

Manually created registry timing:

After the BaselineScan001 completed, I created a test registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AfterBaseline, and a registry value named TestValue under that test key. Then I ran SecondScan001, and I got a result file without any registry creation info for the above, although it contains some other registry activities which should be system activity (always happening in the background)?

JSON file I got: Check the attachment file.

BaselineScan001_vs_SecondScan001_summary.json.txt
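The reproduction steps above, scripted end to end so the same check can be rerun after a fix ships. This is an added example, not code from the ASA project or from the reporter. It assumes Asa.exe lives in the directory shown in the report ($AsaDir is a placeholder to adjust), uses only the flags that appear in this thread (collect -r --runid, export-collect --firstrunid/--secondrunid), relies on the summary file name ASA printed above, and inspects the summary as raw text so that nothing about the JSON layout is assumed. It also performs the elevation check gfs asked about before running anything.

```powershell
# Added reproduction script for this issue (not part of AttackSurfaceAnalyzer).
# Assumptions: Asa.exe in $AsaDir; summary file named <first>_vs_<second>_summary.json.txt (as logged in the report).
$AsaDir  = 'C:\Users\root\Desktop\ASA_win_2.3.297\ASA_win_2.3.297'   # placeholder path from the thread; adjust
$Asa     = Join-Path $AsaDir 'Asa.exe'
$KeyPath = 'HKLM:\SOFTWARE\WOW6432Node\AfterBaseline'               # test key used in the report
$First   = 'BaselineScan001'
$Second  = 'SecondScan001'

# Most of HKLM is only readable when elevated, which is the first thing gfs asked about.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

Set-Location $AsaDir

# 1. Baseline registry collection (-r is the short form of --registry, as in the report).
& $Asa collect -r --runid $First
if ($LASTEXITCODE -ne 0) { throw "baseline collect failed with exit code $LASTEXITCODE" }

# 2. Make the change between the two runs: a new key plus a string value under it.
New-Item -Path $KeyPath -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'TestValue' -Value 'created-after-baseline' `
                 -PropertyType String -Force | Out-Null

# 3. Second collection, then the comparison export.
& $Asa collect -r --runid $Second
if ($LASTEXITCODE -ne 0) { throw "second collect failed with exit code $LASTEXITCODE" }
& $Asa export-collect --firstrunid $First --secondrunid $Second
if ($LASTEXITCODE -ne 0) { throw "export-collect failed with exit code $LASTEXITCODE" }

# 4. Locate the summary ASA wrote into the working directory.
$Summary = Get-ChildItem -Path $AsaDir -Filter "${First}_vs_${Second}_summary.json.txt" |
           Select-Object -First 1
if (-not $Summary) { throw 'summary file not found; check the "Output written to" line from ASA' }
$raw = Get-Content -Path $Summary.FullName -Raw

# 5. Count result types by scanning the text, so no JSON schema is assumed.
[regex]::Matches($raw, 'REGISTRY_(CREATED|MODIFIED|DELETED)') |
    Group-Object -Property Value |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 6. Confirm the test key itself is in the diff. JSON doubles backslashes in strings,
#    so allow one or two between path components.
$pattern = 'SOFTWARE\\{1,2}WOW6432Node\\{1,2}AfterBaseline'
if ($raw -match $pattern) {
    Write-Host 'OK: the AfterBaseline key appears in the comparison output'
} else {
    Write-Warning 'AfterBaseline key is NOT in the comparison output: the collector missed the change'
}

# 7. Remove the test key so the host is left as it was found.
Remove-Item -Path $KeyPath -Recurse -Force
```

Before the fix in this thread, step 6 prints the warning on Server 2022 even though the two collects and the export all succeed, which is exactly the symptom reported; after updating ASA, the same script should print a REGISTRY_CREATED count and the OK line.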

gfs commented 10 months ago

@XYujie Thank you again for your detailed report, particularly the registry locations you were having trouble gathering. I developed a fix in #701 that I believe will now resolve the issues you were experiencing with the Registry Collector.

XYujie commented 10 months ago

@gfs Thanks for your improvement, and would you kindly tell me how to apply your fix? Should I download something in particular, or something like that?

gfs commented 10 months ago

@XYujie

We should be able to merge the PR today after which a new version will be published to nuget/as a zip.

gfs commented 10 months ago

PR has been merged. New release with the fix should be available in about an hour. Thanks again for your report and feel free to reach out again should you encounter any further issues.

XYujie commented 10 months ago

Checked the newly released version and it works well. Thank you for your quick fix!