From 006d00f4e62164d9c2dcda9c517fee3080d01242 Mon Sep 17 00:00:00 2001
From: hulto <7121375+hulto@users.noreply.github.com>
Date: Tue, 20 Feb 2024 21:40:18 -0800
Subject: [PATCH] Add get registry tome
---
 tavern/tomes/get_registry/main.eldritch | 15 +++++++++++++++
 tavern/tomes/get_registry/metadata.yml | 14 ++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 tavern/tomes/get_registry/main.eldritch
 create mode 100644 tavern/tomes/get_registry/metadata.yml
diff --git a/tavern/tomes/get_registry/main.eldritch b/tavern/tomes/get_registry/main.eldritch
new file mode 100644
index 000000000..0bfd13cb1
--- /dev/null
+++ b/tavern/tomes/get_registry/main.eldritch
@@ -0,0 +1,15 @@
+def pad_key(key, max_len):
+ res = key+" "*(max_len-len(key))
+ return res
+
+def get_registry(hive, path):
+ res = sys.get_reg(hive, path)
+ max_len = max([ len(i) for i in res.keys()])
+ for k in res:
+ v = res[k]
+ pk = pad_key(k,max_len)
+ print(f"{pk} : {v}")
+
+get_registry(input_params['hive'], input_params['path'])
+print()
+
diff --git a/tavern/tomes/get_registry/metadata.yml b/tavern/tomes/get_registry/metadata.yml
new file mode 100644
index 000000000..525c6b5c9
--- /dev/null
+++ b/tavern/tomes/get_registry/metadata.yml
@@ -0,0 +1,14 @@
+name: Get Registry
+description: List the subkeys and their values at a provided hive and path.
+author: hulto
+support_model: FIRST_PARTY
+tactic: RECON
+paramdefs:
+- name: hive
+ type: string
+ label: Registry hive
+ placeholder: "HKEY_LOCAL_MACHINE"
+- name: path
+ type: string
+ label: Registry key path
+ placeholder: "SOFTWARE\\Microsoft\\Windows\\CurrentVersion" # Single backslash can be used too but you may encounter issues if you specify "\x64" as that's hex.
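Review bot: `max_len = max([ len(i) for i in res.keys()])` in get_registry fails on an empty result, because max() of an empty list raises, so a key that exists but holds no values makes the tome error out instead of printing nothing. Guard it right after the `sys.get_reg(hive, path)` call, e.g. `if not res: return`, or build the width with a loop that starts from 0 so no empty-sequence max() is needed; whether `sys.get_reg` can return an empty mapping is inferred from the `for k in res` usage rather than visible here. The hand-rolled padding in pad_key also silently assumes `max_len >= len(key)`, which holds for the one caller but is worth a one-line comment such as `# max_len is the longest key in the same result set, so the repeat count is never negative`. A short docstring on get_registry stating the output format (`key : value`, one line per value, no header) would help readers of the tome list.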
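Review bot: The path placeholder relies on a double-quoted YAML scalar with doubled backslashes, and the trailing comment about `"\x64"` being read as a hex escape documents a pitfall that the quoting style itself creates. A single-quoted scalar needs no backslash escaping and makes the caveat unnecessary: `placeholder: 'SOFTWARE\Microsoft\Windows\CurrentVersion'`. If the comment is kept, it reads better on its own line above the field than trailing after the value.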