forked from Velocidex/registry_hunter
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit f7e768d
Showing
39 changed files
with
17,488 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| reghunter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| The MIT License (MIT) | ||
|
|
||
| Copyright (c) 2024 Mike Cohen | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| all: | ||
| go build -o reghunter ./bin/ | ||
|
|
||
| # Convert the RECMD batch files to Registry Hunter yaml files. | ||
| recmd: | ||
| ./reghunter convert --output Rules/RECmdBatch.yaml RECmd_Batch/*.reb | ||
|
|
||
|
|
||
| artifact: | ||
| ./reghunter compile --output output/Windows.Registry.Hunter.yaml Rules/*.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Registry Hunter | ||
|
|
||
| This repository aims to simplify the process of inspecting the | ||
| Registry for forensically relevant details. | ||
|
|
||
| This project is inspired by the RECmd Batch files project | ||
| (https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples) | ||
|
|
||
| ## How does it work? | ||
|
|
||
| This project maintains a set of `Rules` which are YAML files following | ||
| a simple format. This project implements a compiler which compiles | ||
| these rules into a VQL artifact that may be consumed by Velociraptor. | ||
|
|
||
| The Rule file starts with the attibute Rules and contains a list of | ||
| rules: | ||
|
|
||
| ``` | ||
| Rules: | ||
| - Author: Andrew Rathbun | ||
| Description: Prefetch Status | ||
| Category: System Info | ||
| Comment: 0 = Disabled, 1 = Application Prefetching Enabled, 2 = Boot Prefetching | ||
| Enabled, 3 = Application and Boot Prefetching Enabled | ||
| Glob: ControlSet00*\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher | ||
| Root: HKEY_LOCAL_MACHINE\System | ||
| ``` | ||
|
|
||
| * Author: This is the name of the author or the rule (optional) | ||
| * Description: The description will be shown in the generated artifact | ||
| output | ||
| * Category: The category will be shown in the generated artifact | ||
| output | ||
| * Comment: The comment will be shown in the generated artifact output | ||
| * Glob: The glob represents a search expression (See | ||
| https://docs.velociraptor.app/vql_reference/plugin/glob/ ) the will | ||
| search the registry under the Root key. | ||
| * Root: The is a root registry path. This can only be one of the | ||
| following values as described below |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| Description: RECmd Batch File Guide | ||
| Author: Andrew Rathbun | ||
| Version: 1.0 | ||
| Id: dcd4e1da-4039-42dc-a7e6-358150dc6fe3 | ||
| Keys: | ||
| # A Batch file is used to filter out the contents of the registry and only display the most USEFUL artifacts within the CSV output | ||
| # If you're looking for a raw dump of a registry hive's entire contents, you can dump a hive recursively from the top via ROOT or * to JSON and search freely for any potential artifacts of interest | ||
| # This guide is simply the RECmd Batch Template but populated with many comments to provide further context | ||
| # Mandatory fields: Description, HiveType, Category, KeyPath, and Recursive | ||
|
|
||
| # SYSTEM hive with KeyPath wildcard (not explained), IncludeBinary, and BinaryConvert (FILETIME) examples | ||
|
|
||
| - | ||
| Description: Shutdown Time # This value populates the Description column in the RECmd CSV output for this artifact. It is helpful to the end user to be as descriptive as possible with this value | ||
| HiveType: SYSTEM # This value must match the hive where the artifact listed in KeyPath below resides | ||
| Category: System Info # This value populates the Category column in the RECmd CSV output for this artifact. It is helpful to the end user for the purpose of filtering to be as broad as possible with this value. Try to categorize similar artifacts together under the same Category. If you have too many Categories, then why have a Description value? | ||
| KeyPath: ControlSet00*\Control\Windows # This value should match the KeyPath of the data within the Windows Registry that you want RECmd to parse | ||
| ValueName: ShutdownTime # This value coincides with the ValueName found at the KeyPath listed above. By specifying this ValueName, you only want the date stored under this specific ValueName to display in the RECmd CSV output | ||
| Recursive: false # Recursion on the KeyPath specificed will not occur since this is marked false. That means RECmd will not look for data stored within the ValueName specified beyond the KeyPath address specified | ||
| IncludeBinary: true # Without this value here, RECmd would output (Binary Data) without the actual binary data. If you only had this value without BinaryConvert, as seen below, the raw binary values would be included in the RECmd CSV output. However, in this example, we're setting up for a conversion into a timestamp just below this | ||
| BinaryConvert: FILETIME # RECmd can handle basic timestamp conversions, including but not limited to Windows Filetime. The particular value stored under the specified ValueName at the KeyPath address specified above happens to be stored in binary as Windows Filetime, therefore, setting FILETIME as our value for BinaryConvert will make this a human readable timestamp within the RECmd CSV output | ||
| Comment: "Last system shutdown time" # This value populates the Comment column within the RECmd CSV output. This is completely optional and can be deleted entirely, if desired | ||
|
|
||
| #SOFTWARE hive with IncludeBinary and BinaryConvert (EPOCH) examples | ||
|
|
||
| - | ||
| Description: System Info (Current) | ||
| HiveType: SOFTWARE | ||
| Category: System Info | ||
| KeyPath: Microsoft\Windows NT\CurrentVersion | ||
| ValueName: InstallDate | ||
| IncludeBinary: true | ||
| BinaryConvert: EPOCH | ||
| Recursive: false | ||
| Comment: "Current OS install date" | ||
|
|
||
| # SYSTEM hive with KeyPath wildcard (explained) example | ||
|
|
||
| - | ||
| Description: Virtual Memory Pagefile Encryption Status | ||
| HiveType: SYSTEM | ||
| Category: System Info | ||
| KeyPath: ControlSet*\Control\FileSystem # Notice the *, this serves as a wildcard. That means there exists ControlSet001 and ControlSet002, in this instance, and in one fell swoop we can cover both KeyPaths by using a wildcard at the appropriate location within our KeyPath. Also, note that a wildcard can be used in place of an entire section of a folder path. For instance, Folder1\*\Folder3\ | ||
| ValueName: NtfsEncryptPagingFile | ||
| Recursive: false | ||
| Comment: "Virtual Memory Pagefile Encryption, 0 = Disabled, 1 = Enabled" | ||
|
|
||
| # NTUSER hive with Recursive:true example | ||
|
|
||
| - | ||
| Description: MountPoints2 | ||
| HiveType: NTUSER | ||
| Category: Devices | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | ||
| Recursive: true # This will grab everything beyond the last Key specified in the KeyPath above, even if there's 10 Keys and SubKeys and 100+ ValueNames beyond that level in the registry, it will grab it and display it within the RECmd CSV output | ||
| Comment: "Mount Points - NTUSER" | ||
|
|
||
| # NTUSER hive with Plugin (SevenZip) example | ||
|
|
||
| - | ||
| Description: 7-Zip | ||
| HiveType: NTUSER | ||
| Category: Third Party Applications | ||
| KeyPath: Software\7-Zip\Compression | ||
| ValueName: ArcHistory | ||
| Recursive: false # Please note that when you're trying to activate a Plugin's output, you should see (Plugin) in the ValueType column | ||
| Comment: "Displays list of files and folders that were used with 7-Zip" | ||
|
|
||
| # SECURITY hive with KeyPath wildcard example | ||
|
|
||
| - | ||
| Description: User Accounts (SECURITY) | ||
| HiveType: SECURITY | ||
| Category: User Accounts | ||
| KeyPath: Policy\Accounts\* # This wildcard will grab the Key that is beyond Policy\Accounts\, whatever it may be | ||
| IncludeBinary: true # Not only will it grab that Key, but also everything beyond whatever Key that * relates to. Please note that sometimes its better to scale back from Recursive:true to limit useless rows of binary data that cannot be converted or even null values | ||
| Recursive: false | ||
| Comment: "Built-in accounts in SECURITY hive" | ||
|
|
||
| # SAM hive example that utilizes the UserAccounts plugin | ||
|
|
||
| - | ||
| Description: User Accounts (SAM) | ||
| HiveType: SAM | ||
| Category: User Accounts | ||
| KeyPath: SAM\Domains\Account\Users # There is a plugin for this path, which can be verified either within Registry Explorer (View -> Plugins) or on GitHub (https://github.com/EricZimmerman/RegistryPlugins). Plugins allow for the ValueData2 and ValueData3 columns to be utilized. This saves the amount of rows in the CSV output and allows for relevant data within a KeyPath to be visualized in a more sensible manner within the CSV output | ||
| Recursive: false | ||
| Comment: "User accounts in SAM hive" | ||
|
|
||
| # When in doubt, try something out and see how it looks in the CSV output and adjust as necessary. Run with --debug to see verbose console output so you know if RECmd was able to locate a KeyPath or ValueName you specified |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| Description: RECmd Batch File Template | ||
| Author: Andrew Rathbun | ||
| Version: 1.0 | ||
| Id: 9bc106b8-efd0-44bb-b2a7-cbfddd99b2bb | ||
| Keys: | ||
| - | ||
| Description: Shutdown Time | ||
| HiveType: SYSTEM | ||
| Category: System Info | ||
| KeyPath: ControlSet00*\Control\Windows | ||
| ValueName: ShutdownTime | ||
| Recursive: false | ||
| IncludeBinary: true | ||
| BinaryConvert: FILETIME | ||
| Comment: "Last system shutdown time" | ||
| - | ||
| Description: System Info (Current) | ||
| HiveType: SOFTWARE | ||
| Category: System Info | ||
| KeyPath: Microsoft\Windows NT\CurrentVersion | ||
| ValueName: InstallTime | ||
| IncludeBinary: true | ||
| BinaryConvert: FILETIME | ||
| Recursive: false | ||
| Comment: "Current OS install time" | ||
| - | ||
| Description: System Info (Current) | ||
| HiveType: SOFTWARE | ||
| Category: System Info | ||
| KeyPath: Microsoft\Windows NT\CurrentVersion | ||
| ValueName: InstallDate | ||
| IncludeBinary: true | ||
| BinaryConvert: EPOCH | ||
| Recursive: false | ||
| Comment: "Current OS install date" | ||
| - | ||
| Description: Virtual Memory Pagefile Encryption Status | ||
| HiveType: SYSTEM | ||
| Category: System Info | ||
| KeyPath: ControlSet*\Control\FileSystem | ||
| ValueName: NtfsEncryptPagingFile | ||
| Recursive: false | ||
| Comment: "Virtual Memory Pagefile Encryption, 0 = Disabled, 1 = Enabled" | ||
| - | ||
| Description: MountPoints2 | ||
| HiveType: NTUSER | ||
| Category: Devices | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | ||
| Recursive: true | ||
| Comment: "Mount Points - NTUSER" | ||
| - | ||
| Description: 7-Zip | ||
| HiveType: NTUSER | ||
| Category: Third Party Applications | ||
| KeyPath: Software\7-Zip\Compression | ||
| ValueName: ArcHistory | ||
| Recursive: false | ||
| Comment: "Displays list of files and folders that were used with 7-Zip" | ||
| - | ||
| Description: User Accounts (SECURITY) | ||
| HiveType: SECURITY | ||
| Category: User Accounts | ||
| KeyPath: Policy\Accounts\* | ||
| IncludeBinary: true | ||
| Recursive: false | ||
| Comment: "Built-in accounts in SECURITY hive" | ||
| - | ||
| Description: User Accounts (SAM) | ||
| HiveType: SAM | ||
| Category: User Accounts | ||
| KeyPath: SAM\Domains\Account\Users | ||
| Recursive: false | ||
| Comment: "User accounts in SAM hive" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,132 @@ | ||
| Description: Executables discovered or used | ||
| Author: Troyla | ||
| Version: 1 | ||
| Id: 230a19c6-4234-459e-a4da-fb10b19e8101 | ||
| Keys: | ||
| - | ||
| Description: AppCompatFlags CIT System | ||
| HiveType: Software | ||
| Category: Executables | ||
| KeyPath: Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: AppCompatFlags CIT Module | ||
| HiveType: Software | ||
| Category: Executables | ||
| KeyPath: Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module | ||
| Recursive: true | ||
| Comment: | ||
| - | ||
| Description: Bam | ||
| HiveType: System | ||
| Category: Executables | ||
| KeyPath: ControlSet*\Services\bam\State\UserSettings\* | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Bam | ||
| HiveType: System | ||
| Category: Executables | ||
| KeyPath: ControlSet*\Services\bam\UserSettings\* | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Dam | ||
| HiveType: System | ||
| Category: Executables | ||
| KeyPath: ControlSet*\Services\dam\State\UserSettings\* | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Dam | ||
| HiveType: System | ||
| Category: Executables | ||
| KeyPath: ControlSet*\Services\dam\UserSettings\* | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Regedit.exe Last Run | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Applets\Regedit | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Explorer ComDlg32 LastVisitedPidlMRU | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Explorer ComDlg32 LastVisitedPidlMRULegacy | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Explorer RunMRU | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: UserAssist Executables | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: UserAssist .lnk | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Search RecentApps | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\* | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: AppCompatFlags Compatibility Assistant Persisted | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: AppCompatFlags Compatibility Assistant Store | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: AppCompatFlags Layers | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: Sysinternals Tools Run | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Sysinternals\* | ||
| ValueName: EulaAccepted | ||
| Recursive: false | ||
| Comment: | ||
| - | ||
| Description: FeatureUsage | ||
| HiveType: NtUser | ||
| Category: Executables | ||
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage | ||
| Recursive: true | ||
| Comment: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| Description: Boot Config | ||
| Author: Troy Larson | ||
| Version: 1 | ||
| Id: 7884cf1a-1fea-4efd-821c-87790ea11663 | ||
| Keys: | ||
| - | ||
| Description: Boot Volume(s) | ||
| HiveType: BCD | ||
| Category: System Info | ||
| KeyPath: Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\24000001 | ||
| ValueName: Element | ||
| Recursive: false | ||
| Comment: For BCD hive at \boot\bcd, more than one GUID in value data means multi-boot system. |
Oops, something went wrong.