TYPE: VBS Script
PRIMARY LANGUAGE: VBScript
AUTHOR: Justin Grimes
ORIGINAL VERSION DATE: 9/5/2019
CURRENT VERSION DATE: 10/28/2019
DESCRIPTION: An application that enumerates registry keys and looks for changes that constitute an indicator of compromise.
PURPOSE: To detect malicious registry operations early enough that they do not cause widespread damage to company equipment. To notify company IT if and when registry keys are modified on domain workstations.
- Install Registry_Monitor into a subdirectory of your network-wide scripts folder.
- Open Registry_Monitor.vbs with a text editor and configure the variables at the start of the script to match your environment.
- Open sendmail.ini with a text editor and configure your email server settings.
- Run the script automatically with scheduled tasks at regular intervals.
- Use the -e argument to force the sending of warning emails.
- Use the -o argument to force the creation of warning log files.
- Use the -v argument to force the creation of a log file whenever the script is executed, regardless of detection status.
- Use the -f argument to force the execution of the script even when the session is not elevated (this bypasses the elevation checks and may cause errors).
- This script MUST be run with administrative rights.
- If this script is started in regular user mode, it will prompt for administrator elevation.
- Use absolute UNC paths for network addresses. DO NOT run this from a mapped network drive letter; the restartAsAdmin() function will not work properly if you do.
- "Fake Sendmail for Windows by Byron Jones" is required and included in the "Registry_Monitor" folder. The SendMail data files must be included in the same directory as "Registry_Monitor.vbs" in order for emails to be sent correctly.
- You can download your own copy of "Fake Sendmail for Windows by Byron Jones" by visiting: https://www.glob.com.au/sendmail/.
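The detection loop that the description and the -o option refer to, as an added illustration in VBScript that is not part of Registry_Monitor.vbs: it snapshots the values under the HKLM Run key with WMI StdRegProv, compares them with the snapshot saved by the previous run, and appends any added, removed or altered autorun entry to a warning log. The BASELINE and LOGFILE paths are assumptions.

```vbscript
' Added illustration, not code from Registry_Monitor.vbs: snapshot the HKLM Run key via
' StdRegProv, diff it against the previous snapshot, log changes. Paths are assumed.
Const HKLM = &H80000002
Const KEY_PATH = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Const BASELINE = "C:\Scripts\Registry_Monitor\run_baseline.txt"
Const LOGFILE = "C:\Scripts\Registry_Monitor\run_changes.log"
Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")
' Map each value name under KEY_PATH to its data (Run entries are REG_SZ=1 or REG_EXPAND_SZ=2).
Function SnapshotRunKey()
    Dim reg, names, types, i, data, snap
    Set snap = CreateObject("Scripting.Dictionary")
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    If reg.EnumValues(HKLM, KEY_PATH, names, types) = 0 And IsArray(names) Then
        For i = 0 To UBound(names)
            data = Null: If types(i) = 2 Then reg.GetExpandedStringValue HKLM, KEY_PATH, names(i), data Else reg.GetStringValue HKLM, KEY_PATH, names(i), data
            snap.Add names(i), "" & data   ' Null (unreadable or non-string type) becomes ""
        Next
    End If
    Set SnapshotRunKey = snap
End Function
' Baseline file holds one "name<TAB>data" line per value; an absent file means an empty baseline.
Function LoadBaseline()
    Dim f, parts, base
    Set base = CreateObject("Scripting.Dictionary")
    If fso.FileExists(BASELINE) Then
        Set f = fso.OpenTextFile(BASELINE, 1)
        Do Until f.AtEndOfStream
            parts = Split(f.ReadLine, vbTab, 2)
            If UBound(parts) = 1 Then base.Add parts(0), parts(1)
        Loop
        f.Close
    End If
    Set LoadBaseline = base
End Function
' Diff in both directions, then persist the current snapshot as the baseline for the next run.
Dim base, cur, k, alerts, f
Set base = LoadBaseline(): Set cur = SnapshotRunKey(): alerts = ""
For Each k In cur.Keys
    If Not base.Exists(k) Then
        alerts = alerts & "ADDED " & k & " = " & cur(k) & vbCrLf
    ElseIf base(k) <> cur(k) Then
        alerts = alerts & "CHANGED " & k & ": " & base(k) & " -> " & cur(k) & vbCrLf
    End If
Next
For Each k In base.Keys
    If Not cur.Exists(k) Then alerts = alerts & "REMOVED " & k & vbCrLf
Next
Set f = fso.OpenTextFile(BASELINE, 2, True): For Each k In cur.Keys: f.WriteLine k & vbTab & cur(k): Next: f.Close
If alerts <> "" Then Set f = fso.OpenTextFile(LOGFILE, 8, True): f.WriteLine Now & vbCrLf & alerts: f.Close
```

Run it elevated from a scheduled task, as the list above describes; the first run only records the baseline, and every later run reports the difference against that baseline.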