Forum Discussion
Ransomware: Bad Rabbit - Registry key
- 7 months ago
So - I managed to work out the answer using OSINT, since the lab didn't seem to be working at the time I looked at it (August). Though, annoyingly, I didn't record specifically where I found it. The actual answer is like your obvious answer, but with another word (technically, two words added together like "TwoWords") added after "...Services\cscc\".
My notes from the time:
"Cheated. ;-p Googled and found something saying you can find it in the results of searching for "cscc registry" - however, that search returns zero hits for me... is this lab still working?".
Checking today - that search does return results which seem to include the answer you need...
So, basically it's asking for the 2nd registry key set (at least in the Splunk logs I see). And the question would be as good as: "What's the second registry key set? Include the complete hierarchy in the answer."
I have to admit that "key" is not concise, but "the path" is really confusing:
- Two keys are created in the Splunk log. (Did the author see only one? How did the other keys (five in total) end up in the registry?)
- The registry has no paths, and if you play the analogy with folders then the entry holding a value doesn't belong to that path.
And I have to admit, I keep notes only if I think it's worth it (not straightforward), otherwise I'd just re-do. (And ofc notes of general interest, e.g. event codes in Splunk.)