New upstream version 20201106
Samuel Henrique
3 years ago
0 | # Pylint 2.1.x - 2.2.x configuration file | |
0 | # Pylint 2.4.x configuration file | |
1 | 1 | # |
2 | 2 | # This file is generated by l2tdevtools update-dependencies.py, any dependency |
3 | 3 | # related changes should be made in dependencies.ini. |
5 | 5 | |
6 | 6 | # A comma-separated list of package or module names from where C extensions may |
7 | 7 | # be loaded. Extensions are loading into the active Python interpreter and may |
8 | # run arbitrary code | |
8 | # run arbitrary code. | |
9 | 9 | extension-pkg-whitelist= |
10 | 10 | |
11 | 11 | # Add files or directories to the blacklist. They should be base names, not |
20 | 20 | # pygtk.require(). |
21 | 21 | #init-hook= |
22 | 22 | |
23 | # Use multiple processes to speed up Pylint. | |
23 | # Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the | |
24 | # number of processors available to use. | |
24 | 25 | jobs=1 |
25 | 26 | |
26 | # List of plugins (as comma separated values of python modules names) to load, | |
27 | # Control the amount of potential inferred values when inferring a single | |
28 | # object. This can help the performance when dealing with large functions or | |
29 | # complex, nested conditions. | |
30 | limit-inference-results=100 | |
31 | ||
32 | # List of plugins (as comma separated values of python module names) to load, | |
27 | 33 | # usually to register additional checkers. |
28 | 34 | load-plugins=pylint.extensions.docparams |
29 | 35 | |
32 | 38 | |
33 | 39 | # Specify a configuration file. |
34 | 40 | #rcfile= |
41 | ||
42 | # When enabled, pylint would attempt to guess common misconfiguration and emit | |
43 | # user-friendly hints instead of false-positive error messages. | |
44 | suggestion-mode=yes | |
35 | 45 | |
36 | 46 | # Allow loading of arbitrary C extensions. Extensions are imported into the |
37 | 47 | # active Python interpreter and may run arbitrary code. |
41 | 51 | [MESSAGES CONTROL] |
42 | 52 | |
43 | 53 | # Only show warnings with the listed confidence levels. Leave empty to show |
44 | # all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED | |
54 | # all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED. | |
45 | 55 | confidence= |
46 | 56 | |
47 | 57 | # Disable the message, report, category or checker with the given id(s). You |
48 | 58 | # can either give multiple identifiers separated by comma (,) or put this |
49 | 59 | # option multiple times (only on the command line, not in the configuration |
50 | # file where it should appear only once).You can also use "--disable=all" to | |
60 | # file where it should appear only once). You can also use "--disable=all" to | |
51 | 61 | # disable everything first and then reenable specific checks. For example, if |
52 | 62 | # you want to run only the similarities checker, you can use "--disable=all |
53 | 63 | # --enable=similarities". If you want to run only the classes checker, but have |
54 | # no Warning level messages displayed, use"--disable=all --enable=classes | |
55 | # --disable=W" | |
56 | # | |
57 | disable= | |
58 | assignment-from-none, | |
59 | bad-inline-option, | |
60 | deprecated-pragma, | |
61 | duplicate-code, | |
62 | eq-without-hash, | |
63 | file-ignored, | |
64 | fixme, | |
65 | locally-disabled, | |
66 | locally-enabled, | |
67 | logging-format-interpolation, | |
68 | metaclass-assignment, | |
69 | missing-param-doc, | |
70 | no-absolute-import, | |
71 | no-self-use, | |
72 | parameter-unpacking, | |
73 | raw-checker-failed, | |
74 | suppressed-message, | |
75 | too-few-public-methods, | |
76 | too-many-ancestors, | |
77 | too-many-boolean-expressions, | |
78 | too-many-branches, | |
79 | too-many-instance-attributes, | |
80 | too-many-lines, | |
81 | too-many-locals, | |
82 | too-many-nested-blocks, | |
83 | too-many-public-methods, | |
84 | too-many-return-statements, | |
85 | too-many-statements, | |
86 | unsubscriptable-object, | |
87 | useless-object-inheritance, | |
88 | useless-suppression | |
64 | # no Warning level messages displayed, use "--disable=all --enable=classes | |
65 | # --disable=W". | |
66 | disable=assignment-from-none, | |
67 | bad-inline-option, | |
68 | deprecated-pragma, | |
69 | duplicate-code, | |
70 | eq-without-hash, | |
71 | file-ignored, | |
72 | fixme, | |
73 | locally-disabled, | |
74 | locally-enabled, | |
75 | logging-format-interpolation, | |
76 | metaclass-assignment, | |
77 | missing-param-doc, | |
78 | no-absolute-import, | |
79 | no-self-use, | |
80 | parameter-unpacking, | |
81 | raw-checker-failed, | |
82 | suppressed-message, | |
83 | too-few-public-methods, | |
84 | too-many-ancestors, | |
85 | too-many-boolean-expressions, | |
86 | too-many-branches, | |
87 | too-many-instance-attributes, | |
88 | too-many-lines, | |
89 | too-many-locals, | |
90 | too-many-nested-blocks, | |
91 | too-many-public-methods, | |
92 | too-many-return-statements, | |
93 | too-many-statements, | |
94 | unsubscriptable-object, | |
95 | useless-object-inheritance, | |
96 | useless-suppression | |
89 | 97 | |
90 | 98 | # Enable the message, report, category or checker with the given id(s). You can |
91 | 99 | # either give multiple identifier separated by comma (,) or put this option |
92 | 100 | # multiple time (only on the command line, not in the configuration file where |
93 | 101 | # it should appear only once). See also the "--disable" option for examples. |
102 | # enable=c-extension-no-member | |
94 | 103 | enable= |
95 | 104 | |
96 | 105 | |
97 | 106 | [REPORTS] |
98 | 107 | |
99 | # Python expression which should return a note less than 10 (10 is the highest | |
100 | # note). You have access to the variables errors warning, statement which | |
101 | # respectively contain the number of errors / warnings messages and the total | |
102 | # number of statements analyzed. This is used by the global evaluation report | |
103 | # (RP0004). | |
108 | # Python expression which should return a score less than or equal to 10. You | |
109 | # have access to the variables 'error', 'warning', 'refactor', and 'convention' | |
110 | # which contain the number of messages in each category, as well as 'statement' | |
111 | # which is the total number of statements analyzed. This score is used by the | |
112 | # global evaluation report (RP0004). | |
104 | 113 | evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) |
105 | 114 | |
106 | 115 | # Template used to display messages. This is a python new-style format string |
107 | # used to format the message information. See doc for all details | |
116 | # used to format the message information. See doc for all details. | |
108 | 117 | #msg-template= |
109 | 118 | |
110 | 119 | # Set the output format. Available formats are text, parseable, colorized, json |
111 | # and msvs (visual studio).You can also give a reporter class, eg | |
120 | # and msvs (visual studio). You can also give a reporter class, e.g. | |
112 | 121 | # mypackage.mymodule.MyReporterClass. |
113 | 122 | output-format=text |
114 | 123 | |
115 | # Tells whether to display a full report or only the messages | |
124 | # Tells whether to display a full report or only the messages. | |
116 | 125 | reports=no |
117 | 126 | |
118 | 127 | # Activate the evaluation score. |
125 | 134 | # Maximum number of nested blocks for function / method body |
126 | 135 | max-nested-blocks=5 |
127 | 136 | |
137 | # Complete name of functions that never returns. When checking for | |
138 | # inconsistent-return-statements if a never returning function is called then | |
139 | # it will be considered as an explicit return statement and no message will be | |
140 | # printed. | |
141 | never-returning-functions=sys.exit | |
142 | ||
128 | 143 | |
129 | 144 | [VARIABLES] |
130 | 145 | |
131 | 146 | # List of additional names supposed to be defined in builtins. Remember that |
132 | # you should avoid to define new builtins when possible. | |
147 | # you should avoid defining new builtins when possible. | |
133 | 148 | additional-builtins= |
134 | 149 | |
135 | 150 | # Tells whether unused global variables should be treated as a violation. |
137 | 152 | |
138 | 153 | # List of strings which can identify a callback function by name. A callback |
139 | 154 | # name must start or end with one of those strings. |
140 | callbacks=cb_,_cb | |
141 | ||
142 | # A regular expression matching the name of dummy variables (i.e. expectedly | |
143 | # not used). | |
155 | callbacks=cb_, | |
156 | _cb | |
157 | ||
158 | # A regular expression matching the name of dummy variables (i.e. expected to | |
159 | # not be used). | |
144 | 160 | dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ |
145 | 161 | |
146 | 162 | # Argument names that match this expression will be ignored. Default to name |
147 | # with leading underscore | |
163 | # with leading underscore. | |
148 | 164 | ignored-argument-names=_.*|^ignored_|^unused_ |
149 | 165 | |
150 | 166 | # Tells whether we should check for unused import in __init__ files. |
152 | 168 | |
153 | 169 | # List of qualified module names which can have objects that can redefine |
154 | 170 | # builtins. |
155 | redefining-builtins-modules=six.moves,future.builtins | |
171 | redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io | |
156 | 172 | |
157 | 173 | |
158 | 174 | [TYPECHECK] |
170 | 186 | # Tells whether missing members accessed in mixin class should be ignored. A |
171 | 187 | # mixin class is detected if its name ends with "mixin" (case insensitive). |
172 | 188 | ignore-mixin-members=yes |
189 | ||
190 | # Tells whether to warn about missing members when the owner of the attribute | |
191 | # is inferred to be None. | |
192 | ignore-none=yes | |
173 | 193 | |
174 | 194 | # This flag controls whether pylint should warn about no-member and similar |
175 | 195 | # checks whenever an opaque object is returned when inferring. The inference |
186 | 206 | |
187 | 207 | # List of module names for which member attributes should not be checked |
188 | 208 | # (useful for modules/projects where namespaces are manipulated during runtime |
189 | # and thus existing member attributes cannot be deduced by static analysis. It | |
209 | # and thus existing member attributes cannot be deduced by static analysis). It | |
190 | 210 | # supports qualified module names, as well as Unix pattern matching. |
191 | 211 | ignored-modules= |
192 | 212 | |
202 | 222 | # showing a hint for a missing member. |
203 | 223 | missing-member-max-choices=1 |
204 | 224 | |
225 | # List of decorators that change the signature of a decorated function. | |
226 | signature-mutators= | |
227 | ||
205 | 228 | |
206 | 229 | [LOGGING] |
207 | 230 | |
231 | # Format style used to check logging format string. `old` means using % | |
232 | # formatting, `new` is for `{}` formatting,and `fstr` is for f-strings. | |
233 | logging-format-style=old | |
234 | ||
208 | 235 | # Logging modules to check that the string format arguments are in logging |
209 | # function parameter format | |
236 | # function parameter format. | |
210 | 237 | logging-modules=logging |
211 | 238 | |
212 | 239 | |
213 | 240 | [BASIC] |
214 | 241 | |
215 | # Naming hint for argument names | |
216 | # argument-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
217 | argument-name-hint=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ | |
218 | ||
219 | # Regular expression matching correct argument names | |
220 | # argument-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
242 | # Naming style matching correct argument names. | |
243 | argument-naming-style=snake_case | |
244 | ||
245 | # Regular expression matching correct argument names. Overrides argument- | |
246 | # naming-style. | |
247 | #argument-rgx= | |
221 | 248 | argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ |
222 | 249 | |
223 | # Naming hint for attribute names | |
224 | # attr-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
225 | attr-name-hint=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ | |
226 | ||
227 | # Regular expression matching correct attribute names | |
228 | # attr-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
250 | # Naming style matching correct attribute names. | |
251 | attr-naming-style=snake_case | |
252 | ||
253 | # Regular expression matching correct attribute names. Overrides attr-naming- | |
254 | # style. | |
255 | #attr-rgx= | |
229 | 256 | attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ |
230 | 257 | |
231 | # Bad variable names which should always be refused, separated by a comma | |
232 | bad-names=foo,bar,baz,toto,tutu,tata | |
233 | ||
234 | # Naming hint for class attribute names | |
235 | # class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$ | |
236 | class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ | |
237 | ||
238 | # Regular expression matching correct class attribute names | |
239 | # class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$ | |
258 | # Bad variable names which should always be refused, separated by a comma. | |
259 | bad-names=foo, | |
260 | bar, | |
261 | baz, | |
262 | toto, | |
263 | tutu, | |
264 | tata | |
265 | ||
266 | # Naming style matching correct class attribute names. | |
267 | class-attribute-naming-style=any | |
268 | ||
269 | # Regular expression matching correct class attribute names. Overrides class- | |
270 | # attribute-naming-style. | |
271 | #class-attribute-rgx= | |
240 | 272 | class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ |
241 | 273 | |
242 | # Naming hint for class names | |
243 | class-name-hint=[A-Z_][a-zA-Z0-9]+$ | |
244 | ||
245 | # Regular expression matching correct class names | |
274 | # Naming style matching correct class names. | |
275 | class-naming-style=PascalCase | |
276 | ||
277 | # Regular expression matching correct class names. Overrides class-naming- | |
278 | # style. | |
279 | #class-rgx= | |
246 | 280 | class-rgx=[A-Z_][a-zA-Z0-9]+$ |
247 | 281 | |
248 | # Naming hint for constant names | |
249 | # const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$ | |
250 | const-name-hint=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ | |
251 | ||
252 | # Regular expression matching correct constant names | |
253 | # const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ | |
282 | # Naming style matching correct constant names. | |
283 | const-naming-style=UPPER_CASE | |
284 | ||
285 | # Regular expression matching correct constant names. Overrides const-naming- | |
286 | # style. | |
287 | #const-rgx= | |
254 | 288 | const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ |
255 | 289 | |
256 | 290 | # Minimum line length for functions/classes that require docstrings, shorter |
257 | 291 | # ones are exempt. |
258 | 292 | docstring-min-length=-1 |
259 | 293 | |
260 | # Naming hint for function names | |
261 | # function-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
262 | function-name-hint=[A-Z_][a-zA-Z0-9_]*$ | |
263 | ||
264 | # Regular expression matching correct function names | |
265 | # function-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
294 | # Naming style matching correct function names. | |
295 | function-naming-style=snake_case | |
296 | ||
297 | # Regular expression matching correct function names. Overrides function- | |
298 | # naming-style. | |
299 | #function-rgx= | |
266 | 300 | function-rgx=[A-Z_][a-zA-Z0-9_]*$ |
267 | 301 | |
268 | # Good variable names which should always be accepted, separated by a comma | |
269 | good-names=i,j,k,ex,Run,_ | |
270 | ||
271 | # Include a hint for the correct naming format with invalid-name | |
302 | # Good variable names which should always be accepted, separated by a comma. | |
303 | good-names=i, | |
304 | j, | |
305 | k, | |
306 | ex, | |
307 | Run, | |
308 | _ | |
309 | ||
310 | # Include a hint for the correct naming format with invalid-name. | |
272 | 311 | include-naming-hint=no |
273 | 312 | |
274 | # Naming hint for inline iteration names | |
275 | inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$ | |
276 | ||
277 | # Regular expression matching correct inline iteration names | |
313 | # Naming style matching correct inline iteration names. | |
314 | inlinevar-naming-style=any | |
315 | ||
316 | # Regular expression matching correct inline iteration names. Overrides | |
317 | # inlinevar-naming-style. | |
318 | #inlinevar-rgx= | |
278 | 319 | inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ |
279 | 320 | |
280 | # Naming hint for method names | |
281 | # method-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
282 | method-name-hint=(test|[A-Z_])[a-zA-Z0-9_]*$ | |
283 | ||
284 | # Regular expression matching correct method names | |
285 | # method-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
321 | # Naming style matching correct method names. | |
322 | method-naming-style=snake_case | |
323 | ||
324 | # Regular expression matching correct method names. Overrides method-naming- | |
325 | # style. | |
326 | #method-rgx= | |
286 | 327 | method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$ |
287 | 328 | |
288 | # Naming hint for module names | |
289 | module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ | |
290 | ||
291 | # Regular expression matching correct module names | |
329 | # Naming style matching correct module names. | |
330 | module-naming-style=snake_case | |
331 | ||
332 | # Regular expression matching correct module names. Overrides module-naming- | |
333 | # style. | |
334 | #module-rgx= | |
292 | 335 | module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ |
293 | 336 | |
294 | 337 | # Colon-delimited sets of names that determine each other's naming style when |
301 | 344 | |
302 | 345 | # List of decorators that produce properties, such as abc.abstractproperty. Add |
303 | 346 | # to this list to register other decorators that produce valid properties. |
347 | # These decorators are taken in consideration only for invalid-name. | |
304 | 348 | property-classes=abc.abstractproperty |
305 | 349 | |
306 | # Naming hint for variable names | |
307 | # variable-name-hint=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
308 | variable-name-hint=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ | |
309 | ||
310 | # Regular expression matching correct variable names | |
311 | # variable-rgx=(([a-z][a-z0-9_]{2,30})|(_[a-z0-9_]*))$ | |
350 | # Naming style matching correct variable names. | |
351 | variable-naming-style=snake_case | |
352 | ||
353 | # Regular expression matching correct variable names. Overrides variable- | |
354 | # naming-style. | |
355 | #variable-rgx= | |
312 | 356 | variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ |
313 | 357 | |
314 | 358 | |
315 | 359 | [MISCELLANEOUS] |
316 | 360 | |
317 | 361 | # List of note tags to take in consideration, separated by a comma. |
318 | notes=FIXME,XXX,TODO | |
362 | notes=FIXME, | |
363 | XXX, | |
364 | TODO | |
319 | 365 | |
320 | 366 | |
321 | 367 | [FORMAT] |
326 | 372 | # Regexp for a line that is allowed to be longer than the limit. |
327 | 373 | ignore-long-lines=^\s*(# )?<?https?://\S+>?$ |
328 | 374 | |
329 | # Number of spaces of indent required inside a hanging or continued line. | |
375 | # Number of spaces of indent required inside a hanging or continued line. | |
330 | 376 | indent-after-paren=4 |
331 | 377 | |
332 | 378 | # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 |
338 | 384 | # max-line-length=100 |
339 | 385 | max-line-length=80 |
340 | 386 | |
341 | # Maximum number of lines in a module | |
387 | # Maximum number of lines in a module. | |
342 | 388 | max-module-lines=1000 |
343 | 389 | |
344 | 390 | # List of optional constructs for which whitespace checking is disabled. `dict- |
345 | 391 | # separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}. |
346 | 392 | # `trailing-comma` allows a space between comma and closing bracket: (a, ). |
347 | 393 | # `empty-line` allows space-only lines. |
348 | no-space-check=trailing-comma,dict-separator | |
394 | no-space-check=trailing-comma, | |
395 | dict-separator | |
349 | 396 | |
350 | 397 | # Allow the body of a class to be on the same line as the declaration if body |
351 | 398 | # contains single statement. |
358 | 405 | |
359 | 406 | [SPELLING] |
360 | 407 | |
361 | # Spelling dictionary name. Available dictionaries: en_US (myspell). | |
408 | # Limits count of emitted suggestions for spelling mistakes. | |
409 | max-spelling-suggestions=4 | |
410 | ||
411 | # Spelling dictionary name. Available dictionaries: en_NA (myspell), en_NZ | |
412 | # (myspell), en_ZM (myspell), en_CA (myspell), en_GH (myspell), en_IN | |
413 | # (myspell), en_TT (myspell), en_BS (myspell), en_DK (myspell), en_MW | |
414 | # (myspell), en_ZW (myspell), en_BW (myspell), en_ZA (myspell), en_BZ | |
415 | # (myspell), en_JM (myspell), en_US (myspell), en_PH (myspell), en_GB | |
416 | # (myspell), en_SG (myspell), en_IE (myspell), en_HK (myspell), en_AU | |
417 | # (myspell), en_AG (myspell), en_NG (myspell). | |
362 | 418 | spelling-dict= |
363 | 419 | |
364 | 420 | # List of comma separated words that should not be checked. |
365 | 421 | spelling-ignore-words= |
366 | 422 | |
367 | # A path to a file that contains private dictionary; one word per line. | |
423 | # A path to a file that contains the private dictionary; one word per line. | |
368 | 424 | spelling-private-dict-file= |
369 | 425 | |
370 | # Tells whether to store unknown words to indicated private dictionary in | |
371 | # --spelling-private-dict-file option instead of raising a message. | |
426 | # Tells whether to store unknown words to the private dictionary (see the | |
427 | # --spelling-private-dict-file option) instead of raising a message. | |
372 | 428 | spelling-store-unknown-words=no |
373 | 429 | |
374 | 430 | |
387 | 443 | min-similarity-lines=4 |
388 | 444 | |
389 | 445 | |
446 | [STRING] | |
447 | ||
448 | # This flag controls whether the implicit-str-concat-in-sequence should | |
449 | # generate a warning on implicit string concatenation in sequences defined over | |
450 | # several lines. | |
451 | check-str-concat-over-line-jumps=no | |
452 | ||
453 | ||
390 | 454 | [DESIGN] |
391 | 455 | |
392 | # Maximum number of arguments for function / method | |
456 | # Maximum number of arguments for function / method. | |
393 | 457 | # max-args=5 |
394 | 458 | max-args=10 |
395 | 459 | |
396 | 460 | # Maximum number of attributes for a class (see R0902). |
397 | 461 | max-attributes=7 |
398 | 462 | |
399 | # Maximum number of boolean expressions in a if statement | |
463 | # Maximum number of boolean expressions in an if statement (see R0916). | |
400 | 464 | max-bool-expr=5 |
401 | 465 | |
402 | # Maximum number of branch for function / method body | |
466 | # Maximum number of branch for function / method body. | |
403 | 467 | max-branches=12 |
404 | 468 | |
405 | # Maximum number of locals for function / method body | |
469 | # Maximum number of locals for function / method body. | |
406 | 470 | max-locals=15 |
407 | 471 | |
408 | 472 | # Maximum number of parents for a class (see R0901). |
411 | 475 | # Maximum number of public methods for a class (see R0904). |
412 | 476 | max-public-methods=20 |
413 | 477 | |
414 | # Maximum number of return / yield for function / method body | |
478 | # Maximum number of return / yield for function / method body. | |
415 | 479 | max-returns=6 |
416 | 480 | |
417 | # Maximum number of statements in function / method body | |
481 | # Maximum number of statements in function / method body. | |
418 | 482 | max-statements=50 |
419 | 483 | |
420 | 484 | # Minimum number of public methods for a class (see R0903). |
424 | 488 | [CLASSES] |
425 | 489 | |
426 | 490 | # List of method names used to declare (i.e. assign) instance attributes. |
427 | defining-attr-methods=__init__,__new__,setUp | |
491 | defining-attr-methods=__init__, | |
492 | __new__, | |
493 | setUp, | |
494 | __post_init__ | |
428 | 495 | |
429 | 496 | # List of member names, which should be excluded from the protected access |
430 | 497 | # warning. |
431 | exclude-protected=_asdict,_fields,_replace,_source,_make | |
498 | exclude-protected=_asdict, | |
499 | _fields, | |
500 | _replace, | |
501 | _source, | |
502 | _make | |
432 | 503 | |
433 | 504 | # List of valid names for the first argument in a class method. |
434 | 505 | valid-classmethod-first-arg=cls |
435 | 506 | |
436 | 507 | # List of valid names for the first argument in a metaclass class method. |
437 | valid-metaclass-classmethod-first-arg=mcs | |
508 | valid-metaclass-classmethod-first-arg=cls | |
438 | 509 | |
439 | 510 | |
440 | 511 | [IMPORTS] |
512 | ||
513 | # List of modules that can be imported at any level, not just the top level | |
514 | # one. | |
515 | allow-any-import-level= | |
441 | 516 | |
442 | 517 | # Allow wildcard imports from modules that define __all__. |
443 | 518 | allow-wildcard-with-all=no |
447 | 522 | # only in one or another interpreter, leading to false positives when analysed. |
448 | 523 | analyse-fallback-blocks=no |
449 | 524 | |
450 | # Deprecated modules which should not be used, separated by a comma | |
525 | # Deprecated modules which should not be used, separated by a comma. | |
451 | 526 | deprecated-modules=optparse,tkinter.tix |
452 | 527 | |
453 | 528 | # Create a graph of external dependencies in the given file (report RP0402 must |
454 | # not be disabled) | |
529 | # not be disabled). | |
455 | 530 | ext-import-graph= |
456 | 531 | |
457 | 532 | # Create a graph of every (i.e. internal and external) dependencies in the |
458 | # given file (report RP0402 must not be disabled) | |
533 | # given file (report RP0402 must not be disabled). | |
459 | 534 | import-graph= |
460 | 535 | |
461 | 536 | # Create a graph of internal dependencies in the given file (report RP0402 must |
462 | # not be disabled) | |
537 | # not be disabled). | |
463 | 538 | int-import-graph= |
464 | 539 | |
465 | 540 | # Force import order to recognize a module as part of the standard |
469 | 544 | # Force import order to recognize a module as part of a third party library. |
470 | 545 | known-third-party=enchant |
471 | 546 | |
547 | # Couples of modules and preferred modules, separated by a comma. | |
548 | preferred-modules= | |
549 | ||
472 | 550 | |
473 | 551 | [EXCEPTIONS] |
474 | 552 | |
475 | 553 | # Exceptions that will emit a warning when being caught. Defaults to |
476 | # "Exception" | |
477 | overgeneral-exceptions=Exception | |
554 | # "BaseException, Exception". | |
555 | overgeneral-exceptions=BaseException, | |
556 | Exception |
0 | matrix: | |
0 | version: ~> 1.0 | |
1 | language: generic | |
2 | arch: amd64 | |
3 | os: linux | |
4 | dist: focal | |
5 | jobs: | |
1 | 6 | include: |
2 | - name: "Pylint on Ubuntu Xenial (16.04) with Python 3.5" | |
3 | env: TARGET="pylint" | |
4 | os: linux | |
5 | dist: xenial | |
6 | sudo: required | |
7 | group: edge | |
8 | language: python | |
9 | python: 3.5 | |
10 | virtualenv: | |
11 | system_site_packages: true | |
12 | - name: "Ubuntu Xenial (16.04) with Python 2.7" | |
13 | env: TARGET="linux-python27" | |
14 | os: linux | |
15 | dist: xenial | |
16 | sudo: required | |
17 | group: edge | |
18 | language: python | |
19 | python: 2.7 | |
20 | virtualenv: | |
21 | system_site_packages: true | |
22 | - name: "Ubuntu Xenial (16.04) with Python 3.5" | |
23 | env: TARGET="linux-python35" | |
24 | os: linux | |
25 | dist: xenial | |
26 | sudo: required | |
27 | group: edge | |
28 | language: python | |
29 | python: 3.5 | |
30 | virtualenv: | |
31 | system_site_packages: true | |
32 | - name: "Fedora Core 29 (Docker) with Python 2.7" | |
33 | env: FEDORA_VERSION="29" | |
34 | os: linux | |
35 | dist: xenial | |
36 | sudo: required | |
37 | group: edge | |
38 | language: python | |
39 | python: 2.7 | |
40 | services: | |
41 | - docker | |
42 | - name: "Fedora Core 29 (Docker) with Python 3.7" | |
43 | env: FEDORA_VERSION="29" | |
44 | os: linux | |
45 | dist: xenial | |
46 | sudo: required | |
7 | - name: "Fedora 31 (Docker) with Python 3.7" | |
8 | env: FEDORA_VERSION="31" | |
47 | 9 | group: edge |
48 | 10 | language: python |
49 | 11 | python: 3.7 |
50 | 12 | services: |
51 | 13 | - docker |
52 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 2.7" | |
53 | env: UBUNTU_VERSION="18.04" | |
54 | os: linux | |
55 | dist: xenial | |
56 | sudo: required | |
14 | - name: "Fedora 32 (Docker) with Python 3.8" | |
15 | env: FEDORA_VERSION="32" | |
57 | 16 | group: edge |
58 | 17 | language: python |
59 | python: 2.7 | |
18 | python: 3.8 | |
60 | 19 | services: |
61 | 20 | - docker |
62 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6" | |
21 | - name: "Fedora 33 (Docker) with Python 3.9" | |
22 | env: FEDORA_VERSION="33" | |
23 | group: edge | |
24 | language: python | |
25 | python: 3.9 | |
26 | services: | |
27 | - docker | |
28 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (amd64)" | |
63 | 29 | env: UBUNTU_VERSION="18.04" |
64 | os: linux | |
65 | dist: xenial | |
66 | sudo: required | |
67 | 30 | group: edge |
68 | 31 | language: python |
69 | 32 | python: 3.6 |
70 | 33 | services: |
71 | 34 | - docker |
72 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 2.7 and tox" | |
73 | env: [TOXENV="py27", UBUNTU_VERSION="18.04"] | |
74 | os: linux | |
75 | dist: xenial | |
76 | sudo: required | |
77 | group: edge | |
78 | language: python | |
79 | python: 2.7 | |
80 | services: | |
81 | - docker | |
82 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.4 and tox" | |
83 | env: [TOXENV="py34", UBUNTU_VERSION="18.04"] | |
84 | os: linux | |
85 | dist: xenial | |
86 | sudo: required | |
87 | group: edge | |
88 | language: python | |
89 | python: 3.4 | |
90 | services: | |
91 | - docker | |
92 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.5 and tox" | |
93 | env: [TOXENV="py35", UBUNTU_VERSION="18.04"] | |
94 | os: linux | |
95 | dist: xenial | |
96 | sudo: required | |
97 | group: edge | |
98 | language: python | |
99 | python: 3.5 | |
100 | services: | |
101 | - docker | |
102 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 and tox" | |
103 | env: [TOXENV="py36", UBUNTU_VERSION="18.04"] | |
104 | os: linux | |
105 | dist: xenial | |
106 | sudo: required | |
35 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (ppc64le)" | |
36 | env: UBUNTU_VERSION="18.04" | |
37 | arch: ppc64le | |
107 | 38 | group: edge |
108 | 39 | language: python |
109 | 40 | python: 3.6 |
110 | 41 | services: |
111 | 42 | - docker |
112 | - name: "Ubuntu Bionic (18.04) (Docker) with Python 3.7 and tox" | |
113 | env: [TOXENV="py37", UBUNTU_VERSION="18.04"] | |
114 | os: linux | |
115 | dist: xenial | |
116 | sudo: required | |
43 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (amd64)" | |
44 | env: UBUNTU_VERSION="20.04" | |
45 | group: edge | |
46 | language: python | |
47 | python: 3.8 | |
48 | services: | |
49 | - docker | |
50 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (ppc64le)" | |
51 | env: UBUNTU_VERSION="20.04" | |
52 | arch: ppc64le | |
53 | group: edge | |
54 | language: python | |
55 | python: 3.8 | |
56 | services: | |
57 | - docker | |
58 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.6 (tox)" | |
59 | env: | |
60 | - TOXENV="py36" | |
61 | - UBUNTU_VERSION="20.04" | |
62 | group: edge | |
63 | language: python | |
64 | python: 3.6 | |
65 | services: | |
66 | - docker | |
67 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.7 (tox)" | |
68 | env: | |
69 | - TOXENV="py37" | |
70 | - UBUNTU_VERSION="20.04" | |
117 | 71 | group: edge |
118 | 72 | language: python |
119 | 73 | python: 3.7 |
120 | 74 | services: |
121 | 75 | - docker |
122 | - name: "MacOS with Python 2.7.10" | |
123 | env: [TARGET="macos-python27", PYTHONPATH="/Library/Python/2.7/site-packages/"] | |
76 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)" | |
77 | env: | |
78 | - TOXENV="py38,coverage,codecov" | |
79 | - UBUNTU_VERSION="20.04" | |
80 | group: edge | |
81 | language: python | |
82 | python: 3.8 | |
83 | services: | |
84 | - docker | |
85 | - name: "Ubuntu Focal (20.04) (Docker) with Python 3.9 (tox)" | |
86 | env: | |
87 | - TOXENV="py39" | |
88 | - UBUNTU_VERSION="20.04" | |
89 | group: edge | |
90 | language: python | |
91 | python: 3.9 | |
92 | services: | |
93 | - docker | |
94 | - name: "Pylint on Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)" | |
95 | env: | |
96 | - TOXENV="pylint" | |
97 | - UBUNTU_VERSION="20.04" | |
98 | group: edge | |
99 | language: python | |
100 | python: 3.8 | |
101 | services: | |
102 | - docker | |
103 | - name: "MacOS 10.14 with Python 3.8 (tox)" | |
104 | env: TOXENV="py38" | |
124 | 105 | os: osx |
125 | osx_image: xcode9.2 | |
126 | language: generic | |
106 | osx_image: xcode11 | |
107 | - name: "MacOS 10.15 with Python 3.8 (tox)" | |
108 | env: TOXENV="py38" | |
109 | os: osx | |
110 | osx_image: xcode12 | |
127 | 111 | install: |
128 | 112 | - ./config/travis/install.sh |
129 | 113 | script: |
130 | - ./config/travis/run_with_timeout.sh 30 ./config/travis/runtests.sh | |
131 | after_success: | |
132 | - if ! test -f /usr/bin/coverage; then sudo ln -s /usr/bin/python-coverage /usr/bin/coverage; fi | |
133 | - if test ${TARGET} = "linux-python27"; then curl -o codecov.sh -s https://codecov.io/bash && /bin/bash ./codecov.sh; fi | |
114 | - ./config/travis/run_with_timeout.sh 45 ./config/travis/runtests.sh |
0 | ## Digital Forensics Artifact Repository Artifact Repository | |
0 | ## Digital Forensics Artifact Repository | |
1 | 1 | |
2 | 2 | A free, community-sourced, machine-readable knowledge base of digital forensic |
3 | 3 | artifacts that the world can use both as an information source and within other |
4 | 4 | tools. |
5 | 5 | |
6 | 6 | If you'd like to use the artifacts in your own tools, **all you need to be able |
7 | to do is read YAML**. That's it, no other dependencies. The Python code in | |
7 | to do is read YAML**. That is it, no other dependencies. The Python code in | |
8 | 8 | this project is just used to validate all the artifacts to make sure they |
9 | follow the specfication. | |
9 | follow the specification. | |
10 | 10 | |
11 | 11 | ### Project status |
12 | 12 | |
13 | [Travis-CI](https://travis-ci.org/) | [AppVeyor](https://ci.appveyor.com) | [Codecov](https://codecov.io/) | |
14 | --- | --- | --- | |
15 | [![Build Status](https://travis-ci.org/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.org/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) | [![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts) | |
16 | ||
13 | [Travis-CI](https://travis-ci.com/) | [AppVeyor](https://ci.appveyor.com) | [Codecov](https://codecov.io/) | |
14 | --- | --- | --- | |
15 | [![Build Status](https://travis-ci.com/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.com/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) | [![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts) | |
17 | 16 | |
18 | 17 | ## Artifact Definitions |
19 | 18 | |
20 | The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data) and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). | |
19 | The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data) | |
20 | and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). | |
21 | 21 | |
22 | As of 2015-11-20 the repository contains: | |
22 | As of 2019-06-10 the repository contains: | |
23 | 23 | |
24 | | **File paths covered** | **487** | | |
24 | | **File paths covered** | **1013** | | |
25 | 25 | | :------------------ | ------: | |
26 | | **Registry keys covered** | **289** | | |
27 | | **Total artifacts** | **345** | | |
26 | | **Registry keys covered** | **635** | | |
27 | | **Total artifacts** | **525** | | |
28 | 28 | |
29 | 29 | **Artifacts by type** |
30 | 30 | |
31 | | ARTIFACT | COMMAND | DIRECTORY | FILE | PATH | REGISTRY_KEY | REGISTRY_VALUE | WMI | | |
32 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
33 | | 14 | 6 | 11 | 191 | 4 | 38 | 65 | 16 | | |
31 | | ARTIFACT_GROUP | COMMAND | DIRECTORY | FILE | PATH | REGISTRY_KEY | REGISTRY_VALUE | WMI | | |
32 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
33 | | 21 | 9 | 14 | 283 | 8 | 50 | 114 | 26 | | |
34 | 34 | |
35 | 35 | **Artifacts by OS** |
36 | 36 | |
37 | | Darwin | Linux | Windows | | |
38 | | :---: | :---: | :---: | | |
39 | | 106 | 75 | 177 | | |
37 | | Darwin | Linux | Windows | | |
38 | | :---: | :---: | :---: | | |
39 | | 33 | 25 | 23 | | |
40 | 40 | |
41 | 41 | **Artifacts by label** |
42 | 42 | |
43 | | Antivirus | Authentication | Browser | Cloud | Cloud Storage | Configuration Files | External Media | ExternalAccount | IM | Logs | Mail | Network | Software | System | Users | iOS | | |
44 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
45 | | 6 | 12 | 18 | 2 | 3 | 34 | 2 | 3 | 4 | 27 | 12 | 7 | 35 | 62 | 59 | 5 | | |
43 | | Antivirus | Authentication | Browser | Cloud | Cloud Storage | Configuration Files | Docker | External Media | ExternalAccount | Hadoop | History Files | Logs | Mail | Network | Software | System | Users | iOS | | |
44 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | |
45 | | 6 | 18 | 21 | 2 | 4 | 41 | 2 | 2 | 3 | 1 | 3 | 46 | 15 | 15 | 43 | 104 | 68 | 5 | | |
46 | 46 | |
47 | 47 | ## Background/History |
48 | 48 | |
63 | 63 | |
64 | 64 | ## External links |
65 | 65 | |
66 | * [ForensicsArtifacts.com ... the definitive database](http://forensicartifacts.com/) | |
67 | 66 | * [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014 |
68 | 67 | |
69 | 68 | ## Contact |
70 | 69 | |
71 | [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts) | |
70 | * [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts) | |
71 | * Artifacts channel of [Open Source DFIR Slack](https://github.com/open-source-dfir/slack) | |
72 | 72 |
0 | 0 | environment: |
1 | 1 | matrix: |
2 | - TARGET: windows_python27 | |
2 | - TARGET: unittests | |
3 | 3 | MACHINE_TYPE: "x86" |
4 | PYTHON: "C:\\Python27" | |
5 | - TARGET: windows_python27 | |
4 | PYTHON: "C:\\Python38" | |
5 | PYTHON_VERSION: "3.8" | |
6 | L2TBINARIES_TRACK: "dev" | |
7 | - TARGET: unittests | |
6 | 8 | MACHINE_TYPE: "amd64" |
7 | PYTHON: "C:\\Python27-x64" | |
8 | - TARGET: windows_python36 | |
9 | MACHINE_TYPE: "x86" | |
10 | PYTHON: "C:\\Python36" | |
11 | - TARGET: windows_python36 | |
12 | MACHINE_TYPE: "amd64" | |
13 | PYTHON: "C:\\Python36-x64" | |
9 | PYTHON: "C:\\Python38-x64" | |
10 | PYTHON_VERSION: "3.8" | |
11 | L2TBINARIES_TRACK: "dev" | |
14 | 12 | |
15 | 13 | install: |
16 | 14 | - cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release' |
17 | - cmd: "%PYTHON%\\python.exe -m pip install --upgrade pip" | |
15 | - cmd: "%PYTHON%\\python.exe -m pip install -U pip setuptools wheel" | |
18 | 16 | - cmd: "%PYTHON%\\python.exe -m pip install pywin32 WMI" |
19 | 17 | - cmd: "%PYTHON%\\python.exe %PYTHON%\\Scripts\\pywin32_postinstall.py -install" |
20 | 18 | - cmd: git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools |
21 | - cmd: if [%TARGET%]==[windows_python27] ( | |
19 | - cmd: IF [%PYTHON_VERSION%]==[3.8] ( | |
22 | 20 | mkdir dependencies && |
23 | 21 | set PYTHONPATH=..\l2tdevtools && |
24 | "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML funcsigs mock pbr six ) | |
25 | - cmd: if [%TARGET%]==[windows_python36] ( | |
26 | mkdir dependencies && | |
27 | set PYTHONPATH=..\l2tdevtools && | |
28 | "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML mock pbr six ) | |
22 | "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track "%L2TBINARIES_TRACK%" PyYAML mock pbr six ) | |
29 | 23 | |
30 | 24 | build: off |
31 | 25 | |
32 | 26 | test_script: |
33 | - cmd: "%PYTHON%\\python.exe run_tests.py" | |
27 | - cmd: IF [%TARGET%]==[unittests] ( | |
28 | "%PYTHON%\\python.exe" run_tests.py && | |
29 | IF EXIST "tests\\end-to-end.py" ( | |
30 | set PYTHONPATH=. && | |
31 | "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) ) |
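Review bot: The dependency download on line 19 is gated on `IF [%PYTHON_VERSION%]==[3.8]`, a value both matrix entries set identically, so the gate is currently vacuous and a future entry with another Python version would silently skip the download and fail later at import time instead of at this step; gating on the target as test_script already does, `- cmd: IF [%TARGET%]==[unittests] (`, keeps the two steps in agreement. The same step fetches MSI dependencies from the `%L2TBINARIES_TRACK%` track, which both entries set to `dev`, through an unpinned clone of l2tdevtools on line 18, so the test environment is whatever both repositories serve on the day; pinning the clone to a tag or commit would make the run reproducible and keep unreviewed changes out of CI.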
0 | 0 | # -*- coding: utf-8 -*- |
1 | 1 | """ForensicArtifacts.com Artifact Repository.""" |
2 | 2 | |
3 | __version__ = '20190320' | |
3 | __version__ = '20201106' |
133 | 133 | separator (Optional[str]): path segment separator. |
134 | 134 | |
135 | 135 | Raises: |
136 | FormatError: when paths is not set. | |
136 | FormatError: when paths is not set or not a list type. | |
137 | 137 | """ |
138 | 138 | if not paths: |
139 | raise errors.FormatError('Missing directory value.') | |
139 | raise errors.FormatError('Missing paths value.') | |
140 | ||
141 | if not isinstance(paths, list): | |
142 | raise errors.FormatError('Invalid paths value, not a list.') | |
140 | 143 | |
141 | 144 | super(DirectorySourceType, self).__init__() |
142 | 145 | self.paths = paths |
168 | 171 | separator (Optional[str]): path segment separator. |
169 | 172 | |
170 | 173 | Raises: |
171 | FormatError: when paths is not set. | |
174 | FormatError: when paths is not set or not a list type. | |
172 | 175 | """ |
173 | 176 | if not paths: |
174 | 177 | raise errors.FormatError('Missing paths value.') |
178 | ||
179 | if not isinstance(paths, list): | |
180 | raise errors.FormatError('Invalid paths value, not a list.') | |
175 | 181 | |
176 | 182 | super(FileSourceType, self).__init__() |
177 | 183 | self.paths = paths |
203 | 209 | separator (Optional[str]): path segment separator. |
204 | 210 | |
205 | 211 | Raises: |
206 | FormatError: when paths is not set. | |
212 | FormatError: when paths is not set or not a list type. | |
207 | 213 | """ |
208 | 214 | if not paths: |
209 | 215 | raise errors.FormatError('Missing paths value.') |
216 | ||
217 | if not isinstance(paths, list): | |
218 | raise errors.FormatError('Invalid paths value, not a list.') | |
210 | 219 | |
211 | 220 | super(PathSourceType, self).__init__() |
212 | 221 | self.paths = paths |
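Review bot: The new `isinstance(paths, list)` check validates only the container, so a definition whose `paths` list holds a nested list or an integer still passes here and would presumably fail somewhere downstream rather than with the FormatError the docstring promises; adding `if not all(isinstance(path, str) for path in paths): raise errors.FormatError('Invalid paths value, not a list of strings.')` after the list check catches it at the source. The two checks are repeated verbatim in the DirectorySourceType, FileSourceType and PathSourceType constructors; a small validation helper on the shared base class would keep the three in step the next time a check is added. All three `__init__` methods begin outside the hunk.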
0 | artifacts (20190320-1) unstable; urgency=low | |
0 | artifacts (20201106-1) unstable; urgency=low | |
1 | 1 | |
2 | 2 | * Auto-generated |
3 | 3 | |
4 | -- Forensic artifacts <forensicartifacts@googlegroups.com> Wed, 20 Mar 2019 05:20:33 +0100⏎ | |
4 | -- Forensic artifacts <forensicartifacts@googlegroups.com> Fri, 06 Nov 2020 05:50:46 +0100⏎ |
1 | 1 | Section: python |
2 | 2 | Priority: extra |
3 | 3 | Maintainer: Forensic artifacts <forensicartifacts@googlegroups.com> |
4 | Build-Depends: debhelper (>= 9), python-all (>= 2.7~), python-setuptools, python3-all (>= 3.4~), python3-setuptools | |
5 | Standards-Version: 3.9.5 | |
6 | X-Python-Version: >= 2.7 | |
7 | X-Python3-Version: >= 3.4 | |
4 | Build-Depends: debhelper (>= 9), dh-python, python3-all (>= 3.6~), python3-setuptools | |
5 | Standards-Version: 4.1.4 | |
6 | X-Python3-Version: >= 3.6 | |
8 | 7 | Homepage: https://github.com/ForensicArtifacts/artifacts |
9 | 8 | |
10 | 9 | Package: artifacts-data |
11 | 10 | Architecture: all |
12 | 11 | Depends: ${misc:Depends} |
13 | 12 | Description: Data files for ForensicArtifacts.com Artifact Repository |
14 | A free, community-sourced, machine-readable knowledge base of forensic | |
15 | artifacts that the world can use both as an information source and within other tools. | |
16 | ||
17 | Package: python-artifacts | |
18 | Architecture: all | |
19 | Depends: artifacts-data (>= ${binary:Version}), python-yaml (>= 3.10), ${python:Depends}, ${misc:Depends} | |
20 | Description: Python 2 module of ForensicArtifacts.com Artifact Repository | |
21 | 13 | A free, community-sourced, machine-readable knowledge base of forensic |
22 | 14 | artifacts that the world can use both as an information source and within other tools. |
23 | 15 | |
30 | 22 | |
31 | 23 | Package: artifacts-tools |
32 | 24 | Architecture: all |
33 | Depends: python-artifacts (>= ${binary:Version}), ${python:Depends}, ${misc:Depends} | |
25 | Depends: python3-artifacts (>= ${binary:Version}), ${python3:Depends}, ${misc:Depends} | |
34 | 26 | Description: Tools of ForensicArtifacts.com Artifact Repository |
35 | 27 | A free, community-sourced, machine-readable knowledge base of forensic |
36 | 28 | artifacts that the world can use both as an information source and within other tools. |
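Review bot: `Priority: extra` on line 2 is kept while Standards-Version is raised to 4.1.4, but Debian Policy 4.0.1 deprecated the `extra` priority in favour of `optional`, so lintian will flag the file as-is; `Priority: optional` is the matching value. The removed python-artifacts stanza also drops `python-yaml` from the runtime dependencies, and the python3-artifacts stanza that should now carry `python3-yaml` lies outside the hunk, so its Depends line could not be checked here.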
0 | usr/lib/python2*/dist-packages/artifacts/*.py | |
1 | usr/lib/python2*/dist-packages/artifacts*.egg-info/* |
0 | 0 | #!/usr/bin/make -f |
1 | 1 | |
2 | 2 | %: |
3 | dh $@ --buildsystem=python_distutils --with=python2,python3 | |
3 | dh $@ --buildsystem=pybuild --with=python3 | |
4 | 4 | |
5 | .PHONY: override_dh_auto_clean | |
6 | override_dh_auto_clean: | |
7 | dh_auto_clean | |
8 | rm -rf build artifacts.egg-info/SOURCES.txt artifacts.egg-info/PKG-INFO | |
5 | .PHONY: override_dh_auto_test | |
6 | override_dh_auto_test: | |
9 | 7 | |
10 | .PHONY: override_dh_auto_build | |
11 | override_dh_auto_build: | |
12 | dh_auto_build | |
13 | set -ex; for python in $(shell py3versions -r); do \ | |
14 | $$python setup.py build; \ | |
15 | done; | |
16 | ||
17 | .PHONY: override_dh_auto_install | |
18 | override_dh_auto_install: | |
19 | dh_auto_install --destdir $(CURDIR) | |
20 | set -ex; for python in $(shell py3versions -r); do \ | |
21 | $$python setup.py install --root=$(CURDIR) --install-layout=deb; \ | |
22 | done; | |
23 |
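Review bot: The new `override_dh_auto_test:` target on line 6 has an empty recipe, so the package build no longer runs the upstream test suite and a regression in the Python 3 port only surfaces after installation; if the tests cannot run in the build environment, a one-line comment such as `# dh_auto_test intentionally disabled: <reason>` records the decision, otherwise invoking `python3 run_tests.py` there restores build-time coverage. The `override_dh_auto_build` target also runs `setup.py build` for every py3 version after `dh_auto_build`, which under the pybuild buildsystem selected on line 3 already builds for each supported interpreter, so the loop appears to duplicate work; that is inferred from the buildsystem switch and worth confirming.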
4 | 4 | # This file is generated by l2tdevtools update-dependencies.py any dependency |
5 | 5 | # related changes should be made in dependencies.ini. |
6 | 6 | |
7 | L2TBINARIES_DEPENDENCIES="PyYAML"; | |
8 | ||
9 | L2TBINARIES_TEST_DEPENDENCIES="funcsigs mock pbr six"; | |
10 | ||
11 | DPKG_PYTHON2_DEPENDENCIES="python-yaml"; | |
12 | ||
13 | DPKG_PYTHON2_TEST_DEPENDENCIES="python-coverage python-funcsigs python-mock python-pbr python-six"; | |
14 | ||
15 | 7 | DPKG_PYTHON3_DEPENDENCIES="python3-yaml"; |
16 | 8 | |
17 | DPKG_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six"; | |
18 | ||
19 | RPM_PYTHON2_DEPENDENCIES="python2-pyyaml"; | |
20 | ||
21 | RPM_PYTHON2_TEST_DEPENDENCIES="python2-funcsigs python2-mock python2-pbr python2-six"; | |
9 | DPKG_PYTHON3_TEST_DEPENDENCIES="python3-coverage python3-distutils python3-mock python3-pbr python3-setuptools python3-six"; | |
22 | 10 | |
23 | 11 | RPM_PYTHON3_DEPENDENCIES="python3-pyyaml"; |
24 | 12 | |
25 | RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-six"; | |
13 | RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six"; | |
26 | 14 | |
27 | 15 | # Exit on error. |
28 | 16 | set -e; |
29 | 17 | |
30 | if test ${TRAVIS_OS_NAME} = "osx"; | |
31 | then | |
32 | git clone https://github.com/log2timeline/l2tbinaries.git -b dev; | |
33 | ||
34 | mv l2tbinaries ../; | |
35 | ||
36 | for PACKAGE in ${L2TBINARIES_DEPENDENCIES}; | |
37 | do | |
38 | echo "Installing: ${PACKAGE}"; | |
39 | sudo /usr/bin/hdiutil attach ../l2tbinaries/macos/${PACKAGE}-*.dmg; | |
40 | sudo /usr/sbin/installer -target / -pkg /Volumes/${PACKAGE}-*.pkg/${PACKAGE}-*.pkg; | |
41 | sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg | |
42 | done | |
43 | ||
44 | for PACKAGE in ${L2TBINARIES_TEST_DEPENDENCIES}; | |
45 | do | |
46 | echo "Installing: ${PACKAGE}"; | |
47 | sudo /usr/bin/hdiutil attach ../l2tbinaries/macos/${PACKAGE}-*.dmg; | |
48 | sudo /usr/sbin/installer -target / -pkg /Volumes/${PACKAGE}-*.pkg/${PACKAGE}-*.pkg; | |
49 | sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg | |
50 | done | |
51 | ||
52 | elif test -n "${FEDORA_VERSION}"; | |
18 | if test -n "${FEDORA_VERSION}"; | |
53 | 19 | then |
54 | 20 | CONTAINER_NAME="fedora${FEDORA_VERSION}"; |
55 | 21 | |
57 | 23 | |
58 | 24 | docker run --name=${CONTAINER_NAME} --detach -i registry.fedoraproject.org/fedora:${FEDORA_VERSION}; |
59 | 25 | |
60 | docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core; | |
26 | # Install dnf-plugins-core and langpacks-en. | |
27 | docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core langpacks-en; | |
61 | 28 | |
29 | # Add additional dnf repositories. | |
62 | 30 | docker exec ${CONTAINER_NAME} dnf copr -y enable @gift/dev; |
63 | 31 | |
64 | 32 | if test -n "${TOXENV}"; |
65 | 33 | then |
66 | docker exec ${CONTAINER_NAME} dnf install -y python3-tox; | |
34 | RPM_PACKAGES="python3-tox"; | |
67 | 35 | |
68 | elif test ${TRAVIS_PYTHON_VERSION} = "2.7"; | |
69 | then | |
70 | docker exec ${CONTAINER_NAME} dnf install -y git python2 ${RPM_PYTHON2_DEPENDENCIES} ${RPM_PYTHON2_TEST_DEPENDENCIES}; | |
71 | 36 | else |
72 | docker exec ${CONTAINER_NAME} dnf install -y git python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES}; | |
37 | RPM_PACKAGES="python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES}"; | |
73 | 38 | fi |
39 | docker exec ${CONTAINER_NAME} dnf install -y ${RPM_PACKAGES}; | |
74 | 40 | |
75 | 41 | docker cp ../artifacts ${CONTAINER_NAME}:/ |
76 | 42 | |
82 | 48 | |
83 | 49 | docker run --name=${CONTAINER_NAME} --detach -i ubuntu:${UBUNTU_VERSION}; |
84 | 50 | |
85 | docker exec ${CONTAINER_NAME} apt-get update -q; | |
86 | docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y locales software-properties-common"; | |
51 | # Install add-apt-repository and locale-gen. | |
52 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q"; | |
53 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y locales software-properties-common"; | |
87 | 54 | |
88 | docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y; | |
89 | ||
90 | docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8; | |
91 | ||
55 | # Add additional apt repositories. | |
92 | 56 | if test -n "${TOXENV}"; |
93 | 57 | then |
94 | 58 | docker exec ${CONTAINER_NAME} add-apt-repository universe; |
95 | 59 | docker exec ${CONTAINER_NAME} add-apt-repository ppa:deadsnakes/ppa -y; |
60 | fi | |
61 | docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y; | |
96 | 62 | |
97 | DPKG_PYTHON="python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev"; | |
63 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q"; | |
98 | 64 | |
99 | docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential ${DPKG_PYTHON} tox"; | |
65 | # Set locale to US English and UTF-8. | |
66 | docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8; | |
100 | 67 | |
101 | elif test ${TRAVIS_PYTHON_VERSION} = "2.7"; | |
68 | # Install packages. | |
69 | if test -n "${TOXENV}"; | |
102 | 70 | then |
103 | docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y git python ${DPKG_PYTHON2_DEPENDENCIES} ${DPKG_PYTHON2_TEST_DEPENDENCIES}"; | |
71 | DPKG_PACKAGES="build-essential curl git python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev tox"; | |
72 | ||
73 | elif test "${TARGET}" = "jenkins3"; | |
74 | then | |
75 | DPKG_PACKAGES="sudo"; | |
104 | 76 | else |
105 | docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y git python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}"; | |
77 | DPKG_PACKAGES="python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}"; | |
106 | 78 | fi |
79 | docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y ${DPKG_PACKAGES}"; | |
107 | 80 | |
108 | 81 | docker cp ../artifacts ${CONTAINER_NAME}:/ |
109 | 82 | |
110 | elif test ${TRAVIS_OS_NAME} = "linux" && test ${TARGET} != "jenkins"; | |
83 | elif test ${TRAVIS_OS_NAME} = "osx"; | |
111 | 84 | then |
112 | sudo rm -f /etc/apt/sources.list.d/travis_ci_zeromq3-source.list; | |
85 | brew update; | |
113 | 86 | |
114 | if test ${TARGET} = "pylint"; | |
115 | then | |
116 | sudo add-apt-repository ppa:gift/pylint3 -y; | |
117 | fi | |
118 | ||
119 | sudo add-apt-repository ppa:gift/dev -y; | |
120 | sudo apt-get update -q; | |
121 | ||
122 | if test ${TRAVIS_PYTHON_VERSION} = "2.7"; | |
123 | then | |
124 | sudo apt-get install -y ${DPKG_PYTHON2_DEPENDENCIES} ${DPKG_PYTHON2_TEST_DEPENDENCIES}; | |
125 | else | |
126 | sudo apt-get install -y ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}; | |
127 | fi | |
128 | if test ${TARGET} = "pylint"; | |
129 | then | |
130 | sudo apt-get install -y pylint; | |
131 | fi | |
87 | # Brew will exit with 1 and print some diagnostic information | |
88 | # to prevent the CI test from failing || true is added. | |
89 | brew install tox || true; | |
132 | 90 | fi |
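Review bot: `brew install tox || true` on line 89 masks a genuinely failed installation as well as the diagnostic exit status the comment describes, and with `set -e` in effect on line 16 a missing tox then surfaces only as a confusing failure in runtests.sh; checking the result afterwards, `tox --version >/dev/null || exit 1;`, keeps the workaround while still failing at the point of the problem. The Fedora and Ubuntu branches both enable third-party development repositories without pinning (`dnf copr -y enable @gift/dev`, `add-apt-repository ppa:gift/dev -y`, `ppa:deadsnakes/ppa`), so the packages under test are whatever those repositories serve on the day; if that is accepted, a comment saying so near line 29 spares the next reader the question. The shebang and any options set before line 4 are outside the hunk.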
0 | #!/bin/bash | |
1 | # | |
2 | # Script to run Python 2 tests on Travis-CI. | |
3 | # | |
4 | # This file is generated by l2tdevtools update-dependencies.py, any dependency | |
5 | # related changes should be made in dependencies.ini. | |
6 | ||
7 | # Exit on error. | |
8 | set -e; | |
9 | ||
10 | python2 ./run_tests.py | |
11 | ||
12 | if test -f tests/end-to-end.py; | |
13 | then | |
14 | PYTHONPATH=. python2 ./tests/end-to-end.py --debug -c config/end-to-end.ini; | |
15 | fi | |
16 | ||
17 | python2 ./setup.py build | |
18 | ||
19 | python2 ./setup.py sdist | |
20 | ||
21 | python2 ./setup.py bdist | |
22 | ||
23 | python2 ./setup.py install |
0 | #!/bin/bash | |
1 | # | |
2 | # Script to run Python 3 tests on Travis-CI. | |
3 | # | |
4 | # This file is generated by l2tdevtools update-dependencies.py, any dependency | |
5 | # related changes should be made in dependencies.ini. | |
6 | ||
7 | # Exit on error. | |
8 | set -e; | |
9 | ||
10 | python3 ./run_tests.py | |
11 | ||
12 | if test -f tests/end-to-end.py; | |
13 | then | |
14 | PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; | |
15 | fi | |
16 | ||
17 | python3 ./setup.py build | |
18 | ||
19 | python3 ./setup.py sdist | |
20 | ||
21 | python3 ./setup.py bdist | |
22 | ||
23 | python3 ./setup.py install |
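Review bot: `python3 ./setup.py install` on line 23 installs into the interpreter's system site-packages with no `--prefix` or `--user`, and a reader of this file alone cannot tell that it is only invoked from inside a disposable container. A header note such as `# Intended for a throwaway CI container: the final step installs system-wide.` records that assumption, or `--prefix="${PWD}/tmp"` as the previous runtests.sh linux branch used would avoid touching the host interpreter if the script is ever run elsewhere.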
7 | 7 | # Exit on error. |
8 | 8 | set -e; |
9 | 9 | |
10 | if test "${TARGET}" = "jenkins"; | |
11 | then | |
12 | ./config/jenkins/linux/run_end_to_end_tests.sh "travis"; | |
13 | ||
14 | elif test "${TARGET}" = "pylint"; | |
15 | then | |
16 | pylint --version | |
17 | ||
18 | for FILE in `find setup.py artifacts config tests tools -name \*.py`; | |
19 | do | |
20 | echo "Checking: ${FILE}"; | |
21 | ||
22 | pylint --rcfile=.pylintrc ${FILE}; | |
23 | done | |
24 | ||
25 | elif test "${TRAVIS_OS_NAME}" = "osx"; | |
26 | then | |
27 | PYTHONPATH=/Library/Python/2.7/site-packages/ /usr/bin/python ./run_tests.py; | |
28 | ||
29 | python ./setup.py build | |
30 | ||
31 | python ./setup.py sdist | |
32 | ||
33 | python ./setup.py bdist | |
34 | ||
35 | if test -f tests/end-to-end.py; | |
36 | then | |
37 | PYTHONPATH=. python ./tests/end-to-end.py --debug -c config/end-to-end.ini; | |
38 | fi | |
39 | ||
40 | elif test -n "${FEDORA_VERSION}"; | |
10 | if test -n "${FEDORA_VERSION}"; | |
41 | 11 | then |
42 | 12 | CONTAINER_NAME="fedora${FEDORA_VERSION}"; |
13 | CONTAINER_OPTIONS="-e LANG=C.utf8"; | |
43 | 14 | |
44 | 15 | if test -n "${TOXENV}"; |
45 | 16 | then |
46 | docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && tox -e ${TOXENV}"; | |
47 | ||
48 | elif test ${TRAVIS_PYTHON_VERSION} = "2.7"; | |
49 | then | |
50 | docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python2 run_tests.py"; | |
17 | TEST_COMMAND="tox -e ${TOXENV}"; | |
51 | 18 | else |
52 | docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python3 run_tests.py"; | |
19 | TEST_COMMAND="./config/travis/run_python3.sh"; | |
53 | 20 | fi |
21 | # Note that exec options need to be defined before the container name. | |
22 | docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}"; | |
54 | 23 | |
55 | 24 | elif test -n "${UBUNTU_VERSION}"; |
56 | 25 | then |
57 | 26 | CONTAINER_NAME="ubuntu${UBUNTU_VERSION}"; |
27 | CONTAINER_OPTIONS="-e LANG=en_US.UTF-8"; | |
58 | 28 | |
59 | 29 | if test -n "${TOXENV}"; |
60 | 30 | then |
61 | docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && tox -e ${TOXENV}"; | |
31 | # Also see: https://docs.codecov.io/docs/testing-with-docker | |
32 | curl -o codecov_env.sh -s https://codecov.io/env; | |
62 | 33 | |
63 | elif test ${TRAVIS_PYTHON_VERSION} = "2.7"; | |
34 | # Generates a series of -e options. | |
35 | CODECOV_ENV=$(/bin/bash ./codecov_env.sh); | |
36 | ||
37 | CONTAINER_OPTIONS="${CODECOV_ENV} ${CONTAINER_OPTIONS}"; | |
38 | ||
39 | TEST_COMMAND="tox -e ${TOXENV}"; | |
40 | ||
41 | elif test "${TARGET}" = "jenkins3"; | |
64 | 42 | then |
65 | docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python2 run_tests.py"; | |
43 | TEST_COMMAND="./config/jenkins/linux/run_end_to_end_tests_py3.sh travis"; | |
66 | 44 | else |
67 | docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python3 run_tests.py"; | |
45 | TEST_COMMAND="./config/travis/run_python3.sh"; | |
68 | 46 | fi |
47 | # Note that exec options need to be defined before the container name. | |
48 | docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}"; | |
69 | 49 | |
70 | elif test "${TRAVIS_OS_NAME}" = "linux"; | |
50 | elif test "${TARGET}" = "dockerfile"; | |
71 | 51 | then |
72 | COVERAGE="/usr/bin/coverage"; | |
52 | SOURCE_PATH=${PWD}; | |
53 | CONTAINER_NAME="test"; | |
73 | 54 | |
74 | if ! test -x "${COVERAGE}"; | |
75 | then | |
76 | # Ubuntu has renamed coverage. | |
77 | COVERAGE="/usr/bin/python-coverage"; | |
78 | fi | |
55 | cd config/docker | |
79 | 56 | |
80 | if test -n "${TOXENV}"; | |
81 | then | |
82 | tox --sitepackages ${TOXENV}; | |
57 | docker build --build-arg PPA_TRACK="dev" -f Dockerfile -t ${CONTAINER_NAME} . | |
83 | 58 | |
84 | elif test "${TRAVIS_PYTHON_VERSION}" = "2.7"; | |
85 | then | |
86 | ${COVERAGE} erase | |
87 | ${COVERAGE} run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" ./run_tests.py | |
88 | else | |
89 | python ./run_tests.py | |
59 | # TODO: add tests | |
90 | 60 | |
91 | python ./setup.py build | |
61 | elif test "${TRAVIS_OS_NAME}" = "osx"; | |
62 | then | |
63 | # Set the following environment variables to build pycrypto and yara-python. | |
64 | export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}"; | |
65 | export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}"; | |
66 | export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS"; | |
92 | 67 | |
93 | python ./setup.py sdist | |
68 | # Set the following environment variables to ensure tox can find Python 3.8. | |
69 | export PATH="/usr/local/opt/python@3.8/bin:${PATH}"; | |
94 | 70 | |
95 | python ./setup.py bdist | |
96 | ||
97 | TMPDIR="${PWD}/tmp"; | |
98 | TMPSITEPACKAGES="${TMPDIR}/lib/python${TRAVIS_PYTHON_VERSION}/site-packages"; | |
99 | ||
100 | mkdir -p ${TMPSITEPACKAGES}; | |
101 | ||
102 | PYTHONPATH=${TMPSITEPACKAGES} python ./setup.py install --prefix=${TMPDIR}; | |
103 | ||
104 | if test -f tests/end-to-end.py; | |
105 | then | |
106 | PYTHONPATH=. python ./tests/end-to-end.py --debug -c config/end-to-end.ini; | |
107 | fi | |
108 | fi | |
71 | tox -e ${TOXENV}; | |
109 | 72 | fi |
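Review bot: Lines 32–35 download `https://codecov.io/env` with `curl -s` and immediately execute it with `/bin/bash`, with no `-f`, so a failed or intercepted download still leaves a file that is run, and its output is then spliced unquoted into the `docker exec` options; this is remote code executed in the CI job with no integrity check. At minimum use `curl -fsS -o codecov_env.sh https://codecov.io/env;` so HTTP errors abort under `set -e`, and verify the file against a pinned digest before running it, `echo "<EXPECTED_SHA256>  codecov_env.sh" | sha256sum -c -;` (digest recorded when the script is vetted); since per the comment on line 34 the helper only emits `-e` options for known CI variables, building that list in this script would remove the download altogether. The `dockerfile` branch on lines 50–59 builds the image but its `# TODO: add tests` leaves the target with no assertion, so a broken image currently passes.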
13 | 13 | - type: FILE |
14 | 14 | attributes: |
15 | 15 | paths: |
16 | - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**' | |
17 | - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**' | |
16 | - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**' | |
17 | - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**' | |
18 | 18 | separator: '\' |
19 | 19 | supported_os: [Windows] |
20 | 20 | labels: [Antivirus] |
21 | --- | |
22 | name: WindowsDefenderExclusions | |
23 | doc: | | |
24 | Directories, processes, and extensions configured not to be scanned by Windows Defender. | |
25 | ||
26 | Certain malware families (for example, Tofsee) are known to add | |
27 | directories to the Paths list in order to avoid being detected by | |
28 | Windows Defender. | |
29 | sources: | |
30 | - type: REGISTRY_KEY | |
31 | attributes: | |
32 | keys: | |
33 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Paths\*' | |
34 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Processes\*' | |
35 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Extensions\*' | |
36 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*' | |
37 | supported_os: [Windows] | |
38 | urls: | |
39 | - 'https://blog.malwarebytes.com/detections/pum-optional-msexclusion/' | |
40 | - 'https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e' | |
41 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' | |
21 | 42 | --- |
22 | 43 | name: SophosAVLogs |
23 | 44 | doc: Sophos Anti-Virus log files. |
53 | 74 | - type: FILE |
54 | 75 | attributes: |
55 | 76 | paths: |
56 | - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log' | |
57 | - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log' | |
77 | - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log' | |
78 | - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log' | |
79 | - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log' | |
58 | 80 | separator: '\' |
59 | 81 | supported_os: [Windows] |
60 | 82 | supported_os: [Windows] |
65 | 87 | sources: |
66 | 88 | - type: FILE |
67 | 89 | attributes: |
68 | paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn'] | |
90 | paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5\*.vbn'] | |
69 | 91 | separator: '\' |
70 | 92 | supported_os: [Windows] |
71 | 93 | supported_os: [Windows] |
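Review bot: The new WindowsDefenderExclusions definition on lines 22–41 carries no `labels` entry, while the neighbouring Defender quarantine definition has `labels: [Antivirus]`, so it will be missed by label-based collection and the README's per-label counts; adding `labels: [Antivirus]` after `supported_os: [Windows]` on line 37 keeps it consistent with its siblings. The doc block explains why the keys matter for detection, which is useful; naming the Windows versions the key layout was verified on would help readers judge coverage, since the definition is otherwise unqualified.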
20 | 20 | - type: FILE |
21 | 21 | attributes: |
22 | 22 | paths: |
23 | - '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist' | |
24 | - '%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist' | |
23 | - '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist' | |
24 | - '%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist' | |
25 | 25 | separator: '/' |
26 | 26 | supported_os: [Darwin] |
27 | 27 | - type: REGISTRY_VALUE |
28 | 28 | attributes: |
29 | 29 | key_value_pairs: |
30 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\File MRU', value: 'Item *'} | |
31 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\Place MRU', value: 'Item *'} | |
30 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\File MRU', value: 'Item *'} | |
31 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\Place MRU', value: 'Item *'} | |
32 | 32 | supported_os: [Windows] |
33 | 33 | supported_os: [Darwin, Windows] |
34 | 34 | urls: ['https://github.com/mac4n6/macMRU-Parser'] |
39 | 39 | - type: FILE |
40 | 40 | attributes: |
41 | 41 | paths: |
42 | - '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pab' | |
43 | - '%%users.homedir%%/Documents/Outlook Files/*.pab' | |
44 | separator: '/' | |
42 | - '%%users.localappdata%%\Microsoft\Outlook\*.pab' | |
43 | - '%%users.userprofile%%\Documents\Outlook Files\*.pab' | |
44 | separator: '\' | |
45 | 45 | labels: [Users, Mail] |
46 | 46 | supported_os: [Windows] |
47 | urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)'] | |
47 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)'] | |
48 | 48 | --- |
49 | 49 | name: MicrosoftOutlookPSTFiles |
50 | 50 | doc: Microsoft Outlook PST Files |
52 | 52 | - type: FILE |
53 | 53 | attributes: |
54 | 54 | paths: |
55 | - '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pst' | |
56 | - '%%users.homedir%%/Documents/Outlook Files/*.pst' | |
57 | separator: '/' | |
55 | - '%%users.localappdata%%\Microsoft\Outlook\*.pst' | |
56 | - '%%users.userprofile%%\Documents\Outlook Files\*.pst' | |
57 | separator: '\' | |
58 | 58 | labels: [Users, Mail] |
59 | 59 | supported_os: [Windows] |
60 | urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)'] | |
60 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)'] | |
61 | 61 | --- |
62 | 62 | name: MicrosoftOutlookOSTFiles |
63 | 63 | doc: Microsoft Outlook OST Files |
65 | 65 | - type: FILE |
66 | 66 | attributes: |
67 | 67 | paths: |
68 | - '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.ost' | |
69 | - '%%users.homedir%%/Documents/Outlook Files/*.ost' | |
70 | separator: '/' | |
68 | - '%%users.localappdata%%\Microsoft\Outlook\*.ost' | |
69 | - '%%users.userprofile%%\Documents\Outlook Files\*.ost' | |
70 | separator: '\' | |
71 | 71 | labels: [Users, Mail] |
72 | 72 | supported_os: [Windows] |
73 | urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)'] | |
73 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)'] | |
74 | 74 | --- |
75 | 75 | name: WinRARExternalViewer |
76 | 76 | doc: Executable run when a file is opened by WinRAR inside an archive. |
5 | 5 | - type: ARTIFACT_GROUP |
6 | 6 | attributes: |
7 | 7 | names: |
8 | - 'DropboxClient' | |
9 | - 'GoogleDriveClient' | |
10 | - 'SkyDriveClient' | |
8 | - 'DropboxClient' | |
9 | - 'GoogleDriveClient' | |
10 | - 'SkyDriveClient' | |
11 | 11 | labels: [Cloud Storage] |
12 | 12 | supported_os: [Darwin,Linux,Windows] |
13 | 13 | --- |
17 | 17 | - type: FILE |
18 | 18 | attributes: |
19 | 19 | paths: |
20 | - '%%users.appdata%%\Dropbox\*.db*' | |
21 | - '%%users.localappdata%%\Dropbox\*.db*' | |
20 | - '%%users.appdata%%\Dropbox\*.db*' | |
21 | - '%%users.localappdata%%\Dropbox\*.db*' | |
22 | 22 | separator: '\' |
23 | 23 | supported_os: [Windows] |
24 | 24 | - type: FILE |
25 | 25 | attributes: |
26 | 26 | paths: |
27 | - '%%users.homedir%%/.dropbox/*.db*' | |
27 | - '%%users.homedir%%/.dropbox/*.db*' | |
28 | 28 | supported_os: [Darwin,Linux] |
29 | 29 | supported_os: [Darwin,Linux,Windows] |
30 | 30 | labels: [Cloud Storage] |
31 | urls: ['http://www.forensicswiki.org/wiki/Dropbox'] | |
31 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Dropbox'] | |
32 | 32 | --- |
33 | 33 | name: GoogleDriveClient |
34 | 34 | doc: Google Drive cloud storage client artifacts. |
36 | 36 | - type: FILE |
37 | 37 | attributes: |
38 | 38 | paths: |
39 | - '%%users.localappdata%%\Google\Drive\snapshot.db' | |
40 | - '%%users.localappdata%%\Google\Drive\sync_config.db' | |
41 | - '%%users.localappdata%%\Google\Drive\sync_config.log*' | |
42 | - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db' | |
43 | - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db' | |
44 | - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*' | |
39 | - '%%users.localappdata%%\Google\Drive\snapshot.db' | |
40 | - '%%users.localappdata%%\Google\Drive\sync_config.db' | |
41 | - '%%users.localappdata%%\Google\Drive\sync_config.log*' | |
42 | - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db' | |
43 | - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db' | |
44 | - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*' | |
45 | 45 | separator: '\' |
46 | 46 | supported_os: [Windows] |
47 | 47 | - type: FILE |
48 | 48 | attributes: |
49 | 49 | paths: |
50 | - '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db' | |
51 | - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db' | |
52 | - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*' | |
53 | - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db' | |
54 | - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db' | |
55 | - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*' | |
50 | - '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db' | |
51 | - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db' | |
52 | - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*' | |
53 | - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db' | |
54 | - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db' | |
55 | - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*' | |
56 | 56 | supported_os: [Darwin] |
57 | 57 | supported_os: [Darwin, Windows] |
58 | 58 | labels: [Cloud Storage] |
59 | urls: ['http://www.forensicswiki.org/wiki/Google_Drive'] | |
59 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Drive'] | |
60 | 60 | --- |
61 | 61 | name: SkyDriveClient |
62 | 62 | doc: | |
67 | 67 | - type: FILE |
68 | 68 | attributes: |
69 | 69 | paths: |
70 | - '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log' | |
71 | - '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log' | |
72 | - '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml' | |
73 | - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat' | |
74 | - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini' | |
70 | - '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log' | |
71 | - '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log' | |
72 | - '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml' | |
73 | - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat' | |
74 | - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini' | |
75 | 75 | separator: '\' |
76 | 76 | supported_os: [Windows] |
77 | 77 | supported_os: [Windows] |
78 | 78 | labels: [Cloud Storage] |
79 | urls: ['http://forensicswiki.org/wiki/One_Drive#Sky_Drive_client'] | |
79 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=One_Drive#Sky_Drive_client'] |
0 | 0 | # Configuration file artifacts. |
1 | 1 | |
2 | name: JupyterConfigFile | |
3 | doc: Jupyter notebook configuration file | |
4 | sources: | |
5 | - type: FILE | |
6 | attributes: {paths: ['%%users.homedir%%/.jupyter/jupyter_notebook_config.py']} | |
7 | labels: [Configuration Files] | |
8 | supported_os: [Linux] | |
9 | --- | |
2 | 10 | name: NfsExportsFile |
3 | 11 | doc: NFS Exports configuration |
4 | 12 | sources: |
13 | 21 | supported_os: [Linux] |
14 | 22 | labels: [Configuration Files] |
15 | 23 | supported_os: [Linux, Darwin] |
24 | --- | |
25 | name: RedisConfigFile | |
26 | doc: Redis configuration file | |
27 | sources: | |
28 | - type: FILE | |
29 | attributes: | |
30 | paths: | |
31 | - '%%environ_programfiles%%\Redis\conf\redis.windows.conf' | |
32 | - '%%environ_programfiles%%\Redis\conf\redis.conf' | |
33 | separator: '\' | |
34 | supported_os: [Windows] | |
35 | - type: FILE | |
36 | attributes: | |
37 | paths: | |
38 | - '/etc/redis/redis.conf' | |
39 | supported_os: [Linux] | |
40 | - type: FILE | |
41 | attributes: | |
42 | paths: | |
43 | - '/etc/redis/redis.conf' | |
44 | - '/private/etc/redis/redis.conf' | |
45 | supported_os: [Darwin] | |
46 | labels: [Configuration Files] | |
47 | supported_os: [Darwin, Linux, Windows] | |
16 | 48 | --- |
17 | 49 | name: SshdConfigFile |
18 | 50 | doc: Sshd configuration |
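Review bot: JupyterConfigFile, added at the top of this section, is limited to `supported_os: [Linux]` although the only path it collects, `%%users.homedir%%/.jupyter/jupyter_notebook_config.py`, is Jupyter's default per-user config location on macOS as well, so `supported_os: [Darwin, Linux]` would be consistent with the widening just applied to NfsExportsFile a few lines below. The doc line could also record why a collector wants this file, since it is not a passive settings file but Python code the notebook server imports on startup: `doc: Jupyter notebook configuration file (Python code loaded when the notebook server starts).` The RedisConfigFile entry looks fine; its `/etc` plus `/private/etc` pairing on Darwin matches the pattern the rest of the repository uses.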
99 | 99 | - type: ARTIFACT_GROUP |
100 | 100 | attributes: |
101 | 101 | names: |
102 | - PythonDistInfo | |
103 | - PythonEggInfo | |
104 | - PythonWheelInfo | |
102 | - PythonDistInfo | |
103 | - PythonEggInfo | |
104 | - PythonWheelInfo | |
105 | 105 | labels: [Software] |
106 | 106 | --- |
107 | 107 | name: PythonWheelInfo |
8 | 8 | supported_os: [Darwin] |
9 | 9 | supported_os: [Darwin] |
10 | 10 | urls: |
11 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
12 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' | |
11 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
12 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype' | |
13 | 13 | --- |
14 | 14 | name: SkypeDb |
15 | 15 | doc: Main Skype database |
20 | 20 | supported_os: [Darwin] |
21 | 21 | supported_os: [Darwin] |
22 | 22 | urls: |
23 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
24 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' | |
23 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
24 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype' | |
25 | 25 | --- |
26 | 26 | name: SkypeMainDirectory |
27 | 27 | doc: Skype Directory |
41 | 41 | supported_os: [Darwin] |
42 | 42 | supported_os: [Darwin] |
43 | 43 | urls: |
44 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
45 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' | |
44 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
45 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype' | |
46 | 46 | --- |
47 | 47 | name: SkypeUserProfile |
48 | 48 | doc: Skype User profile |
53 | 53 | supported_os: [Darwin] |
54 | 54 | supported_os: [Darwin] |
55 | 55 | urls: |
56 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
57 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'⏎ | |
56 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
57 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype'⏎ |
11 | 11 | - type: FILE |
12 | 12 | attributes: |
13 | 13 | paths: |
14 | - '%%users.appdata%%\Sun\Java\Deployment\cache\**' | |
15 | - '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**' | |
14 | - '%%users.appdata%%\Sun\Java\Deployment\cache\**' | |
15 | - '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**' | |
16 | 16 | separator: '\' |
17 | 17 | supported_os: [Windows] |
18 | 18 | supported_os: [Windows, Linux, Darwin] |
5 | 5 | - type: FILE |
6 | 6 | attributes: |
7 | 7 | paths: |
8 | - /Applications/.DS_Store.app/**10 | |
9 | - /Library/LaunchAgents/com.apple.launchport.plist | |
8 | - /Applications/.DS_Store.app/**10 | |
9 | - /Library/LaunchAgents/com.apple.launchport.plist | |
10 | 10 | supported_os: [Darwin] |
11 | 11 | urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] |
12 | 12 | --- |
16 | 16 | - type: ARTIFACT_GROUP |
17 | 17 | attributes: |
18 | 18 | names: |
19 | - KasperskyCaretoWindowsFiles | |
20 | - KasperskyCaretoWindowsRegKeys | |
21 | - KasperskyCaretoDarwinFiles | |
19 | - KasperskyCaretoWindowsFiles | |
20 | - KasperskyCaretoWindowsRegKeys | |
21 | - KasperskyCaretoDarwinFiles | |
22 | 22 | supported_os: [Windows, Darwin] |
23 | 23 | urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] |
24 | 24 | --- |
28 | 28 | - type: FILE |
29 | 29 | attributes: |
30 | 30 | paths: |
31 | - '%%environ_systemroot%%\System32\objframe.dll' | |
32 | - '%%environ_systemroot%%\System32\shlink32.dll' | |
33 | - '%%environ_systemroot%%\System32\shlink64.dll' | |
34 | - '%%environ_systemroot%%\System32\cdllait32.dll' | |
35 | - '%%environ_systemroot%%\System32\cdllait64.dll' | |
36 | - '%%environ_systemroot%%\System32\cdlluninstallws32.dll' | |
37 | - '%%environ_systemroot%%\System32\cdlluninstallws64.dll' | |
38 | - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll' | |
39 | - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll' | |
40 | - '%%environ_systemroot%%\System32\c_50225.nls' | |
41 | - '%%environ_systemroot%%\System32\c_50227.nls' | |
42 | - '%%environ_systemroot%%\System32\c_50229.nls' | |
43 | - '%%environ_systemroot%%\System32\c_51932.nls' | |
44 | - '%%environ_systemroot%%\System32\c_51936.nls' | |
45 | - '%%environ_systemroot%%\System32\c_51949.nls' | |
46 | - '%%environ_systemroot%%\System32\c_51950.nls' | |
47 | - '%%environ_systemroot%%\System32\c_57002.nls' | |
48 | - '%%environ_systemroot%%\System32\c_57006.nls' | |
49 | - '%%environ_systemroot%%\System32\c_57008.nls' | |
50 | - '%%environ_systemroot%%\System32\c_57010.nls' | |
51 | - '%%environ_systemroot%%\System32\cdgext32.dll' | |
52 | - '%%environ_systemroot%%\System32\cfgbkmgrs.dll' | |
53 | - '%%environ_systemroot%%\System32\cfgmgr64.dll' | |
54 | - '%%environ_systemroot%%\System32\comsvrpcs.dll' | |
55 | - '%%environ_systemroot%%\System32\d3dx8_20.dll' | |
56 | - '%%environ_systemroot%%\System32\dllcomm.dll' | |
57 | - '%%environ_systemroot%%\System32\drivers\wmimgr.sys' | |
58 | - '%%environ_systemroot%%\System32\drvinfo.bin' | |
59 | - '%%environ_systemroot%%\System32\FCache.bin' | |
60 | - '%%environ_systemroot%%\System32\FFExtendedCommand.dll' | |
61 | - '%%environ_systemroot%%\System32\gpktcsp32.dll' | |
62 | - '%%environ_systemroot%%\System32\HPQueue.bin' | |
63 | - '%%environ_systemroot%%\System32\LPQueue.bin' | |
64 | - '%%environ_systemroot%%\System32\mdwmnsp.dll' | |
65 | - '%%environ_systemroot%%\System32\rpcdist.dll' | |
66 | - '%%environ_systemroot%%\System32\scsvrft.dll' | |
67 | - '%%environ_systemroot%%\System32\sdptbw.dll' | |
68 | - '%%environ_systemroot%%\System32\slbkbw.dll' | |
69 | - '%%environ_systemroot%%\System32\skypeie6plugin.dll' | |
70 | - '%%environ_systemroot%%\System32\wmspdmgr.dll' | |
71 | - '%%environ_systemroot%%\System32\mfcn30.dll' | |
72 | - '%%environ_systemroot%%\System32\siiw9x.dll' | |
73 | - '%%environ_systemroot%%\System32\nmwcdlog.dll' | |
74 | - '%%environ_systemroot%%\System32\WifiScan.dll' | |
75 | - '%%environ_systemroot%%\System32\awview32.dll' | |
76 | - '%%environ_systemroot%%\System32\awcodc32.dll' | |
77 | - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp' | |
78 | - '%%users.temp%%\~DF23BF45A473C42B56.tmp' | |
79 | - '%%users.temp%%\~DFA0528CD81300F372.tmp' | |
80 | - '%%users.temp%%\~DF8471938479DA49221.tmp' | |
81 | - '%%users.appdata%%\microsoft\c_27803.nls' | |
82 | - '%%users.appdata%%\microsoft\objframe.dll' | |
83 | - '%%users.appdata%%\microsoft\shmgr.dll' | |
31 | - '%%environ_systemroot%%\System32\objframe.dll' | |
32 | - '%%environ_systemroot%%\System32\shlink32.dll' | |
33 | - '%%environ_systemroot%%\System32\shlink64.dll' | |
34 | - '%%environ_systemroot%%\System32\cdllait32.dll' | |
35 | - '%%environ_systemroot%%\System32\cdllait64.dll' | |
36 | - '%%environ_systemroot%%\System32\cdlluninstallws32.dll' | |
37 | - '%%environ_systemroot%%\System32\cdlluninstallws64.dll' | |
38 | - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll' | |
39 | - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll' | |
40 | - '%%environ_systemroot%%\System32\c_50225.nls' | |
41 | - '%%environ_systemroot%%\System32\c_50227.nls' | |
42 | - '%%environ_systemroot%%\System32\c_50229.nls' | |
43 | - '%%environ_systemroot%%\System32\c_51932.nls' | |
44 | - '%%environ_systemroot%%\System32\c_51936.nls' | |
45 | - '%%environ_systemroot%%\System32\c_51949.nls' | |
46 | - '%%environ_systemroot%%\System32\c_51950.nls' | |
47 | - '%%environ_systemroot%%\System32\c_57002.nls' | |
48 | - '%%environ_systemroot%%\System32\c_57006.nls' | |
49 | - '%%environ_systemroot%%\System32\c_57008.nls' | |
50 | - '%%environ_systemroot%%\System32\c_57010.nls' | |
51 | - '%%environ_systemroot%%\System32\cdgext32.dll' | |
52 | - '%%environ_systemroot%%\System32\cfgbkmgrs.dll' | |
53 | - '%%environ_systemroot%%\System32\cfgmgr64.dll' | |
54 | - '%%environ_systemroot%%\System32\comsvrpcs.dll' | |
55 | - '%%environ_systemroot%%\System32\d3dx8_20.dll' | |
56 | - '%%environ_systemroot%%\System32\dllcomm.dll' | |
57 | - '%%environ_systemroot%%\System32\drivers\wmimgr.sys' | |
58 | - '%%environ_systemroot%%\System32\drvinfo.bin' | |
59 | - '%%environ_systemroot%%\System32\FCache.bin' | |
60 | - '%%environ_systemroot%%\System32\FFExtendedCommand.dll' | |
61 | - '%%environ_systemroot%%\System32\gpktcsp32.dll' | |
62 | - '%%environ_systemroot%%\System32\HPQueue.bin' | |
63 | - '%%environ_systemroot%%\System32\LPQueue.bin' | |
64 | - '%%environ_systemroot%%\System32\mdwmnsp.dll' | |
65 | - '%%environ_systemroot%%\System32\rpcdist.dll' | |
66 | - '%%environ_systemroot%%\System32\scsvrft.dll' | |
67 | - '%%environ_systemroot%%\System32\sdptbw.dll' | |
68 | - '%%environ_systemroot%%\System32\slbkbw.dll' | |
69 | - '%%environ_systemroot%%\System32\skypeie6plugin.dll' | |
70 | - '%%environ_systemroot%%\System32\wmspdmgr.dll' | |
71 | - '%%environ_systemroot%%\System32\mfcn30.dll' | |
72 | - '%%environ_systemroot%%\System32\siiw9x.dll' | |
73 | - '%%environ_systemroot%%\System32\nmwcdlog.dll' | |
74 | - '%%environ_systemroot%%\System32\WifiScan.dll' | |
75 | - '%%environ_systemroot%%\System32\awview32.dll' | |
76 | - '%%environ_systemroot%%\System32\awcodc32.dll' | |
77 | - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp' | |
78 | - '%%users.temp%%\~DF23BF45A473C42B56.tmp' | |
79 | - '%%users.temp%%\~DFA0528CD81300F372.tmp' | |
80 | - '%%users.temp%%\~DF8471938479DA49221.tmp' | |
81 | - '%%users.appdata%%\microsoft\c_27803.nls' | |
82 | - '%%users.appdata%%\microsoft\objframe.dll' | |
83 | - '%%users.appdata%%\microsoft\shmgr.dll' | |
84 | 84 | separator: '\' |
85 | 85 | supported_os: [Windows] |
86 | 86 | urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] |
18 | 18 | - type: REGISTRY_KEY |
19 | 19 | attributes: |
20 | 20 | keys: |
21 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' | |
22 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' | |
21 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' | |
22 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' | |
23 | 23 | provides: [environ_allusersprofile] |
24 | 24 | supported_os: [Windows] |
25 | 25 | urls: ['http://support.microsoft.com/kb//214653'] |
31 | 31 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}]} |
32 | 32 | provides: [current_control_set] |
33 | 33 | supported_os: [Windows] |
34 | urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys'] | |
34 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] | |
35 | 35 | --- |
36 | 36 | name: LinuxRelease |
37 | 37 | doc: | |
43 | 43 | - type: FILE |
44 | 44 | attributes: |
45 | 45 | paths: |
46 | - '/etc/enterprise-release' | |
47 | - '/etc/lsb-release' | |
48 | - '/etc/oracle-release' | |
49 | - '/etc/redhat-release' | |
50 | - '/etc/system-release' | |
46 | - '/etc/enterprise-release' | |
47 | - '/etc/lsb-release' | |
48 | - '/etc/oracle-release' | |
49 | - '/etc/redhat-release' | |
50 | - '/etc/system-release' | |
51 | 51 | provides: [os_release, os_major_version, os_minor_version] |
52 | 52 | labels: [Software] |
53 | 53 | supported_os: [Linux] |
61 | 61 | supported_os: [Darwin] |
62 | 62 | provides: [users.username] |
63 | 63 | urls: |
64 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
65 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Users' | |
64 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
65 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users' | |
66 | 66 | --- |
67 | 67 | name: ProgramFiles |
68 | 68 | doc: The %ProgramFiles% environment variable. |
111 | 111 | - type: PATH |
112 | 112 | attributes: |
113 | 113 | paths: |
114 | - '\Windows' | |
115 | - '\WinNT' | |
116 | - '\WINNT35' | |
117 | - '\WTSRV' | |
114 | - '\Windows' | |
115 | - '\WinNT' | |
116 | - '\WINNT35' | |
117 | - '\WTSRV' | |
118 | 118 | separator: '\' |
119 | 119 | - type: REGISTRY_VALUE |
120 | 120 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]} |
146 | 146 | - type: PATH |
147 | 147 | attributes: |
148 | 148 | paths: |
149 | - '\Windows' | |
150 | - '\WinNT' | |
151 | - '\WINNT35' | |
152 | - '\WTSRV' | |
149 | - '\Windows' | |
150 | - '\WinNT' | |
151 | - '\WINNT35' | |
152 | - '\WTSRV' | |
153 | 153 | separator: '\' |
154 | 154 | - type: REGISTRY_VALUE |
155 | 155 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}]} |
171 | 171 | - type: REGISTRY_VALUE |
172 | 172 | attributes: |
173 | 173 | key_value_pairs: |
174 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} | |
174 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} | |
175 | 175 | provides: [environ_allusersappdata] |
176 | 176 | supported_os: [Windows] |
177 | 177 | urls: ['http://environmentvariables.org/ProgramData'] |
192 | 192 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]} |
193 | 193 | provides: [time_zone] |
194 | 194 | supported_os: [Windows] |
195 | urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys'] | |
195 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc'] |
5 | 5 | - type: FILE |
6 | 6 | attributes: |
7 | 7 | paths: |
8 | - '/etc/anacrontab' | |
9 | - '/etc/cron.daily/*' | |
10 | - '/etc/cron.hourly/*' | |
11 | - '/etc/cron.monthly/*' | |
12 | - '/etc/cron.weekly/*' | |
13 | - '/var/spool/anacron/cron.daily' | |
14 | - '/var/spool/anacron/cron.hourly' | |
15 | - '/var/spool/anacron/cron.monthly' | |
16 | - '/var/spool/anacron/cron.weekly' | |
8 | - '/etc/anacrontab' | |
9 | - '/etc/cron.daily/*' | |
10 | - '/etc/cron.hourly/*' | |
11 | - '/etc/cron.monthly/*' | |
12 | - '/etc/cron.weekly/*' | |
13 | - '/var/spool/anacron/cron.daily' | |
14 | - '/var/spool/anacron/cron.hourly' | |
15 | - '/var/spool/anacron/cron.monthly' | |
16 | - '/var/spool/anacron/cron.weekly' | |
17 | 17 | labels: [Configuration Files] |
18 | 18 | supported_os: [Linux] |
19 | 19 | --- |
23 | 23 | - type: FILE |
24 | 24 | attributes: |
25 | 25 | paths: |
26 | - '/etc/apt/sources.list' | |
27 | - '/etc/apt/sources.list.d/*.list' | |
26 | - '/etc/apt/sources.list' | |
27 | - '/etc/apt/sources.list.d/*.list' | |
28 | 28 | labels: [Configuration Files, System] |
29 | 29 | supported_os: [Linux] |
30 | 30 | urls: ['http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html'] |
35 | 35 | - type: FILE |
36 | 36 | attributes: |
37 | 37 | paths: |
38 | - '/etc/apt/trusted.gpg' | |
39 | - '/etc/apt/trusted.gpg.d/*.gpg' | |
40 | - '/etc/apt/trustdb.gpg' | |
41 | - '/usr/share/keyrings/*.gpg' | |
38 | - '/etc/apt/trusted.gpg' | |
39 | - '/etc/apt/trusted.gpg.d/*.gpg' | |
40 | - '/etc/apt/trustdb.gpg' | |
41 | - '/usr/share/keyrings/*.gpg' | |
42 | 42 | labels: [Configuration Files, System] |
43 | 43 | supported_os: [Linux] |
44 | 44 | urls: ['https://wiki.debian.org/SecureApt'] |
49 | 49 | - type: FILE |
50 | 50 | attributes: |
51 | 51 | paths: |
52 | - '/etc/cron.allow' | |
53 | - '/etc/cron.deny' | |
54 | - '/etc/at.allow' | |
55 | - '/etc/at.deny' | |
52 | - '/etc/cron.allow' | |
53 | - '/etc/cron.deny' | |
54 | - '/etc/at.allow' | |
55 | - '/etc/at.deny' | |
56 | 56 | labels: [Configuration Files] |
57 | 57 | supported_os: [Linux] |
58 | 58 | urls: |
59 | - http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html | |
60 | - http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html | |
59 | - http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html | |
60 | - http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html | |
61 | 61 | --- |
62 | 62 | name: DebianPackagesLogFiles |
63 | 63 | doc: Linux dpkg log files. |
65 | 65 | - type: FILE |
66 | 66 | attributes: |
67 | 67 | paths: |
68 | - '/var/log/dpkg.log*' | |
69 | - '/var/log/apt/history.log*' | |
68 | - '/var/log/dpkg.log*' | |
69 | - '/var/log/apt/history.log*' | |
70 | 70 | labels: [Logs] |
71 | 71 | supported_os: [Linux] |
72 | 72 | --- |
102 | 102 | - type: FILE |
103 | 103 | attributes: |
104 | 104 | paths: |
105 | - '/etc/hosts.allow' | |
106 | - '/etc/hosts.deny' | |
105 | - '/etc/hosts.allow' | |
106 | - '/etc/hosts.deny' | |
107 | 107 | labels: [Configuration Files] |
108 | 108 | supported_os: [Linux] |
109 | 109 | --- |
123 | 123 | - type: FILE |
124 | 124 | attributes: |
125 | 125 | paths: |
126 | - '/etc/modules.conf' | |
127 | - '/etc/modprobe.d/*' | |
126 | - '/etc/modules.conf' | |
127 | - '/etc/modprobe.d/*' | |
128 | 128 | supported_os: [Linux] |
129 | 129 | --- |
130 | 130 | name: LinuxAtJobs |
144 | 144 | supported_os: [Linux] |
145 | 145 | --- |
146 | 146 | name: LinuxAuthLogs |
147 | doc: Linux auth log files. | |
148 | sources: | |
149 | - type: FILE | |
150 | attributes: {paths: ['/var/log/auth.log*']} | |
147 | doc: Linux authentication log files. | |
148 | sources: | |
149 | - type: FILE | |
150 | attributes: | |
151 | paths: | |
152 | - '/var/log/auth.log*' | |
153 | - '/var/log/secure.log*' | |
151 | 154 | labels: [Logs, Authentication] |
152 | 155 | supported_os: [Linux] |
153 | 156 | --- |
165 | 168 | - type: FILE |
166 | 169 | attributes: |
167 | 170 | paths: |
168 | - '/etc/crontab' | |
169 | - '/etc/cron.d/*' | |
170 | - '/var/spool/cron/**' | |
171 | - '/etc/crontab' | |
172 | - '/etc/cron.d/*' | |
173 | - '/var/spool/cron/**' | |
171 | 174 | labels: [Configuration Files] |
172 | 175 | supported_os: [Linux] |
173 | 176 | --- |
185 | 188 | - type: FILE |
186 | 189 | attributes: |
187 | 190 | paths: |
188 | - '/etc/enterprise-release' | |
189 | - '/etc/oracle-release' | |
190 | - '/etc/redhat-release' | |
191 | - '/etc/system-release' | |
191 | - '/etc/centos-release' | |
192 | - '/etc/enterprise-release' | |
193 | - '/etc/oracle-release' | |
194 | - '/etc/redhat-release' | |
195 | - '/etc/SuSE-release' | |
196 | - '/etc/system-release' | |
192 | 197 | provides: [os_release, os_major_version, os_minor_version] |
193 | 198 | labels: [Software] |
194 | 199 | supported_os: [Linux] |
217 | 222 | - type: FILE |
218 | 223 | attributes: |
219 | 224 | paths: |
220 | - '/boot/grub/grub.cfg' | |
221 | - '/boot/grub2/grub.cfg' | |
225 | - '/boot/grub/grub.cfg' | |
226 | - '/boot/grub2/grub.cfg' | |
222 | 227 | labels: [System, Configuration Files] |
223 | 228 | supported_os: [Linux] |
224 | 229 | urls: ['https://en.wikipedia.org/wiki/GNU_GRUB'] |
237 | 242 | - type: FILE |
238 | 243 | attributes: |
239 | 244 | paths: |
240 | - '/boot/initramfs*' | |
241 | - '/boot/initrd*' | |
245 | - '/boot/initramfs*' | |
246 | - '/boot/initrd*' | |
242 | 247 | labels: [Configuration Files, System] |
243 | 248 | supported_os: [Linux] |
244 | 249 | urls: |
245 | - 'http://en.wikipedia.org/wiki/Initrd' | |
246 | - 'https://www.kernel.org/doc/Documentation/initrd.txt' | |
250 | - 'http://en.wikipedia.org/wiki/Initrd' | |
251 | - 'https://www.kernel.org/doc/Documentation/initrd.txt' | |
247 | 252 | --- |
248 | 253 | name: LinuxIssueFile |
249 | 254 | doc: Linux prelogin message and identification (issue) file. |
251 | 256 | - type: FILE |
252 | 257 | attributes: |
253 | 258 | paths: |
254 | - '/etc/issue' | |
255 | - '/etc/issue.net' | |
259 | - '/etc/issue' | |
260 | - '/etc/issue.net' | |
256 | 261 | labels: [Configuration Files, System] |
257 | 262 | supported_os: [Linux] |
258 | 263 | urls: ['https://linux.die.net/man/5/issue'] |
273 | 278 | labels: [Logs, Authentication] |
274 | 279 | supported_os: [Linux] |
275 | 280 | --- |
281 | name: LinuxLoaderSystemPreloadFile | |
282 | doc: Linux dynamic linker/loader system-wide preload file (ld.so.preload). | |
283 | sources: | |
284 | - type: FILE | |
285 | attributes: {paths: ['/etc/ld.so.preload']} | |
286 | labels: [Configuration Files] | |
287 | supported_os: [Linux] | |
288 | urls: ['http://man7.org/linux/man-pages/man8/ld.so.8.html'] | |
289 | --- | |
276 | 290 | name: LinuxLSBInit |
277 | 291 | doc: Linux LSB-style init scripts. |
278 | 292 | sources: |
279 | 293 | - type: FILE |
280 | 294 | attributes: |
281 | 295 | paths: |
282 | - '/etc/init.d/*' | |
283 | - '/etc/insserv.conf' | |
284 | - '/etc/insserv.conf.d/**' | |
296 | - '/etc/init.d/*' | |
297 | - '/etc/insserv.conf' | |
298 | - '/etc/insserv.conf.d/**' | |
285 | 299 | labels: [Configuration Files, System] |
286 | 300 | supported_os: [Linux] |
287 | 301 | urls: ['https://wiki.debian.org/LSBInitScripts'] |
328 | 342 | - type: ARTIFACT_GROUP |
329 | 343 | attributes: |
330 | 344 | names: |
331 | - LinuxFstab | |
332 | - LinuxProcMounts | |
345 | - LinuxFstab | |
346 | - LinuxProcMounts | |
333 | 347 | labels: [System, Configuration Files] |
334 | 348 | supported_os: [Linux] |
335 | 349 | --- |
339 | 353 | - type: FILE |
340 | 354 | attributes: |
341 | 355 | paths: |
342 | - '/etc/pam.conf' | |
343 | - '/etc/pam.d' | |
344 | - '/etc/pam.d/*' | |
356 | - '/etc/pam.conf' | |
357 | - '/etc/pam.d' | |
358 | - '/etc/pam.d/*' | |
345 | 359 | labels: [Authentication, Configuration Files] |
346 | 360 | supported_os: [Linux] |
347 | 361 | urls: ['http://www.linux-pam.org/'] |
361 | 375 | name: LinuxReleaseInfo |
362 | 376 | doc: Release information for Linux platforms. |
363 | 377 | sources: |
364 | - type: ARTIFACT_GROUP | |
365 | attributes: | |
366 | names: | |
367 | - LinuxDistributionRelease | |
368 | - LinuxLSBRelease | |
369 | - LinuxSystemdOSRelease | |
378 | - type: ARTIFACT_GROUP | |
379 | attributes: | |
380 | names: | |
381 | - LinuxDistributionRelease | |
382 | - LinuxLSBRelease | |
383 | - LinuxSystemdOSRelease | |
370 | 384 | provides: [os_release, os_major_version, os_minor_version] |
371 | 385 | labels: [Software] |
372 | 386 | supported_os: [Linux] |
377 | 391 | - type: FILE |
378 | 392 | attributes: |
379 | 393 | paths: |
380 | - '/etc/rsyslog.conf' | |
381 | - '/etc/rsyslog.d' | |
382 | - '/etc/rsyslog.d/*' | |
394 | - '/etc/rsyslog.conf' | |
395 | - '/etc/rsyslog.d' | |
396 | - '/etc/rsyslog.d/*' | |
383 | 397 | labels: [Configuration Files, Logs] |
384 | 398 | supported_os: [Linux] |
385 | 399 | urls: ['http://www.rsyslog.com/doc/rsyslog_conf.html'] |
390 | 404 | - type: ARTIFACT_GROUP |
391 | 405 | attributes: |
392 | 406 | names: |
393 | - AnacronFiles | |
394 | - LinuxCronTabs | |
395 | - LinuxAtJobs | |
407 | - AnacronFiles | |
408 | - LinuxCronTabs | |
409 | - LinuxAtJobs | |
396 | 410 | labels: [Configuration Files] |
397 | 411 | supported_os: [Linux] |
398 | 412 | --- |
402 | 416 | - type: ARTIFACT_GROUP |
403 | 417 | attributes: |
404 | 418 | names: |
405 | - LinuxXinetd | |
406 | - LinuxLSBInit | |
407 | - LinuxSysVInit | |
419 | - LinuxXinetd | |
420 | - LinuxLSBInit | |
421 | - LinuxSysVInit | |
422 | - LinuxSystemdServices | |
408 | 423 | labels: [Configuration Files, System] |
409 | 424 | supported_os: [Linux] |
410 | 425 | --- |
417 | 432 | urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt'] |
418 | 433 | supported_os: [Linux] |
419 | 434 | --- |
435 | name: LinuxSudoReplayLogs | |
436 | doc: Linux sudoreplay log files. | |
437 | sources: | |
438 | - type: FILE | |
439 | attributes: {paths: ['/var/log/sudo-io/**']} | |
440 | labels: [Logs, Authentication] | |
441 | supported_os: [Linux] | |
442 | --- | |
420 | 443 | name: LinuxSysLogFiles |
421 | 444 | doc: Linux syslog log files. |
422 | 445 | sources: |
431 | 454 | - type: FILE |
432 | 455 | attributes: |
433 | 456 | paths: |
434 | - '/etc/syslog-ng/syslog-ng.conf' | |
435 | - '/etc/syslog-ng/conf-d/*.conf' | |
457 | - '/etc/syslog-ng/syslog-ng.conf' | |
458 | - '/etc/syslog-ng/conf-d/*.conf' | |
436 | 459 | labels: [Configuration Files, Logs] |
437 | 460 | supported_os: [Linux] |
438 | 461 | urls: ['http://linux.die.net/man/5/syslog-ng.conf'] |
443 | 466 | - type: FILE |
444 | 467 | attributes: |
445 | 468 | paths: |
446 | - '/etc/os-release' | |
447 | - '/usr/lib/os-release' | |
469 | - '/etc/os-release' | |
470 | - '/usr/lib/os-release' | |
448 | 471 | provides: [os_release, os_major_version, os_minor_version] |
449 | 472 | labels: [Software] |
450 | 473 | supported_os: [Linux] |
451 | 474 | urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html'] |
452 | 475 | --- |
476 | name: LinuxSystemdServices | |
477 | doc: Linux systemd service unit files | |
478 | sources: | |
479 | - type: FILE | |
480 | attributes: | |
481 | paths: | |
482 | - '/etc/systemd/system.control/*.service' | |
483 | - '/etc/systemd/systemd.attached/*.service' | |
484 | - '/etc/systemd/system/*.service' | |
485 | - '/etc/systemd/user/*.service' | |
486 | - '/lib/systemd/system/*.service' | |
487 | - '/lib/systemd/user/*.service' | |
488 | - '/run/systemd/generator.early/*.service' | |
489 | - '/run/systemd/generator.late/*.service' | |
490 | - '/run/systemd/generator/*.service' | |
491 | - '/run/systemd/system.control/*.service' | |
492 | - '/run/systemd/systemd.attached/*.service' | |
493 | - '/run/systemd/system/*.service' | |
494 | - '/run/systemd/transient/*.service' | |
495 | - '/run/systemd/user/*.service' | |
496 | - '/run/user/*/systemd/generator.early/*.service' | |
497 | - '/run/user/*/systemd/generator.late/*.service' | |
498 | - '/run/user/*/systemd/generator/*.service' | |
499 | - '/run/user/*/systemd/transient/*.service' | |
500 | - '/run/user/*/systemd/user.control/*.service' | |
501 | - '/run/user/*/systemd/user/*.service' | |
502 | - '/usr/lib/systemd/system/*.service' | |
503 | - '/usr/lib/systemd/user/*.service' | |
504 | - '%%users.homedir%%/.config/systemd/user.control/*.service' | |
505 | - '%%users.homedir%%/.config/systemd/user/*.service' | |
506 | - '%%users.homedir%%/.local/share/systemd/user/*.service' | |
507 | labels: [Configuration Files, System] | |
508 | supported_os: [Linux] | |
509 | urls: ['https://https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path'] | |
510 | --- | |
453 | 511 | name: LinuxSysVInit |
454 | 512 | doc: Services started by sysv-style init scripts. |
455 | 513 | sources: |
456 | 514 | - type: FILE |
457 | 515 | attributes: |
458 | 516 | paths: |
459 | - '/etc/rc*.d' | |
460 | - '/etc/rc*.d/*' | |
461 | - '/etc/rc.d/rc*.d/*' | |
462 | - '/etc/rc.d/init.d/*' | |
517 | - '/etc/rc*.d' | |
518 | - '/etc/rc*.d/*' | |
519 | - '/etc/rc.d/rc*.d/*' | |
520 | - '/etc/rc.d/init.d/*' | |
463 | 521 | labels: [Configuration Files, System] |
464 | 522 | supported_os: [Linux] |
465 | 523 | urls: |
466 | - 'http://savannah.nongnu.org/projects/sysvinit' | |
467 | - 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html' | |
524 | - 'http://savannah.nongnu.org/projects/sysvinit' | |
525 | - 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html' | |
468 | 526 | --- |
469 | 527 | name: LinuxTimezoneFile |
470 | 528 | doc: Linux timezone file. |
480 | 538 | - type: FILE |
481 | 539 | attributes: |
482 | 540 | paths: |
483 | - '/var/log/btmp' | |
484 | - '/var/log/wtmp' | |
485 | - '/var/run/utmp' | |
541 | - '/var/log/btmp' | |
542 | - '/var/log/wtmp' | |
543 | - '/var/run/utmp' | |
486 | 544 | labels: [Logs, Authentication] |
487 | 545 | supported_os: [Linux] |
488 | 546 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] |
503 | 561 | - type: FILE |
504 | 562 | attributes: |
505 | 563 | paths: |
506 | - '/etc/xinetd.conf' | |
507 | - '/etc/xinetd.d/**' | |
564 | - '/etc/xinetd.conf' | |
565 | - '/etc/xinetd.d/**' | |
508 | 566 | labels: [Configuration Files, System] |
509 | 567 | supported_os: [Linux] |
510 | 568 | urls: ['http://en.wikipedia.org/wiki/Xinetd'] |
534 | 592 | - type: FILE |
535 | 593 | attributes: |
536 | 594 | paths: |
537 | - '/etc/netgroup' | |
538 | - '/etc/nsswitch.conf' | |
539 | - '/etc/passwd' | |
540 | - '/etc/shadow' | |
541 | - '/etc/security/access.conf' | |
542 | - '/root/.k5login' | |
595 | - '/etc/netgroup' | |
596 | - '/etc/nsswitch.conf' | |
597 | - '/etc/passwd' | |
598 | - '/etc/shadow' | |
599 | - '/etc/security/access.conf' | |
600 | - '/root/.k5login' | |
543 | 601 | labels: [Authentication, Configuration Files] |
544 | 602 | supported_os: [Linux] |
545 | 603 | --- |
566 | 624 | sources: |
567 | 625 | - type: FILE |
568 | 626 | attributes: |
569 | paths: | |
570 | - '/sys/bus/pci/devices/*/vendor' | |
571 | - '/sys/bus/pci/devices/*/device' | |
572 | - '/sys/bus/pci/devices/*/class' | |
573 | - '/sys/bus/pci/devices/*/config' | |
627 | paths: | |
628 | - '/sys/bus/pci/devices/*/vendor' | |
629 | - '/sys/bus/pci/devices/*/device' | |
630 | - '/sys/bus/pci/devices/*/class' | |
631 | - '/sys/bus/pci/devices/*/config' | |
574 | 632 | labels: [Configuration Files, System] |
575 | 633 | urls: |
576 | - 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci' | |
577 | - 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt' | |
578 | - 'https://wiki.debian.org/HowToIdentifyADevice/PCI' | |
579 | supported_os: [Linux] | |
634 | - 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci' | |
635 | - 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt' | |
636 | - 'https://wiki.debian.org/HowToIdentifyADevice/PCI' | |
637 | supported_os: [Linux] | |
638 | --- | |
639 | name: SecretsServiceDatabaseFile | |
640 | doc: The System Security Services Daemon (SSSD) database file. | |
641 | sources: | |
642 | - type: FILE | |
643 | attributes: | |
644 | paths: | |
645 | - '/var/lib/sss/secrets/secrets.ldb' | |
646 | - '/var/lib/sss/secrets/.secrets.mkey' | |
647 | labels: [System, Configuration Files] | |
648 | supported_os: [Linux] | |
649 | urls: | |
650 | - 'https://docs.pagure.org/SSSD.sssd/design_pages/secrets_service.html' | |
651 | - 'https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html' | |
580 | 652 | --- |
581 | 653 | name: SSHHostPubKeys |
582 | 654 | doc: SSH host public keys |
584 | 656 | - type: FILE |
585 | 657 | attributes: |
586 | 658 | paths: |
587 | - '/etc/ssh/ssh_host_*_key.pub' | |
659 | - '/etc/ssh/ssh_host_*_key.pub' | |
588 | 660 | labels: [Authentication, Configuration Files] |
589 | 661 | supported_os: [Linux] |
590 | 662 | --- |
602 | 674 | - type: FILE |
603 | 675 | attributes: |
604 | 676 | paths: |
605 | - '/etc/yum.conf' | |
606 | - '/etc/yum.repos.d/*.repo' | |
677 | - '/etc/yum.conf' | |
678 | - '/etc/yum.repos.d/*.repo' | |
607 | 679 | labels: [Configuration Files, System] |
608 | 680 | supported_os: [Linux] |
609 | 681 | urls: ['https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Configuring_Yum_and_Yum_Repositories.html'] |
612 | 684 | doc: Zeitgeist user activity database. |
613 | 685 | sources: |
614 | 686 | - type: FILE |
615 | attributes: {paths: ['%%users.homedir%%/.local/share/zeitgeist/activity.sqlite']} | |
687 | attributes: | |
688 | paths: | |
689 | - '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite' | |
690 | - '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite-wal' | |
616 | 691 | labels: [Users, Logs] |
617 | urls: ['http://forensicswiki.org/wiki/Zeitgeist'] | |
618 | supported_os: [Linux] | |
692 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Zeitgeist'] | |
693 | supported_os: [Linux] |
23 | 23 | - type: FILE |
24 | 24 | attributes: |
25 | 25 | paths: |
26 | - '/proc/sys/kernel/bootloader_type' | |
27 | - '/proc/sys/kernel/bootloader_version' | |
26 | - '/proc/sys/kernel/bootloader_type' | |
27 | - '/proc/sys/kernel/bootloader_version' | |
28 | 28 | labels: [System] |
29 | 29 | supported_os: [Linux] |
30 | 30 | urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] |
35 | 35 | - type: FILE |
36 | 36 | attributes: |
37 | 37 | paths: |
38 | - '/proc/sys/kernel/kexec_load_disabled' | |
39 | - '/proc/sys/kernel/modules_disabled' | |
38 | - '/proc/sys/kernel/kexec_load_disabled' | |
39 | - '/proc/sys/kernel/modules_disabled' | |
40 | 40 | labels: [System] |
41 | 41 | supported_os: [Linux] |
42 | 42 | urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] |
56 | 56 | - type: FILE |
57 | 57 | attributes: |
58 | 58 | paths: |
59 | - '/proc/sys/net/ipv*/conf/*/forwarding' | |
60 | - '/proc/sys/net/ipv4/conf/*/mc_forwarding' | |
61 | - '/proc/sys/net/ipv4/ip_forward' | |
59 | - '/proc/sys/net/ipv*/conf/*/forwarding' | |
60 | - '/proc/sys/net/ipv4/conf/*/mc_forwarding' | |
61 | - '/proc/sys/net/ipv4/ip_forward' | |
62 | 62 | labels: [Network, System] |
63 | 63 | supported_os: [Linux] |
64 | 64 | urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] |
69 | 69 | - type: FILE |
70 | 70 | attributes: |
71 | 71 | paths: |
72 | - '/proc/sys/net/ipv*/conf/*/accept_source_route' | |
73 | - '/proc/sys/net/ipv4/conf/*/rp_filter' | |
74 | - '/proc/sys/net/ipv4/conf/*/log_martians' | |
72 | - '/proc/sys/net/ipv*/conf/*/accept_source_route' | |
73 | - '/proc/sys/net/ipv4/conf/*/rp_filter' | |
74 | - '/proc/sys/net/ipv4/conf/*/log_martians' | |
75 | 75 | labels: [Network, System] |
76 | 76 | supported_os: [Linux] |
77 | 77 | urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] |
82 | 82 | - type: FILE |
83 | 83 | attributes: |
84 | 84 | paths: |
85 | - '/proc/sys/net/ipv*/conf/*/accept_redirects' | |
86 | - '/proc/sys/net/ipv4/conf/*/secure_redirects' | |
87 | - '/proc/sys/net/ipv4/conf/*/send_redirects' | |
85 | - '/proc/sys/net/ipv*/conf/*/accept_redirects' | |
86 | - '/proc/sys/net/ipv4/conf/*/secure_redirects' | |
87 | - '/proc/sys/net/ipv4/conf/*/send_redirects' | |
88 | 88 | labels: [Network, System] |
89 | 89 | supported_os: [Linux] |
90 | 90 | urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] |
95 | 95 | - type: FILE |
96 | 96 | attributes: |
97 | 97 | paths: |
98 | - '/proc/net/arp' | |
98 | - '/proc/net/arp' | |
99 | 99 | labels: [Network] |
100 | 100 | supported_os: [Linux] |
101 | 101 | --- |
105 | 105 | - type: FILE |
106 | 106 | attributes: |
107 | 107 | paths: |
108 | - '/proc/mounts' | |
108 | - '/proc/mounts' | |
109 | 109 | labels: [System] |
110 | 110 | supported_os: [Linux] |
111 | 111 | urls: ['https://www.kernel.org/doc/Documentation/filesystems/proc.txt'] |
116 | 116 | - type: ARTIFACT_GROUP |
117 | 117 | attributes: |
118 | 118 | names: |
119 | - 'LinuxASLREnabled' | |
120 | - 'LinuxIgnoreICMPBroadcasts' | |
121 | - 'LinuxKernelBootloader' | |
122 | - 'LinuxKernelModuleTaintStatus' | |
123 | - 'LinuxKernelModuleRestrictions' | |
124 | - 'LinuxNetworkIpForwardingState' | |
125 | - 'LinuxNetworkPathFilteringSettings' | |
126 | - 'LinuxNetworkRedirectState' | |
127 | - 'LinuxRestrictedDmesgReadPrivileges' | |
128 | - 'LinuxRestrictedKernelPointerReadPrivileges' | |
129 | - 'LinuxSecureSuidCoreDumps' | |
130 | - 'LinuxSecureFsLinks' | |
131 | - 'LinuxSyncookieState' | |
119 | - 'LinuxASLREnabled' | |
120 | - 'LinuxIgnoreICMPBroadcasts' | |
121 | - 'LinuxKernelBootloader' | |
122 | - 'LinuxKernelModuleTaintStatus' | |
123 | - 'LinuxKernelModuleRestrictions' | |
124 | - 'LinuxNetworkIpForwardingState' | |
125 | - 'LinuxNetworkPathFilteringSettings' | |
126 | - 'LinuxNetworkRedirectState' | |
127 | - 'LinuxRestrictedDmesgReadPrivileges' | |
128 | - 'LinuxRestrictedKernelPointerReadPrivileges' | |
129 | - 'LinuxSecureSuidCoreDumps' | |
130 | - 'LinuxSecureFsLinks' | |
131 | - 'LinuxSyncookieState' | |
132 | 132 | labels: [System] |
133 | 133 | supported_os: [Linux] |
134 | 134 | --- |
138 | 138 | - type: FILE |
139 | 139 | attributes: |
140 | 140 | paths: |
141 | - '/proc/sys/kernel/dmesg_restrict' | |
141 | - '/proc/sys/kernel/dmesg_restrict' | |
142 | 142 | labels: [System] |
143 | 143 | supported_os: [Linux] |
144 | 144 | urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] |
158 | 158 | - type: FILE |
159 | 159 | attributes: |
160 | 160 | paths: |
161 | - '/proc/sys/fs/protected_hardlinks' | |
162 | - '/proc/sys/fs/protected_symlinks' | |
161 | - '/proc/sys/fs/protected_hardlinks' | |
162 | - '/proc/sys/fs/protected_symlinks' | |
163 | 163 | labels: [System] |
164 | 164 | supported_os: [Linux] |
165 | 165 | urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] |
10 | 10 | labels: [System, Logs] |
11 | 11 | supported_os: [Darwin] |
12 | 12 | urls: |
13 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
14 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
13 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
14 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
15 | 15 | --- |
16 | 16 | name: MacOSApplications |
17 | 17 | doc: Applications |
21 | 21 | labels: [Users, Software] |
22 | 22 | supported_os: [Darwin] |
23 | 23 | urls: |
24 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
25 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
24 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
25 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
26 | 26 | --- |
27 | 27 | name: MacOSApplicationsRecentItems |
28 | 28 | doc: Recent Items application specific |
32 | 32 | labels: [Users, Software] |
33 | 33 | supported_os: [Darwin] |
34 | 34 | urls: |
35 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
36 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' | |
35 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
36 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' | |
37 | 37 | --- |
38 | 38 | name: MacOSApplicationSupport |
39 | 39 | doc: Application Support Directory |
43 | 43 | labels: [Users, Software] |
44 | 44 | supported_os: [Darwin] |
45 | 45 | urls: |
46 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
47 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' | |
46 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
47 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.' | |
48 | 48 | --- |
49 | 49 | name: MacOSAtJobs |
50 | 50 | doc: MacOS at jobs |
54 | 54 | labels: [System] |
55 | 55 | supported_os: [Darwin] |
56 | 56 | urls: |
57 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
58 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
57 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
58 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
59 | 59 | - 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at' |
60 | 60 | --- |
61 | 61 | name: MacOSAuditLogFiles |
69 | 69 | labels: [System, Logs] |
70 | 70 | supported_os: [Darwin] |
71 | 71 | urls: |
72 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
73 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
72 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
73 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
74 | 74 | --- |
75 | 75 | name: MacOSBashHistory |
76 | 76 | doc: Terminal Commands History |
80 | 80 | labels: [Users, Logs] |
81 | 81 | supported_os: [Darwin] |
82 | 82 | urls: |
83 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
84 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' | |
83 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
84 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs' | |
85 | 85 | --- |
86 | 86 | name: MacOSBashSessions |
87 | 87 | doc: Terminal Commands Sessions |
100 | 100 | labels: [System, Logs] |
101 | 101 | supported_os: [Darwin] |
102 | 102 | urls: |
103 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
104 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
103 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
104 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
105 | 105 | --- |
106 | 106 | name: MacOSCoreAnalyticsFiles |
107 | 107 | doc: macOS 10.13 (High Sierra) CoreAnalytics log files. |
115 | 115 | labels: [Logs, System] |
116 | 116 | supported_os: [Darwin] |
117 | 117 | urls: |
118 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
119 | - 'http://forensicswiki.org/wiki/Mac_OS_X#Diagnostic_Reports' | |
118 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
119 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X#Diagnostic_Reports' | |
120 | 120 | - 'https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/' |
121 | 121 | --- |
122 | 122 | name: MacOSCronTabs |
125 | 125 | - type: FILE |
126 | 126 | attributes: |
127 | 127 | paths: |
128 | - '/etc/crontab' | |
129 | - '/private/etc/crontab' | |
130 | - '/usr/lib/cron/tabs/*' | |
131 | labels: [System] | |
132 | supported_os: [Darwin] | |
133 | urls: | |
134 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
135 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
128 | - '/etc/crontab' | |
129 | - '/private/etc/crontab' | |
130 | - '/usr/lib/cron/tabs/*' | |
131 | labels: [System] | |
132 | supported_os: [Darwin] | |
133 | urls: | |
134 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
135 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
136 | 136 | --- |
137 | 137 | name: MacOSDock |
138 | 138 | doc: Dock database |
142 | 142 | labels: [Users] |
143 | 143 | supported_os: [Darwin] |
144 | 144 | urls: |
145 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
146 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
145 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
146 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
147 | 147 | --- |
148 | 148 | name: MacOSGlobalPreferencesPlistFile |
149 | 149 | doc: Global Preferences plist file |
153 | 153 | labels: [System] |
154 | 154 | supported_os: [Darwin] |
155 | 155 | urls: |
156 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
157 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
156 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
157 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
158 | 158 | --- |
159 | 159 | name: MacOSHostsFile |
160 | 160 | doc: Hosts file |
167 | 167 | labels: [System, Network] |
168 | 168 | supported_os: [Darwin] |
169 | 169 | urls: |
170 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
171 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking' | |
170 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
171 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking' | |
172 | 172 | --- |
173 | 173 | name: MacOSiCloudAccounts |
174 | 174 | doc: iCloud Accounts |
186 | 186 | labels: [Users, Cloud, ExternalAccount] |
187 | 187 | supported_os: [Darwin] |
188 | 188 | urls: |
189 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
190 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
189 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
190 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
191 | 191 | --- |
192 | 192 | name: MacOSiDevices |
193 | 193 | doc: Attached iDevices |
197 | 197 | labels: [Users, External Media] |
198 | 198 | supported_os: [Darwin] |
199 | 199 | urls: |
200 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
201 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
200 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
201 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
202 | 202 | --- |
203 | 203 | name: MacOSInstallationHistory |
204 | 204 | doc: Software Installation History |
208 | 208 | labels: [System] |
209 | 209 | supported_os: [Darwin] |
210 | 210 | urls: |
211 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
212 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' | |
211 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
212 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' | |
213 | 213 | --- |
214 | 214 | name: MacOSInstallationLogFile |
215 | 215 | doc: Installation log file |
222 | 222 | labels: [System, Logs] |
223 | 223 | supported_os: [Darwin] |
224 | 224 | urls: |
225 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
226 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
225 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
226 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
227 | 227 | --- |
228 | 228 | name: MacOSiOSBackupInfo |
229 | 229 | doc: iOS device backup information |
233 | 233 | labels: [Users, iOS] |
234 | 234 | supported_os: [Darwin] |
235 | 235 | urls: |
236 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
237 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
236 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
237 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
238 | 238 | --- |
239 | 239 | name: MacOSiOSBackupManifest |
240 | 240 | doc: iOS device backup apps information |
244 | 244 | labels: [Users, iOS] |
245 | 245 | supported_os: [Darwin] |
246 | 246 | urls: |
247 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
248 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
247 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
248 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
249 | 249 | --- |
250 | 250 | name: MacOSiOSBackupMbdb |
251 | 251 | doc: iOS device backup files information |
255 | 255 | labels: [Users, iOS] |
256 | 256 | supported_os: [Darwin] |
257 | 257 | urls: |
258 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
259 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
258 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
259 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
260 | 260 | --- |
261 | 261 | name: MacOSiOSBackupsMainDirectory |
262 | 262 | doc: iOS device backups directory |
266 | 266 | labels: [Users, iOS] |
267 | 267 | supported_os: [Darwin] |
268 | 268 | urls: |
269 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
270 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
269 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
270 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
271 | 271 | --- |
272 | 272 | name: MacOSiOSBackupStatus |
273 | 273 | doc: iOS device backup status information |
277 | 277 | labels: [Users, iOS] |
278 | 278 | supported_os: [Darwin] |
279 | 279 | urls: |
280 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
281 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
280 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
281 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' | |
282 | 282 | --- |
283 | 283 | name: MacOSKeychains |
284 | 284 | doc: Keychain Directory |
288 | 288 | labels: [Users] |
289 | 289 | supported_os: [Darwin] |
290 | 290 | urls: |
291 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
292 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' | |
291 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
292 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.' | |
293 | 293 | --- |
294 | 294 | name: MacOSKeyboardLayoutPlistFile |
295 | 295 | doc: Keyboard layout plist file |
305 | 305 | - type: FILE |
306 | 306 | attributes: |
307 | 307 | paths: |
308 | - '/System/Library/Extensions/*' | |
309 | - '/Library/Extensions/*' | |
310 | labels: [System] | |
311 | supported_os: [Darwin] | |
312 | urls: | |
313 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
314 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension' | |
308 | - '/System/Library/Extensions/*' | |
309 | - '/Library/Extensions/*' | |
310 | labels: [System] | |
311 | supported_os: [Darwin] | |
312 | urls: | |
313 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
314 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension' | |
315 | 315 | --- |
316 | 316 | name: MacOSDuetKnowledgeBase |
317 | 317 | doc: KnowledgeC User and Application usage database |
332 | 332 | - type: FILE |
333 | 333 | attributes: |
334 | 334 | paths: |
335 | - '/Library/LaunchAgents/*' | |
336 | - '/System/Library/LaunchAgents/*' | |
337 | - '%%users.homedir%%/Library/LaunchAgents/*' | |
338 | labels: [System] | |
339 | supported_os: [Darwin] | |
340 | urls: | |
341 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
342 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' | |
335 | - '/Library/LaunchAgents/*' | |
336 | - '/System/Library/LaunchAgents/*' | |
337 | - '%%users.homedir%%/Library/LaunchAgents/*' | |
338 | labels: [System] | |
339 | supported_os: [Darwin] | |
340 | urls: | |
341 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
342 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' | |
343 | 343 | --- |
344 | 344 | name: MacOSLaunchDaemonsPlistFiles |
345 | 345 | doc: Launch Daemons plist files |
347 | 347 | - type: FILE |
348 | 348 | attributes: |
349 | 349 | paths: |
350 | - '/Library/LaunchDaemons/*' | |
351 | - '/System/Library/LaunchDaemons/*' | |
352 | - '%%users.homedir%%/Library/LaunchDaemons/*' | |
353 | labels: [System] | |
354 | supported_os: [Darwin] | |
355 | urls: | |
356 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
357 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' | |
350 | - '/Library/LaunchDaemons/*' | |
351 | - '/System/Library/LaunchDaemons/*' | |
352 | - '%%users.homedir%%/Library/LaunchDaemons/*' | |
353 | labels: [System] | |
354 | supported_os: [Darwin] | |
355 | urls: | |
356 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
357 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' | |
358 | 358 | --- |
359 | 359 | name: MacOSLastlogFile |
360 | 360 | doc: Mac OS X lastlog file. |
383 | 383 | - type: FILE |
384 | 384 | attributes: |
385 | 385 | paths: |
386 | - '/etc/localtime' | |
387 | - '/private/etc/localtime' | |
388 | labels: [System] | |
389 | supported_os: [Darwin] | |
390 | urls: | |
391 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
392 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
386 | - '/etc/localtime' | |
387 | - '/private/etc/localtime' | |
388 | labels: [System] | |
389 | supported_os: [Darwin] | |
390 | urls: | |
391 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
392 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
393 | 393 | --- |
394 | 394 | name: MacOSLoginWindowPlistFile |
395 | 395 | doc: Log-in Window information plist file |
399 | 399 | labels: [System, Authentication] |
400 | 400 | supported_os: [Darwin] |
401 | 401 | urls: |
402 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
403 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
402 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
403 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
404 | 404 | --- |
405 | 405 | name: MacOSMailAccounts |
406 | 406 | doc: Mail Accounts. Until now only V2, V3 and V5 have been observed. |
410 | 410 | labels: [Users, Software, Mail] |
411 | 411 | supported_os: [Darwin] |
412 | 412 | urls: |
413 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
414 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
413 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
414 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
415 | 415 | --- |
416 | 416 | name: MacOSMailBackupTOC |
417 | 417 | doc: Mail Backup Table of Content. Until now only V2, V3 and V5 have been observed. |
421 | 421 | labels: [Users, Software, Mail] |
422 | 422 | supported_os: [Darwin] |
423 | 423 | urls: |
424 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
425 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
424 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
425 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
426 | 426 | --- |
427 | 427 | name: MacOSMailboxes |
428 | 428 | doc: Mail Mailbox Directory. Until now only V2, V3 and V5 have been observed. |
432 | 432 | labels: [Users, Software, Mail] |
433 | 433 | supported_os: [Darwin] |
434 | 434 | urls: |
435 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
436 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
435 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
436 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
437 | 437 | --- |
438 | 438 | name: MacOSMailDownloadAttachments |
439 | 439 | doc: Mail Downloads Directory |
443 | 443 | labels: [Users, Software, Mail] |
444 | 444 | supported_os: [Darwin] |
445 | 445 | urls: |
446 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
447 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
446 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
447 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
448 | 448 | --- |
449 | 449 | name: MacOSMailEnvelopIndex |
450 | 450 | doc: Mail Envelope Index. Until now only V2, V3 and V5 have been observed. |
454 | 454 | labels: [Users, Software, Mail] |
455 | 455 | supported_os: [Darwin] |
456 | 456 | urls: |
457 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
458 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
457 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
458 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
459 | 459 | --- |
460 | 460 | name: MacOSMailIMAP |
461 | 461 | doc: Mail IMAP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. |
465 | 465 | labels: [Users, Software, Mail] |
466 | 466 | supported_os: [Darwin] |
467 | 467 | urls: |
468 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
469 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
468 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
469 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
470 | 470 | --- |
471 | 471 | name: MacOSMailMainDirectory |
472 | 472 | doc: Mail Main Folder. Until now only V2, V3 and V5 have been observed. |
476 | 476 | labels: [Users, Software, Mail] |
477 | 477 | supported_os: [Darwin] |
478 | 478 | urls: |
479 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
480 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
479 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
480 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
481 | 481 | --- |
482 | 482 | name: MacOSMailOpenedAttachments |
483 | 483 | doc: Mail Opened Attachments |
487 | 487 | labels: [Users, Software, Mail] |
488 | 488 | supported_os: [Darwin] |
489 | 489 | urls: |
490 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
491 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
490 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
491 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
492 | 492 | --- |
493 | 493 | name: MacOSMailPOP |
494 | 494 | doc: Mail POP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. |
498 | 498 | labels: [Users, Software, Mail] |
499 | 499 | supported_os: [Darwin] |
500 | 500 | urls: |
501 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
502 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
501 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
502 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
503 | 503 | --- |
504 | 504 | name: MacOSMailPreferences |
505 | 505 | doc: Mail Preferences |
509 | 509 | labels: [Users, Software, Mail] |
510 | 510 | supported_os: [Darwin] |
511 | 511 | urls: |
512 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
513 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
512 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
513 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
514 | 514 | --- |
515 | 515 | name: MacOSMailRecentContacts |
516 | 516 | doc: Mail Recent Contacts |
520 | 520 | labels: [Users, Software, Mail] |
521 | 521 | supported_os: [Darwin] |
522 | 522 | urls: |
523 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
524 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
523 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
524 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
525 | 525 | --- |
526 | 526 | name: MacOSMailSignatures |
527 | 527 | doc: Mail Signatures by Account. Until now only V2, V3 and V5 have been observed. |
531 | 531 | labels: [Users, Software, Mail] |
532 | 532 | supported_os: [Darwin] |
533 | 533 | urls: |
534 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
535 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
534 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
535 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' | |
536 | 536 | --- |
537 | 537 | name: MacOSMiscLogs |
538 | 538 | doc: Misc. Logs |
542 | 542 | labels: [Users, Logs] |
543 | 543 | supported_os: [Darwin] |
544 | 544 | urls: |
545 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
546 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' | |
545 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
546 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs' | |
547 | 547 | --- |
548 | 548 | name: MacOSMountedDMGs |
549 | 549 | doc: MacOS Mounted DMG files. |
575 | 575 | - type: FILE |
576 | 576 | attributes: |
577 | 577 | paths: |
578 | - '/etc/daily.local/*' | |
579 | - '/etc/defaults/periodic.conf' | |
580 | - '/etc/monthly.local/*' | |
581 | - '/etc/periodic/**2' | |
582 | - '/etc/periodic.conf' | |
583 | - '/etc/periodic.conf.local' | |
584 | - '/etc/periodic/daily/*' | |
585 | - '/etc/periodic/monthly/*' | |
586 | - '/etc/periodic/weekly/*' | |
587 | - '/etc/weekly.local/*' | |
588 | - '/private/etc/daily.local/*' | |
589 | - '/private/etc/defaults/periodic.conf' | |
590 | - '/private/etc/monthly.local/*' | |
591 | - '/private/etc/periodic/**2' | |
592 | - '/private/etc/periodic.conf' | |
593 | - '/private/etc/periodic.conf.local' | |
594 | - '/private/etc/periodic/daily/*' | |
595 | - '/private/etc/periodic/monthly/*' | |
596 | - '/private/etc/periodic/weekly/*' | |
597 | - '/private/etc/weekly.local/*' | |
598 | - '/usr/local/etc/periodic/**2' | |
599 | labels: [System] | |
600 | supported_os: [Darwin] | |
601 | urls: | |
602 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
603 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
578 | - '/etc/daily.local/*' | |
579 | - '/etc/defaults/periodic.conf' | |
580 | - '/etc/monthly.local/*' | |
581 | - '/etc/periodic/**2' | |
582 | - '/etc/periodic.conf' | |
583 | - '/etc/periodic.conf.local' | |
584 | - '/etc/periodic/daily/*' | |
585 | - '/etc/periodic/monthly/*' | |
586 | - '/etc/periodic/weekly/*' | |
587 | - '/etc/weekly.local/*' | |
588 | - '/private/etc/daily.local/*' | |
589 | - '/private/etc/defaults/periodic.conf' | |
590 | - '/private/etc/monthly.local/*' | |
591 | - '/private/etc/periodic/**2' | |
592 | - '/private/etc/periodic.conf' | |
593 | - '/private/etc/periodic.conf.local' | |
594 | - '/private/etc/periodic/daily/*' | |
595 | - '/private/etc/periodic/monthly/*' | |
596 | - '/private/etc/periodic/weekly/*' | |
597 | - '/private/etc/weekly.local/*' | |
598 | - '/usr/local/etc/periodic/**2' | |
599 | labels: [System] | |
600 | supported_os: [Darwin] | |
601 | urls: | |
602 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
603 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' | |
604 | 604 | - 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic' |
605 | 605 | --- |
606 | 606 | name: MacOSQuarantineEvents |
609 | 609 | - type: FILE |
610 | 610 | attributes: |
611 | 611 | paths: |
612 | - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents' | |
613 | - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2' | |
612 | - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents' | |
613 | - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2' | |
614 | 614 | labels: [Users, Software] |
615 | 615 | supported_os: [Darwin] |
616 | 616 | urls: |
617 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
618 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
617 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
618 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
619 | 619 | --- |
620 | 620 | name: MacOSRecentItems |
621 | 621 | doc: Recent Items |
625 | 625 | labels: [Users] |
626 | 626 | supported_os: [Darwin] |
627 | 627 | urls: |
628 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
629 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' | |
628 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
629 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' | |
630 | --- | |
631 | name: MacOSRemoteDesktopAdministratorSystem | |
632 | doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance. | |
633 | sources: | |
634 | - type: FILE | |
635 | attributes: | |
636 | paths: | |
637 | - '/private/var/db/RemoteManagement/ClientCaches/*' | |
638 | - '/var/db/RemoteManagement/ClientCaches/*' | |
639 | - '/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3' | |
640 | - '/var/db/RemoteManagement/RMDB/rmdb.sqlite3' | |
641 | labels: [System, Network] | |
642 | supported_os: [Darwin] | |
643 | urls: | |
644 | - 'https://help.apple.com/remotedesktop/mac/3.9/' | |
645 | - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html' | |
646 | - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse' | |
647 | --- | |
648 | name: MacOSRemoteDesktopClientSystem | |
649 | doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance. | |
650 | sources: | |
651 | - type: FILE | |
652 | attributes: | |
653 | paths: | |
654 | - '/private/var/db/RemoteManagement/caches/AppUsage.plist' | |
655 | - '/var/db/RemoteManagement/caches/AppUsage.plist' | |
656 | - '/private/var/db/RemoteManagement/caches/UserAcct.tmp' | |
657 | - '/var/db/RemoteManagement/caches/UserAcct.tmp' | |
658 | labels: [System, Network] | |
659 | supported_os: [Darwin] | |
660 | urls: | |
661 | - 'https://help.apple.com/remotedesktop/mac/3.9/' | |
662 | - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html' | |
663 | - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse' | |
630 | 664 | --- |
631 | 665 | name: MacOSSidebarLists |
632 | 666 | doc: | |
642 | 676 | labels: [Users, External Media] |
643 | 677 | supported_os: [Darwin] |
644 | 678 | urls: |
645 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
646 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
679 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
680 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
647 | 681 | --- |
648 | 682 | name: MacOSSleepimageFile |
649 | 683 | doc: Sleepimage file which contains the content of memory before going to sleep |
656 | 690 | labels: [System] |
657 | 691 | supported_os: [Darwin] |
658 | 692 | urls: |
659 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
660 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' | |
693 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
694 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' | |
661 | 695 | --- |
662 | 696 | name: MacOSStartupItemsPlistFiles |
663 | 697 | doc: Startup Items plist files |
665 | 699 | - type: FILE |
666 | 700 | attributes: |
667 | 701 | paths: |
668 | - '/Library/StartupItems/*' | |
669 | - '/System/Library/StartupItems/*' | |
670 | labels: [System] | |
671 | supported_os: [Darwin] | |
672 | urls: | |
673 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
674 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' | |
702 | - '/Library/StartupItems/*' | |
703 | - '/System/Library/StartupItems/*' | |
704 | labels: [System] | |
705 | supported_os: [Darwin] | |
706 | urls: | |
707 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
708 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' | |
675 | 709 | --- |
676 | 710 | name: MacOSSwapFiles |
677 | 711 | doc: Swap files |
684 | 718 | labels: [System] |
685 | 719 | supported_os: [Darwin] |
686 | 720 | urls: |
687 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
688 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' | |
721 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
722 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' | |
689 | 723 | --- |
690 | 724 | name: MacOSSystemConfigurationPreferencesPlistFile |
691 | 725 | doc: System configuration preferences plist file |
706 | 740 | labels: [System] |
707 | 741 | supported_os: [Darwin] |
708 | 742 | urls: |
709 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
710 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' | |
743 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
744 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' | |
711 | 745 | --- |
712 | 746 | name: MacOSSystemLogFiles |
713 | 747 | doc: System log files |
720 | 754 | labels: [System, Logs] |
721 | 755 | supported_os: [Darwin] |
722 | 756 | urls: |
723 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
724 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
757 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
758 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' | |
725 | 759 | --- |
726 | 760 | name: MacOSSystemPreferencesPlistFiles |
727 | 761 | doc: System Preferences plist files |
731 | 765 | labels: [System] |
732 | 766 | supported_os: [Darwin] |
733 | 767 | urls: |
734 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
735 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
768 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
769 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
736 | 770 | --- |
737 | 771 | name: MacOSSystemVersionPlistFile |
738 | 772 | doc: Operating system name and version plist file |
742 | 776 | labels: [System] |
743 | 777 | supported_os: [Darwin] |
744 | 778 | urls: |
745 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
746 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' | |
779 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
780 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' | |
747 | 781 | --- |
748 | 782 | name: MacOSTimeMachinePlistFile |
749 | 783 | doc: Time Machine information plist file |
753 | 787 | labels: [System] |
754 | 788 | supported_os: [Darwin] |
755 | 789 | urls: |
756 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
757 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
790 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
791 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' | |
758 | 792 | --- |
759 | 793 | name: MacOSUnifiedLogging |
760 | 794 | doc: Apple Unified Logging and Activity Tracing |
771 | 805 | labels: [System, Logs] |
772 | 806 | supported_os: [Darwin] |
773 | 807 | urls: |
774 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
808 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
775 | 809 | - 'https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf' |
776 | 810 | --- |
777 | 811 | name: MacOSUpdate |
782 | 816 | labels: [System] |
783 | 817 | supported_os: [Darwin] |
784 | 818 | urls: |
785 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
786 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' | |
819 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
820 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' | |
787 | 821 | --- |
788 | 822 | name: MacOSUserApplicationLogs |
789 | 823 | doc: User and Applications Logs Directory |
793 | 827 | labels: [Users, Logs] |
794 | 828 | supported_os: [Darwin] |
795 | 829 | urls: |
796 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
797 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' | |
830 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
831 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs' | |
798 | 832 | --- |
799 | 833 | name: MacOSUserDesktopDirectory |
800 | 834 | doc: Desktop Directory |
804 | 838 | labels: [Users] |
805 | 839 | supported_os: [Darwin] |
806 | 840 | urls: |
807 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
808 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
841 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
842 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
809 | 843 | --- |
810 | 844 | name: MacOSUserDocumentsDirectory |
811 | 845 | doc: Documents Directory |
815 | 849 | labels: [Users] |
816 | 850 | supported_os: [Darwin] |
817 | 851 | urls: |
818 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
819 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
852 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
853 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
820 | 854 | --- |
821 | 855 | name: MacOSUserDownloadsDirectory |
822 | 856 | doc: User downloads directory |
826 | 860 | labels: [Users] |
827 | 861 | supported_os: [Darwin] |
828 | 862 | urls: |
829 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
830 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
863 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
864 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
831 | 865 | --- |
832 | 866 | name: MacOSUserGlobalPreferences |
833 | 867 | doc: User Global Preferences |
837 | 871 | labels: [Users] |
838 | 872 | supported_os: [Darwin] |
839 | 873 | urls: |
840 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
841 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
874 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
875 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
842 | 876 | --- |
843 | 877 | name: MacOSUserLibraryDirectory |
844 | 878 | doc: Library Directory |
848 | 882 | labels: [Users] |
849 | 883 | supported_os: [Darwin] |
850 | 884 | urls: |
851 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
852 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
885 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
886 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
853 | 887 | --- |
854 | 888 | name: MacOSUserLoginItems |
855 | 889 | doc: Login Items |
859 | 893 | labels: [Users] |
860 | 894 | supported_os: [Darwin] |
861 | 895 | urls: |
862 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
863 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations_2' | |
896 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
897 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations_2' | |
864 | 898 | --- |
865 | 899 | name: MacOSUserMoviesDirectory |
866 | 900 | doc: Movies Directory |
870 | 904 | labels: [Users] |
871 | 905 | supported_os: [Darwin] |
872 | 906 | urls: |
873 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
874 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
907 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
908 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
875 | 909 | --- |
876 | 910 | name: MacOSUserMusicDirectory |
877 | 911 | doc: Music Directory |
881 | 915 | labels: [Users] |
882 | 916 | supported_os: [Darwin] |
883 | 917 | urls: |
884 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
885 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
918 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
919 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
886 | 920 | --- |
887 | 921 | name: MacOSUserPasswordHashesPlistFiles |
888 | 922 | doc: User password hashes plist files |
890 | 924 | - type: FILE |
891 | 925 | attributes: |
892 | 926 | paths: |
893 | - '/private/var/db/dslocal/nodes/Default/users/*.plist' | |
894 | - '/var/db/dslocal/nodes/Default/users/*.plist' | |
927 | - '/private/var/db/dslocal/nodes/Default/users/*.plist' | |
928 | - '/var/db/dslocal/nodes/Default/users/*.plist' | |
895 | 929 | labels: [System, Users, Authentication] |
896 | 930 | supported_os: [Darwin] |
897 | 931 | urls: |
898 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
899 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' | |
932 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
933 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' | |
900 | 934 | --- |
901 | 935 | name: MacOSUserPicturesDirectory |
902 | 936 | doc: Pictures Directory |
906 | 940 | labels: [Users] |
907 | 941 | supported_os: [Darwin] |
908 | 942 | urls: |
909 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
910 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
943 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
944 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
911 | 945 | --- |
912 | 946 | name: MacOSUserPreferences |
913 | 947 | doc: User preferences directory |
917 | 951 | labels: [Users] |
918 | 952 | supported_os: [Darwin] |
919 | 953 | urls: |
920 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
921 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
954 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
955 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' | |
922 | 956 | --- |
923 | 957 | name: MacOSUserPublicDirectory |
924 | 958 | doc: Public Directory |
928 | 962 | labels: [Users] |
929 | 963 | supported_os: [Darwin] |
930 | 964 | urls: |
931 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
932 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
965 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
966 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' | |
933 | 967 | --- |
934 | 968 | name: MacOSUsers |
935 | 969 | doc: Users directories in /Users |
940 | 974 | supported_os: [Darwin] |
941 | 975 | provides: [users.username] |
942 | 976 | urls: |
943 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
944 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Users' | |
977 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
978 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users' | |
945 | 979 | --- |
946 | 980 | name: MacOSUserSocialAccounts |
947 | 981 | doc: User's Social Accounts |
948 | 982 | sources: |
949 | 983 | - type: FILE |
950 | attributes: {paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite']} | |
984 | attributes: | |
985 | paths: | |
986 | - '%%users.homedir%%/Library/Accounts/Accounts3.sqlite' | |
987 | - '%%users.homedir%%/Library/Accounts/Accounts3.sqlite-wal' | |
988 | - '%%users.homedir%%/Library/Accounts/Accounts4.sqlite' | |
989 | - '%%users.homedir%%/Library/Accounts/Accounts4.sqlite-wal' | |
951 | 990 | labels: [Users, ExternalAccount] |
952 | 991 | supported_os: [Darwin] |
953 | 992 | urls: |
954 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
955 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts' | |
993 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
994 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts' | |
995 | - 'https://lab.wallarm.com/hunting-the-files-34caa0c1496' | |
956 | 996 | --- |
957 | 997 | name: MacOSUserTrash |
958 | 998 | doc: User Trash Folder |
962 | 1002 | labels: [Users] |
963 | 1003 | supported_os: [Darwin] |
964 | 1004 | urls: |
965 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
966 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' | |
1005 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
1006 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.' | |
967 | 1007 | --- |
968 | 1008 | name: MacOSUtmpFile |
969 | 1009 | doc: Mac OS X utmp and wmtp login record file. |
971 | 1011 | - type: FILE |
972 | 1012 | attributes: |
973 | 1013 | paths: |
974 | - '/private/var/run/utmp' | |
975 | - '/private/var/log/wtmp' | |
976 | - '/var/run/utmp' | |
977 | - '/var/log/wtmp' | |
1014 | - '/private/var/run/utmp' | |
1015 | - '/private/var/log/wtmp' | |
1016 | - '/var/run/utmp' | |
1017 | - '/var/log/wtmp' | |
978 | 1018 | labels: [Logs, Authentication] |
979 | 1019 | supported_os: [Darwin] |
980 | 1020 | urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc'] |
999 | 1039 | labels: [System, Network] |
1000 | 1040 | supported_os: [Darwin] |
1001 | 1041 | urls: |
1002 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
1003 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking' | |
1042 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
1043 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking' | |
1044 | --- | |
1045 | name: MacOSFSEvents | |
1046 | doc: Mac OS X file system event log | |
1047 | sources: | |
1048 | - type: FILE | |
1049 | attributes: {paths: ['/.fseventsd/*']} | |
1050 | labels: [Logs, System, Users] | |
1051 | supported_os: [Darwin] | |
1052 | urls: | |
1053 | - 'http://nicoleibrahim.com/apple-fsevents-forensics/' | |
1054 | - 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf' | |
1055 | --- | |
1056 | name: MacOSTCC | |
1057 | doc: Apple's Transparency, Consent, Control (TCC) framework database | |
1058 | sources: | |
1059 | - type: FILE | |
1060 | attributes: | |
1061 | paths: | |
1062 | - '/Library/Application Support/com.apple.TCC/TCC.db' | |
1063 | - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db' | |
1064 | labels: [System] | |
1065 | supported_os: [Darwin] | |
1066 | urls: | |
1067 | - https://blog.fleetsmith.com/tcc-a-quick-primer/ | |
1068 | - https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/ |
10 | 10 | - type: FILE |
11 | 11 | attributes: |
12 | 12 | paths: |
13 | - '%%environ_systemdrive%%\$MFT' | |
14 | - '%%environ_systemdrive%%\$MFTMirr' | |
13 | - '%%environ_systemdrive%%\$MFT' | |
14 | - '%%environ_systemdrive%%\$MFTMirr' | |
15 | 15 | separator: '\' |
16 | 16 | labels: [System] |
17 | 17 | supported_os: [Windows] |
5 | 5 | - type: ARTIFACT_GROUP |
6 | 6 | attributes: |
7 | 7 | names: |
8 | - 'TomcatLogFiles' | |
9 | - 'TomcatPasswordFile' | |
8 | - 'TomcatLogFiles' | |
9 | - 'TomcatPasswordFile' | |
10 | 10 | labels: [Software] |
11 | 11 | supported_os: [Darwin,Linux,Windows] |
12 | 12 | --- |
199 | 199 | supported_os: [Linux, Darwin] |
200 | 200 | --- |
201 | 201 | name: UsersShellConfigs |
202 | doc: Common unix user shell configuration files. | |
202 | doc: Common Unix user shell configuration files. | |
203 | 203 | sources: |
204 | 204 | - type: FILE |
205 | 205 | attributes: |
215 | 215 | - '%%users.homedir%%/.zlogin' |
216 | 216 | - '%%users.homedir%%/.zlogout' |
217 | 217 | - '%%users.homedir%%/.zprofile' |
218 | labels: [Configuration Files] | |
219 | supported_os: [Linux, Darwin] | |
218 | supported_os: [Linux, Darwin] | |
219 | - type: FILE | |
220 | attributes: | |
221 | paths: | |
222 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_logout' | |
223 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_profile' | |
224 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bashrc' | |
225 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.cshrc' | |
226 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.ksh' | |
227 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.logout' | |
228 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.profile' | |
229 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.tcsh' | |
230 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zlogin' | |
231 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zlogout' | |
232 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zprofile' | |
233 | separator: '\' | |
234 | supported_os: [Windows] | |
235 | labels: [Configuration Files] | |
236 | supported_os: [Linux, Darwin, Windows] | |
220 | 237 | --- |
221 | 238 | name: UsersShellHistory |
222 | doc: Common unix user shell history files. | |
239 | doc: Common Unix user shell history files. | |
223 | 240 | sources: |
224 | 241 | - type: FILE |
225 | 242 | attributes: |
228 | 245 | - '%%users.homedir%%/.sh_history' |
229 | 246 | - '%%users.homedir%%/.zhistory' |
230 | 247 | - '%%users.homedir%%/.zsh_history' |
248 | supported_os: [Linux, Darwin] | |
249 | - type: FILE | |
250 | attributes: | |
251 | paths: | |
252 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_history' | |
253 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.sh_history' | |
254 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zhistory' | |
255 | - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zsh_history' | |
256 | separator: '\' | |
257 | supported_os: [Windows] | |
231 | 258 | labels: [History Files] |
232 | supported_os: [Linux, Darwin] | |
259 | supported_os: [Linux, Darwin, Windows] |
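Review bot: The Windows source added to UsersShellHistory (new lines 249-257) globs only `\rootfs\home\*\`, so a history file kept under the distribution's `\rootfs\root\` directory is not collected, whereas the Linux/Darwin source uses `%%users.homedir%%`, which may resolve to /root as well. The same gap exists in the Windows source added to UsersShellConfigs (new lines 219-234). If that is intentional a short comment would help; otherwise add a sibling entry per file such as `- '%%users.localappdata%%\Packages\*\LocalState\rootfs\root\.bash_history'`. The `Packages\*\LocalState\rootfs` layout looks like that of Store-installed WSL distributions, and the `doc:` line still reads as Unix-only, so consider `doc: Common Unix user shell history files, including those of WSL distributions installed on Windows.` (and the equivalent wording for UsersShellConfigs).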
5 | 5 | - type: ARTIFACT_GROUP |
6 | 6 | attributes: |
7 | 7 | names: |
8 | - 'ChromeCache' | |
9 | - 'FirefoxCache' | |
10 | - 'InternetExplorerCache' | |
11 | - 'SafariCache' | |
8 | - 'ChromeCache' | |
9 | - 'FirefoxCache' | |
10 | - 'InternetExplorerCache' | |
11 | - 'SafariCache' | |
12 | 12 | labels: [Browser] |
13 | 13 | supported_os: [Darwin,Linux,Windows] |
14 | 14 | --- |
18 | 18 | - type: ARTIFACT_GROUP |
19 | 19 | attributes: |
20 | 20 | names: |
21 | - 'ChromeHistory' | |
22 | - 'FirefoxHistory' | |
23 | - 'InternetExplorerHistory' | |
24 | - 'OperaHistory' | |
25 | - 'SafariDownloads' | |
26 | - 'SafariHistory' | |
21 | - 'ChromeHistory' | |
22 | - 'FirefoxHistory' | |
23 | - 'InternetExplorerHistory' | |
24 | - 'OperaHistory' | |
25 | - 'SafariDownloads' | |
26 | - 'SafariHistory' | |
27 | 27 | labels: [Browser] |
28 | 28 | supported_os: [Darwin,Linux,Windows] |
29 | --- | |
30 | name: ChromeStorage | |
31 | doc: | | |
32 | Google Chrome, Canary and Chromium browser artifacts for Storage APIs. | |
33 | ||
34 | Includes Web Storage (sessionStorage for session-only data and | |
35 | localStorage for persistent data), IndexedDB (used for structured data), | |
36 | and FileSystem (object storage in a virtual file system). | |
37 | ||
38 | sources: | |
39 | - type: ARTIFACT_GROUP | |
40 | attributes: | |
41 | names: | |
42 | - 'ChromeLocalStorage' | |
43 | - 'ChromeSessionStorage' | |
44 | - 'ChromeFileSystem' | |
45 | - 'ChromeIndexedDB' | |
46 | labels: [Browser] | |
47 | supported_os: [Darwin,Linux,Windows] | |
48 | urls: | |
49 | - 'https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API' | |
50 | - 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API' | |
51 | - 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem' | |
29 | 52 | --- |
30 | 53 | name: ChromeCache |
31 | 54 | doc: | |
42 | 65 | - type: FILE |
43 | 66 | attributes: |
44 | 67 | paths: |
45 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Application Cache\Cache\*' | |
46 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*' | |
47 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Media Cache\*' | |
48 | - '%%users.localappdata%%\Google\Chrome\User Data\*\GPUCache\*' | |
49 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Application Cache\Cache\*' | |
50 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\*' | |
51 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Media Cache\*' | |
52 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\GPUCache\*' | |
53 | - '%%users.localappdata%%\Chromium\User Data\*\Application Cache\Cache\*' | |
54 | - '%%users.localappdata%%\Chromium\User Data\*\Cache\*' | |
55 | - '%%users.localappdata%%\Chromium\User Data\*\Media Cache\*' | |
56 | - '%%users.localappdata%%\Chromium\User Data\*\GPUCache\*' | |
57 | separator: '\' | |
58 | supported_os: [Windows] | |
59 | - type: FILE | |
60 | attributes: | |
61 | paths: | |
62 | - '%%users.homedir%%/Caches/Google/Chrome/*/Cache/*' | |
63 | - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*' | |
64 | - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*' | |
65 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*' | |
66 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*' | |
67 | - '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*' | |
68 | - '%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*' | |
69 | - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*' | |
70 | - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*' | |
71 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*' | |
72 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*' | |
73 | - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*' | |
74 | - '%%users.homedir%%/Caches/Chromium/*/Cache/*' | |
75 | - '%%users.homedir%%/Library/Caches/Chromium/*/Cache/*' | |
76 | - '%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*' | |
77 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*' | |
78 | - '%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*' | |
79 | - '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*' | |
80 | supported_os: [Darwin] | |
81 | - type: FILE | |
82 | attributes: | |
83 | paths: | |
84 | - '%%users.homedir%%/.cache/google-chrome/Cache/*' | |
85 | - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' | |
86 | - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' | |
87 | - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' | |
88 | - '%%users.homedir%%/.config/google-chrome/*/Application Cache/*' | |
89 | - '%%users.homedir%%/.config/google-chrome/*/Cache/*' | |
90 | - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' | |
91 | - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' | |
92 | - '%%users.homedir%%/.cache/chromium/Cache/*' | |
93 | - '%%users.homedir%%/.cache/chromium/*/Cache/*' | |
94 | - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' | |
95 | - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' | |
96 | - '%%users.homedir%%/.config/chromium/*/Application Cache/*' | |
97 | - '%%users.homedir%%/.config/chromium/*/Cache/*' | |
98 | - '%%users.homedir%%/.config/chromium/*/Media Cache/*' | |
99 | - '%%users.homedir%%/.config/chromium/*/GPUCache/*' | |
68 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Application Cache\Cache\*' | |
69 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*' | |
70 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Media Cache\*' | |
71 | - '%%users.localappdata%%\Google\Chrome\User Data\*\GPUCache\*' | |
72 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Application Cache\Cache\*' | |
73 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\*' | |
74 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Media Cache\*' | |
75 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\GPUCache\*' | |
76 | - '%%users.localappdata%%\Chromium\User Data\*\Application Cache\Cache\*' | |
77 | - '%%users.localappdata%%\Chromium\User Data\*\Cache\*' | |
78 | - '%%users.localappdata%%\Chromium\User Data\*\Media Cache\*' | |
79 | - '%%users.localappdata%%\Chromium\User Data\*\GPUCache\*' | |
80 | separator: '\' | |
81 | supported_os: [Windows] | |
82 | - type: FILE | |
83 | attributes: | |
84 | paths: | |
85 | - '%%users.homedir%%/Caches/Google/Chrome/*/Cache/*' | |
86 | - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*' | |
87 | - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*' | |
88 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*' | |
89 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*' | |
90 | - '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*' | |
91 | - '%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*' | |
92 | - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*' | |
93 | - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*' | |
94 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*' | |
95 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*' | |
96 | - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*' | |
97 | - '%%users.homedir%%/Caches/Chromium/*/Cache/*' | |
98 | - '%%users.homedir%%/Library/Caches/Chromium/*/Cache/*' | |
99 | - '%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*' | |
100 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*' | |
101 | - '%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*' | |
102 | - '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*' | |
103 | supported_os: [Darwin] | |
104 | - type: FILE | |
105 | attributes: | |
106 | paths: | |
107 | - '%%users.homedir%%/.cache/google-chrome/Cache/*' | |
108 | - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' | |
109 | - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' | |
110 | - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' | |
111 | - '%%users.homedir%%/.config/google-chrome/*/Application Cache/*' | |
112 | - '%%users.homedir%%/.config/google-chrome/*/Cache/*' | |
113 | - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' | |
114 | - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' | |
115 | - '%%users.homedir%%/.cache/chromium/Cache/*' | |
116 | - '%%users.homedir%%/.cache/chromium/*/Cache/*' | |
117 | - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' | |
118 | - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' | |
119 | - '%%users.homedir%%/.config/chromium/*/Application Cache/*' | |
120 | - '%%users.homedir%%/.config/chromium/*/Cache/*' | |
121 | - '%%users.homedir%%/.config/chromium/*/Media Cache/*' | |
122 | - '%%users.homedir%%/.config/chromium/*/GPUCache/*' | |
123 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*' | |
124 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/*' | |
125 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Media Cache/*' | |
126 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*' | |
127 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*' | |
128 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' | |
129 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' | |
130 | - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*' | |
131 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Application Cache/*' | |
132 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/*' | |
133 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Media Cache/*' | |
134 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/GPUCache/*' | |
135 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Application Cache/*' | |
136 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' | |
137 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' | |
138 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/GPUCache/*' | |
100 | 139 | supported_os: [Linux] |
101 | 140 | supported_os: [Windows,Darwin,Linux] |
102 | 141 | labels: [Browser] |
103 | 142 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/ChromeCache.md'] |
143 | --- | |
144 | name: ChromeCookies | |
145 | doc: Chrome Cookies database. | |
146 | sources: | |
147 | - type: FILE | |
148 | attributes: | |
149 | paths: | |
150 | - '%%users.localappdata%%\Chromium\User Data\*\Cookies' | |
151 | - '%%users.localappdata%%\Chromium\User Data\*\Cookies-journal' | |
152 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies' | |
153 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies-journal' | |
154 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies' | |
155 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies-journal' | |
156 | separator: '\' | |
157 | supported_os: [Windows] | |
158 | - type: FILE | |
159 | attributes: | |
160 | paths: | |
161 | - '%%users.homedir%%/.config/google-chrome/*/Cookies' | |
162 | - '%%users.homedir%%/.config/google-chrome/*/Cookies-journal' | |
163 | - '%%users.homedir%%/.config/chromium/*/Cookies' | |
164 | - '%%users.homedir%%/.config/chromium/*/Cookies-journal' | |
165 | - '%%users.homedir%%/.config/google-chrome-beta/*/Cookies' | |
166 | - '%%users.homedir%%/.config/google-chrome-beta/*/Cookies-journal' | |
167 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies' | |
168 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies-journal' | |
169 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies' | |
170 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies-journal' | |
171 | supported_os: [Linux] | |
172 | - type: FILE | |
173 | attributes: | |
174 | paths: | |
175 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies' | |
176 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies-journal' | |
177 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies' | |
178 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies-journal' | |
179 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies' | |
180 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies-journal' | |
181 | supported_os: [Darwin] | |
182 | supported_os: [Windows,Darwin,Linux] | |
183 | labels: [Browser] | |
184 | --- | |
185 | name: ChromeExtensionActivity | |
186 | doc: Chrome Extension Activity database. | |
187 | sources: | |
188 | - type: FILE | |
189 | attributes: | |
190 | paths: | |
191 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity' | |
192 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity' | |
193 | - '%%users.localappdata%%\Chromium\User Data\*\Extension Activity' | |
194 | separator: '\' | |
195 | supported_os: [Windows] | |
196 | - type: FILE | |
197 | attributes: | |
198 | paths: | |
199 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity' | |
200 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity' | |
201 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity' | |
202 | supported_os: [Darwin] | |
203 | - type: FILE | |
204 | attributes: | |
205 | paths: | |
206 | - '%%users.homedir%%/.config/google-chrome/*/Extension Activity' | |
207 | - '%%users.homedir%%/.config/chromium/*/Extension Activity' | |
208 | supported_os: [Linux] | |
209 | supported_os: [Windows,Darwin,Linux] | |
210 | labels: [Browser] | |
211 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extension_Activity_database'] | |
212 | --- | |
213 | name: ChromeExtensions | |
214 | doc: Chrome browser extension files. | |
215 | sources: | |
216 | - type: FILE | |
217 | attributes: | |
218 | paths: | |
219 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Extensions\**10' | |
220 | - '%%users.localappdata%%\Chromium\User Data\*\Extensions\**10' | |
221 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extensions\**10' | |
222 | separator: '\' | |
223 | supported_os: [Windows] | |
224 | - type: FILE | |
225 | attributes: | |
226 | paths: | |
227 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10' | |
228 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10' | |
229 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10' | |
230 | supported_os: [Darwin] | |
231 | - type: FILE | |
232 | attributes: | |
233 | paths: | |
234 | - '%%users.homedir%%/.config/google-chrome/*/Extensions/**10' | |
235 | - '%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10' | |
236 | - '%%users.homedir%%/.config/chromium/*/Extensions/**10' | |
237 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10' | |
238 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10' | |
239 | supported_os: [Linux] | |
240 | supported_os: [Windows, Darwin, Linux] | |
241 | labels: [Browser] | |
242 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extensions'] | |
243 | --- | |
244 | name: ChromeExtensionRegistryKeys | |
245 | doc: Chrome extensions installed by writing windows registry keys. | |
246 | sources: | |
247 | - type: REGISTRY_KEY | |
248 | attributes: | |
249 | keys: | |
250 | - 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5' | |
251 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5' | |
252 | labels: [Browser] | |
253 | supported_os: [Windows] | |
254 | urls: ['https://developer.chrome.com/extensions/external_extensions#registry'] | |
255 | --- | |
256 | name: ChromeFileSystem | |
257 | doc: | | |
258 | Google Chrome, Canary and Chromium File System files. | |
259 | ||
260 | The File System directory backs Chrome's fileSystem API. Inside this | |
261 | directory are a mixture of the data files saved using the fileSystem | |
262 | API and LevelDB directories that track the logical structure of the | |
263 | virtual file system. | |
264 | ||
265 | sources: | |
266 | - type: FILE | |
267 | attributes: | |
268 | paths: | |
269 | - '%%users.localappdata%%\Chromium\User Data\*\File System\**5' | |
270 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\File System\**5' | |
271 | - '%%users.localappdata%%\Google\Chrome\User Data\*\File System\**5' | |
272 | separator: '\' | |
273 | supported_os: [Windows] | |
274 | - type: FILE | |
275 | attributes: | |
276 | paths: | |
277 | - '%%users.homedir%%/.config/google-chrome/*/File System/**5' | |
278 | - '%%users.homedir%%/.config/chromium/*/File System/**5' | |
279 | - '%%users.homedir%%/.config/google-chrome-beta/*/File System/**5' | |
280 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/File System/**5' | |
281 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/File System/**5' | |
282 | supported_os: [Linux] | |
283 | - type: FILE | |
284 | attributes: | |
285 | paths: | |
286 | - '%%users.homedir%%/Library/Application Support/Chromium/*/File System/**5' | |
287 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/File System/**5' | |
288 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/File System/**5' | |
289 | supported_os: [Darwin] | |
290 | supported_os: [Windows,Darwin,Linux] | |
291 | labels: [Browser] | |
292 | urls: | |
293 | - 'https://developer.chrome.com/apps/fileSystem' | |
294 | - 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem' | |
295 | - 'https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/' | |
104 | 296 | --- |
105 | 297 | name: ChromeHistory |
106 | 298 | doc: Chrome browser history. |
108 | 300 | - type: FILE |
109 | 301 | attributes: |
110 | 302 | paths: |
111 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History' | |
112 | - '%%users.localappdata%%\Google\Chrome\User Data\*\History' | |
113 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History' | |
114 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History' | |
115 | - '%%users.localappdata%%\Chromium\User Data\*\Archived History' | |
116 | - '%%users.localappdata%%\Chromium\User Data\*\History' | |
117 | separator: '\' | |
118 | supported_os: [Windows] | |
119 | - type: FILE | |
120 | attributes: | |
121 | paths: | |
122 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' | |
123 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' | |
124 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History' | |
125 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History' | |
126 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History' | |
127 | - '%%users.homedir%%/Library/Application Support/Chromium/*/History' | |
128 | supported_os: [Darwin] | |
129 | - type: FILE | |
130 | attributes: | |
131 | paths: | |
132 | - '%%users.homedir%%/.config/google-chrome/*/Archived History' | |
133 | - '%%users.homedir%%/.config/google-chrome/*/History' | |
134 | - '%%users.homedir%%/.config/chromium/*/Archived History' | |
135 | - '%%users.homedir%%/.config/chromium/*/History' | |
136 | supported_os: [Linux] | |
137 | supported_os: [Windows,Darwin,Linux] | |
138 | labels: [Browser] | |
139 | urls: ['http://www.forensicswiki.org/wiki/Google_Chrome'] | |
140 | --- | |
141 | name: ChromeExtensionActivity | |
142 | doc: Chrome Extension Activity database. | |
143 | sources: | |
144 | - type: FILE | |
145 | attributes: | |
146 | paths: | |
147 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity' | |
148 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity' | |
149 | - '%%users.localappdata%%\Chromium\User Data\*\Extension Activity' | |
150 | separator: '\' | |
151 | supported_os: [Windows] | |
152 | - type: FILE | |
153 | attributes: | |
154 | paths: | |
155 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity' | |
156 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity' | |
157 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity' | |
158 | supported_os: [Darwin] | |
159 | - type: FILE | |
160 | attributes: | |
161 | paths: | |
162 | - '%%users.homedir%%/.config/google-chrome/*/Extension Activity' | |
163 | - '%%users.homedir%%/.config/chromium/*/Extension Activity' | |
164 | supported_os: [Linux] | |
165 | supported_os: [Windows,Darwin,Linux] | |
166 | labels: [Browser] | |
167 | urls: ['http://forensicswiki.org/wiki/Google_Chrome#Extension_Activity_database'] | |
168 | --- | |
169 | name: ChromeExtensions | |
170 | doc: Chrome browser extension files. | |
171 | sources: | |
172 | - type: FILE | |
173 | attributes: | |
174 | paths: | |
175 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Extensions\**10' | |
176 | - '%%users.localappdata%%\Chromium\User Data\*\Extensions\**10' | |
177 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extensions\**10' | |
178 | separator: '\' | |
179 | supported_os: [Windows] | |
180 | - type: FILE | |
181 | attributes: | |
182 | paths: | |
183 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10' | |
184 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10' | |
185 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10' | |
186 | supported_os: [Darwin] | |
187 | - type: FILE | |
188 | attributes: | |
189 | paths: | |
190 | - '%%users.homedir%%/.config/google-chrome/*/Extensions/**10' | |
191 | - '%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10' | |
192 | - '%%users.homedir%%/.config/chromium/*/Extensions/**10' | |
193 | supported_os: [Linux] | |
194 | supported_os: [Windows, Darwin, Linux] | |
195 | labels: [Browser] | |
196 | urls: ['http://forensicswiki.org/wiki/Google_Chrome#Extensions'] | |
197 | --- | |
198 | name: ChromeExtensionRegistryKeys | |
199 | doc: Chrome extensions installed by writing windows registry keys. | |
200 | sources: | |
201 | - type: REGISTRY_KEY | |
202 | attributes: | |
203 | keys: | |
204 | - 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5' | |
205 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5' | |
206 | labels: [Browser] | |
207 | supported_os: [Windows] | |
208 | urls: ['https://developer.chrome.com/extensions/external_extensions#registry'] | |
303 | - '%%users.localappdata%%\Chromium\User Data\*\Archived History' | |
304 | - '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal' | |
305 | - '%%users.localappdata%%\Chromium\User Data\*\History' | |
306 | - '%%users.localappdata%%\Chromium\User Data\*\History-journal' | |
307 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History' | |
308 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal' | |
309 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History' | |
310 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal' | |
311 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History' | |
312 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal' | |
313 | - '%%users.localappdata%%\Google\Chrome\User Data\*\History' | |
314 | - '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal' | |
315 | separator: '\' | |
316 | supported_os: [Windows] | |
317 | - type: FILE | |
318 | attributes: | |
319 | paths: | |
320 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History' | |
321 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal' | |
322 | - '%%users.homedir%%/Library/Application Support/Chromium/*/History' | |
323 | - '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal' | |
324 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History' | |
325 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal' | |
326 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History' | |
327 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal' | |
328 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' | |
329 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal' | |
330 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' | |
331 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal' | |
332 | supported_os: [Darwin] | |
333 | - type: FILE | |
334 | attributes: | |
335 | paths: | |
336 | - '%%users.homedir%%/.config/chromium/*/Archived History' | |
337 | - '%%users.homedir%%/.config/chromium/*/Archived History-journal' | |
338 | - '%%users.homedir%%/.config/chromium/*/History' | |
339 | - '%%users.homedir%%/.config/chromium/*/History-journal' | |
340 | - '%%users.homedir%%/.config/google-chrome/*/Archived History' | |
341 | - '%%users.homedir%%/.config/google-chrome/*/Archived History-journal' | |
342 | - '%%users.homedir%%/.config/google-chrome/*/History' | |
343 | - '%%users.homedir%%/.config/google-chrome/*/History-journal' | |
344 | - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History' | |
345 | - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal' | |
346 | - '%%users.homedir%%/.config/google-chrome-beta/*/History' | |
347 | - '%%users.homedir%%/.config/google-chrome-beta/*/History-journal' | |
348 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History' | |
349 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal' | |
350 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History' | |
351 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal' | |
352 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History' | |
353 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal' | |
354 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History' | |
355 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal' | |
356 | supported_os: [Linux] | |
357 | supported_os: [Windows,Darwin,Linux] | |
358 | labels: [Browser] | |
359 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome'] | |
360 | --- | |
361 | name: ChromeIndexedDB | |
362 | doc: | | |
363 | Google Chrome, Canary and Chromium IndexedDB files. | |
364 | ||
365 | The IndexedDB directory contains one directory per origin that uses | |
366 | IndexedDB, named like https_www.example.com_0.indexeddb.leveldb, | |
367 | chrome-extension_app-id-xxx_0.indexeddb.leveldb, or | |
368 | https_www.example.com_0.indexeddb.blob. Inside each of the *.leveldb | |
369 | directories are the files the comprise a LevelDB database, which in turn | |
370 | holds IndexedDB data for that origin. There may be an accompanying .blob | |
371 | directory, which contains a nested folder structure of blobs. | |
372 | ||
373 | sources: | |
374 | - type: FILE | |
375 | attributes: | |
376 | paths: | |
377 | - '%%users.localappdata%%\Chromium\User Data\*\IndexedDB\**5' | |
378 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\IndexedDB\**5' | |
379 | - '%%users.localappdata%%\Google\Chrome\User Data\*\IndexedDB\**5' | |
380 | separator: '\' | |
381 | supported_os: [Windows] | |
382 | - type: FILE | |
383 | attributes: | |
384 | paths: | |
385 | - '%%users.homedir%%/.config/google-chrome/*/IndexedDB/**5' | |
386 | - '%%users.homedir%%/.config/chromium/*/IndexedDB/**5' | |
387 | - '%%users.homedir%%/.config/google-chrome-beta/*/IndexedDB/**5' | |
388 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/IndexedDB/**5' | |
389 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/IndexedDB/**5' | |
390 | supported_os: [Linux] | |
391 | - type: FILE | |
392 | attributes: | |
393 | paths: | |
394 | - '%%users.homedir%%/Library/Application Support/Chromium/*/IndexedDB/**5' | |
395 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/IndexedDB/**5' | |
396 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/IndexedDB/**5' | |
397 | supported_os: [Darwin] | |
398 | supported_os: [Windows,Darwin,Linux] | |
399 | labels: [Browser] | |
400 | urls: | |
401 | - 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API' | |
402 | --- | |
403 | name: ChromeLocalStorage | |
404 | doc: | | |
405 | Google Chrome, Canary and Chromium Local Storage files. | |
406 | ||
407 | * Chrome v60 and below used individual .sqlite files per origin for Local Storage, | |
408 | stored in the Local Storage directory root. | |
409 | * In Chrome v61, a leveldb directory was added inside the root Local Storage directory, | |
410 | and new origins saved Local Storage data in a single LevelDB there. | |
411 | * Existing .sqlite files are kept (not moved to leveldb), so it is possible for a | |
412 | single Chrome profile to use both SQLite and LevelDB for Local Storage. | |
413 | ||
414 | sources: | |
415 | - type: FILE | |
416 | attributes: | |
417 | paths: | |
418 | - '%%users.localappdata%%\Chromium\User Data\*\Local Storage\**' | |
419 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Local Storage\**' | |
420 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Local Storage\**' | |
421 | separator: '\' | |
422 | supported_os: [Windows] | |
423 | - type: FILE | |
424 | attributes: | |
425 | paths: | |
426 | - '%%users.homedir%%/.config/google-chrome/*/Local Storage/**' | |
427 | - '%%users.homedir%%/.config/chromium/*/Local Storage/**' | |
428 | - '%%users.homedir%%/.config/google-chrome-beta/*/Local Storage/**' | |
429 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Local Storage/**' | |
430 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Local Storage/**' | |
431 | supported_os: [Linux] | |
432 | - type: FILE | |
433 | attributes: | |
434 | paths: | |
435 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Local Storage/**' | |
436 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Local Storage/**' | |
437 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/**' | |
438 | supported_os: [Darwin] | |
439 | supported_os: [Windows,Darwin,Linux] | |
440 | labels: [Browser] | |
209 | 441 | --- |
210 | 442 | name: ChromePreferences |
211 | 443 | doc: Chrome Preferences file. |
213 | 445 | - type: FILE |
214 | 446 | attributes: |
215 | 447 | paths: |
216 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences' | |
217 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences' | |
218 | - '%%users.localappdata%%\Chromium\User Data\*\Preferences' | |
219 | separator: '\' | |
220 | supported_os: [Windows] | |
221 | - type: FILE | |
222 | attributes: | |
223 | paths: | |
224 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences' | |
225 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences' | |
226 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences' | |
227 | supported_os: [Darwin] | |
228 | - type: FILE | |
229 | attributes: | |
230 | paths: | |
231 | - '%%users.homedir%%/.config/google-chrome/*/Preferences' | |
232 | - '%%users.homedir%%/.config/chromium/*/Preferences' | |
233 | supported_os: [Linux] | |
234 | supported_os: [Windows,Darwin,Linux] | |
235 | labels: [Browser] | |
236 | urls: ['http://forensicswiki.org/wiki/Google_Chrome#Configuration'] | |
448 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences' | |
449 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences' | |
450 | - '%%users.localappdata%%\Chromium\User Data\*\Preferences' | |
451 | separator: '\' | |
452 | supported_os: [Windows] | |
453 | - type: FILE | |
454 | attributes: | |
455 | paths: | |
456 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences' | |
457 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences' | |
458 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences' | |
459 | supported_os: [Darwin] | |
460 | - type: FILE | |
461 | attributes: | |
462 | paths: | |
463 | - '%%users.homedir%%/.config/google-chrome/*/Preferences' | |
464 | - '%%users.homedir%%/.config/chromium/*/Preferences' | |
465 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Preferences' | |
466 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences' | |
467 | supported_os: [Linux] | |
468 | supported_os: [Windows,Darwin,Linux] | |
469 | labels: [Browser] | |
470 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Configuration'] | |
471 | --- | |
472 | name: ChromeSessionStorage | |
473 | doc: | | |
474 | Google Chrome, Canary and Chromium Session Storage files. | |
475 | ||
476 | The Session Storage directory contains the files that comprise a LevelDB | |
477 | database, which in turn holds the Session Storage data. | |
478 | ||
479 | sources: | |
480 | - type: FILE | |
481 | attributes: | |
482 | paths: | |
483 | - '%%users.localappdata%%\Chromium\User Data\*\Session Storage\*' | |
484 | - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Session Storage\*' | |
485 | - '%%users.localappdata%%\Google\Chrome\User Data\*\Session Storage\*' | |
486 | separator: '\' | |
487 | supported_os: [Windows] | |
488 | - type: FILE | |
489 | attributes: | |
490 | paths: | |
491 | - '%%users.homedir%%/.config/google-chrome/*/Session Storage/*' | |
492 | - '%%users.homedir%%/.config/chromium/*/Session Storage/*' | |
493 | - '%%users.homedir%%/.config/google-chrome-beta/*/Session Storage/*' | |
494 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Session Storage/*' | |
495 | - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Session Storage/*' | |
496 | supported_os: [Linux] | |
497 | - type: FILE | |
498 | attributes: | |
499 | paths: | |
500 | - '%%users.homedir%%/Library/Application Support/Chromium/*/Session Storage/*' | |
501 | - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Session Storage/*' | |
502 | - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Session Storage/*' | |
503 | supported_os: [Darwin] | |
504 | supported_os: [Windows,Darwin,Linux] | |
505 | labels: [Browser] | |
237 | 506 | --- |
238 | 507 | name: FirefoxCache |
239 | 508 | doc: Mozilla Firefox browser caches. |
241 | 510 | - type: FILE |
242 | 511 | attributes: |
243 | 512 | paths: |
244 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\Cache\*' | |
245 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\*' | |
246 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\doomed\*' | |
247 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\entries\*' | |
248 | separator: '\' | |
249 | supported_os: [Windows] | |
250 | - type: FILE | |
251 | attributes: | |
252 | paths: | |
253 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*' | |
254 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*' | |
255 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*' | |
256 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*' | |
257 | supported_os: [Darwin] | |
258 | - type: FILE | |
259 | attributes: | |
260 | paths: | |
261 | - '%%users.homedir%%/.mozilla/firefox/*.default/Cache/*' | |
262 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/Cache/*' | |
263 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/*' | |
264 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/doomed/*' | |
265 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/entries/*' | |
513 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\Cache\*' | |
514 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\*' | |
515 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\doomed\*' | |
516 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\entries\*' | |
517 | separator: '\' | |
518 | supported_os: [Windows] | |
519 | - type: FILE | |
520 | attributes: | |
521 | paths: | |
522 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*' | |
523 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*' | |
524 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*' | |
525 | - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*' | |
526 | supported_os: [Darwin] | |
527 | - type: FILE | |
528 | attributes: | |
529 | paths: | |
530 | - '%%users.homedir%%/.mozilla/firefox/*.default/Cache/*' | |
531 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/Cache/*' | |
532 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/*' | |
533 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/doomed/*' | |
534 | - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/entries/*' | |
266 | 535 | supported_os: [Linux] |
267 | 536 | supported_os: [Windows,Darwin,Linux] |
268 | 537 | labels: [Browser] |
274 | 543 | - type: FILE |
275 | 544 | attributes: |
276 | 545 | paths: |
277 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' | |
278 | - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' | |
279 | separator: '\' | |
280 | supported_os: [Windows] | |
281 | - type: FILE | |
282 | attributes: {paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite']} | |
283 | supported_os: [Darwin] | |
284 | - type: FILE | |
285 | attributes: {paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite']} | |
286 | supported_os: [Linux] | |
287 | supported_os: [Windows,Darwin,Linux] | |
288 | labels: [Browser] | |
289 | urls: ['http://www.forensicswiki.org/wiki/Mozilla_Firefox'] | |
546 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' | |
547 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal' | |
548 | - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' | |
549 | - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal' | |
550 | separator: '\' | |
551 | supported_os: [Windows] | |
552 | - type: FILE | |
553 | attributes: | |
554 | paths: | |
555 | - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite' | |
556 | - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal' | |
557 | supported_os: [Darwin] | |
558 | - type: FILE | |
559 | attributes: | |
560 | paths: | |
561 | - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite' | |
562 | - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal' | |
563 | supported_os: [Linux] | |
564 | supported_os: [Windows,Darwin,Linux] | |
565 | labels: [Browser] | |
566 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox'] | |
290 | 567 | --- |
291 | 568 | name: InternetExplorerBrowserHelperObjects |
292 | 569 | doc: Loaded on Internet Explorer startup |
294 | 571 | - type: REGISTRY_KEY |
295 | 572 | attributes: |
296 | 573 | keys: |
297 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' | |
298 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' | |
574 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' | |
575 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' | |
299 | 576 | supported_os: [Windows] |
300 | 577 | urls: |
301 | 578 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
312 | 589 | - type: FILE |
313 | 590 | attributes: |
314 | 591 | paths: |
315 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*' | |
316 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*' | |
317 | - '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\*\*' | |
318 | - '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\*\*' | |
592 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*' | |
593 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*' | |
594 | - '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\*\*' | |
595 | - '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\*\*' | |
319 | 596 | separator: '\' |
320 | 597 | labels: [Browser] |
321 | 598 | supported_os: [Windows] |
322 | urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer'] | |
599 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer'] | |
323 | 600 | --- |
324 | 601 | name: InternetExplorerCookies |
325 | 602 | doc: | |
330 | 607 | - type: FILE |
331 | 608 | attributes: |
332 | 609 | paths: |
333 | - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat' | |
334 | - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat' | |
610 | - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat' | |
611 | - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat' | |
335 | 612 | separator: '\' |
336 | 613 | labels: [Browser] |
337 | 614 | supported_os: [Windows] |
338 | urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer'] | |
615 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer'] | |
339 | 616 | --- |
340 | 617 | name: InternetExplorerHistory |
341 | 618 | doc: | |
347 | 624 | - type: FILE |
348 | 625 | attributes: |
349 | 626 | paths: |
350 | - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat' | |
351 | - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat' | |
352 | - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat' | |
353 | - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat' | |
354 | - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat' | |
355 | - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat' | |
356 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat' | |
357 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat' | |
358 | - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat' | |
627 | - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat' | |
628 | - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat' | |
629 | - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat' | |
630 | - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat' | |
631 | - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat' | |
632 | - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat' | |
633 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat' | |
634 | - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat' | |
635 | - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat' | |
636 | - '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat' | |
359 | 637 | separator: '\' |
360 | 638 | labels: [Browser] |
361 | 639 | supported_os: [Windows] |
362 | urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer'] | |
640 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer'] | |
363 | 641 | --- |
364 | 642 | name: InternetExplorerProtectedModeElevationPolicies |
365 | 643 | doc: | |
382 | 660 | - type: REGISTRY_VALUE |
383 | 661 | attributes: |
384 | 662 | key_value_pairs: |
385 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} | |
386 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} | |
387 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} | |
388 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} | |
389 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} | |
390 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} | |
391 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} | |
392 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} | |
663 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} | |
664 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} | |
665 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} | |
666 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} | |
667 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} | |
668 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} | |
669 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} | |
670 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} | |
393 | 671 | labels: [Browser] |
394 | 672 | supported_os: [Windows] |
395 | 673 | urls: |
415 | 693 | - type: REGISTRY_VALUE |
416 | 694 | attributes: |
417 | 695 | key_value_pairs: |
418 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'} | |
419 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} | |
420 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'} | |
421 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} | |
422 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'} | |
423 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'} | |
424 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} | |
425 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} | |
426 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} | |
427 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} | |
428 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} | |
429 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'} | |
430 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} | |
431 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'} | |
432 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} | |
433 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'} | |
434 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'} | |
435 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} | |
436 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} | |
437 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} | |
438 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} | |
439 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} | |
696 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'} | |
697 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} | |
698 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'} | |
699 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} | |
700 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'} | |
701 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'} | |
702 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} | |
703 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} | |
704 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} | |
705 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} | |
706 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} | |
707 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'} | |
708 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} | |
709 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'} | |
710 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} | |
711 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'} | |
712 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'} | |
713 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} | |
714 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} | |
715 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} | |
716 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} | |
717 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} | |
440 | 718 | labels: [Browser] |
441 | 719 | supported_os: [Windows] |
442 | 720 | urls: |
443 | - 'https://support.microsoft.com/en-us/kb/895339' | |
444 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' | |
721 | - 'https://support.microsoft.com/en-us/kb/895339' | |
722 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' | |
445 | 723 | --- |
446 | 724 | name: InternetExplorerTypedURLsKeys |
447 | 725 | doc: Microsoft Internet Explorer TypedUrls keys. |
450 | 728 | attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*']} |
451 | 729 | labels: [Browser] |
452 | 730 | supported_os: [Windows] |
453 | urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer#Typed_URLs'] | |
731 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer#Typed_URLs'] | |
454 | 732 | --- |
455 | 733 | name: OperaHistory |
456 | 734 | doc: Opera browser history (global_history.dat). |
464 | 742 | - type: FILE |
465 | 743 | attributes: |
466 | 744 | paths: |
467 | - '%%users.appdata%%\Opera\Opera\global_history.dat' | |
468 | - '%%users.appdata%%\Opera Software\Opera Stable\History' | |
469 | separator: '\' | |
470 | supported_os: [Windows] | |
471 | supported_os: [Windows,Darwin,Linux] | |
472 | labels: [Browser] | |
473 | urls: ['http://www.forensicswiki.org/wiki/Opera'] | |
745 | - '%%users.appdata%%\Opera\Opera\global_history.dat' | |
746 | - '%%users.appdata%%\Opera Software\Opera Stable\History' | |
747 | separator: '\' | |
748 | supported_os: [Windows] | |
749 | supported_os: [Windows,Darwin,Linux] | |
750 | labels: [Browser] | |
751 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Opera'] | |
474 | 752 | --- |
475 | 753 | name: SafariCache |
476 | 754 | doc: Safari browser cache (cache.db). |
481 | 759 | separator: '\' |
482 | 760 | supported_os: [Windows] |
483 | 761 | - type: FILE |
484 | attributes: {paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/cache.db']} | |
762 | attributes: | |
763 | paths: | |
764 | - '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db' | |
765 | - '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db-wal' | |
485 | 766 | supported_os: [Darwin] |
486 | 767 | supported_os: [Windows, Darwin] |
487 | 768 | labels: [Browser] |
488 | urls: ['http://www.forensicswiki.org/wiki/Apple_Safari'] | |
769 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari'] | |
489 | 770 | --- |
490 | 771 | name: SafariDownloads |
491 | 772 | doc: Safari downloads history (Downloads.plist). |
496 | 777 | - type: FILE |
497 | 778 | attributes: |
498 | 779 | paths: |
499 | - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist' | |
500 | - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist' | |
780 | - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist' | |
781 | - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist' | |
501 | 782 | separator: '\' |
502 | 783 | supported_os: [Windows] |
503 | 784 | labels: [Users, Browser] |
504 | 785 | supported_os: [Darwin, Windows] |
505 | 786 | urls: |
506 | - 'http://forensicswiki.org/wiki/Mac_OS_X' | |
507 | - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Safari' | |
787 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' | |
788 | - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Safari' | |
508 | 789 | - 'https://www.forensicswiki.org/wiki/Apple_Safari' |
509 | 790 | --- |
510 | 791 | name: SafariHistory |
513 | 794 | - type: FILE |
514 | 795 | attributes: |
515 | 796 | paths: |
516 | - '%%users.localappdata%%\Apple Computer\Safari\History.plist' | |
517 | - '%%users.appdata%%\Apple Computer\Safari\History.plist' | |
518 | separator: '\' | |
519 | supported_os: [Windows] | |
520 | - type: FILE | |
521 | attributes: | |
522 | paths: | |
523 | - '%%users.homedir%%/Library/Safari/History.plist' | |
524 | - '%%users.homedir%%/Library/Safari/History.db' | |
525 | - '%%users.homedir%%/Library/Safari/History.db-wal' | |
797 | - '%%users.localappdata%%\Apple Computer\Safari\History.plist' | |
798 | - '%%users.appdata%%\Apple Computer\Safari\History.plist' | |
799 | separator: '\' | |
800 | supported_os: [Windows] | |
801 | - type: FILE | |
802 | attributes: | |
803 | paths: | |
804 | - '%%users.homedir%%/Library/Safari/History.plist' | |
805 | - '%%users.homedir%%/Library/Safari/History.db' | |
806 | - '%%users.homedir%%/Library/Safari/History.db-wal' | |
526 | 807 | supported_os: [Darwin] |
527 | 808 | supported_os: [Windows, Darwin] |
528 | 809 | labels: [Browser] |
810 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari'] | |
811 | --- | |
812 | name: SafariExtensions | |
813 | doc: Safari browser Extensions. | |
814 | sources: | |
815 | - type: FILE | |
816 | attributes: {paths: ['%%users.homedir%%/Library/Safari/Extensions/**']} | |
817 | supported_os: [Darwin] | |
818 | supported_os: [Darwin] | |
819 | labels: [Browser] | |
529 | 820 | urls: ['http://www.forensicswiki.org/wiki/Apple_Safari'] |
0 | 0 | # Windows specific artifacts. |
1 | 1 | |
2 | 2 | name: WindowsActiveDesktop |
3 | doc: Windows Active Desktop executable paths, used for persistence. | |
3 | doc: Windows Active Desktop settings and components. | |
4 | 4 | sources: |
5 | 5 | - type: REGISTRY_KEY |
6 | 6 | attributes: |
7 | 7 | keys: |
8 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*' | |
9 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' | |
8 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*' | |
9 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' | |
10 | 10 | conditions: [os_major_version < 6] |
11 | 11 | supported_os: [Windows] |
12 | urls: | |
13 | - 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-GWV/detailed-analysis.aspx' | |
14 | - 'https://support.microsoft.com/en-us/kb/929200' | |
15 | - 'https://en.wikipedia.org/wiki/Active_Desktop' | |
16 | --- | |
17 | name: WindowsActivitiesCache | |
18 | doc: | | |
19 | Windows activities cache SQLite database. | |
20 | ||
21 | This file is available since Windows 10 and version 1803. | |
12 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActiveDesktop.md'] | |
13 | --- | |
14 | name: WindowsActivitiesCacheDatabase | |
15 | doc: SQLite database containing the Windows activities cache. | |
22 | 16 | sources: |
23 | 17 | - type: FILE |
24 | 18 | attributes: |
26 | 20 | separator: '\' |
27 | 21 | labels: [Users] |
28 | 22 | supported_os: [Windows] |
29 | urls: | |
30 | - 'https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/' | |
31 | - 'https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/amp/' | |
23 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActivitiesCacheDatabase.md'] | |
32 | 24 | --- |
33 | 25 | name: WindowsAlternateShell |
34 | 26 | doc: Alternate Shell to be run via Userinit. |
36 | 28 | - type: REGISTRY_VALUE |
37 | 29 | attributes: |
38 | 30 | key_value_pairs: |
39 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'} | |
40 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'} | |
31 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'} | |
32 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'} | |
41 | 33 | supported_os: [Windows] |
42 | 34 | urls: |
43 | 35 | - 'https://www.microsoftpressstore.com/articles/article.aspx' |
45 | 37 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
46 | 38 | --- |
47 | 39 | name: WindowsAMCacheHveFile |
48 | doc: The AMCache.hve Windows NT Registry file. | |
49 | sources: | |
50 | - type: FILE | |
51 | attributes: | |
52 | paths: ['%%environ_systemroot%%\AppCompat\Programs\Amcache.hve'] | |
40 | doc: The AMCache file, stored in the Windows NT Registry file format. | |
41 | sources: | |
42 | - type: FILE | |
43 | attributes: | |
44 | paths: | |
45 | - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve' | |
46 | - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1' | |
47 | - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2' | |
53 | 48 | separator: '\' |
54 | 49 | conditions: [os_major_version >= 6 AND os_minor_version >= 1] |
55 | 50 | supported_os: [Windows] |
56 | urls: ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html'] | |
51 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/AMCache.md'] | |
57 | 52 | --- |
58 | 53 | name: WindowsAppCertDLLs |
59 | 54 | doc: Windows AppCertDLLs persistence. |
70 | 65 | - type: REGISTRY_VALUE |
71 | 66 | attributes: |
72 | 67 | key_value_pairs: |
73 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'} | |
74 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'} | |
68 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'} | |
69 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'} | |
75 | 70 | supported_os: [Windows] |
76 | 71 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc'] |
77 | 72 | --- |
85 | 80 | - type: REGISTRY_VALUE |
86 | 81 | attributes: |
87 | 82 | key_value_pairs: |
88 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
89 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
90 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
91 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
83 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
84 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
85 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
86 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} | |
92 | 87 | supported_os: [Windows] |
93 | 88 | urls: |
94 | 89 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx' |
107 | 102 | - 'https://github.com/keydet89/RegRipper2.8/blob/master/plugins/apppaths.pl' |
108 | 103 | - 'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/' |
109 | 104 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx' |
105 | --- | |
106 | name: WindowsApplicationCompatibilityInstalledShimDatabases | |
107 | doc: | | |
108 | Windows Application Compatibility Installed Shim Databases. | |
109 | ||
110 | drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are | |
111 | shim database files (SDB files) that are provided by Windows, and contain | |
112 | many predefined shims that address known application compability issues. | |
113 | Note that these database files are not signed. | |
114 | ||
115 | Windows also supports custom shim database. These are typically installed | |
116 | by the sdbinst.exe utility. Note, that shim database files can also exist | |
117 | elsewhere in the file system. | |
118 | ||
119 | Windows application shims provide a way for the operating system to | |
120 | apply patches to executables before they are run, ultimately providing | |
121 | a lightweight mechanism for applying hot fixes and making modifications to | |
122 | ensure compatibility across the various versions of Windows. This | |
123 | functionality can also be leveraged maliciously to change how certain | |
124 | programs operate, or to provide capabilities to malware, such as the | |
125 | ability to bypass UAC, gain persistence by injecting loading into legitimate | |
126 | processes, or avoid detection by disabling anti-virus software. | |
127 | sources: | |
128 | - type: FILE | |
129 | attributes: | |
130 | paths: | |
131 | - '%%environ_windir%%\AppPatch\drvmain.sdb' | |
132 | - '%%environ_windir%%\AppPatch\frxmain.sdb' | |
133 | - '%%environ_windir%%\AppPatch\msimain.sdb' | |
134 | - '%%environ_windir%%\AppPatch\pcamain.sdb' | |
135 | - '%%environ_windir%%\AppPatch\sysmain.sdb' | |
136 | - '%%environ_windir%%\AppPatch\AppPatch64\Custom\*' | |
137 | - '%%environ_windir%%\AppPatch\Custom\*' | |
138 | - '%%environ_windir%%\AppPatch\Custom\Custom64\*' | |
139 | - '%%environ_windir%%\AppPatch\CustomSDB\*' | |
140 | separator: '\' | |
141 | labels: [Users] | |
142 | supported_os: [Windows] | |
143 | urls: | |
144 | - 'https://attack.mitre.org/techniques/T1138/' | |
145 | - 'https://countercept.com/blog/hunting-for-application-shim-databases/' | |
146 | - 'http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf' | |
147 | - 'https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf' | |
148 | --- | |
149 | name: WindowsApplicationCompatibilityShimDatabaseMappings | |
150 | doc: | | |
151 | Windows Application Compatibility Shim Database Mappings. | |
152 | ||
153 | Mappings between the Windows Application Compatibility shim database files and | |
154 | the programs that they apply to. | |
155 | ||
156 | Windows allows for custom application shims to be installed via the | |
157 | sdbinst.exe application. For example a mapping for 'notepad.exe': | |
158 | ||
159 | Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ | |
160 | AppCompatFlags\Custom\notepad.exe | |
161 | Value: {00000000-1111-2222-3333-444444444444}.sdb = 0 | |
162 | ||
163 | Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444} | |
164 | Value: DatabasePath = | |
165 | "C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb" | |
166 | ||
167 | Windows application shims provide a way for the operating system to | |
168 | apply patches to executables before they are run, ultimately providing | |
169 | a lightweight mechanism for applying hot fixes and making modifications to | |
170 | ensure compatibility across the various versions of Windows. This | |
171 | functionality can also be leveraged maliciously to change how certain | |
172 | programs operate, or to provide capabilities to malware, such as the | |
173 | ability to bypass UAC, gain persistence by injecting loading into legitimate | |
174 | processes, or avoid detection by disabling anti-virus software. | |
175 | sources: | |
176 | - type: REGISTRY_VALUE | |
177 | attributes: | |
178 | key_value_pairs: | |
179 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription'} | |
180 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath'} | |
181 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*', value: '*'} | |
182 | supported_os: [Windows] | |
183 | urls: | |
184 | - 'https://attack.mitre.org/techniques/T1138/' | |
185 | - 'https://countercept.com/blog/hunting-for-application-shim-databases/' | |
186 | --- | |
187 | name: WindowsApplicationCompatibilityShims | |
188 | doc: Windows Application Compatibility Shim Database Files and Application Mappings | |
189 | sources: | |
190 | - type: ARTIFACT_GROUP | |
191 | attributes: | |
192 | names: | |
193 | - 'WindowsApplicationCompatibilityInstalledShimDatabases' | |
194 | - 'WindowsApplicationCompatibilityShimDatabaseMappings' | |
195 | labels: [System] | |
196 | supported_os: [Windows] | |
110 | 197 | --- |
111 | 198 | name: WinAppXRT |
112 | 199 | doc: WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set. |
129 | 216 | - type: FILE |
130 | 217 | attributes: |
131 | 218 | paths: |
132 | - '%%environ_systemdrive%%\autoexec.bat' | |
133 | - '%%environ_windir%%\autoexec.nt' | |
219 | - '%%environ_systemdrive%%\autoexec.bat' | |
220 | - '%%environ_windir%%\autoexec.nt' | |
134 | 221 | separator: '\' |
135 | 222 | supported_os: [Windows] |
136 | 223 | --- |
140 | 227 | - type: REGISTRY_VALUE |
141 | 228 | attributes: |
142 | 229 | key_value_pairs: |
143 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'} | |
230 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'} | |
144 | 231 | supported_os: [Windows] |
145 | 232 | urls: |
146 | 233 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx' |
168 | 255 | doc: Timezones available on a Windows system. |
169 | 256 | sources: |
170 | 257 | - type: REGISTRY_KEY |
171 | attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*\*']} | |
172 | supported_os: [Windows] | |
173 | urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys'] | |
258 | attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']} | |
259 | supported_os: [Windows] | |
260 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc'] | |
174 | 261 | --- |
175 | 262 | name: WindowsBITSQueueManagerDatabases |
176 | 263 | doc: Databases that contain the Windows BITS jobs definition and state. |
187 | 274 | sources: |
188 | 275 | - type: REGISTRY_VALUE |
189 | 276 | attributes: |
190 | key_value_pairs: | |
191 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'} | |
277 | key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'}] | |
192 | 278 | supported_os: [Windows] |
193 | 279 | urls: |
194 | 280 | - 'https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx' |
206 | 292 | - type: FILE |
207 | 293 | attributes: |
208 | 294 | paths: |
209 | # Windows 95 OSR 2.5, 98, Millennium Edition (Me) | |
210 | - '%%environ_windir%%\System\Wbem\Repository\cim.rep' | |
211 | # Windows NT4 and 2000 | |
212 | - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC' | |
213 | - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP' | |
214 | # Windows Vista and later | |
215 | - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR' | |
216 | - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP' | |
217 | - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER' | |
218 | - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP' | |
219 | - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA' | |
220 | - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP' | |
221 | # Windows XP and Windows 2003 | |
222 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR' | |
223 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP' | |
224 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER' | |
225 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP' | |
226 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA' | |
227 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP' | |
295 | # Windows 95 OSR 2.5, 98, Millennium Edition (Me) | |
296 | - '%%environ_windir%%\System\Wbem\Repository\cim.rep' | |
297 | # Windows NT4 and 2000 | |
298 | - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC' | |
299 | - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP' | |
300 | # Windows Vista and later | |
301 | - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR' | |
302 | - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP' | |
303 | - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER' | |
304 | - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP' | |
305 | - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA' | |
306 | - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP' | |
307 | # Windows XP and Windows 2003 | |
308 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR' | |
309 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP' | |
310 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER' | |
311 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP' | |
312 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA' | |
313 | - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP' | |
228 | 314 | separator: '\' |
229 | 315 | supported_os: [Windows] |
230 | 316 | urls: |
237 | 323 | - type: REGISTRY_VALUE |
238 | 324 | attributes: |
239 | 325 | key_value_pairs: |
240 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'} | |
326 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'} | |
241 | 327 | provides: [code_page] |
242 | 328 | supported_os: [Windows] |
243 | 329 | urls: ['http://en.wikipedia.org/wiki/Windows_code_page'] |
248 | 334 | - type: REGISTRY_VALUE |
249 | 335 | attributes: |
250 | 336 | key_value_pairs: |
251 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'} | |
337 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'} | |
252 | 338 | supported_os: [Windows] |
253 | 339 | --- |
254 | 340 | name: WindowsCommandProcessorAutoRun |
257 | 343 | - type: REGISTRY_VALUE |
258 | 344 | attributes: |
259 | 345 | key_value_pairs: |
260 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} | |
261 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} | |
262 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} | |
263 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} | |
346 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} | |
347 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} | |
348 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} | |
349 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} | |
264 | 350 | supported_os: [Windows] |
265 | 351 | urls: |
266 | 352 | - 'https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx' |
274 | 360 | - type: REGISTRY_VALUE |
275 | 361 | attributes: |
276 | 362 | key_value_pairs: |
277 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'} | |
278 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'} | |
279 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} | |
280 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} | |
281 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'} | |
282 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'} | |
283 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} | |
284 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} | |
363 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'} | |
364 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'} | |
365 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} | |
366 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} | |
367 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'} | |
368 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'} | |
369 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} | |
370 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} | |
285 | 371 | supported_os: [Windows] |
286 | 372 | urls: |
287 | 373 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' |
294 | 380 | - type: REGISTRY_VALUE |
295 | 381 | attributes: |
296 | 382 | key_value_pairs: |
297 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''} | |
298 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''} | |
299 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} | |
300 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} | |
301 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''} | |
302 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''} | |
303 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} | |
304 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} | |
383 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''} | |
384 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''} | |
385 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} | |
386 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} | |
387 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''} | |
388 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''} | |
389 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} | |
390 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} | |
305 | 391 | supported_os: [Windows] |
306 | 392 | urls: |
307 | 393 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' |
314 | 400 | - type: REGISTRY_VALUE |
315 | 401 | attributes: |
316 | 402 | key_value_pairs: |
317 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'} | |
318 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''} | |
319 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
320 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} | |
321 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} | |
322 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
323 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'} | |
324 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''} | |
325 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
326 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} | |
327 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} | |
328 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
403 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'} | |
404 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''} | |
405 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
406 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} | |
407 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} | |
408 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
409 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'} | |
410 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''} | |
411 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
412 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} | |
413 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} | |
414 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} | |
329 | 415 | supported_os: [Windows] |
330 | 416 | urls: |
331 | 417 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' |
332 | 418 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx' |
333 | 419 | --- |
420 | name: WindowsCOMProperties | |
421 | doc: | | |
422 | Various properties of Windows COM Objects. | |
423 | ||
424 | These artifacts are meant to highlight properties of COM objects that, | |
425 | although legitimate, are known to be associated with persistence techniques | |
426 | or other capabilities that malware can leverage. | |
427 | ||
428 | ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value | |
429 | 0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique | |
430 | to cause iexplore or explorer to load a malicious DLL by registering a COM | |
431 | object and invoking it through the use of Junction Folders. | |
432 | sources: | |
433 | - type: REGISTRY_VALUE | |
434 | attributes: | |
435 | key_value_pairs: | |
436 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'} | |
437 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'} | |
438 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'} | |
439 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'} | |
440 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'} | |
441 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'} | |
442 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'} | |
443 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'} | |
444 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} | |
445 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} | |
446 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} | |
447 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} | |
448 | supported_os: [Windows] | |
449 | urls: | |
450 | - 'https://ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse' | |
451 | - 'https://labs.nettitude.com/blog/com-and-the-powerthief/' | |
452 | --- | |
334 | 453 | name: WindowsCOMRegisteredTypeLibraries |
335 | 454 | doc: Windows COM registered type libraries |
336 | 455 | sources: |
337 | 456 | - type: REGISTRY_VALUE |
338 | 457 | attributes: |
339 | 458 | key_value_pairs: |
340 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\*\*\*\*', value: ''} | |
341 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} | |
342 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''} | |
343 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} | |
459 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\*\*\*\*', value: ''} | |
460 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} | |
461 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''} | |
462 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} | |
344 | 463 | supported_os: [Windows] |
345 | 464 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key'] |
465 | --- | |
466 | name: WindowsSearchFilterHandlers | |
467 | doc: | | |
468 | Windows Search filter handlers configured for file types and applications. | |
469 | ||
470 | Windows Search loads DLLs that implement the IFilter interface in order to | |
471 | scan files for text and extract certain types of information. Malware can | |
472 | replace the filter handler for a given file type or CLSID with itself to gain | |
473 | execution when a search operation is performed on that file. Search | |
474 | operations can be performed indirectly in a number of cases; for instance, | |
475 | the .txt, .html, and .rtf filter handlers are invoked when indexing email | |
476 | message bodies. | |
477 | ||
478 | The filter handler to use is specified indirectly via a persistent handler. | |
479 | The persistent handler GUID is indicated via the PersistentHandler subkey for | |
480 | a file type or application GUID. The filter handler CLSID is indicated via | |
481 | the PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey | |
482 | under the persistent handler GUID key path. This artifact inspects both of | |
483 | these paths. | |
484 | ||
485 | NOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these | |
486 | are the only keys used. SearchFilterHost.exe runs under the SYSTEM account, | |
487 | which does not have access to HKEY_CURRENT_USER. | |
488 | sources: | |
489 | - type: REGISTRY_VALUE | |
490 | attributes: | |
491 | key_value_pairs: | |
492 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\PersistentHandler', value: ''} | |
493 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\PersistentHandler', value: ''} | |
494 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentHandler', value: ''} | |
495 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentHandler', value: ''} | |
496 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''} | |
497 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''} | |
498 | supported_os: [Windows] | |
499 | urls: | |
500 | - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-about' | |
501 | - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-implementations' | |
502 | - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-registering-filters' | |
346 | 503 | --- |
347 | 504 | name: WindowsConfigSys |
348 | 505 | doc: Windows config.sys file |
350 | 507 | - type: FILE |
351 | 508 | attributes: |
352 | 509 | paths: |
353 | - '%%environ_systemdrive%%\config.sys' | |
354 | - '%%environ_windir%%\config.nt' | |
510 | - '%%environ_systemdrive%%\config.sys' | |
511 | - '%%environ_windir%%\config.nt' | |
355 | 512 | separator: '\' |
356 | 513 | supported_os: [Windows] |
357 | 514 | --- |
361 | 518 | - type: REGISTRY_KEY |
362 | 519 | attributes: |
363 | 520 | keys: |
364 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
365 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
366 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
367 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
521 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
522 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
523 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
524 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' | |
368 | 525 | supported_os: [Windows] |
369 | 526 | urls: |
370 | 527 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx' |
377 | 534 | - type: REGISTRY_KEY |
378 | 535 | attributes: |
379 | 536 | keys: |
380 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' | |
381 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' | |
537 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' | |
538 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' | |
382 | 539 | supported_os: [Windows] |
383 | 540 | urls: ['http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/'] |
384 | 541 | --- |
388 | 545 | - type: REGISTRY_KEY |
389 | 546 | attributes: |
390 | 547 | keys: |
391 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' | |
392 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' | |
548 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' | |
549 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' | |
393 | 550 | supported_os: [Windows] |
394 | 551 | urls: |
395 | 552 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
403 | 560 | - type: FILE |
404 | 561 | attributes: |
405 | 562 | paths: |
406 | - '%%environ_programfiles%%\Internet Explorer\sxs.dll' | |
407 | - '%%environ_programfilesx86%%\Internet Explorer\sxs.dll' | |
408 | - '%%environ_systemdrive%%\explorer.exe' | |
409 | - '%%environ_systemdrive%%\program.exe' | |
410 | - '%%environ_systemroot%%\linkinfo.dll' | |
411 | - '%%environ_systemroot%%\ntshrui.dll' | |
412 | - '%%environ_systemroot%%\System32\oci.dll' | |
413 | - '%%environ_systemroot%%\System32\sysprep\cryptbase.dll' | |
414 | - '%%environ_systemroot%%\SysWOW64\oci.dll' | |
415 | - '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll' | |
563 | - '%%environ_programfiles%%\Internet Explorer\sxs.dll' | |
564 | - '%%environ_programfilesx86%%\Internet Explorer\sxs.dll' | |
565 | - '%%environ_systemdrive%%\explorer.exe' | |
566 | - '%%environ_systemdrive%%\program.exe' | |
567 | - '%%environ_systemroot%%\linkinfo.dll' | |
568 | - '%%environ_systemroot%%\ntshrui.dll' | |
569 | - '%%environ_systemroot%%\System32\oci.dll' | |
570 | - '%%environ_systemroot%%\System32\sysprep\cryptbase.dll' | |
571 | - '%%environ_systemroot%%\SysWOW64\oci.dll' | |
572 | - '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll' | |
416 | 573 | separator: '\' |
417 | 574 | supported_os: [Windows] |
418 | 575 | urls: |
420 | 577 | - 'https://www.mandiant.com/blog/fxsst/' |
421 | 578 | --- |
422 | 579 | name: WindowsCurrentVersion |
423 | doc: The Windows current verson | |
580 | doc: The Windows current version | |
424 | 581 | sources: |
425 | 582 | - type: REGISTRY_VALUE |
426 | 583 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]} |
433 | 590 | - type: REGISTRY_VALUE |
434 | 591 | attributes: |
435 | 592 | key_value_pairs: |
436 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
437 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
438 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
439 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
593 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
594 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
595 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
596 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} | |
440 | 597 | supported_os: [Windows] |
441 | 598 | urls: ['https://msdn.microsoft.com/en-us/library/a329t4ed%28VS.71%29.aspx'] |
599 | --- | |
600 | name: WindowsDomainCachedCredentials | |
601 | doc: Windows domain cached credentials | |
602 | sources: | |
603 | - type: REGISTRY_VALUE | |
604 | attributes: | |
605 | key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Security\Cache', value: 'NL$*'}] | |
606 | supported_os: [Windows] | |
607 | urls: ['http://juggernaut.wikidot.com/cached-credentials'] | |
442 | 608 | --- |
443 | 609 | name: WindowsDomainName |
444 | 610 | doc: The domain the system is connected to. |
446 | 612 | - type: REGISTRY_VALUE |
447 | 613 | attributes: |
448 | 614 | key_value_pairs: |
449 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'} | |
615 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'} | |
450 | 616 | provides: [domain] |
451 | 617 | supported_os: [Windows] |
452 | 618 | --- |
456 | 622 | - type: REGISTRY_VALUE |
457 | 623 | attributes: |
458 | 624 | key_value_pairs: |
459 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'} | |
460 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'} | |
461 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserMprLogonScript'} | |
625 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'} | |
626 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'} | |
627 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitMprLogonScript'} | |
462 | 628 | supported_os: [Windows] |
463 | 629 | urls: |
464 | 630 | - 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/' |
465 | 631 | - 'https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon' |
466 | 632 | --- |
467 | 633 | name: WindowsEnvironmentVariableAllUsersProfile |
468 | doc: | | |
469 | The %AllUsersProfile% environment variable | |
470 | ||
471 | May or may not depend on registry keys - see urls | |
472 | sources: | |
473 | - type: REGISTRY_VALUE | |
474 | attributes: | |
475 | key_value_pairs: | |
476 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} | |
634 | doc: The system-wide %AllUsersProfile% environment variable contains the path of the of the "All Users" or "Common" profile directory. | |
635 | sources: | |
636 | - type: REGISTRY_VALUE | |
637 | attributes: | |
638 | key_value_pairs: | |
639 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} | |
477 | 640 | provides: [environ_allusersprofile] |
478 | 641 | supported_os: [Windows] |
479 | urls: | |
480 | - 'https://www.microsoft.com/en-us/wdsi/help/folder-variables' | |
481 | - 'https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/boot/bootdata/livecd.inf' | |
482 | - 'http://support.microsoft.com/kb//214653' | |
642 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
483 | 643 | --- |
484 | 644 | name: WindowsEnvironmentVariableAppxProcess |
485 | 645 | doc: | |
486 | The %APPX_PROCESS% environment variable. | |
487 | ||
488 | If this variable is set, .NET applications will attempt to load WinAppXRT.dll | |
489 | from PATH, which is a potential persistence mechanism. | |
490 | sources: | |
491 | - type: REGISTRY_VALUE | |
492 | attributes: | |
493 | key_value_pairs: | |
494 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'} | |
646 | The user-specific %APPX_PROCESS% environment variable is used for .NET applications. | |
647 | ||
648 | If set, a .NET applications will attempt to load WinAppXRT.dll from %PATH%, which can be used as a persistence mechanism by malware. | |
649 | sources: | |
650 | - type: REGISTRY_VALUE | |
651 | attributes: | |
652 | key_value_pairs: | |
653 | - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'} | |
495 | 654 | supported_os: [Windows] |
496 | 655 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] |
497 | urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/'] | |
656 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
657 | --- | |
658 | name: WindowsEnvironmentVariableCommonProgramFiles | |
659 | doc: The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder. | |
660 | sources: | |
661 | - type: REGISTRY_VALUE | |
662 | attributes: | |
663 | key_value_pairs: | |
664 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'} | |
665 | provides: [environ_commonprogramfiles] | |
666 | supported_os: [Windows] | |
667 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
668 | --- | |
669 | name: WindowsEnvironmentVariableCommonProgramFilesX86 | |
670 | doc: The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation. | |
671 | sources: | |
672 | - type: REGISTRY_VALUE | |
673 | attributes: | |
674 | key_value_pairs: | |
675 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'} | |
676 | provides: [environ_commonprogramfilesx86] | |
677 | supported_os: [Windows] | |
678 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
679 | --- | |
680 | name: WindowsEnvironmentVariableComSpec | |
681 | doc: The %ComSpec% environment variable contains the path of the command processor, typically "cmd.exe". | |
682 | sources: | |
683 | - type: REGISTRY_VALUE | |
684 | attributes: | |
685 | key_value_pairs: | |
686 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'} | |
687 | provides: [environ_comspec] | |
688 | supported_os: [Windows] | |
689 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
690 | --- | |
691 | name: WindowsEnvironmentVariableDriverData | |
692 | doc: The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers. | |
693 | sources: | |
694 | - type: REGISTRY_VALUE | |
695 | attributes: | |
696 | key_value_pairs: | |
697 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'} | |
698 | provides: [environ_driverdata] | |
699 | supported_os: [Windows] | |
700 | conditions: [os_major_version >= 10] | |
701 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
498 | 702 | --- |
499 | 703 | name: WindowsEnvironmentVariablePath |
500 | doc: The %PATH% environment variable. | |
501 | sources: | |
502 | - type: REGISTRY_VALUE | |
503 | attributes: | |
504 | key_value_pairs: | |
505 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'} | |
704 | doc: The %PATH% environment variable contains an ordered list of paths of directories that will be searched on execution request without a specific path. | |
705 | sources: | |
706 | - type: REGISTRY_VALUE | |
707 | attributes: | |
708 | key_value_pairs: | |
709 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'} | |
506 | 710 | provides: [environ_path] |
507 | 711 | supported_os: [Windows] |
508 | urls: ['http://environmentvariables.org/Path'] | |
712 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
509 | 713 | --- |
510 | 714 | name: WindowsEnvironmentVariableProfilesDirectory |
511 | doc: Folder that typically contains users' profile directories; default is '%SystemDrive%\Users' | |
512 | sources: | |
513 | - type: REGISTRY_VALUE | |
514 | attributes: | |
515 | key_value_pairs: | |
516 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} | |
715 | doc: The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users". | |
716 | sources: | |
717 | - type: REGISTRY_VALUE | |
718 | attributes: | |
719 | key_value_pairs: | |
720 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} | |
517 | 721 | provides: [environ_profilesdirectory] |
518 | 722 | supported_os: [Windows] |
519 | urls: | |
520 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx' | |
521 | - 'https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables' | |
522 | - 'http://support.microsoft.com/kb//214653' | |
723 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
523 | 724 | --- |
524 | 725 | name: WindowsEnvironmentVariableProgramData |
525 | doc: The %ProgramData% environment variable. | |
526 | sources: | |
527 | - type: REGISTRY_VALUE | |
528 | attributes: | |
529 | key_value_pairs: | |
530 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} | |
726 | doc: The %ProgramData% environment variable contains a path of the "Program Data" directory. | |
727 | sources: | |
728 | - type: REGISTRY_VALUE | |
729 | attributes: | |
730 | key_value_pairs: | |
731 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} | |
531 | 732 | provides: [environ_programdata] |
532 | 733 | supported_os: [Windows] |
533 | urls: ['http://environmentvariables.org/ProgramData'] | |
734 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
534 | 735 | --- |
535 | 736 | name: WindowsEnvironmentVariableProgramFiles |
536 | doc: The %ProgramFiles% environment variable. | |
737 | doc: The %ProgramFiles% environment variable contains a path of the "Program Files" directory. | |
537 | 738 | sources: |
538 | 739 | - type: PATH |
539 | 740 | attributes: |
542 | 743 | - type: REGISTRY_VALUE |
543 | 744 | attributes: |
544 | 745 | key_value_pairs: |
545 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'} | |
746 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'} | |
546 | 747 | provides: [environ_programfiles] |
547 | 748 | supported_os: [Windows] |
548 | urls: ['http://environmentvariables.org/ProgramFiles'] | |
749 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
549 | 750 | --- |
550 | 751 | name: WindowsEnvironmentVariableProgramFilesX86 |
551 | doc: The %ProgramFiles(x86)% environment variable. | |
752 | doc: The %ProgramFiles(x86)% environment variable contains a path of the 32-bit "Program Files" directory on a 64-bit Windows installation. | |
552 | 753 | sources: |
553 | 754 | - type: PATH |
554 | 755 | attributes: |
557 | 758 | - type: REGISTRY_VALUE |
558 | 759 | attributes: |
559 | 760 | key_value_pairs: |
560 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'} | |
761 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'} | |
561 | 762 | provides: [environ_programfilesx86] |
562 | 763 | supported_os: [Windows] |
563 | urls: ['http://environmentvariables.org/ProgramFiles'] | |
764 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
564 | 765 | --- |
565 | 766 | name: WindowsEnvironmentVariableSystemDrive |
566 | 767 | doc: | |
567 | The %SystemDrive% environment variable, usually "C:". | |
568 | ||
569 | This value isn't actually present in the Registry but with some parsing we | |
570 | can figure it out from SystemRoot. | |
768 | The %SystemDrive% environment variable contains the letter of the drive in which the system directory is located, typically "C:". | |
769 | ||
770 | This value is not present in the Windows Registry but can be derived from %SystemRoot%. | |
571 | 771 | sources: |
572 | 772 | - type: ARTIFACT_GROUP |
573 | 773 | attributes: {names: ['WindowsEnvironmentVariableSystemRoot']} |
574 | 774 | provides: [environ_systemdrive] |
575 | 775 | supported_os: [Windows] |
576 | urls: | |
577 | - 'http://environmentvariables.org/SystemDrive' | |
578 | - 'https://msdn.microsoft.com/en-us/library/cc231436.aspx' | |
776 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
579 | 777 | --- |
580 | 778 | name: WindowsEnvironmentVariableSystemRoot |
581 | doc: The system root directory path, defined by %SystemRoot%, typically "C:\Windows". | |
779 | doc: The %SystemRoot%, environment variable contains the path of the system directory, typically "C:\Windows". | |
582 | 780 | sources: |
583 | 781 | - type: PATH |
584 | 782 | attributes: |
585 | 783 | paths: |
586 | - '\Windows' | |
587 | - '\WinNT' | |
588 | - '\WINNT35' | |
589 | - '\WTSRV' | |
590 | separator: '\' | |
591 | - type: REGISTRY_VALUE | |
592 | attributes: | |
593 | key_value_pairs: | |
594 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'} | |
784 | - '\Windows' | |
785 | - '\WinNT' | |
786 | - '\WINNT35' | |
787 | - '\WTSRV' | |
788 | separator: '\' | |
789 | - type: REGISTRY_VALUE | |
790 | attributes: | |
791 | key_value_pairs: | |
792 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'} | |
595 | 793 | provides: [environ_systemroot] |
596 | 794 | supported_os: [Windows] |
597 | urls: ['http://environmentvariables.org/SystemRoot'] | |
795 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
598 | 796 | --- |
599 | 797 | name: WindowsEnvironmentVariableTemp |
600 | 798 | doc: The %TEMP% environment variable. |
602 | 800 | - type: REGISTRY_VALUE |
603 | 801 | attributes: |
604 | 802 | key_value_pairs: |
605 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'} | |
803 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'} | |
606 | 804 | provides: [environ_temp] |
607 | 805 | supported_os: [Windows] |
608 | urls: ['http://environmentvariables.org/Temp'] | |
806 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
609 | 807 | --- |
610 | 808 | name: WindowsEnvironmentVariableWinDir |
611 | doc: The %WinDir% environment variable. | |
809 | doc: The %WinDir%, environment variable contains the path of the Windows directory, typically "C:\Windows". | |
612 | 810 | sources: |
613 | 811 | - type: PATH |
614 | 812 | attributes: |
615 | 813 | paths: |
616 | - '\Windows' | |
617 | - '\WinNT' | |
618 | - '\WINNT35' | |
619 | - '\WTSRV' | |
620 | separator: '\' | |
621 | - type: REGISTRY_VALUE | |
622 | attributes: | |
623 | key_value_pairs: | |
624 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'} | |
814 | - '\Windows' | |
815 | - '\WinNT' | |
816 | - '\WINNT35' | |
817 | - '\WTSRV' | |
818 | separator: '\' | |
819 | - type: REGISTRY_VALUE | |
820 | attributes: | |
821 | key_value_pairs: | |
822 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'} | |
625 | 823 | provides: [environ_windir] |
626 | 824 | supported_os: [Windows] |
627 | urls: ['http://environmentvariables.org/WinDir'] | |
825 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md'] | |
628 | 826 | --- |
629 | 827 | name: WindowsEventLogs |
630 | 828 | doc: Windows Event logs. |
632 | 830 | - type: ARTIFACT_GROUP |
633 | 831 | attributes: |
634 | 832 | names: |
635 | - 'WindowsEventLogApplication' | |
636 | - 'WindowsEventLogSecurity' | |
637 | - 'WindowsEventLogSystem' | |
638 | - 'WindowsXMLEventLogApplication' | |
639 | - 'WindowsXMLEventLogSecurity' | |
640 | - 'WindowsXMLEventLogSystem' | |
833 | - 'WindowsEventLogApplication' | |
834 | - 'WindowsEventLogSecurity' | |
835 | - 'WindowsEventLogSystem' | |
836 | - 'WindowsXMLEventLogApplication' | |
837 | - 'WindowsXMLEventLogSecurity' | |
838 | - 'WindowsXMLEventLogSysmon' | |
839 | - 'WindowsXMLEventLogSystem' | |
840 | - 'WindowsXMLEventLogTerminalServices' | |
641 | 841 | labels: [Logs] |
642 | 842 | supported_os: [Windows] |
843 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
643 | 844 | --- |
644 | 845 | name: WindowsEventLogApplication |
645 | 846 | doc: Application Windows Event Log. |
651 | 852 | conditions: [os_major_version < 6] |
652 | 853 | labels: [Logs] |
653 | 854 | supported_os: [Windows] |
654 | urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)'] | |
855 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
655 | 856 | --- |
656 | 857 | name: WindowsEventLogSecurity |
657 | 858 | doc: Security Windows Event Log. |
663 | 864 | conditions: [os_major_version < 6] |
664 | 865 | labels: [Logs] |
665 | 866 | supported_os: [Windows] |
666 | urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)'] | |
867 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
667 | 868 | --- |
668 | 869 | name: WindowsEventLogSystem |
669 | 870 | doc: System Windows Event Log. |
675 | 876 | conditions: [os_major_version < 6] |
676 | 877 | labels: [Logs] |
677 | 878 | supported_os: [Windows] |
678 | urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)'] | |
879 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
679 | 880 | --- |
680 | 881 | name: WindowsXMLEventLogApplication |
681 | 882 | doc: Application Windows XML Event Log. |
687 | 888 | conditions: [os_major_version >= 6] |
688 | 889 | labels: [Logs] |
689 | 890 | supported_os: [Windows] |
690 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
891 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
691 | 892 | --- |
692 | 893 | name: WindowsXMLEventLogSecurity |
693 | 894 | doc: Security Windows XML Event Log. |
699 | 900 | conditions: [os_major_version >= 6] |
700 | 901 | labels: [Logs] |
701 | 902 | supported_os: [Windows] |
702 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
903 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
703 | 904 | --- |
704 | 905 | name: WindowsXMLEventLogSysmon |
705 | 906 | doc: Sysmon Windows XML Event Log. |
710 | 911 | separator: '\' |
711 | 912 | labels: [Logs] |
712 | 913 | supported_os: [Windows] |
713 | urls: | |
714 | - 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' | |
715 | - 'https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed' | |
914 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
716 | 915 | --- |
717 | 916 | name: WindowsXMLEventLogSystem |
718 | 917 | doc: System Windows XML Event Log. |
724 | 923 | conditions: [os_major_version >= 6] |
725 | 924 | labels: [Logs] |
726 | 925 | supported_os: [Windows] |
727 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
926 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
728 | 927 | --- |
729 | 928 | name: WindowsXMLEventLogTerminalServices |
730 | 929 | doc: TerminalServices Windows XML Event Log. |
736 | 935 | conditions: [os_major_version >= 6] |
737 | 936 | labels: [Logs] |
738 | 937 | supported_os: [Windows] |
739 | urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] | |
938 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md'] | |
740 | 939 | --- |
741 | 940 | name: WindowsExcludeFromKnownDLLs |
742 | 941 | doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection. |
753 | 952 | - type: REGISTRY_VALUE |
754 | 953 | attributes: |
755 | 954 | key_value_pairs: |
756 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'} | |
955 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'} | |
757 | 956 | supported_os: [Windows] |
758 | 957 | urls: |
759 | 958 | - 'http://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/assigning-the-special-keys-at-the-top-of-the/d1ab2e13-5297-457d-a8e8-bc2c883d8b58?db=5' |
776 | 975 | - type: REGISTRY_VALUE |
777 | 976 | attributes: |
778 | 977 | key_value_pairs: |
779 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'} | |
780 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'} | |
781 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'} | |
782 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'} | |
978 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'} | |
979 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'} | |
980 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'} | |
981 | - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'} | |
783 | 982 | supported_os: [Windows] |
784 | 983 | urls: |
785 | 984 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx' |
793 | 992 | - type: REGISTRY_KEY |
794 | 993 | attributes: |
795 | 994 | keys: |
796 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
797 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
798 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
799 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
800 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
801 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
802 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
803 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
804 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' | |
805 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' | |
806 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' | |
807 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' | |
995 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
996 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
997 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
998 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' | |
999 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
1000 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
1001 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
1002 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' | |
1003 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' | |
1004 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' | |
1005 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' | |
1006 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' | |
808 | 1007 | supported_os: [Windows] |
809 | 1008 | urls: |
810 | 1009 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx' |
817 | 1016 | - type: REGISTRY_KEY |
818 | 1017 | attributes: |
819 | 1018 | keys: |
820 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
821 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
822 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
823 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
824 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' | |
825 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' | |
826 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' | |
827 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' | |
828 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpaceWOW64\DelegateFolders' | |
829 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders' | |
830 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace' | |
831 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' | |
832 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
833 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
834 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
835 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
836 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' | |
837 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' | |
838 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' | |
839 | - 'HKEY_USERS\%%users.sid%%\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' | |
1019 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
1020 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
1021 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
1022 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
1023 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' | |
1024 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' | |
1025 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' | |
1026 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' | |
1027 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpaceWOW64\DelegateFolders' | |
1028 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders' | |
1029 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace' | |
1030 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' | |
1031 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
1032 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' | |
1033 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
1034 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' | |
1035 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' | |
1036 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' | |
1037 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' | |
1038 | - 'HKEY_USERS\%%users.sid%%\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' | |
840 | 1039 | supported_os: [Windows] |
841 | 1040 | urls: |
842 | 1041 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx' |
848 | 1047 | - type: REGISTRY_KEY |
849 | 1048 | attributes: |
850 | 1049 | keys: |
851 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
852 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
853 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
854 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
855 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' | |
856 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' | |
857 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
858 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
859 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
860 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
861 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' | |
862 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' | |
1050 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
1051 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
1052 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
1053 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
1054 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' | |
1055 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' | |
1056 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
1057 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' | |
1058 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
1059 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' | |
1060 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' | |
1061 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' | |
863 | 1062 | supported_os: [Windows] |
864 | 1063 | urls: |
865 | 1064 | - 'https://social.technet.microsoft.com/Forums/windowsserver/en-US/2760309c-89d1-414c-a04c-ce4178e90787/hide-libraries-icon-from-desktop' |
873 | 1072 | - type: REGISTRY_KEY |
874 | 1073 | attributes: |
875 | 1074 | keys: |
876 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
877 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
878 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
879 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
880 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' | |
881 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' | |
882 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
883 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
884 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
885 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
886 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' | |
887 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' | |
1075 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
1076 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
1077 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
1078 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
1079 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' | |
1080 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' | |
1081 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
1082 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' | |
1083 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
1084 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' | |
1085 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' | |
1086 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' | |
888 | 1087 | supported_os: [Windows] |
889 | 1088 | urls: |
890 | 1089 | - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/mycomputer.htm' |
897 | 1096 | - type: REGISTRY_KEY |
898 | 1097 | attributes: |
899 | 1098 | keys: |
900 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
901 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
902 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
903 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
904 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' | |
905 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' | |
906 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
907 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
908 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
909 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
910 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' | |
911 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' | |
1099 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
1100 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
1101 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
1102 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
1103 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' | |
1104 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' | |
1105 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
1106 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' | |
1107 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
1108 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' | |
1109 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' | |
1110 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' | |
912 | 1111 | supported_os: [Windows] |
913 | 1112 | urls: |
914 | 1113 | - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm' |
921 | 1120 | - type: REGISTRY_KEY |
922 | 1121 | attributes: |
923 | 1122 | keys: |
924 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
925 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
926 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
927 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
928 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' | |
929 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' | |
930 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
931 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
932 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
933 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
934 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' | |
935 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' | |
1123 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
1124 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
1125 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
1126 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
1127 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' | |
1128 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' | |
1129 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
1130 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' | |
1131 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
1132 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' | |
1133 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' | |
1134 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' | |
936 | 1135 | supported_os: [Windows] |
937 | 1136 | urls: |
938 | 1137 | - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/printers.htm' |
941 | 1140 | doc: | |
942 | 1141 | Registry value for what application class identifier (CLSID) to launch for a file extension. |
943 | 1142 | |
944 | Extension subkeys start with a dot. | |
945 | sources: | |
946 | - type: REGISTRY_KEY | |
947 | attributes: | |
948 | keys: | |
949 | - 'HKEY_LOCAL_MACHINE\Software\Classes\.*' | |
950 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*' | |
951 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\.*' | |
952 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*' | |
953 | supported_os: [Windows] | |
954 | urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx'] | |
1143 | Extension subkeys start with a dot. The '(Default)' value will be a ProgID, | |
1144 | which points to another entry in HKCR specifying the command to run to open | |
1145 | a file of the given type. The WindowsShellOpenCommand artifact is associated | |
1146 | with these ProgID command invocations. | |
1147 | sources: | |
1148 | - type: REGISTRY_VALUE | |
1149 | attributes: | |
1150 | key_value_pairs: | |
1151 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\.*', value: ''} | |
1152 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*', value: ''} | |
1153 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.*', value: ''} | |
1154 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*', value: ''} | |
1155 | supported_os: [Windows] | |
1156 | urls: | |
1157 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx' | |
1158 | - 'https://docs.microsoft.com/en-us/windows/desktop/shell/fa-file-types' | |
955 | 1159 | --- |
956 | 1160 | name: WindowsFirewallLogFile |
957 | 1161 | doc: Windows Firewall default logfile |
990 | 1194 | - type: FILE |
991 | 1195 | attributes: |
992 | 1196 | paths: |
993 | - '%%environ_systemroot%%\GroupPolicy\User\Scripts\scripts.ini' | |
1197 | - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\psscripts.ini' | |
1198 | - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\scripts.ini' | |
1199 | - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logoff\*' | |
1200 | - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logon\*' | |
1201 | - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\psscripts.ini' | |
1202 | - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\scripts.ini' | |
1203 | - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Shutdown\*' | |
1204 | - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Startup\*' | |
994 | 1205 | separator: '\' |
995 | 1206 | supported_os: [Windows] |
996 | 1207 | --- |
1000 | 1211 | - type: FILE |
1001 | 1212 | attributes: |
1002 | 1213 | paths: |
1003 | - '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts' | |
1004 | - '%%environ_systemroot%%\System32\Drivers\etc\hosts' | |
1214 | - '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts' | |
1215 | - '%%environ_systemroot%%\System32\Drivers\etc\hosts' | |
1005 | 1216 | separator: '\' |
1006 | 1217 | supported_os: [Windows] |
1007 | 1218 | --- |
1011 | 1222 | - type: FILE |
1012 | 1223 | attributes: |
1013 | 1224 | paths: |
1014 | - '%%environ_systemroot%%\System32\magnifier.exe' | |
1015 | - '%%environ_systemroot%%\System32\sethc.exe' | |
1016 | - '%%environ_systemroot%%\System32\utilman.exe' | |
1225 | - '%%environ_systemroot%%\System32\magnifier.exe' | |
1226 | - '%%environ_systemroot%%\System32\sethc.exe' | |
1227 | - '%%environ_systemroot%%\System32\utilman.exe' | |
1017 | 1228 | separator: '\' |
1018 | 1229 | supported_os: [Windows] |
1019 | 1230 | --- |
1023 | 1234 | - type: REGISTRY_VALUE |
1024 | 1235 | attributes: |
1025 | 1236 | key_value_pairs: |
1026 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'} | |
1237 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'} | |
1027 | 1238 | supported_os: [Windows] |
1028 | 1239 | --- |
1029 | 1240 | name: WindowsLogoffScript |
1032 | 1243 | - type: REGISTRY_VALUE |
1033 | 1244 | attributes: |
1034 | 1245 | key_value_pairs: |
1035 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} | |
1036 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} | |
1246 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} | |
1247 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} | |
1037 | 1248 | supported_os: [Windows] |
1038 | 1249 | urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] |
1039 | 1250 | --- |
1043 | 1254 | - type: REGISTRY_VALUE |
1044 | 1255 | attributes: |
1045 | 1256 | key_value_pairs: |
1046 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} | |
1047 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} | |
1257 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} | |
1258 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} | |
1048 | 1259 | supported_os: [Windows] |
1049 | 1260 | urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] |
1050 | 1261 | --- |
1054 | 1265 | - type: REGISTRY_VALUE |
1055 | 1266 | attributes: |
1056 | 1267 | key_value_pairs: |
1057 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'} | |
1058 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'} | |
1268 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'} | |
1269 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'} | |
1059 | 1270 | supported_os: [Windows] |
1060 | 1271 | urls: |
1061 | 1272 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1067 | 1278 | - type: REGISTRY_VALUE |
1068 | 1279 | attributes: |
1069 | 1280 | key_value_pairs: |
1070 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'} | |
1071 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'} | |
1281 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'} | |
1282 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'} | |
1072 | 1283 | supported_os: [Windows] |
1073 | 1284 | urls: |
1074 | 1285 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1080 | 1291 | - type: REGISTRY_VALUE |
1081 | 1292 | attributes: |
1082 | 1293 | key_value_pairs: |
1083 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'} | |
1084 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'} | |
1294 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'} | |
1295 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'} | |
1085 | 1296 | supported_os: [Windows] |
1086 | 1297 | urls: |
1087 | 1298 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa379392(v=vs.85).aspx' |
1137 | 1348 | - type: REGISTRY_VALUE |
1138 | 1349 | attributes: |
1139 | 1350 | key_value_pairs: |
1140 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'} | |
1141 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'} | |
1351 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'} | |
1352 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'} | |
1142 | 1353 | supported_os: [Windows] |
1143 | 1354 | urls: |
1144 | 1355 | - 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_ransom.smc7' |
1150 | 1361 | - type: REGISTRY_KEY |
1151 | 1362 | attributes: |
1152 | 1363 | keys: |
1153 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*' | |
1154 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*' | |
1364 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*' | |
1365 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*' | |
1155 | 1366 | supported_os: [Windows] |
1156 | 1367 | urls: ['https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/'] |
1157 | 1368 | --- |
1160 | 1371 | sources: |
1161 | 1372 | - type: REGISTRY_KEY |
1162 | 1373 | attributes: |
1163 | keys: ['HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'] | |
1374 | keys: | |
1375 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*' | |
1376 | - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*' | |
1377 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*' | |
1378 | - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*' | |
1164 | 1379 | supported_os: [Windows] |
1165 | 1380 | urls: |
1166 | 1381 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1167 | 1382 | - 'https://support.microsoft.com/en-us/kb/126054' |
1383 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
1168 | 1384 | --- |
1169 | 1385 | name: WindowsNetworkShellHelpers |
1170 | 1386 | doc: Windows Network Shell (netsh) helpers are loaded on boot |
1172 | 1388 | - type: REGISTRY_KEY |
1173 | 1389 | attributes: |
1174 | 1390 | keys: |
1175 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh' | |
1176 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh' | |
1391 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh' | |
1392 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh' | |
1177 | 1393 | supported_os: [Windows] |
1178 | 1394 | urls: ['https://support.microsoft.com/en-us/kb/242468'] |
1179 | 1395 | --- |
1186 | 1402 | conditions: [os_major_version < 6] |
1187 | 1403 | supported_os: [Windows] |
1188 | 1404 | urls: |
1189 | - 'http://www.forensicswiki.org/wiki/OpenSaveMRU' | |
1405 | - 'https://forensicswiki.xyz/wiki/index.php?title=OpenSaveMRU' | |
1190 | 1406 | - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru' |
1191 | 1407 | --- |
1192 | 1408 | name: WindowsOpenSavePidlMRU |
1199 | 1415 | supported_os: [Windows] |
1200 | 1416 | urls: |
1201 | 1417 | - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru' |
1202 | - 'http://www.forensicswiki.org/wiki/OpenSavePidlMRU' | |
1418 | - 'https://forensicswiki.xyz/wiki/index.php?title=OpenSavePidlMRU' | |
1203 | 1419 | --- |
1204 | 1420 | name: WindowsPendingFileRenames |
1205 | 1421 | doc: Windows Pending file renames on reboot |
1207 | 1423 | - type: REGISTRY_VALUE |
1208 | 1424 | attributes: |
1209 | 1425 | key_value_pairs: |
1210 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'} | |
1426 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'} | |
1211 | 1427 | supported_os: [Windows] |
1212 | 1428 | urls: ['https://technet.microsoft.com/en-us/library/cc960241.aspx'] |
1429 | --- | |
1430 | name: WindowsPendingGPOs | |
1431 | doc: | | |
1432 | Windows Pending GPOs registry settings. | |
1433 | ||
1434 | This is a persistence mechanism known to be used by the Gootkit malware family. | |
1435 | sources: | |
1436 | - type: REGISTRY_VALUE | |
1437 | attributes: | |
1438 | key_value_pairs: | |
1439 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'} | |
1440 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'} | |
1441 | supported_os: [Windows] | |
1442 | urls: ['https://www.certego.net/en/news/malware-tales-gootkit/'] | |
1213 | 1443 | --- |
1214 | 1444 | name: WindowsPersistenceMechanisms |
1215 | 1445 | doc: Persistence mechanisms in Windows. |
1217 | 1447 | - type: ARTIFACT_GROUP |
1218 | 1448 | attributes: |
1219 | 1449 | names: |
1220 | - WindowsPersistenceRegistryKeys | |
1221 | - WindowsPowerShellDefaultProfiles | |
1222 | - WindowsServices | |
1450 | - WindowsPersistenceRegistryKeys | |
1451 | - WindowsPowerShellDefaultProfiles | |
1452 | - WindowsServices | |
1223 | 1453 | labels: [Software] |
1224 | 1454 | supported_os: [Windows] |
1225 | 1455 | --- |
1229 | 1459 | - type: ARTIFACT_GROUP |
1230 | 1460 | attributes: |
1231 | 1461 | names: |
1232 | - InternetExplorerBrowserHelperObjects | |
1233 | - WindowsActiveDesktop | |
1234 | - WindowsAlternateShell | |
1235 | - WindowsAppCertDLLs | |
1236 | - WindowsAppInitDLLs | |
1237 | - WindowsBootVerificationProgram | |
1238 | - WindowsCommandProcessorAutoRun | |
1239 | - WindowsCredentialProviderFilters | |
1240 | - WindowsCredentialProviders | |
1241 | - WindowsDebugger | |
1242 | - WindowsEnvironmentUserLoginScripts | |
1243 | - WindowsExplorerAutoplayHandlers | |
1244 | - WindowsFileTypeAutorunAssociations | |
1245 | - WindowsLSAAuthenticationPackages | |
1246 | - WindowsLSANotificationPackages | |
1247 | - WindowsLSASecurityPackages | |
1248 | - WindowsMSDTCDLLs | |
1249 | - WindowsMultiMediaDrivers | |
1250 | - WindowsNetworkShellHelpers | |
1251 | - WindowsPLAPProviders | |
1252 | - WindowsPrintMonitors | |
1253 | - WindowsRunGrpConv | |
1254 | - WindowsRunKeys | |
1255 | - WindowsRunServices | |
1256 | - WindowsScreenSaverExecutable | |
1257 | - WindowsSecurityProviders | |
1258 | - WindowsServiceControlManagerExtension | |
1259 | - WindowsSessionManagerBootExecute | |
1260 | - WindowsSessionManagerExecute | |
1261 | - WindowsSessionManagerSetupExecute | |
1262 | - WindowsSessionManagerSubSystems | |
1263 | - WindowsSessionManagerWOWCommandLine | |
1264 | - WindowsSharedTaskScheduler | |
1265 | - WindowsShellExecuteHooks | |
1266 | - WindowsShellExtensions | |
1267 | - WindowsShellIconOverlayIdentifiers | |
1268 | - WindowsShellLoadAndRun | |
1269 | - WindowsShellOpenCommand | |
1270 | - WindowsShellServiceObjects | |
1271 | - WindowsStubPaths | |
1272 | - WindowsSystemPolicyShell | |
1273 | - WindowsTerminalServerRunKeys | |
1274 | - WindowsTerminalServerStartupPrograms | |
1275 | - WindowsToolPaths | |
1276 | - WindowsWinlogonGinaDLL | |
1277 | - WindowsWinlogonNotify | |
1278 | - WindowsWinlogonShell | |
1279 | - WindowsWinlogonSystem | |
1280 | - WindowsWinlogonTaskman | |
1281 | - WindowsWinlogonUiHost | |
1282 | - WindowsWinlogonUserinit | |
1283 | - WindowsWinlogonVMApplet | |
1284 | - WinSock2LayeredServiceProviders | |
1285 | - WinSock2NamespaceProviders | |
1462 | - InternetExplorerBrowserHelperObjects | |
1463 | - WindowsActiveDesktop | |
1464 | - WindowsActiveSyncAutoStart | |
1465 | - WindowsAlternateShell | |
1466 | - WindowsAppCertDLLs | |
1467 | - WindowsAppInitDLLs | |
1468 | - WindowsBootVerificationProgram | |
1469 | - WindowsCommandProcessorAutoRun | |
1470 | - WindowsCredentialProviderFilters | |
1471 | - WindowsCredentialProviders | |
1472 | - WindowsDebugger | |
1473 | - WindowsEnvironmentUserLoginScripts | |
1474 | - WindowsExplorerAutoplayHandlers | |
1475 | - WindowsFileTypeAutorunAssociations | |
1476 | - WindowsFontDrivers | |
1477 | - WindowsIconServiceLib | |
1478 | - WindowsLSAAuthenticationPackages | |
1479 | - WindowsLSANotificationPackages | |
1480 | - WindowsLSASecurityPackages | |
1481 | - WindowsMSDTCDLLs | |
1482 | - WindowsMultiMediaDrivers | |
1483 | - WindowsNetworkShellHelpers | |
1484 | - WindowsPendingGPOs | |
1485 | - WindowsPLAPProviders | |
1486 | - WindowsPrintMonitors | |
1487 | - WindowsRunGrpConv | |
1488 | - WindowsRunKeys | |
1489 | - WindowsRunServices | |
1490 | - WindowsScreenSaverExecutable | |
1491 | - WindowsSearchFilterHandlers | |
1492 | - WindowsSecurityProviders | |
1493 | - WindowsServiceControlManagerExtension | |
1494 | - WindowsSessionManagerBootExecute | |
1495 | - WindowsSessionManagerExecute | |
1496 | - WindowsSessionManagerS0InitialCommand | |
1497 | - WindowsSessionManagerSetupExecute | |
1498 | - WindowsSessionManagerSubSystems | |
1499 | - WindowsSessionManagerWOWCommandLine | |
1500 | - WindowsSetupCommandLine | |
1501 | - WindowsSharedTaskScheduler | |
1502 | - WindowsShellExecuteHooks | |
1503 | - WindowsShellExtensions | |
1504 | - WindowsShellIconOverlayIdentifiers | |
1505 | - WindowsShellLoadAndRun | |
1506 | - WindowsShellOpenCommand | |
1507 | - WindowsShellRunasCommand | |
1508 | - WindowsShellServiceObjects | |
1509 | - WindowsStubPaths | |
1510 | - WindowsSystemPolicyShell | |
1511 | - WindowsTerminalServerInitialProgram | |
1512 | - WindowsTerminalServerRunKeys | |
1513 | - WindowsTerminalServerStartupPrograms | |
1514 | - WindowsToolPaths | |
1515 | - WindowsWinlogonAppSetup | |
1516 | - WindowsWinlogonAvailableShells | |
1517 | - WindowsWinlogonGinaDLL | |
1518 | - WindowsWinlogonGPExtensions | |
1519 | - WindowsWinlogonNotify | |
1520 | - WindowsWinlogonShell | |
1521 | - WindowsWinlogonSystem | |
1522 | - WindowsWinlogonTaskman | |
1523 | - WindowsWinlogonUiHost | |
1524 | - WindowsWinlogonUserinit | |
1525 | - WindowsWinlogonVMApplet | |
1526 | - WinSock2LayeredServiceProviders | |
1527 | - WinSock2NamespaceProviders | |
1286 | 1528 | labels: [Software] |
1287 | 1529 | supported_os: [Windows] |
1288 | 1530 | --- |
1292 | 1534 | - type: REGISTRY_KEY |
1293 | 1535 | attributes: |
1294 | 1536 | keys: |
1295 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' | |
1296 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' | |
1537 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' | |
1538 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' | |
1297 | 1539 | supported_os: [Windows] |
1298 | 1540 | urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb530584(v=vs.85).aspx'] |
1299 | 1541 | --- |
1302 | 1544 | sources: |
1303 | 1545 | - type: REGISTRY_KEY |
1304 | 1546 | attributes: |
1305 | keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*'] | |
1306 | labels: [Software] | |
1307 | supported_os: [Windows] | |
1308 | urls: ['https://support.microsoft.com/en-us/kb/323525'] | |
1547 | keys: | |
1548 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*' | |
1549 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*' | |
1550 | labels: [System] | |
1551 | supported_os: [Windows] | |
1552 | urls: | |
1553 | - 'https://support.microsoft.com/en-us/kb/323525' | |
1554 | - 'https://blog.malwarebytes.com/detections/pum-optional-disallowrun/' | |
1309 | 1555 | --- |
1310 | 1556 | name: WindowsPowerShellDefaultProfiles |
1311 | 1557 | doc: Default PowerShell Profile files. These files are executed by default when PowerShell starts up. |
1313 | 1559 | - type: FILE |
1314 | 1560 | attributes: |
1315 | 1561 | paths: |
1316 | - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1' | |
1317 | - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' | |
1318 | - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1' | |
1319 | - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' | |
1562 | - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1' | |
1563 | - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' | |
1564 | - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1' | |
1565 | - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' | |
1320 | 1566 | separator: '\' |
1321 | 1567 | supported_os: [Windows] |
1322 | 1568 | urls: |
1329 | 1575 | - type: REGISTRY_VALUE |
1330 | 1576 | attributes: |
1331 | 1577 | key_value_pairs: |
1332 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} | |
1333 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} | |
1578 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} | |
1579 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} | |
1334 | 1580 | supported_os: [Windows] |
1335 | 1581 | urls: |
1336 | 1582 | - 'https://technet.microsoft.com/library/hh847748.aspx' |
1342 | 1588 | - type: REGISTRY_VALUE |
1343 | 1589 | attributes: |
1344 | 1590 | key_value_pairs: |
1345 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} | |
1346 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} | |
1591 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} | |
1592 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} | |
1347 | 1593 | supported_os: [Windows] |
1348 | 1594 | urls: |
1349 | 1595 | - 'https://technet.microsoft.com/library/hh847748.aspx' |
1358 | 1604 | separator: '\' |
1359 | 1605 | labels: [System] |
1360 | 1606 | supported_os: [Windows] |
1361 | urls: ['http://www.forensicswiki.org/wiki/Prefetch'] | |
1607 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Prefetch'] | |
1362 | 1608 | --- |
1363 | 1609 | name: WindowsPrintMonitors |
1364 | 1610 | doc: Windows Print Monitor DLL config. |
1385 | 1631 | - type: REGISTRY_VALUE |
1386 | 1632 | attributes: |
1387 | 1633 | key_value_pairs: |
1388 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'} | |
1389 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'} | |
1634 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'} | |
1635 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'} | |
1390 | 1636 | supported_os: [Windows] |
1391 | 1637 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc'] |
1638 | --- | |
1639 | name: WindowsProgramsCacheJumpLists | |
1640 | doc: Windows Programs Cache Jump Lists | |
1641 | sources: | |
1642 | - type: REGISTRY_VALUE | |
1643 | attributes: | |
1644 | key_value_pairs: | |
1645 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheSMP'} | |
1646 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheTBP'} | |
1647 | supported_os: [Windows] | |
1648 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
1392 | 1649 | --- |
1393 | 1650 | name: WindowsProxyPACAutoConfigURL |
1394 | 1651 | doc: Windows Proxy PAC AutoConfigURL. |
1396 | 1653 | - type: REGISTRY_VALUE |
1397 | 1654 | attributes: |
1398 | 1655 | key_value_pairs: |
1399 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'} | |
1656 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'} | |
1400 | 1657 | labels: [System, Network] |
1401 | 1658 | supported_os: [Windows] |
1402 | 1659 | urls: ['https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/'] |
1660 | --- | |
1661 | name: WindowsProxyServerSettings | |
1662 | doc: | | |
1663 | Windows Proxy Server Settings. | |
1664 | ||
1665 | Malware can modify these settings to redirect traffic through | |
1666 | a malicious program running on the machine (for instance, by | |
1667 | specifying 127.0.0.1 as the IP address of the proxy server to | |
1668 | use) or to a malicious host on the local network or internet. | |
1669 | sources: | |
1670 | - type: REGISTRY_VALUE | |
1671 | attributes: | |
1672 | key_value_pairs: | |
1673 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} | |
1674 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} | |
1675 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} | |
1676 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} | |
1677 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'} | |
1678 | - {key: 'HKEY_USERS\%%users.sid%%\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'} | |
1679 | labels: [System, Network] | |
1680 | supported_os: [Windows] | |
1681 | urls: ['https://blog.malwarebytes.com/detections/pum-optional-proxyhijacker/'] | |
1403 | 1682 | --- |
1404 | 1683 | name: WindowsRecentFileCacheBCF |
1405 | 1684 | doc: The RecentFileCache.bcf file. |
1410 | 1689 | separator: '\' |
1411 | 1690 | conditions: [os_major_version >= 6 AND os_minor_version >= 1] |
1412 | 1691 | supported_os: [Windows] |
1413 | urls: ['https://github.com/libyal/assorted/blob/master/documentation/RecentFileCache.bcf%20format.asciidoc'] | |
1692 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RecentFileCache.md'] | |
1414 | 1693 | --- |
1415 | 1694 | name: WindowsRecycleBin |
1416 | 1695 | doc: Windows Recycle Bin (Recyler, $Recycle.Bin) files. |
1418 | 1697 | - type: FILE |
1419 | 1698 | attributes: |
1420 | 1699 | paths: |
1421 | - '\$Recycle.Bin\**' | |
1422 | - '\Recycler\**' | |
1700 | - '\$Recycle.Bin\**' | |
1701 | - '\Recycler\**' | |
1423 | 1702 | separator: '\' |
1424 | 1703 | labels: [Users] |
1425 | 1704 | supported_os: [Windows] |
1426 | urls: ['http://www.forensicswiki.org/wiki/Windows#Recycle_Bin'] | |
1705 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Recycle_Bin'] | |
1427 | 1706 | --- |
1428 | 1707 | name: WindowsRegistryCurrentControlSet |
1429 | 1708 | doc: The current control set of the Windows Registry. |
1432 | 1711 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]} |
1433 | 1712 | provides: [current_control_set] |
1434 | 1713 | supported_os: [Windows] |
1435 | urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys'] | |
1714 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] | |
1436 | 1715 | --- |
1437 | 1716 | name: WindowsRegistryFilesAndTransactionLogs |
1438 | 1717 | doc: Windows user and system Registry files and transaction logs. |
1440 | 1719 | - type: ARTIFACT_GROUP |
1441 | 1720 | attributes: |
1442 | 1721 | names: |
1443 | - 'WindowsSystemRegistryFiles' | |
1444 | - 'WindowsSystemRegistryTransactionLogFiles' | |
1445 | - 'WindowsUserRegistryFiles' | |
1446 | - 'WindowsUserRegistryTransactionLogFiles' | |
1722 | - 'WindowsSystemRegistryFiles' | |
1723 | - 'WindowsSystemRegistryTransactionLogFiles' | |
1724 | - 'WindowsUserRegistryFiles' | |
1725 | - 'WindowsUserRegistryTransactionLogFiles' | |
1447 | 1726 | labels: [System,Users] |
1448 | 1727 | supported_os: [Windows] |
1728 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
1449 | 1729 | --- |
1450 | 1730 | name: WindowsRegistryProfiles |
1451 | 1731 | doc: | |
1522 | 1802 | - type: REGISTRY_KEY |
1523 | 1803 | attributes: |
1524 | 1804 | keys: |
1525 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1526 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
1527 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1528 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1529 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1530 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' | |
1531 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1532 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1533 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1534 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1535 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1536 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
1537 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1538 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1539 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1540 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1541 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' | |
1542 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1543 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1544 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1805 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1806 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
1807 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1808 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1809 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1810 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' | |
1811 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1812 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1813 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1814 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1815 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1816 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
1817 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1818 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1819 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1820 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' | |
1821 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' | |
1822 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' | |
1823 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' | |
1824 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' | |
1545 | 1825 | labels: [Software] |
1546 | 1826 | supported_os: [Windows] |
1547 | 1827 | urls: |
1556 | 1836 | - type: REGISTRY_KEY |
1557 | 1837 | attributes: |
1558 | 1838 | keys: |
1559 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' | |
1560 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*' | |
1561 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' | |
1562 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' | |
1563 | supported_os: [Windows] | |
1564 | urls: ['https://support.microsoft.com/en-us/kb/179365'] | |
1839 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' | |
1840 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*' | |
1841 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' | |
1842 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' | |
1843 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' | |
1844 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServices\*' | |
1845 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' | |
1846 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' | |
1847 | supported_os: [Windows] | |
1848 | urls: | |
1849 | - 'https://support.microsoft.com/en-us/kb/179365' | |
1850 | - 'https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html' | |
1565 | 1851 | --- |
1566 | 1852 | name: WindowsScheduledTasks |
1567 | 1853 | doc: Windows Scheduled Tasks. |
1569 | 1855 | - type: FILE |
1570 | 1856 | attributes: |
1571 | 1857 | paths: |
1572 | - '%%environ_systemroot%%\Tasks\**10' | |
1573 | - '%%environ_systemroot%%\System32\Tasks\**10' | |
1574 | - '%%environ_systemroot%%\SysWow64\Tasks\**10' | |
1575 | separator: '\' | |
1576 | supported_os: [Windows] | |
1577 | urls: ['http://forensicswiki.org/wiki/Windows#Scheduled_Tasks'] | |
1858 | - '%%environ_systemroot%%\Tasks\**10' | |
1859 | - '%%environ_systemroot%%\System32\Tasks\**10' | |
1860 | - '%%environ_systemroot%%\SysWow64\Tasks\**10' | |
1861 | separator: '\' | |
1862 | supported_os: [Windows] | |
1863 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Scheduled_Tasks'] | |
1578 | 1864 | --- |
1579 | 1865 | name: WindowsScreenSaverExecutable |
1580 | 1866 | doc: ScreenSaver Executable |
1582 | 1868 | - type: REGISTRY_VALUE |
1583 | 1869 | attributes: |
1584 | 1870 | key_value_pairs: |
1585 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'} | |
1586 | - {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'} | |
1871 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'} | |
1872 | - {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'} | |
1587 | 1873 | supported_os: [Windows] |
1588 | 1874 | urls: |
1589 | 1875 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1599 | 1885 | separator: '\' |
1600 | 1886 | labels: [Software] |
1601 | 1887 | supported_os: [Windows] |
1602 | urls: ['http://www.forensicswiki.org/wiki/Windows_Desktop_Search'] | |
1888 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows_Desktop_Search'] | |
1603 | 1889 | --- |
1604 | 1890 | name: WindowsSecurityProviders |
1605 | 1891 | doc: Security Providers DLLs |
1627 | 1913 | - 'http://www.silentrunners.org/Silent%20Runners.vbs' |
1628 | 1914 | --- |
1629 | 1915 | name: WindowsServices |
1630 | doc: Windows services from the Registry. | |
1916 | doc: | | |
1917 | Windows services from the Registry. | |
1918 | ||
1919 | Malware can add new services to gain persistence, or modify | |
1920 | existing ones to avoid detection. For example, the ZeroAccess | |
1921 | rootkit will make the following changes to the WSCSVC (Windows | |
1922 | Security Service Center), WINDEFEND (Windows Defender), | |
1923 | and MPSSVC (Windows Firewall) services, among others | |
1924 | ||
1925 | * Set 'Start' to 4, indicating that the service should be disabled | |
1926 | * Set 'DeleteFlag' to 1, indicating that the service should be removed | |
1927 | * Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be | |
1928 | started by the Service Controller and no error messages generated | |
1631 | 1929 | sources: |
1632 | 1930 | - type: REGISTRY_KEY |
1633 | 1931 | attributes: |
1634 | 1932 | keys: |
1635 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\*\*' | |
1636 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\*\Parameters\*' | |
1933 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\*' | |
1934 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\Parameters\*' | |
1637 | 1935 | labels: [Software] |
1638 | 1936 | supported_os: [Windows] |
1639 | 1937 | urls: |
1640 | 1938 | - 'http://support.microsoft.com/kb/103000' |
1641 | - 'https://github.com/libyal/winreg-kb/wiki/System-keys' | |
1939 | - 'https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc' | |
1940 | --- | |
1941 | name: WindowsActionCenterSettings | |
1942 | doc: | | |
1943 | Windows Action Center Settings | |
1944 | ||
1945 | Malware can modify these keys to disable notifications that occur | |
1946 | when various security features are disabled. One malware family | |
1947 | known to modify these keys is Kovter, a well-known trojan. | |
1948 | sources: | |
1949 | - type: REGISTRY_VALUE | |
1950 | attributes: | |
1951 | key_value_pairs: | |
1952 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'} | |
1953 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'} | |
1954 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'} | |
1955 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'} | |
1956 | labels: [System] | |
1957 | supported_os: [Windows] | |
1958 | urls: | |
1959 | - 'https://winaero.com/blog/registry-tweak-to-disable-action-center-notifications-in-windows-7/' | |
1960 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html' | |
1961 | - 'https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/' | |
1962 | --- | |
1963 | name: WindowsBootConfigurationSettings | |
1964 | doc: | | |
1965 | Windows Boot Configuration Settings. | |
1966 | ||
1967 | These Windows Registry values are associated with the Windows Boot | |
1968 | Configuration Settings. Malware, like Cerber (ransomware), is known to | |
1969 | change the Windows Boot Configuration Settings and disable recovery options | |
1970 | like the ability to boot into safe mode. | |
1971 | ||
1972 | 'bcdedit.exe' can be used to modify the Windows Boot Configuration Settings. | |
1973 | The mappings of registry key to associated bcdedit commands is as | |
1974 | follows: | |
1975 | * 16000009: 'bcdedit.exe /set {default} recoveryenabled <yes|no>' | |
1976 | * 00 gets stored for 'no', 01 gets stored for 'yes' | |
1977 | * 250000e0: 'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures' | |
1978 | * 01 00 00 00 00 00 00 00 gets stored. Otherwise, the key is not present | |
1979 | ||
1980 | The wildcard component of the Windows Registry key is the identifier | |
1981 | associated with the Windows Boot Loader instance on a given machine. This | |
1982 | identifier can be determined by running 'bcdedit.exe /v' and looking at the | |
1983 | 'identifier' under the Windows Boot Loader section (on Windows 7 and | |
1984 | Windows 10, '{default}' [used by Cerber] points to this instance). | |
1985 | sources: | |
1986 | - type: REGISTRY_VALUE | |
1987 | attributes: | |
1988 | key_value_pairs: | |
1989 | - {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\16000009', value: 'Element'} | |
1990 | - {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\250000e0', value: 'Element'} | |
1991 | labels: [System] | |
1992 | supported_os: [Windows] | |
1993 | urls: | |
1994 | - 'https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi' | |
1995 | - 'https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html' | |
1996 | --- | |
1997 | name: WindowsDisallowedSystemCertificates | |
1998 | doc: | | |
1999 | Windows Disallowed System Certificates | |
2000 | ||
2001 | Malware can add code-signing certificates associated with | |
2002 | antivirus programs to the disallowed list to prevent the | |
2003 | AV programs from running. | |
2004 | sources: | |
2005 | - type: REGISTRY_KEY | |
2006 | attributes: | |
2007 | keys: | |
2008 | - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' | |
2009 | - 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' | |
2010 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' | |
2011 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' | |
2012 | labels: [System] | |
2013 | supported_os: [Windows] | |
2014 | urls: | |
2015 | - 'https://blog.malwarebytes.com/detections/pum-optional-misplacedcertificate/' | |
2016 | --- | |
2017 | name: WindowsExplorerSettings | |
2018 | doc: | | |
2019 | Windows Explorer Settings | |
2020 | ||
2021 | Malware can modify these keys to make it more difficult for the | |
2022 | user to detect and remove malicious software. | |
2023 | sources: | |
2024 | - type: REGISTRY_VALUE | |
2025 | attributes: | |
2026 | key_value_pairs: | |
2027 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} | |
2028 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} | |
2029 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} | |
2030 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} | |
2031 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} | |
2032 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} | |
2033 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} | |
2034 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} | |
2035 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} | |
2036 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} | |
2037 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} | |
2038 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} | |
2039 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} | |
2040 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} | |
2041 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} | |
2042 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} | |
2043 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} | |
2044 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} | |
2045 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} | |
2046 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} | |
2047 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} | |
2048 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} | |
2049 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} | |
2050 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} | |
2051 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} | |
2052 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} | |
2053 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} | |
2054 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} | |
2055 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} | |
2056 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} | |
2057 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} | |
2058 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} | |
2059 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} | |
2060 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} | |
2061 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} | |
2062 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} | |
2063 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} | |
2064 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} | |
2065 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} | |
2066 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} | |
2067 | labels: [System] | |
2068 | supported_os: [Windows] | |
2069 | urls: | |
2070 | - 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html' | |
2071 | - 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_mandrom.e' | |
2072 | - 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_deleter.ah' | |
2073 | - 'https://blog.malwarebytes.com/detections/pum-optional-disabledrightclick/' | |
2074 | - 'https://blog.malwarebytes.com/detections/pum-optional-disableshowcontrolpanel/' | |
2075 | --- | |
2076 | name: WindowsSystemSettings | |
2077 | doc: | | |
2078 | Windows System Settings | |
2079 | ||
2080 | Malware can modify these keys to make it more difficult for the | |
2081 | user to detect and remove malicious software. | |
2082 | sources: | |
2083 | - type: REGISTRY_VALUE | |
2084 | attributes: | |
2085 | key_value_pairs: | |
2086 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} | |
2087 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} | |
2088 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} | |
2089 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} | |
2090 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} | |
2091 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} | |
2092 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} | |
2093 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} | |
2094 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} | |
2095 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} | |
2096 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} | |
2097 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} | |
2098 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} | |
2099 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} | |
2100 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} | |
2101 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} | |
2102 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'} | |
2103 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'} | |
2104 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'} | |
2105 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'} | |
2106 | labels: [System] | |
2107 | supported_os: [Windows] | |
2108 | urls: | |
2109 | - 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html' | |
2110 | - 'https://www.thewindowsclub.com/enable-disable-command-prompt-windows' | |
2111 | - 'https://blog.malwarebytes.com/detections/pum-optional-disableregistrytools/' | |
2112 | - 'https://blog.malwarebytes.com/detections/pum-optional-disabletaskmgr/' | |
2113 | - 'https://www.stigviewer.com/stig/windows_7/2014-04-02/finding/V-1154' | |
2114 | - 'https://blog.malwarebytes.com/detections/pum-optional-nodispcpl/' | |
2115 | - 'https://blog.malwarebytes.com/detections/pum-optional-disablecmdprompt/' | |
2116 | --- | |
2117 | name: WindowsFirewallAuthorizedApplications | |
2118 | doc: | | |
2119 | Windows Firewall Authorized Applications | |
2120 | ||
2121 | Malware can add paths to this list to more easily communicate | |
2122 | over the network on an infected machine. For instance, Emotet | |
2123 | modifies some these settings after gaining execution. | |
2124 | sources: | |
2125 | - type: REGISTRY_KEY | |
2126 | attributes: | |
2127 | keys: | |
2128 | # Windows XP and 2003 | |
2129 | - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\*' | |
2130 | - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\*' | |
2131 | # Windows Vista and later | |
2132 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\*' | |
2133 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications\List\*' | |
2134 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\*' | |
2135 | labels: [System] | |
2136 | supported_os: [Windows] | |
2137 | urls: | |
2138 | - 'https://threatvector.cylance.com/en_us/home/threat-spotlight-eyepyramid-malware.html' | |
2139 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html' | |
2140 | --- | |
2141 | name: WindowsFirewallGloballyOpenPorts | |
2142 | doc: | | |
2143 | Windows Firewall Globally Open Ports | |
2144 | ||
2145 | Malware can add to the list of open ports to avoid | |
2146 | having to create Windows Firewall exceptions tied | |
2147 | to specific applications. | |
2148 | sources: | |
2149 | - type: REGISTRY_KEY | |
2150 | attributes: | |
2151 | keys: | |
2152 | # Windows XP and 2003 | |
2153 | - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\*' | |
2154 | - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List\*' | |
2155 | # Windows Vista and later | |
2156 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\*' | |
2157 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts\List\*' | |
2158 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\*' | |
2159 | labels: [System] | |
2160 | supported_os: [Windows] | |
2161 | urls: | |
2162 | - 'https://qaforce.wordpress.com/2009/10/06/windows-firewall-registry-keys/' | |
2163 | - 'https://github.com/steeve85/Malwares/wiki/Registry' | |
2164 | --- | |
2165 | name: WindowsFirewallPolicySettings | |
2166 | doc: | | |
2167 | Windows Firewall Policy Settings | |
2168 | ||
2169 | Malware can modify these settings to more easily communicate | |
2170 | over the network on an infected machine. For instance, Emotet | |
2171 | modifies some these settings after gaining execution. | |
2172 | sources: | |
2173 | - type: REGISTRY_VALUE | |
2174 | attributes: | |
2175 | key_value_pairs: | |
2176 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'EnableFirewall'} | |
2177 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DisableNotifications'} | |
2178 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DoNotAllowExceptions'} | |
2179 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultInboundAction'} | |
2180 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultOutboundAction'} | |
2181 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'EnableFirewall'} | |
2182 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DisableNotifications'} | |
2183 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DoNotAllowExceptions'} | |
2184 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultInboundAction'} | |
2185 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultOutboundAction'} | |
2186 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'EnableFirewall'} | |
2187 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DisableNotifications'} | |
2188 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DoNotAllowExceptions'} | |
2189 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultInboundAction'} | |
2190 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultOutboundAction'} | |
2191 | labels: [System] | |
2192 | supported_os: [Windows] | |
2193 | urls: | |
2194 | - 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-enablefirewall' | |
2195 | - 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-disablenotifications' | |
2196 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' | |
2197 | --- | |
2198 | name: WindowsSecurityCenterSettings | |
2199 | doc: | | |
2200 | Windows Security Center Settings | |
2201 | ||
2202 | Malware can modify these settings to avoid detection on | |
2203 | an infected machine. For instance, Emotet modifies some of | |
2204 | these settings after gaining execution. | |
2205 | sources: | |
2206 | - type: REGISTRY_VALUE | |
2207 | attributes: | |
2208 | key_value_pairs: | |
2209 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'} | |
2210 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'} | |
2211 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusDisableNotify'} | |
2212 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusDisableNotify'} | |
2213 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusOverride'} | |
2214 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusOverride'} | |
2215 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'} | |
2216 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'} | |
2217 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallDisableNotify'} | |
2218 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'FirewallDisableNotify'} | |
2219 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallOverride'} | |
2220 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'FirewallOverride'} | |
2221 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesDisableNotify'} | |
2222 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesDisableNotify'} | |
2223 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesOverride'} | |
2224 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesOverride'} | |
2225 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UacDisableNotify'} | |
2226 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UacDisableNotify'} | |
2227 | labels: [System] | |
2228 | supported_os: [Windows] | |
2229 | urls: | |
2230 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' | |
2231 | - 'https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking' | |
2232 | - 'https://ccm.net/faq/1446-disabling-security-alerts-under-vista' | |
2233 | --- | |
2234 | name: WindowsSystemRestoreSettings | |
2235 | doc: | | |
2236 | Windows System Restore Settings | |
2237 | ||
2238 | Some malware, especially ransomware, will disable system restore | |
2239 | to make system recovery more difficult. | |
2240 | sources: | |
2241 | - type: REGISTRY_VALUE | |
2242 | attributes: | |
2243 | key_value_pairs: | |
2244 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'} | |
2245 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'} | |
2246 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'} | |
2247 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'} | |
2248 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'} | |
2249 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'} | |
2250 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'} | |
2251 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'} | |
2252 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'} | |
2253 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'} | |
2254 | labels: [System] | |
2255 | supported_os: [Windows] | |
2256 | urls: | |
2257 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' | |
2258 | - 'https://www.windows-commandline.com/enable-disable-system-restore-service/' | |
2259 | - 'https://docs.microsoft.com/en-us/windows/desktop/msi/limitsystemrestorecheckpointing' | |
2260 | --- | |
2261 | name: WindowsUserAccountControlSettings | |
2262 | doc: | | |
2263 | Windows User Account Control Settings | |
2264 | ||
2265 | Malware sometimes disables UAC to make it easier to perform | |
2266 | actions on an infected machine. | |
2267 | sources: | |
2268 | - type: REGISTRY_VALUE | |
2269 | attributes: | |
2270 | key_value_pairs: | |
2271 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'} | |
2272 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'} | |
2273 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'} | |
2274 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'} | |
2275 | labels: [System] | |
2276 | supported_os: [Windows] | |
2277 | urls: | |
2278 | - 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec' | |
2279 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' | |
2280 | - 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4' | |
2281 | --- | |
2282 | name: WindowsUpgradeSettings | |
2283 | doc: | | |
2284 | Windows Upgrade Settings | |
2285 | ||
2286 | Malware sometimes disables a machine ability to upgrade from | |
2287 | previous versions of Windows to Windows 10. One malware family | |
2288 | known to modify these keys is Kovter, a well-known trojan. | |
2289 | sources: | |
2290 | - type: REGISTRY_VALUE | |
2291 | attributes: | |
2292 | key_value_pairs: | |
2293 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate', value: 'DisableOSUpgrade'} | |
2294 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate', value: 'DisableOSUpgrade'} | |
2295 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade', value: 'ReservationsAllowed'} | |
2296 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade', value: 'ReservationsAllowed'} | |
2297 | labels: [System] | |
2298 | supported_os: [Windows] | |
2299 | urls: | |
2300 | - 'https://www.ghacks.net/2016/01/08/disableosupgrade-prevents-the-upgrade-to-windows-10/' | |
2301 | - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html' | |
2302 | --- | |
2303 | name: WindowsUpdateSettings | |
2304 | doc: Windows Update Settings | |
2305 | sources: | |
2306 | - type: REGISTRY_VALUE | |
2307 | attributes: | |
2308 | key_value_pairs: | |
2309 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'} | |
2310 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'} | |
2311 | labels: [System] | |
2312 | supported_os: [Windows] | |
2313 | urls: | |
2314 | - 'https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings' | |
2315 | - 'https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html' | |
2316 | --- | |
2317 | name: WindowsFontDrivers | |
2318 | doc: Windows font drivers from the Registry. | |
2319 | sources: | |
2320 | - type: REGISTRY_KEY | |
2321 | attributes: | |
2322 | keys: | |
2323 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers\*' | |
2324 | labels: [Software] | |
2325 | supported_os: [Windows] | |
2326 | urls: | |
2327 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
1642 | 2328 | --- |
1643 | 2329 | name: WindowsSessionManagerBootExecute |
1644 | 2330 | doc: Windows Session Manager BootExecute persistence. |
1650 | 2336 | urls: ['https://technet.microsoft.com/en-us/library/cc963230.aspx'] |
1651 | 2337 | --- |
1652 | 2338 | name: WindowsSessionManagerExecute |
1653 | doc: Windows Session Manager Execute persistence | |
2339 | doc: | | |
2340 | Windows Session Manager Execute persistence | |
2341 | ||
2342 | This entry shouldn't be populated after Windows has been installed | |
1654 | 2343 | sources: |
1655 | 2344 | - type: REGISTRY_VALUE |
1656 | 2345 | attributes: |
1657 | 2346 | key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'Execute'}] |
1658 | 2347 | supported_os: [Windows] |
1659 | urls: ['https://technet.microsoft.com/en-us/library/cc976130.aspx'] | |
2348 | urls: | |
2349 | - 'https://technet.microsoft.com/en-us/library/cc976130.aspx' | |
2350 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
2351 | --- | |
2352 | name: WindowsSessionManagerS0InitialCommand | |
2353 | doc: | | |
2354 | Windows Session Manager S0InitialCommand persistence | |
2355 | ||
2356 | This entry shouldn't be populated after Windows has been installed | |
2357 | sources: | |
2358 | - type: REGISTRY_VALUE | |
2359 | attributes: | |
2360 | key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'S0InitialCommand'}] | |
2361 | supported_os: [Windows] | |
2362 | urls: | |
2363 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx' | |
2364 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
1660 | 2365 | --- |
1661 | 2366 | name: WindowsSessionManagerSetupExecute |
1662 | doc: Windows Session Manager SetupExecute persistence | |
2367 | doc: | | |
2368 | Windows Session Manager SetupExecute persistence | |
2369 | ||
2370 | This entry shouldn't be populated after Windows has been installed | |
1663 | 2371 | sources: |
1664 | 2372 | - type: REGISTRY_VALUE |
1665 | 2373 | attributes: |
1666 | 2374 | key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'SetupExecute'}] |
1667 | 2375 | supported_os: [Windows] |
1668 | urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx'] | |
2376 | urls: | |
2377 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx' | |
2378 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
1669 | 2379 | --- |
1670 | 2380 | name: WindowsSessionManagerSubSystems |
1671 | 2381 | doc: Windows Session Manager SubSystems persistence |
1684 | 2394 | - type: REGISTRY_VALUE |
1685 | 2395 | attributes: |
1686 | 2396 | key_value_pairs: |
1687 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline'} | |
1688 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'wowcmdline'} | |
2397 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline'} | |
2398 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'wowcmdline'} | |
1689 | 2399 | supported_os: [Windows] |
1690 | 2400 | urls: ['https://support.microsoft.com/en-us/kb/102986'] |
2401 | --- | |
2402 | name: WindowsSetupCommandLine | |
2403 | doc: Command line invocation used for custom setup and deployment tasks | |
2404 | sources: | |
2405 | - type: REGISTRY_VALUE | |
2406 | attributes: | |
2407 | key_value_pairs: | |
2408 | - {key: 'HKEY_LOCAL_MACHINE\System\Setup', value: 'CmdLine'} | |
2409 | supported_os: [Windows] | |
2410 | urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] | |
1691 | 2411 | --- |
1692 | 2412 | name: WindowsSharedTaskScheduler |
1693 | 2413 | doc: Runs on windows boot. |
1695 | 2415 | - type: REGISTRY_KEY |
1696 | 2416 | attributes: |
1697 | 2417 | keys: |
1698 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' | |
1699 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' | |
2418 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' | |
2419 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' | |
1700 | 2420 | supported_os: [Windows] |
1701 | 2421 | urls: |
1702 | 2422 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1708 | 2428 | - type: REGISTRY_KEY |
1709 | 2429 | attributes: |
1710 | 2430 | keys: |
1711 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' | |
1712 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' | |
2431 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' | |
2432 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' | |
1713 | 2433 | supported_os: [Windows] |
1714 | 2434 | urls: |
1715 | 2435 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1722 | 2442 | - type: REGISTRY_KEY |
1723 | 2443 | attributes: |
1724 | 2444 | keys: |
1725 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
1726 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
1727 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
1728 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
2445 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
2446 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
2447 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
2448 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | |
1729 | 2449 | supported_os: [Windows] |
1730 | 2450 | urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110(v=vs.85).aspx'] |
1731 | 2451 | --- |
1740 | 2460 | - type: REGISTRY_KEY |
1741 | 2461 | attributes: |
1742 | 2462 | keys: |
1743 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ColumnHandlers\*' | |
1744 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\*' | |
1745 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\CopyHookHandlers\*' | |
1746 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\DragDropHandlers\*' | |
1747 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\PropertySheetHandlers\*' | |
1748 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
1749 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' | |
1750 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' | |
1751 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
1752 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' | |
1753 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' | |
1754 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' | |
1755 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' | |
1756 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' | |
1757 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
1758 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' | |
1759 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' | |
1760 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
1761 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ColumnHandlers\*' | |
1762 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ContextMenuHandlers\*' | |
1763 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\CopyHookHandlers\*' | |
1764 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\DragDropHandlers\*' | |
1765 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\PropertySheetHandlers\*' | |
1766 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
1767 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' | |
1768 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' | |
1769 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
1770 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' | |
1771 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' | |
1772 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' | |
1773 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' | |
1774 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' | |
1775 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
1776 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' | |
1777 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' | |
1778 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
2463 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ColumnHandlers\*' | |
2464 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\*' | |
2465 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\CopyHookHandlers\*' | |
2466 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\DragDropHandlers\*' | |
2467 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\PropertySheetHandlers\*' | |
2468 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
2469 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' | |
2470 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' | |
2471 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
2472 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' | |
2473 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' | |
2474 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' | |
2475 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' | |
2476 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' | |
2477 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
2478 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' | |
2479 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' | |
2480 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
2481 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ColumnHandlers\*' | |
2482 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ContextMenuHandlers\*' | |
2483 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\CopyHookHandlers\*' | |
2484 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\DragDropHandlers\*' | |
2485 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\PropertySheetHandlers\*' | |
2486 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
2487 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' | |
2488 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' | |
2489 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
2490 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' | |
2491 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' | |
2492 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' | |
2493 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' | |
2494 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' | |
2495 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' | |
2496 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' | |
2497 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' | |
2498 | - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' | |
1779 | 2499 | supported_os: [Windows] |
1780 | 2500 | urls: |
1781 | 2501 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1788 | 2508 | - type: REGISTRY_KEY |
1789 | 2509 | attributes: |
1790 | 2510 | keys: |
1791 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
1792 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
1793 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
1794 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
2511 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
2512 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
2513 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
2514 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' | |
1795 | 2515 | supported_os: [Windows] |
1796 | 2516 | urls: |
1797 | 2517 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
1803 | 2523 | - type: REGISTRY_VALUE |
1804 | 2524 | attributes: |
1805 | 2525 | key_value_pairs: |
1806 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} | |
1807 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} | |
1808 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} | |
1809 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} | |
2526 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} | |
2527 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} | |
2528 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} | |
2529 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} | |
1810 | 2530 | supported_os: [Windows] |
1811 | 2531 | urls: ['https://support.microsoft.com/en-us/kb/103865'] |
1812 | 2532 | --- |
2533 | name: WindowsIconServiceLib | |
2534 | doc: | | |
2535 | Windows Icon Service Library Name | |
2536 | ||
2537 | The value should default to 'IconCodecService.dll' | |
2538 | sources: | |
2539 | - type: REGISTRY_VALUE | |
2540 | attributes: | |
2541 | key_value_pairs: | |
2542 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'IconServiceLib'} | |
2543 | supported_os: [Windows] | |
2544 | urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] | |
2545 | --- | |
1813 | 2546 | name: WindowsShellOpenCommand |
1814 | doc: Executed every time this file type is opened, should be "%1 %*". | |
1815 | sources: | |
1816 | - type: REGISTRY_KEY | |
1817 | attributes: | |
1818 | keys: | |
1819 | - 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command' | |
1820 | - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command' | |
1821 | supported_os: [Windows] | |
1822 | urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610'] | |
2547 | doc: Executed every time this file type is opened. For most file types, the value should be '"%1" %*'. | |
2548 | sources: | |
2549 | - type: REGISTRY_VALUE | |
2550 | attributes: | |
2551 | key_value_pairs: | |
2552 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: ''} | |
2553 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: 'IsolatedCommand'} | |
2554 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: ''} | |
2555 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand'} | |
2556 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: ''} | |
2557 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: 'IsolatedCommand'} | |
2558 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: ''} | |
2559 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand'} | |
2560 | supported_os: [Windows] | |
2561 | urls: | |
2562 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' | |
2563 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
2564 | - 'https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/' | |
2565 | --- | |
2566 | name: WindowsShellRunasCommand | |
2567 | doc: | | |
2568 | Executed every time an executable or script file type is run as administrator. | |
2569 | ||
2570 | For most file types, the value should be '"%1" %*' or something similar. | |
2571 | Example file type subkeys include 'exefile', 'batfile', and 'cmdfile'. These | |
2572 | keys can be modified by malware as a way to be periodically executed or to | |
2573 | bypass UAC. | |
2574 | sources: | |
2575 | - type: REGISTRY_VALUE | |
2576 | attributes: | |
2577 | key_value_pairs: | |
2578 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: ''} | |
2579 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand'} | |
2580 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: ''} | |
2581 | - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand'} | |
2582 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: ''} | |
2583 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand'} | |
2584 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: ''} | |
2585 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand'} | |
2586 | supported_os: [Windows] | |
2587 | urls: | |
2588 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' | |
2589 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
2590 | - 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/' | |
1823 | 2591 | --- |
1824 | 2592 | name: WindowsShellServiceObjects |
1825 | 2593 | doc: Windows Shell (explorer.exe) service objects delayed load. |
1827 | 2595 | - type: REGISTRY_KEY |
1828 | 2596 | attributes: |
1829 | 2597 | keys: |
1830 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' | |
1831 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' | |
2598 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' | |
2599 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' | |
1832 | 2600 | supported_os: [Windows] |
1833 | 2601 | urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2'] |
1834 | 2602 | --- |
1843 | 2611 | - type: FILE |
1844 | 2612 | attributes: |
1845 | 2613 | paths: |
1846 | - '%%environ_systemroot%%\inf\setupapi.app.log' | |
1847 | - '%%environ_systemroot%%\inf\setupapi.dev.log' | |
1848 | - '%%environ_systemroot%%\inf\setupapi.offline.log' | |
2614 | - '%%environ_systemroot%%\inf\setupapi.app.log' | |
2615 | - '%%environ_systemroot%%\inf\setupapi.dev.log' | |
2616 | - '%%environ_systemroot%%\inf\setupapi.offline.log' | |
1849 | 2617 | separator: '\' |
1850 | 2618 | conditions: [os_major_version >= 6] |
1851 | 2619 | labels: [Logs] |
1852 | 2620 | supported_os: [Windows] |
1853 | urls: ['http://www.forensicswiki.org/wiki/Setup_API_Logs'] | |
2621 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=Setup_API_Logs'] | |
1854 | 2622 | --- |
1855 | 2623 | name: WindowsShutdownScript |
1856 | 2624 | doc: Windows policy shutdown script |
1858 | 2626 | - type: REGISTRY_VALUE |
1859 | 2627 | attributes: |
1860 | 2628 | key_value_pairs: |
1861 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Shutdown'} | |
1862 | supported_os: [Windows] | |
1863 | urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] | |
2629 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Shutdown'} | |
2630 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\*', value: 'Script'} | |
2631 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\*', value: 'Parameters'} | |
2632 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\*\*', value: 'Script'} | |
2633 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\*\*', value: 'Parameters'} | |
2634 | supported_os: [Windows] | |
2635 | urls: | |
2636 | - 'https://technet.microsoft.com/en-us/library/ff404236.aspx' | |
2637 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
1864 | 2638 | --- |
1865 | 2639 | name: WindowsStartupFolderModification |
1866 | 2640 | doc: Windows startup folder Registry values. |
1868 | 2642 | - type: REGISTRY_VALUE |
1869 | 2643 | attributes: |
1870 | 2644 | key_value_pairs: |
1871 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
1872 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
1873 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
1874 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
1875 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
1876 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
1877 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
1878 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
1879 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
1880 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
1881 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
1882 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
1883 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
1884 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
1885 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
1886 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
2645 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
2646 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
2647 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
2648 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
2649 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
2650 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
2651 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
2652 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
2653 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
2654 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
2655 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
2656 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
2657 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} | |
2658 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} | |
2659 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} | |
2660 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} | |
1887 | 2661 | supported_os: [Windows] |
1888 | 2662 | --- |
1889 | 2663 | name: WindowsStartupFolders |
1892 | 2666 | - type: FILE |
1893 | 2667 | attributes: |
1894 | 2668 | paths: |
1895 | - '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*' | |
1896 | - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*' | |
1897 | - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*' | |
1898 | - '%%users.userprofile%%\Start Menu\Programs\Startup\*' | |
2669 | - '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*' | |
2670 | - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*' | |
2671 | - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*' | |
2672 | - '%%users.userprofile%%\Start Menu\Programs\Startup\*' | |
1899 | 2673 | separator: '\' |
1900 | 2674 | supported_os: [Windows] |
1901 | 2675 | --- |
1905 | 2679 | - type: REGISTRY_VALUE |
1906 | 2680 | attributes: |
1907 | 2681 | key_value_pairs: |
1908 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup'} | |
1909 | supported_os: [Windows] | |
1910 | urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] | |
2682 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup'} | |
2683 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Script'} | |
2684 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Parameters'} | |
2685 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Script'} | |
2686 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Parameters'} | |
2687 | supported_os: [Windows] | |
2688 | urls: | |
2689 | - 'https://technet.microsoft.com/en-us/library/ff404236.aspx' | |
2690 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
1911 | 2691 | --- |
1912 | 2692 | name: WindowsStubPaths |
1913 | doc: Windows StubPath persistence. | |
1914 | sources: | |
1915 | - type: REGISTRY_VALUE | |
1916 | attributes: | |
1917 | key_value_pairs: | |
1918 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
1919 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
1920 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
1921 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
1922 | supported_os: [Windows] | |
2693 | doc: | | |
2694 | Windows StubPath persistence. | |
2695 | ||
2696 | Each time a user logs in, the Active Setup Installed Components in HKLM | |
2697 | are compared ot the ones in HKCU, and if any are missing, or if the | |
2698 | associated version is less, the program is executed. | |
2699 | sources: | |
2700 | - type: REGISTRY_VALUE | |
2701 | attributes: | |
2702 | key_value_pairs: | |
2703 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
2704 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version'} | |
2705 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
2706 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version'} | |
2707 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
2708 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version'} | |
2709 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} | |
2710 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version'} | |
2711 | supported_os: [Windows] | |
2712 | urls: | |
2713 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
2714 | - 'http://bonemanblog.blogspot.com/2004/12/active-setup-registry-keys-and-their.html' | |
1923 | 2715 | --- |
1924 | 2716 | name: WindowsSuperFetchFiles |
1925 | 2717 | doc: Windows SuperFetch files. |
1927 | 2719 | - type: FILE |
1928 | 2720 | attributes: |
1929 | 2721 | paths: |
1930 | - '%%environ_systemroot%%\Prefetch\Ag*.db' | |
1931 | - '%%environ_systemroot%%\Prefetch\Ag*.db.trx' | |
2722 | - '%%environ_systemroot%%\Prefetch\Ag*.db' | |
2723 | - '%%environ_systemroot%%\Prefetch\Ag*.db.trx' | |
1932 | 2724 | separator: '\' |
1933 | 2725 | labels: [System] |
1934 | 2726 | supported_os: [Windows] |
1935 | urls: ['http://www.forensicswiki.org/wiki/SuperFetch'] | |
2727 | urls: ['https://forensicswiki.xyz/wiki/index.php?title=SuperFetch'] | |
1936 | 2728 | --- |
1937 | 2729 | name: WindowsSystemIniFiles |
1938 | 2730 | doc: Windows system ini files |
1940 | 2732 | - type: FILE |
1941 | 2733 | attributes: |
1942 | 2734 | paths: |
1943 | - '%%environ_systemdrive%%\system.ini' | |
1944 | - '%%environ_windir%%\win.ini' | |
1945 | - '%%environ_windir%%\wininit.ini' | |
2735 | - '%%environ_systemdrive%%\system.ini' | |
2736 | - '%%environ_windir%%\win.ini' | |
2737 | - '%%environ_windir%%\wininit.ini' | |
1946 | 2738 | separator: '\' |
1947 | 2739 | supported_os: [Windows] |
1948 | 2740 | --- |
1952 | 2744 | - type: REGISTRY_VALUE |
1953 | 2745 | attributes: |
1954 | 2746 | key_value_pairs: |
1955 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} | |
1956 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} | |
2747 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} | |
2748 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} | |
1957 | 2749 | supported_os: [Windows] |
1958 | 2750 | urls: ['https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx'] |
1959 | 2751 | --- |
1963 | 2755 | - type: FILE |
1964 | 2756 | attributes: |
1965 | 2757 | paths: |
1966 | - '%%environ_systemroot%%\System32\config\RegBack\SAM' | |
1967 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY' | |
1968 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE' | |
1969 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM' | |
2758 | - '%%environ_systemroot%%\System32\config\RegBack\SAM' | |
2759 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY' | |
2760 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE' | |
2761 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM' | |
1970 | 2762 | separator: '\' |
1971 | 2763 | labels: [System] |
1972 | 2764 | supported_os: [Windows] |
1973 | urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#types-of-files'] | |
2765 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
1974 | 2766 | --- |
1975 | 2767 | name: WindowsSystemRegistryTransactionLogFilesBackup |
1976 | 2768 | doc: | |
1981 | 2773 | - type: FILE |
1982 | 2774 | attributes: |
1983 | 2775 | paths: |
1984 | - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG' | |
1985 | - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1' | |
1986 | - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2' | |
1987 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG' | |
1988 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1' | |
1989 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2' | |
1990 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG' | |
1991 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1' | |
1992 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2' | |
1993 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG' | |
1994 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1' | |
1995 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2' | |
2776 | - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG' | |
2777 | - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1' | |
2778 | - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2' | |
2779 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG' | |
2780 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1' | |
2781 | - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2' | |
2782 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG' | |
2783 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1' | |
2784 | - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2' | |
2785 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG' | |
2786 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1' | |
2787 | - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2' | |
1996 | 2788 | separator: '\' |
1997 | 2789 | labels: [System] |
1998 | 2790 | supported_os: [Windows] |
1999 | urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#types-of-files'] | |
2791 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2000 | 2792 | --- |
2001 | 2793 | name: WindowsSystemRegistryFiles |
2002 | 2794 | doc: Windows system Registry files. |
2004 | 2796 | - type: FILE |
2005 | 2797 | attributes: |
2006 | 2798 | paths: |
2007 | - '%%environ_systemroot%%\System32\config\SAM' | |
2008 | - '%%environ_systemroot%%\System32\config\SECURITY' | |
2009 | - '%%environ_systemroot%%\System32\config\SOFTWARE' | |
2010 | - '%%environ_systemroot%%\System32\config\SYSTEM' | |
2011 | - '\System Volume Information\Syscache.hve' | |
2799 | - '%%environ_systemroot%%\System32\config\SAM' | |
2800 | - '%%environ_systemroot%%\System32\config\SECURITY' | |
2801 | - '%%environ_systemroot%%\System32\config\SOFTWARE' | |
2802 | - '%%environ_systemroot%%\System32\config\SYSTEM' | |
2803 | - '\System Volume Information\Syscache.hve' | |
2012 | 2804 | separator: '\' |
2013 | 2805 | labels: [System] |
2014 | 2806 | supported_os: [Windows] |
2015 | urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files'] | |
2807 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2016 | 2808 | --- |
2017 | 2809 | name: WindowsSystemRegistryTransactionLogFiles |
2018 | 2810 | doc: Windows system Registry transaction log files. |
2020 | 2812 | - type: FILE |
2021 | 2813 | attributes: |
2022 | 2814 | paths: |
2023 | - '%%environ_systemroot%%\System32\config\SAM.LOG' | |
2024 | - '%%environ_systemroot%%\System32\config\SAM.LOG1' | |
2025 | - '%%environ_systemroot%%\System32\config\SAM.LOG2' | |
2026 | - '%%environ_systemroot%%\System32\config\SECURITY.LOG' | |
2027 | - '%%environ_systemroot%%\System32\config\SECURITY.LOG1' | |
2028 | - '%%environ_systemroot%%\System32\config\SECURITY.LOG2' | |
2029 | - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG' | |
2030 | - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1' | |
2031 | - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2' | |
2032 | - '%%environ_systemroot%%\System32\config\SYSTEM.LOG' | |
2033 | - '%%environ_systemroot%%\System32\config\SYSTEM.LOG1' | |
2034 | - '%%environ_systemroot%%\System32\config\SYSTEM.LOG2' | |
2815 | - '%%environ_systemroot%%\System32\config\SAM.LOG' | |
2816 | - '%%environ_systemroot%%\System32\config\SAM.LOG1' | |
2817 | - '%%environ_systemroot%%\System32\config\SAM.LOG2' | |
2818 | - '%%environ_systemroot%%\System32\config\SECURITY.LOG' | |
2819 | - '%%environ_systemroot%%\System32\config\SECURITY.LOG1' | |
2820 | - '%%environ_systemroot%%\System32\config\SECURITY.LOG2' | |
2821 | - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG' | |
2822 | - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1' | |
2823 | - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2' | |
2824 | - '%%environ_systemroot%%\System32\config\SYSTEM.LOG' | |
2825 | - '%%environ_systemroot%%\System32\config\SYSTEM.LOG1' | |
2826 | - '%%environ_systemroot%%\System32\config\SYSTEM.LOG2' | |
2035 | 2827 | separator: '\' |
2036 | 2828 | labels: [System] |
2037 | 2829 | supported_os: [Windows] |
2038 | urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files'] | |
2830 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2039 | 2831 | --- |
2040 | 2832 | name: WindowsSystemRegistryFilesAndTransactionLogs |
2041 | 2833 | doc: Windows system Registry files and transaction logs. |
2043 | 2835 | - type: ARTIFACT_GROUP |
2044 | 2836 | attributes: |
2045 | 2837 | names: |
2046 | - 'WindowsSystemRegistryFiles' | |
2047 | - 'WindowsSystemRegistryTransactionLogFiles' | |
2838 | - 'WindowsSystemRegistryFiles' | |
2839 | - 'WindowsSystemRegistryTransactionLogFiles' | |
2048 | 2840 | labels: [System] |
2049 | 2841 | supported_os: [Windows] |
2842 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2050 | 2843 | --- |
2051 | 2844 | name: WindowsSystemResourceUsageMonitorDatabaseFile |
2052 | 2845 | doc: Windows System Resource Usage Monitor (SRUM) database file. |
2076 | 2869 | - type: REGISTRY_KEY |
2077 | 2870 | attributes: |
2078 | 2871 | keys: |
2079 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2080 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2081 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2082 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2083 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2084 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2085 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2086 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2087 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2088 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2089 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2090 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2872 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2873 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2874 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2875 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2876 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2877 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2878 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2879 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2880 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2881 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' | |
2882 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' | |
2883 | - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' | |
2091 | 2884 | supported_os: [Windows] |
2092 | 2885 | urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610'] |
2093 | 2886 | --- |
2097 | 2890 | - type: REGISTRY_VALUE |
2098 | 2891 | attributes: |
2099 | 2892 | key_value_pairs: |
2100 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms'} | |
2893 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms'} | |
2101 | 2894 | supported_os: [Windows] |
2102 | 2895 | urls: ['http://forum.sysinternals.com/rdpclip_topic4729.html'] |
2896 | --- | |
2897 | name: WindowsTerminalServerInitialProgram | |
2898 | doc: Windows Terminal Server Initial Program | |
2899 | sources: | |
2900 | - type: REGISTRY_VALUE | |
2901 | attributes: | |
2902 | key_value_pairs: | |
2903 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', value: 'InitialProgram'} | |
2904 | - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} | |
2905 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} | |
2906 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} | |
2907 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} | |
2908 | supported_os: [Windows] | |
2909 | urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] | |
2910 | --- | |
2911 | name: WindowsActiveSyncAutoStart | |
2912 | doc: Windows ActiveSync AutoStart entries | |
2913 | sources: | |
2914 | - type: REGISTRY_KEY | |
2915 | attributes: | |
2916 | keys: | |
2917 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnConnect\*' | |
2918 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect\*' | |
2919 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect\*' | |
2920 | - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect\*' | |
2921 | supported_os: [Windows] | |
2922 | urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] | |
2103 | 2923 | --- |
2104 | 2924 | name: WindowsTimezone |
2105 | 2925 | doc: The timezone of the system in Olson format. |
2106 | 2926 | sources: |
2107 | 2927 | - type: REGISTRY_VALUE |
2108 | attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]} | |
2928 | attributes: | |
2929 | key_value_pairs: | |
2930 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'} | |
2931 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'} | |
2109 | 2932 | provides: [time_zone] |
2110 | 2933 | supported_os: [Windows] |
2111 | urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys'] | |
2934 | urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc'] | |
2112 | 2935 | --- |
2113 | 2936 | name: WindowsToolPaths |
2114 | 2937 | doc: Paths to windows tools such as defrag, chkdsk. |
2116 | 2939 | - type: REGISTRY_KEY |
2117 | 2940 | attributes: |
2118 | 2941 | keys: |
2119 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath' | |
2120 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath' | |
2121 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath' | |
2122 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath' | |
2942 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath' | |
2943 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath' | |
2944 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath' | |
2945 | - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath' | |
2123 | 2946 | supported_os: [Windows] |
2124 | 2947 | urls: |
2125 | 2948 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
2130 | 2953 | sources: |
2131 | 2954 | - type: REGISTRY_KEY |
2132 | 2955 | attributes: |
2133 | keys: | |
2134 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | |
2135 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Userdata\%%users.sid%%\Products\*\InstallProperties' | |
2956 | keys: | |
2957 | - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' | |
2958 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' | |
2136 | 2959 | supported_os: [Windows] |
2137 | 2960 | urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx'] |
2138 | 2961 | --- |
2153 | 2976 | - type: REGISTRY_VALUE |
2154 | 2977 | attributes: |
2155 | 2978 | key_value_pairs: |
2156 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'} | |
2157 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'} | |
2158 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'} | |
2159 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'} | |
2160 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'} | |
2161 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'} | |
2162 | supported_os: [Windows] | |
2163 | urls: | |
2164 | - 'http://forensicswiki.org/wiki/Windows_Update' | |
2979 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'} | |
2980 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'} | |
2981 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'} | |
2982 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'} | |
2983 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'} | |
2984 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'} | |
2985 | supported_os: [Windows] | |
2986 | urls: | |
2987 | - 'https://forensicswiki.xyz/wiki/index.php?title=Windows_Update' | |
2165 | 2988 | - 'http://blogs.msdn.com/b/aruns_blog/archive/2011/06/20/active-setup-registry-key-what-it-is-and-how-to-create-in-the-package-using-admin-studio-install-shield.aspx' |
2989 | --- | |
2990 | name: WindowsUserAutomaticDestinationsJumpLists | |
2991 | doc: Windows user AutomaticDestinations Jump Lists. | |
2992 | sources: | |
2993 | - type: FILE | |
2994 | attributes: | |
2995 | paths: ['%%users.appdata%%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms'] | |
2996 | separator: '\' | |
2997 | labels: [Users] | |
2998 | supported_os: [Windows] | |
2999 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
3000 | --- | |
3001 | name: WindowsUserCustomDestinationsJumpLists | |
3002 | doc: Windows user CustomDestinations Jump Lists. | |
3003 | sources: | |
3004 | - type: FILE | |
3005 | attributes: | |
3006 | paths: ['%%users.appdata%%\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms'] | |
3007 | separator: '\' | |
3008 | labels: [Users] | |
3009 | supported_os: [Windows] | |
3010 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
2166 | 3011 | --- |
2167 | 3012 | name: WindowsUserDownloadsDirectory |
2168 | 3013 | doc: User downloads directory |
2174 | 3019 | labels: [Users] |
2175 | 3020 | supported_os: [Windows] |
2176 | 3021 | --- |
3022 | name: WindowsUserJumpLists | |
3023 | doc: Windows user Jump Lists. | |
3024 | sources: | |
3025 | - type: ARTIFACT_GROUP | |
3026 | attributes: | |
3027 | names: | |
3028 | - 'WindowsProgramsCacheJumpLists' | |
3029 | - 'WindowsUserAutomaticDestinationsJumpLists' | |
3030 | - 'WindowsUserCustomDestinationsJumpLists' | |
3031 | labels: [Users] | |
3032 | supported_os: [Windows] | |
3033 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md'] | |
3034 | --- | |
2177 | 3035 | name: WindowsUserRecentFiles |
2178 | 3036 | doc: Windows user specific recent files. |
2179 | 3037 | sources: |
2180 | 3038 | - type: FILE |
2181 | 3039 | attributes: |
2182 | 3040 | paths: |
2183 | - '%%users.appdata%%\Microsoft\Office\Recent\*' | |
2184 | - '%%users.appdata%%\Microsoft\Windows\Recent\*' | |
3041 | - '%%users.appdata%%\Microsoft\Office\Recent\*' | |
3042 | - '%%users.appdata%%\Microsoft\Windows\Recent\*' | |
2185 | 3043 | separator: '\' |
2186 | 3044 | labels: [Users] |
2187 | 3045 | supported_os: [Windows] |
2192 | 3050 | - type: FILE |
2193 | 3051 | attributes: |
2194 | 3052 | paths: |
2195 | - '%%users.userprofile%%\NTUSER.DAT' | |
2196 | - '%%users.userprofile%%\NTUSER.MAN' | |
2197 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat' | |
3053 | - '%%users.userprofile%%\NTUSER.DAT' | |
3054 | - '%%users.userprofile%%\NTUSER.MAN' | |
3055 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat' | |
2198 | 3056 | separator: '\' |
2199 | 3057 | labels: [Users] |
2200 | 3058 | supported_os: [Windows] |
2201 | urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files'] | |
3059 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2202 | 3060 | --- |
2203 | 3061 | name: WindowsUserRegistryTransactionLogFiles |
2204 | 3062 | doc: Windows user Registry transaction log files. |
2206 | 3064 | - type: FILE |
2207 | 3065 | attributes: |
2208 | 3066 | paths: |
2209 | - '%%users.userprofile%%\NTUSER.DAT.LOG' | |
2210 | - '%%users.userprofile%%\NTUSER.DAT.LOG1' | |
2211 | - '%%users.userprofile%%\NTUSER.DAT.LOG2' | |
2212 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG' | |
2213 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1' | |
2214 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2' | |
3067 | - '%%users.userprofile%%\NTUSER.DAT.LOG' | |
3068 | - '%%users.userprofile%%\NTUSER.DAT.LOG1' | |
3069 | - '%%users.userprofile%%\NTUSER.DAT.LOG2' | |
3070 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG' | |
3071 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1' | |
3072 | - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2' | |
2215 | 3073 | separator: '\' |
2216 | 3074 | labels: [Users] |
2217 | 3075 | supported_os: [Windows] |
2218 | urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files'] | |
3076 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2219 | 3077 | --- |
2220 | 3078 | name: WindowsUserRegistryFilesAndTransactionLogs |
2221 | 3079 | doc: Windows user Registry files and transaction logs. |
2223 | 3081 | - type: ARTIFACT_GROUP |
2224 | 3082 | attributes: |
2225 | 3083 | names: |
2226 | - 'WindowsUserRegistryFiles' | |
2227 | - 'WindowsUserRegistryTransactionLogFiles' | |
3084 | - 'WindowsUserRegistryFiles' | |
3085 | - 'WindowsUserRegistryTransactionLogFiles' | |
2228 | 3086 | labels: [Users] |
2229 | 3087 | supported_os: [Windows] |
3088 | urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md'] | |
2230 | 3089 | --- |
2231 | 3090 | name: WindowsUserShellFolders |
2232 | 3091 | doc: The Shell Folders information for Windows users. |
2234 | 3093 | - type: REGISTRY_KEY |
2235 | 3094 | attributes: |
2236 | 3095 | keys: |
2237 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*' | |
2238 | - 'HKEY_USERS\%%users.sid%%\Environment\*' | |
2239 | - 'HKEY_USERS\%%users.sid%%\Volatile Environment\*' | |
3096 | - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*' | |
3097 | - 'HKEY_USERS\%%users.sid%%\Environment\*' | |
3098 | - 'HKEY_USERS\%%users.sid%%\Volatile Environment\*' | |
2240 | 3099 | provides: |
2241 | 3100 | - users.cookies |
2242 | 3101 | - users.appdata |
2258 | 3117 | - type: REGISTRY_VALUE |
2259 | 3118 | attributes: |
2260 | 3119 | key_value_pairs: |
2261 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} | |
2262 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} | |
3120 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} | |
3121 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} | |
2263 | 3122 | supported_os: [Windows] |
2264 | 3123 | urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] |
2265 | 3124 | --- |
2269 | 3128 | - type: REGISTRY_VALUE |
2270 | 3129 | attributes: |
2271 | 3130 | key_value_pairs: |
2272 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} | |
2273 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} | |
3131 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} | |
3132 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} | |
2274 | 3133 | supported_os: [Windows] |
2275 | 3134 | urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa379402(v=vs.85).aspx'] |
2276 | 3135 | --- |
2280 | 3139 | - type: REGISTRY_VALUE |
2281 | 3140 | attributes: |
2282 | 3141 | key_value_pairs: |
2283 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} | |
2284 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} | |
3142 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} | |
3143 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} | |
2285 | 3144 | supported_os: [Windows] |
2286 | 3145 | urls: ['https://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx'] |
2287 | 3146 | --- |
2291 | 3150 | - type: REGISTRY_VALUE |
2292 | 3151 | attributes: |
2293 | 3152 | key_value_pairs: |
2294 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} | |
2295 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} | |
3153 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} | |
3154 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} | |
2296 | 3155 | supported_os: [Windows] |
2297 | 3156 | urls: |
2298 | 3157 | - 'https://code.google.com/p/regripper/wiki/ASEPs' |
2305 | 3164 | - type: REGISTRY_VALUE |
2306 | 3165 | attributes: |
2307 | 3166 | key_value_pairs: |
2308 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} | |
2309 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} | |
3167 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} | |
3168 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} | |
2310 | 3169 | supported_os: [Windows] |
2311 | 3170 | urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] |
2312 | 3171 | --- |
2316 | 3175 | - type: REGISTRY_VALUE |
2317 | 3176 | attributes: |
2318 | 3177 | key_value_pairs: |
2319 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} | |
2320 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} | |
3178 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} | |
3179 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} | |
2321 | 3180 | supported_os: [Windows] |
2322 | 3181 | urls: |
2323 | 3182 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
2329 | 3188 | - type: REGISTRY_VALUE |
2330 | 3189 | attributes: |
2331 | 3190 | key_value_pairs: |
2332 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} | |
2333 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} | |
3191 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} | |
3192 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} | |
2334 | 3193 | supported_os: [Windows] |
2335 | 3194 | urls: ['https://technet.microsoft.com/en-us/library/cc939862.aspx'] |
3195 | --- | |
3196 | name: WindowsWinlogonAvailableShells | |
3197 | doc: | | |
3198 | Windows Server Winlogon Available Shells | |
3199 | ||
3200 | Used to specify an alternate shell application to be launched when | |
3201 | logging into Windows Server 2012 and later. Legitimate keys under | |
3202 | AvailableShells should just cause cmd.exe or explorer.exe to be executed, | |
3203 | whereas malicious programs may create keys that cause malware to be run | |
3204 | when a user logs in. | |
3205 | sources: | |
3206 | - type: REGISTRY_KEY | |
3207 | attributes: | |
3208 | keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells\*'] | |
3209 | supported_os: [Windows] | |
3210 | urls: | |
3211 | - https://andymorgan.wordpress.com/2012/03/30/changing-the-default-shell-of-windows-server-8-core/ | |
3212 | - https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 | |
2336 | 3213 | --- |
2337 | 3214 | name: WindowsWinlogonVMApplet |
2338 | 3215 | doc: Windows VMApplet replacement. |
2340 | 3217 | - type: REGISTRY_VALUE |
2341 | 3218 | attributes: |
2342 | 3219 | key_value_pairs: |
2343 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} | |
2344 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} | |
3220 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} | |
3221 | - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} | |
2345 | 3222 | supported_os: [Windows] |
2346 | 3223 | urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] |
2347 | 3224 | --- |
2351 | 3228 | - type: FILE |
2352 | 3229 | attributes: |
2353 | 3230 | paths: |
2354 | - '%%environ_windir%%\winstart.bat' | |
2355 | - '%%environ_windir%%\dosstart.bat' | |
3231 | - '%%environ_windir%%\winstart.bat' | |
3232 | - '%%environ_windir%%\dosstart.bat' | |
2356 | 3233 | separator: '\' |
2357 | 3234 | supported_os: [Windows] |
2358 | 3235 | --- |
2362 | 3239 | - type: REGISTRY_VALUE |
2363 | 3240 | attributes: |
2364 | 3241 | key_value_pairs: |
2365 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'} | |
3242 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'} | |
2366 | 3243 | supported_os: [Windows] |
2367 | 3244 | urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] |
3245 | --- | |
3246 | name: WindowsWinlogonGPExtensions | |
3247 | doc: | | |
3248 | Windows Winlogon Group Policy Extensions | |
3249 | ||
3250 | These keys specifiy DLLs that should be loaded when the group policy | |
3251 | engine loads, and can act as a persistence mechanism for malware. | |
3252 | sources: | |
3253 | - type: REGISTRY_VALUE | |
3254 | attributes: | |
3255 | key_value_pairs: | |
3256 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''} | |
3257 | - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'} | |
3258 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''} | |
3259 | - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'} | |
3260 | supported_os: [Windows] | |
3261 | urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] | |
2368 | 3262 | --- |
2369 | 3263 | name: WinSock2LayeredServiceProviders |
2370 | 3264 | doc: Used to filter TCP/IP traffic through WinSock2. |
2371 | 3265 | sources: |
2372 | 3266 | - type: REGISTRY_KEY |
2373 | 3267 | attributes: |
2374 | keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*'] | |
3268 | keys: | |
3269 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*' | |
3270 | - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*' | |
2375 | 3271 | supported_os: [Windows] |
2376 | 3272 | urls: |
2377 | 3273 | - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' |
2378 | 3274 | - 'https://en.wikipedia.org/wiki/Layered_Service_Provider' |
3275 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
2379 | 3276 | --- |
2380 | 3277 | name: WinSock2NamespaceProviders |
2381 | doc: WinSock2NamespaceProviders | |
2382 | sources: | |
2383 | - type: REGISTRY_VALUE | |
2384 | attributes: | |
2385 | key_value_pairs: | |
2386 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\namespace_catalog5\catalog_entries\*', value: 'LibraryPath'} | |
3278 | doc: Used to provide name-resolution services through WinSock2 | |
3279 | sources: | |
3280 | - type: REGISTRY_VALUE | |
3281 | attributes: | |
3282 | key_value_pairs: | |
3283 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*', value: 'LibraryPath'} | |
3284 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*', value: 'LibraryPath'} | |
2387 | 3285 | supported_os: [Windows] |
2388 | 3286 | urls: |
2389 | 3287 | - 'https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99&tabid=2' |
2390 | 3288 | - 'http://www.nirsoft.net/utils/winsock_service_providers.html' |
2391 | 3289 | - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms739923(v=vs.85).aspx' |
3290 | - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' | |
2392 | 3291 | --- |
2393 | 3292 | name: WindowsDNSSettings |
2394 | 3293 | doc: Windows Registry Keys that contain DNS and DHCP settings. |
2396 | 3295 | - type: REGISTRY_VALUE |
2397 | 3296 | attributes: |
2398 | 3297 | key_value_pairs: |
2399 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'} | |
2400 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'} | |
2401 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrenControlSet\Services\Dnscache\Parameters', value: 'NameServer'} | |
2402 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'} | |
2403 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'} | |
3298 | - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'} | |
3299 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'} | |
3300 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters', value: 'NameServer'} | |
3301 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'} | |
3302 | - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'} | |
2404 | 3303 | labels: [System, Network] |
2405 | 3304 | supported_os: [Windows] |
2406 | 3305 | urls: ['https://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx'] |
0 | # DLL Hijack Locations | |
1 | ||
0 | 2 | name: DLLHijackLocations |
1 | 3 | doc: DLL search order hijacking locations collected from base Windows 7. |
2 | 4 | urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html'] |
4 | 6 | - type: FILE |
5 | 7 | attributes: |
6 | 8 | paths: |
7 | - '%%environ_windir%%\EXPLORERFRAME.dll' | |
8 | - '%%environ_windir%%\DUser.dll' | |
9 | - '%%environ_windir%%\DUI70.dll' | |
10 | - '%%environ_windir%%\UxTheme.dll' | |
11 | - '%%environ_windir%%\POWRPROF.dll' | |
12 | - '%%environ_windir%%\dwmapi.dll' | |
13 | - '%%environ_windir%%\slc.dll' | |
14 | - '%%environ_windir%%\gdiplus.dll' | |
15 | - '%%environ_windir%%\Secur32.dll' | |
16 | - '%%environ_windir%%\SSPICLI.dll' | |
17 | - '%%environ_windir%%\PROPSYS.dll' | |
18 | - '%%environ_windir%%\WINSTA.dll' | |
19 | - '%%environ_windir%%\CRYPTBASE.dll' | |
20 | - '%%environ_windir%%\WindowsCodecs.dll' | |
21 | - '%%environ_windir%%\profapi.dll' | |
22 | - '%%environ_windir%%\apphelp.dll' | |
23 | - '%%environ_windir%%\EhStorShell.dll' | |
24 | - '%%environ_windir%%\cscui.dll' | |
25 | - '%%environ_windir%%\CSCDLL.dll' | |
26 | - '%%environ_windir%%\CSCAPI.dll' | |
27 | - '%%environ_windir%%\ntshrui.dll' | |
28 | - '%%environ_windir%%\srvcli.dll' | |
29 | - '%%environ_windir%%\IconCodecService.dll' | |
30 | - '%%environ_windir%%\CRYPTSP.dll' | |
31 | - '%%environ_windir%%\rsaenh.dll' | |
32 | - '%%environ_windir%%\RpcRtRemote.dll' | |
33 | - '%%environ_windir%%\SndVolSSO.dll' | |
34 | - '%%environ_windir%%\HID.dll' | |
35 | - '%%environ_windir%%\MMDevApi.dll' | |
36 | - '%%environ_windir%%\timedate.cpl' | |
37 | - '%%environ_windir%%\ATL.dll' | |
38 | - '%%environ_windir%%\actxprxy.dll' | |
39 | - '%%environ_windir%%\ntmarta.dll' | |
40 | - '%%environ_windir%%\shdocvw.dll' | |
41 | - '%%environ_windir%%\LINKINFO.dll' | |
42 | - '%%environ_windir%%\USERENV.dll' | |
43 | - '%%environ_windir%%\shacct.dll' | |
44 | - '%%environ_windir%%\gameux.dll' | |
45 | - '%%environ_windir%%\XmlLite.dll' | |
46 | - '%%environ_windir%%\wer.dll' | |
47 | - '%%environ_windir%%\SAMLIB.dll' | |
48 | - '%%environ_windir%%\msls31.dll' | |
49 | - '%%environ_windir%%\tiptsf.dll' | |
50 | - '%%environ_windir%%\authui.dll' | |
51 | - '%%environ_windir%%\CRYPTUI.dll' | |
52 | - '%%environ_windir%%\msiltcfg.dll' | |
53 | - '%%environ_windir%%\VERSION.dll' | |
54 | - '%%environ_windir%%\msi.dll' | |
55 | - '%%environ_windir%%\NetworkExplorer.dll' | |
56 | - '%%environ_windir%%\WINMM.dll' | |
57 | - '%%environ_windir%%\wdmaud.drv' | |
58 | - '%%environ_windir%%\ksuser.dll' | |
59 | - '%%environ_windir%%\AVRT.dll' | |
60 | - '%%environ_windir%%\AUDIOSES.dll' | |
61 | - '%%environ_windir%%\msacm32.drv' | |
62 | - '%%environ_windir%%\MSACM32.dll' | |
63 | - '%%environ_windir%%\midimap.dll' | |
64 | - '%%environ_windir%%\netutils.dll' | |
65 | - '%%environ_windir%%\stobject.dll' | |
66 | - '%%environ_windir%%\BatMeter.dll' | |
67 | - '%%environ_windir%%\WTSAPI32.dll' | |
68 | - '%%environ_windir%%\es.dll' | |
69 | - '%%environ_windir%%\prnfldr.dll' | |
70 | - '%%environ_windir%%\WINSPOOL.DRV' | |
71 | - '%%environ_windir%%\dxp.dll' | |
72 | - '%%environ_windir%%\Syncreg.dll' | |
73 | - '%%environ_windir%%\netshell.dll' | |
74 | - '%%environ_windir%%\IPHLPAPI.dll' | |
75 | - '%%environ_windir%%\WINNSI.dll' | |
76 | - '%%environ_windir%%\nlaapi.dll' | |
77 | - '%%environ_windir%%\AltTab.dll' | |
78 | - '%%environ_windir%%\pnidui.dll' | |
79 | - '%%environ_windir%%\QUtil.dll' | |
80 | - '%%environ_windir%%\wevtapi.dll' | |
81 | - '%%environ_windir%%\dhcpcsvc6.dll' | |
82 | - '%%environ_windir%%\dhcpcsvc.dll' | |
83 | - '%%environ_windir%%\credssp.dll' | |
84 | - '%%environ_windir%%\npmproxy.dll' | |
85 | - '%%environ_windir%%\cscobj.dll' | |
86 | - '%%environ_windir%%\Wlanapi.dll' | |
87 | - '%%environ_windir%%\wlanutil.dll' | |
88 | - '%%environ_windir%%\wwanapi.dll' | |
89 | - '%%environ_windir%%\wwapi.dll' | |
90 | - '%%environ_windir%%\QAgent.dll' | |
91 | - '%%environ_windir%%\srchadmin.dll' | |
92 | - '%%environ_windir%%\mssprxy.dll' | |
93 | - '%%environ_windir%%\bthprops.cpl' | |
94 | - '%%environ_windir%%\ieframe.dll' | |
95 | - '%%environ_windir%%\OLEACC.dll' | |
96 | - '%%environ_windir%%\SyncCenter.dll' | |
97 | - '%%environ_windir%%\Actioncenter.dll' | |
98 | - '%%environ_windir%%\imapi2.dll' | |
99 | - '%%environ_windir%%\SXS.dll' | |
100 | - '%%environ_windir%%\hgcpl.dll' | |
101 | - '%%environ_windir%%\provsvc.dll' | |
102 | - '%%environ_windir%%\wkscli.dll' | |
103 | - '%%environ_windir%%\fxsst.dll' | |
104 | - '%%environ_windir%%\FXSAPI.dll' | |
105 | - '%%environ_windir%%\FXSRESM.dll' | |
106 | - '%%environ_windir%%\ieproxy.dll' | |
107 | - '%%environ_windir%%\thumbcache.dll' | |
108 | - '%%environ_windir%%\rasadhlp.dll' | |
109 | - '%%environ_windir%%\MPR.dll' | |
110 | - '%%environ_windir%%\vmhgfs.dll' | |
111 | - '%%environ_windir%%\drprov.dll' | |
112 | - '%%environ_windir%%\ntlanman.dll' | |
113 | - '%%environ_windir%%\davclnt.dll' | |
114 | - '%%environ_windir%%\DAVHLPR.dll' | |
115 | - '%%environ_windir%%\StructuredQuery.dll' | |
116 | - '%%environ_windir%%\UIAnimation.dll' | |
117 | - '%%environ_windir%%\DEVRTL.dll' | |
118 | - '%%environ_windir%%\MLANG.dll' | |
119 | - '%%environ_windir%%\wscinterop.dll' | |
120 | - '%%environ_windir%%\WSCAPI.dll' | |
121 | - '%%environ_windir%%\wscui.cpl' | |
122 | - '%%environ_windir%%\werconcpl.dll' | |
123 | - '%%environ_windir%%\framedynos.dll' | |
124 | - '%%environ_windir%%\wercplsupport.dll' | |
125 | - '%%environ_windir%%\msxml6.dll' | |
126 | - '%%environ_windir%%\hcproviders.dll' | |
127 | - '%%environ_windir%%\zipfldr.dll' | |
128 | - '%%environ_windir%%\rarext.dll' | |
129 | - '%%environ_windir%%\7-zip.dll' | |
130 | - '%%environ_windir%%\twext.dll' | |
131 | - '%%environ_windir%%\WinCDEmuContextMenu.dll' | |
132 | - '%%environ_windir%%\syncui.dll' | |
133 | - '%%environ_windir%%\SYNCENG.dll' | |
134 | - '%%environ_windir%%\shlext010.dll' | |
135 | - '%%environ_windir%%\ATL90.dll' | |
136 | - '%%environ_windir%%\acppage.dll' | |
137 | - '%%environ_windir%%\sfc.dll' | |
138 | - '%%environ_windir%%\sfc_os.dll' | |
139 | - '%%environ_windir%%\dsrole.dll' | |
140 | - '%%environ_windir%%\ACLUI.dll' | |
141 | - '%%environ_windir%%\NTDSAPI.dll' | |
142 | - '%%environ_windir%%\PhotoBase.dll' | |
143 | - '%%environ_windir%%\sbdrop.dll' | |
144 | - '%%environ_windir%%\tquery.dll' | |
145 | - '%%environ_windir%%\EhStorAPI.dll' | |
146 | - '%%environ_windir%%\SearchFolder.dll' | |
147 | - '%%environ_windir%%\NaturalLanguage6.dll' | |
148 | - '%%environ_windir%%\NLSData0009.dll' | |
149 | - '%%environ_windir%%\NLSLexicons0009.dll' | |
150 | - '%%environ_windir%%\MsftEdit.dll' | |
151 | - '%%environ_windir%%\dnsapi.dll' | |
152 | - '%%environ_windir%%\RASAPI32.dll' | |
153 | - '%%environ_windir%%\rasman.dll' | |
154 | - '%%environ_windir%%\rtutils.dll' | |
155 | - '%%environ_windir%%\sensapi.dll' | |
9 | - '%%environ_windir%%\EXPLORERFRAME.dll' | |
10 | - '%%environ_windir%%\DUser.dll' | |
11 | - '%%environ_windir%%\DUI70.dll' | |
12 | - '%%environ_windir%%\UxTheme.dll' | |
13 | - '%%environ_windir%%\POWRPROF.dll' | |
14 | - '%%environ_windir%%\dwmapi.dll' | |
15 | - '%%environ_windir%%\slc.dll' | |
16 | - '%%environ_windir%%\gdiplus.dll' | |
17 | - '%%environ_windir%%\Secur32.dll' | |
18 | - '%%environ_windir%%\SSPICLI.dll' | |
19 | - '%%environ_windir%%\PROPSYS.dll' | |
20 | - '%%environ_windir%%\WINSTA.dll' | |
21 | - '%%environ_windir%%\CRYPTBASE.dll' | |
22 | - '%%environ_windir%%\WindowsCodecs.dll' | |
23 | - '%%environ_windir%%\profapi.dll' | |
24 | - '%%environ_windir%%\apphelp.dll' | |
25 | - '%%environ_windir%%\EhStorShell.dll' | |
26 | - '%%environ_windir%%\cscui.dll' | |
27 | - '%%environ_windir%%\CSCDLL.dll' | |
28 | - '%%environ_windir%%\CSCAPI.dll' | |
29 | - '%%environ_windir%%\ntshrui.dll' | |
30 | - '%%environ_windir%%\srvcli.dll' | |
31 | - '%%environ_windir%%\IconCodecService.dll' | |
32 | - '%%environ_windir%%\CRYPTSP.dll' | |
33 | - '%%environ_windir%%\rsaenh.dll' | |
34 | - '%%environ_windir%%\RpcRtRemote.dll' | |
35 | - '%%environ_windir%%\SndVolSSO.dll' | |
36 | - '%%environ_windir%%\HID.dll' | |
37 | - '%%environ_windir%%\MMDevApi.dll' | |
38 | - '%%environ_windir%%\timedate.cpl' | |
39 | - '%%environ_windir%%\ATL.dll' | |
40 | - '%%environ_windir%%\actxprxy.dll' | |
41 | - '%%environ_windir%%\ntmarta.dll' | |
42 | - '%%environ_windir%%\shdocvw.dll' | |
43 | - '%%environ_windir%%\LINKINFO.dll' | |
44 | - '%%environ_windir%%\USERENV.dll' | |
45 | - '%%environ_windir%%\shacct.dll' | |
46 | - '%%environ_windir%%\gameux.dll' | |
47 | - '%%environ_windir%%\XmlLite.dll' | |
48 | - '%%environ_windir%%\wer.dll' | |
49 | - '%%environ_windir%%\SAMLIB.dll' | |
50 | - '%%environ_windir%%\msls31.dll' | |
51 | - '%%environ_windir%%\tiptsf.dll' | |
52 | - '%%environ_windir%%\authui.dll' | |
53 | - '%%environ_windir%%\CRYPTUI.dll' | |
54 | - '%%environ_windir%%\msiltcfg.dll' | |
55 | - '%%environ_windir%%\VERSION.dll' | |
56 | - '%%environ_windir%%\msi.dll' | |
57 | - '%%environ_windir%%\NetworkExplorer.dll' | |
58 | - '%%environ_windir%%\WINMM.dll' | |
59 | - '%%environ_windir%%\wdmaud.drv' | |
60 | - '%%environ_windir%%\ksuser.dll' | |
61 | - '%%environ_windir%%\AVRT.dll' | |
62 | - '%%environ_windir%%\AUDIOSES.dll' | |
63 | - '%%environ_windir%%\msacm32.drv' | |
64 | - '%%environ_windir%%\MSACM32.dll' | |
65 | - '%%environ_windir%%\midimap.dll' | |
66 | - '%%environ_windir%%\netutils.dll' | |
67 | - '%%environ_windir%%\stobject.dll' | |
68 | - '%%environ_windir%%\BatMeter.dll' | |
69 | - '%%environ_windir%%\WTSAPI32.dll' | |
70 | - '%%environ_windir%%\es.dll' | |
71 | - '%%environ_windir%%\prnfldr.dll' | |
72 | - '%%environ_windir%%\WINSPOOL.DRV' | |
73 | - '%%environ_windir%%\dxp.dll' | |
74 | - '%%environ_windir%%\Syncreg.dll' | |
75 | - '%%environ_windir%%\netshell.dll' | |
76 | - '%%environ_windir%%\IPHLPAPI.dll' | |
77 | - '%%environ_windir%%\WINNSI.dll' | |
78 | - '%%environ_windir%%\nlaapi.dll' | |
79 | - '%%environ_windir%%\AltTab.dll' | |
80 | - '%%environ_windir%%\pnidui.dll' | |
81 | - '%%environ_windir%%\QUtil.dll' | |
82 | - '%%environ_windir%%\wevtapi.dll' | |
83 | - '%%environ_windir%%\dhcpcsvc6.dll' | |
84 | - '%%environ_windir%%\dhcpcsvc.dll' | |
85 | - '%%environ_windir%%\credssp.dll' | |
86 | - '%%environ_windir%%\npmproxy.dll' | |
87 | - '%%environ_windir%%\cscobj.dll' | |
88 | - '%%environ_windir%%\Wlanapi.dll' | |
89 | - '%%environ_windir%%\wlanutil.dll' | |
90 | - '%%environ_windir%%\wwanapi.dll' | |
91 | - '%%environ_windir%%\wwapi.dll' | |
92 | - '%%environ_windir%%\QAgent.dll' | |
93 | - '%%environ_windir%%\srchadmin.dll' | |
94 | - '%%environ_windir%%\mssprxy.dll' | |
95 | - '%%environ_windir%%\bthprops.cpl' | |
96 | - '%%environ_windir%%\ieframe.dll' | |
97 | - '%%environ_windir%%\OLEACC.dll' | |
98 | - '%%environ_windir%%\SyncCenter.dll' | |
99 | - '%%environ_windir%%\Actioncenter.dll' | |
100 | - '%%environ_windir%%\imapi2.dll' | |
101 | - '%%environ_windir%%\SXS.dll' | |
102 | - '%%environ_windir%%\hgcpl.dll' | |
103 | - '%%environ_windir%%\provsvc.dll' | |
104 | - '%%environ_windir%%\wkscli.dll' | |
105 | - '%%environ_windir%%\fxsst.dll' | |
106 | - '%%environ_windir%%\FXSAPI.dll' | |
107 | - '%%environ_windir%%\FXSRESM.dll' | |
108 | - '%%environ_windir%%\ieproxy.dll' | |
109 | - '%%environ_windir%%\thumbcache.dll' | |
110 | - '%%environ_windir%%\rasadhlp.dll' | |
111 | - '%%environ_windir%%\MPR.dll' | |
112 | - '%%environ_windir%%\vmhgfs.dll' | |
113 | - '%%environ_windir%%\drprov.dll' | |
114 | - '%%environ_windir%%\ntlanman.dll' | |
115 | - '%%environ_windir%%\davclnt.dll' | |
116 | - '%%environ_windir%%\DAVHLPR.dll' | |
117 | - '%%environ_windir%%\StructuredQuery.dll' | |
118 | - '%%environ_windir%%\UIAnimation.dll' | |
119 | - '%%environ_windir%%\DEVRTL.dll' | |
120 | - '%%environ_windir%%\MLANG.dll' | |
121 | - '%%environ_windir%%\wscinterop.dll' | |
122 | - '%%environ_windir%%\WSCAPI.dll' | |
123 | - '%%environ_windir%%\wscui.cpl' | |
124 | - '%%environ_windir%%\werconcpl.dll' | |
125 | - '%%environ_windir%%\framedynos.dll' | |
126 | - '%%environ_windir%%\wercplsupport.dll' | |
127 | - '%%environ_windir%%\msxml6.dll' | |
128 | - '%%environ_windir%%\hcproviders.dll' | |
129 | - '%%environ_windir%%\zipfldr.dll' | |
130 | - '%%environ_windir%%\rarext.dll' | |
131 | - '%%environ_windir%%\7-zip.dll' | |
132 | - '%%environ_windir%%\twext.dll' | |
133 | - '%%environ_windir%%\WinCDEmuContextMenu.dll' | |
134 | - '%%environ_windir%%\syncui.dll' | |
135 | - '%%environ_windir%%\SYNCENG.dll' | |
136 | - '%%environ_windir%%\shlext010.dll' | |
137 | - '%%environ_windir%%\ATL90.dll' | |
138 | - '%%environ_windir%%\acppage.dll' | |
139 | - '%%environ_windir%%\sfc.dll' | |
140 | - '%%environ_windir%%\sfc_os.dll' | |
141 | - '%%environ_windir%%\dsrole.dll' | |
142 | - '%%environ_windir%%\ACLUI.dll' | |
143 | - '%%environ_windir%%\NTDSAPI.dll' | |
144 | - '%%environ_windir%%\PhotoBase.dll' | |
145 | - '%%environ_windir%%\sbdrop.dll' | |
146 | - '%%environ_windir%%\tquery.dll' | |
147 | - '%%environ_windir%%\EhStorAPI.dll' | |
148 | - '%%environ_windir%%\SearchFolder.dll' | |
149 | - '%%environ_windir%%\NaturalLanguage6.dll' | |
150 | - '%%environ_windir%%\NLSData0009.dll' | |
151 | - '%%environ_windir%%\NLSLexicons0009.dll' | |
152 | - '%%environ_windir%%\MsftEdit.dll' | |
153 | - '%%environ_windir%%\dnsapi.dll' | |
154 | - '%%environ_windir%%\RASAPI32.dll' | |
155 | - '%%environ_windir%%\rasman.dll' | |
156 | - '%%environ_windir%%\rtutils.dll' | |
157 | - '%%environ_windir%%\sensapi.dll' | |
156 | 158 | separator: '\' |
157 | 159 | supported_os: [Windows] |
36 | 36 | supported_os: [Windows] |
37 | 37 | urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx'] |
38 | 38 | --- |
39 | name: WMIDNSClientCache | |
40 | doc: DNS client cache via Windows Management Instrumentation (WMI). | |
41 | sources: | |
42 | - type: WMI | |
43 | attributes: {query: SELECT * from MSFT_DNSClientCache, base_object: 'winmgmts:\root\StandardCimv2'} | |
44 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] | |
45 | labels: [Network] | |
46 | supported_os: [Windows] | |
47 | urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache'] | |
48 | --- | |
39 | 49 | name: WMIDrivers |
40 | 50 | doc: Installed drivers via Windows Management Instrumentation (WMI). |
41 | 51 | sources: |
123 | 133 | conditions: [os_major_version >= 6] |
124 | 134 | labels: [Software] |
125 | 135 | supported_os: [Windows] |
136 | --- | |
137 | name: WMINetNeighbors | |
138 | doc: TCP/IP neighbors via Windows Management Instrumentation (WMI). | |
139 | sources: | |
140 | - type: WMI | |
141 | attributes: {query: SELECT * from MSFT_NetNeighbor, base_object: 'winmgmts:\root\StandardCimv2'} | |
142 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] | |
143 | labels: [Network] | |
144 | supported_os: [Windows] | |
145 | urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor'] | |
146 | --- | |
147 | name: WMINetTCPConnections | |
148 | doc: TCP connections via Windows Management Instrumentation (WMI). | |
149 | sources: | |
150 | - type: WMI | |
151 | attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'} | |
152 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] | |
153 | labels: [Network] | |
154 | supported_os: [Windows] | |
155 | urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection'] | |
156 | --- | |
157 | name: WMINetUDPEndpoints | |
158 | doc: UDP endpoints via Windows Management Instrumentation (WMI). | |
159 | sources: | |
160 | - type: WMI | |
161 | attributes: {query: SELECT * from MSFT_NetUDPEndpoint, base_object: 'winmgmts:\root\StandardCimv2'} | |
162 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] | |
163 | labels: [Network] | |
164 | supported_os: [Windows] | |
165 | urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint'] | |
166 | --- | |
167 | name: WMIOperatingSystem | |
168 | doc: Operating system installed on the computer via Windows Management Instrumentation (WMI). | |
169 | sources: | |
170 | - type: WMI | |
171 | attributes: {query: SELECT * from Win32_OperatingSystem} | |
172 | conditions: [os_major_version >= 6] | |
173 | labels: [System] | |
174 | supported_os: [Windows] | |
175 | urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem'] | |
126 | 176 | --- |
127 | 177 | name: WMIPhysicalMemory |
128 | 178 | doc: Physical memory information via Windows Management Instrumentation (WMI). |
158 | 208 | supported_os: [Windows] |
159 | 209 | urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] |
160 | 210 | --- |
211 | name: WMIScheduledTasks | |
212 | doc: Scheduled tasks that are registered on the computer via Windows Management Instrumentation (WMI). | |
213 | sources: | |
214 | - type: WMI | |
215 | attributes: {query: SELECT * from MSFT_ScheduledTask, base_object: 'winmgmts:\root\Microsoft\Windows\TaskScheduler'} | |
216 | conditions: [os_major_version >= 6 AND os_minor_version >= 2] | |
217 | labels: [System] | |
218 | supported_os: [Windows] | |
219 | urls: ['https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/'] | |
220 | --- | |
161 | 221 | name: WMIServices |
162 | 222 | doc: Services queried from WMI. |
163 | 223 | sources: |
164 | 224 | - type: WMI |
165 | 225 | attributes: {query: SELECT * FROM Win32_Service} |
166 | 226 | supported_os: [Windows] |
227 | --- | |
228 | name: WMIStartupCommands | |
229 | doc: Commands that run automatically when a user logs onto the computer system via Windows Management Instrumentation (WMI). | |
230 | sources: | |
231 | - type: WMI | |
232 | attributes: {query: SELECT * from Win32_StartupCommand} | |
233 | conditions: [os_major_version >= 6] | |
234 | labels: [System] | |
235 | supported_os: [Windows] | |
236 | urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand'] | |
167 | 237 | --- |
168 | 238 | name: WMIUsers |
169 | 239 | doc: | |
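Review bot: The condition `os_major_version >= 6 AND os_minor_version >= 2` on the new WMIDNSClientCache, WMINetNeighbors, WMINetTCPConnections, WMINetUDPEndpoints and WMIScheduledTasks definitions excludes Windows 10 and Server 2016 and later, which report major version 10 and minor version 0, so the minor-version clause fails on exactly the current systems these StandardCimv2 and TaskScheduler queries are meant to cover. The intent is evidently "Windows 8 / Server 2012 or newer", which needs the minor-version test restricted to major version 6; if the condition grammar supports grouping and OR, something like `os_major_version > 6 OR (os_major_version = 6 AND os_minor_version >= 2)`, otherwise the simplest safe fix is to drop the minor-version clause and accept an empty result on Vista/7. Separately, WMIScheduledTasks cites a third-party mirror (wutils.com) where every other new entry points at docs.microsoft.com; a first-party reference would be preferable for a definition that enumerates persistence locations.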
277 | 277 | | paths | A list of file paths that can potentially be collected. + |
278 | 278 | The paths can use parameter expansion e.g. `%%environ_systemroot%%`. + |
279 | 279 | See section: <<parameter_expansion,Parameter expansion and globs>> |
280 | | separator | Optional path segment seperator e.g. '\' for Windows systems. + | |
281 | When not specified the default path segment separator is '/'. | |
280 | 282 | |=== |
281 | 283 | |
282 | 284 | === Path source |
299 | 301 | | paths | A list of file paths that can potentially be collected. + |
300 | 302 | The paths can use parameter expansion e.g. `%%environ_systemroot%%`. + |
301 | 303 | See section: <<parameter_expansion,Parameter expansion and globs>> |
304 | | separator | Optional path segment seperator e.g. '\' for Windows systems. + | |
305 | When not specified the default path segment separator is '/'. | |
302 | 306 | |=== |
303 | 307 | |
304 | 308 | === Windows Registry key source |
365 | 369 | [cols="1,5",options="header"] |
366 | 370 | |=== |
367 | 371 | | Value | Description |
372 | | base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` | |
368 | 373 | | query | The Windows Management Instrumentation (WMI) query. + |
369 | 374 | The query can use parameter expansion e.g. `%%users.username%%`. + |
370 | 375 | See section: <<parameter_expansion,Parameter expansion and globs>> |
7 | 7 | AUTHORS |
8 | 8 | LICENSE |
9 | 9 | README |
10 | build_requires = python2-setuptools | |
11 | requires = python2-pyyaml >= 3.10 | |
10 | build_requires = python3-setuptools | |
11 | requires = python3-pyyaml >= 3.10 | |
12 | 12 | |
13 | 13 | [bdist_wheel] |
14 | 14 | universal = 1 |
4 | 4 | from __future__ import print_function |
5 | 5 | |
6 | 6 | import glob |
7 | import locale | |
8 | 7 | import os |
9 | 8 | import sys |
10 | 9 | |
24 | 23 | bdist_rpm = None |
25 | 24 | |
26 | 25 | version_tuple = (sys.version_info[0], sys.version_info[1]) |
27 | if version_tuple[0] not in (2, 3): | |
28 | print('Unsupported Python version: {0:s}.'.format(sys.version)) | |
29 | sys.exit(1) | |
30 | ||
31 | elif version_tuple[0] == 2 and version_tuple < (2, 7): | |
26 | if version_tuple < (3, 6): | |
32 | 27 | print(( |
33 | 'Unsupported Python 2 version: {0:s}, version 2.7 or higher ' | |
34 | 'required.').format(sys.version)) | |
35 | sys.exit(1) | |
36 | ||
37 | elif version_tuple[0] == 3 and version_tuple < (3, 4): | |
38 | print(( | |
39 | 'Unsupported Python 3 version: {0:s}, version 3.4 or higher ' | |
28 | 'Unsupported Python version: {0:s}, version 3.6 or higher ' | |
40 | 29 | 'required.').format(sys.version)) |
41 | 30 | sys.exit(1) |
42 | 31 | |
52 | 41 | class BdistMSICommand(bdist_msi): |
53 | 42 | """Custom handler for the bdist_msi command.""" |
54 | 43 | |
44 | # pylint: disable=invalid-name | |
55 | 45 | def run(self): |
56 | 46 | """Builds an MSI.""" |
57 | 47 | # Command bdist_msi does not support the library version, neither a date |
67 | 57 | class BdistRPMCommand(bdist_rpm): |
68 | 58 | """Custom handler for the bdist_rpm command.""" |
69 | 59 | |
60 | # pylint: disable=invalid-name | |
70 | 61 | def _make_spec_file(self): |
71 | 62 | """Generates the text of an RPM spec file. |
72 | 63 | |
79 | 70 | else: |
80 | 71 | spec_file = bdist_rpm._make_spec_file(self) |
81 | 72 | |
82 | if sys.version_info[0] < 3: | |
83 | python_package = 'python2' | |
84 | else: | |
85 | python_package = 'python3' | |
73 | python_package = 'python3' | |
86 | 74 | |
87 | 75 | description = [] |
88 | 76 | requires = '' |
100 | 88 | |
101 | 89 | elif line.startswith('Requires: '): |
102 | 90 | requires = line[10:] |
103 | if python_package == 'python3': | |
104 | requires = requires.replace('python-', 'python3-') | |
105 | requires = requires.replace('python2-', 'python3-') | |
106 | 91 | continue |
107 | 92 | |
108 | 93 | elif line.startswith('%description'): |
121 | 106 | line = '%py2_install' |
122 | 107 | |
123 | 108 | elif line.startswith('%files'): |
124 | python_spec_file.extend([ | |
125 | '%package -n %{name}-tools', | |
126 | 'Requires: {0:s}-artifacts >= %{{version}}'.format( | |
127 | python_package), | |
128 | 'Summary: Tools for {0:s}'.format(summary), | |
129 | '', | |
130 | '%description -n %{name}-tools']) | |
131 | ||
132 | python_spec_file.extend(description) | |
133 | ||
134 | 109 | lines = [ |
135 | 110 | '%files -n %{name}-data', |
136 | 111 | '%defattr(644,root,root,755)', |
143 | 118 | '%license LICENSE', |
144 | 119 | '%doc ACKNOWLEDGEMENTS AUTHORS README'] |
145 | 120 | |
146 | if python_package == 'python3': | |
147 | lines.extend([ | |
148 | '%{python3_sitelib}/artifacts/*.py', | |
149 | '%{python3_sitelib}/artifacts*.egg-info/*', | |
150 | '', | |
151 | '%exclude %{_prefix}/share/doc/*', | |
152 | '%exclude %{python3_sitelib}/artifacts/__pycache__/*']) | |
153 | ||
154 | else: | |
155 | lines.extend([ | |
156 | '%{python2_sitelib}/artifacts/*.py', | |
157 | '%{python2_sitelib}/artifacts*.egg-info/*', | |
158 | '', | |
159 | '%exclude %{_prefix}/share/doc/*', | |
160 | '%exclude %{python2_sitelib}/artifacts/*.pyc', | |
161 | '%exclude %{python2_sitelib}/artifacts/*.pyo']) | |
121 | lines.extend([ | |
122 | '%{python3_sitelib}/artifacts/*.py', | |
123 | '%{python3_sitelib}/artifacts*.egg-info/*', | |
124 | '', | |
125 | '%exclude %{_prefix}/share/doc/*', | |
126 | '%exclude %{python3_sitelib}/artifacts/__pycache__/*']) | |
162 | 127 | |
163 | 128 | python_spec_file.extend(lines) |
164 | 129 | break |
176 | 141 | |
177 | 142 | python_spec_file.append( |
178 | 143 | '%package -n {0:s}-%{{name}}'.format(python_package)) |
179 | if python_package == 'python2': | |
180 | python_spec_file.extend([ | |
181 | 'Obsoletes: python-artifacts < %{version}', | |
182 | 'Provides: python-artifacts = %{version}']) | |
183 | python_summary = 'Python 2 module of {0:s}'.format(summary) | |
184 | else: | |
185 | python_summary = 'Python 3 module of {0:s}'.format(summary) | |
144 | python_summary = 'Python 3 module of {0:s}'.format(summary) | |
186 | 145 | |
187 | 146 | python_spec_file.extend([ |
188 | 147 | 'Requires: artifacts-data >= %{{version}} {0:s}'.format( |
193 | 152 | |
194 | 153 | python_spec_file.extend(description) |
195 | 154 | |
155 | python_spec_file.extend([ | |
156 | '%package -n %{name}-tools', | |
157 | 'Requires: {0:s}-artifacts >= %{{version}}'.format( | |
158 | python_package), | |
159 | 'Summary: Tools for {0:s}'.format(summary), | |
160 | '', | |
161 | '%description -n %{name}-tools']) | |
162 | ||
163 | python_spec_file.extend(description) | |
164 | ||
196 | 165 | elif in_description: |
197 | 166 | # Ignore leading white lines in the description. |
198 | 167 | if not description and not line: |
208 | 177 | '%{_bindir}/*.py']) |
209 | 178 | |
210 | 179 | return python_spec_file |
211 | ||
212 | ||
213 | if version_tuple[0] == 2: | |
214 | encoding = sys.stdin.encoding # pylint: disable=invalid-name | |
215 | ||
216 | # Note that sys.stdin.encoding can be None. | |
217 | if not encoding: | |
218 | encoding = locale.getpreferredencoding() | |
219 | ||
220 | # Make sure the default encoding is set correctly otherwise on Python 2 | |
221 | # setup.py sdist will fail to include filenames with Unicode characters. | |
222 | reload(sys) # pylint: disable=undefined-variable | |
223 | ||
224 | sys.setdefaultencoding(encoding) # pylint: disable=no-member | |
225 | 180 | |
226 | 181 | |
227 | 182 | artifacts_description = ( |
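Review bot: The `from __future__ import print_function` import kept at line 4 is dead now that line 26 rejects every interpreter below 3.6; it can go together with the `locale` import this commit already removes. Line 106 still emits `line = '%py2_install'` even though `python_package` is hard-wired to `'python3'` at line 73; the enclosing branch is outside the hunk, so I cannot tell whether that is the python3 build path that should now read `'%py3_install'`, but it looks like a Python 2 leftover worth checking. With the version branching gone, `python_package` is a constant used only in format strings and could move to module level next to `version_tuple`, which would shorten `_make_spec_file`.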
112 | 112 | supported_os: [Windows] |
113 | 113 | """ |
114 | 114 | |
115 | @test_lib.skipUnlessHasTestFile(['definitions.yaml']) | |
116 | 115 | def testReadFileObject(self): |
117 | 116 | """Tests the ReadFileObject function.""" |
118 | artifact_reader = reader.YamlArtifactsReader() | |
119 | 117 | test_file = self._GetTestFilePath(['definitions.yaml']) |
118 | self._SkipIfPathNotExists(test_file) | |
119 | ||
120 | artifact_reader = reader.YamlArtifactsReader() | |
120 | 121 | |
121 | 122 | with open(test_file, 'rb') as file_object: |
122 | 123 | artifact_definitions = list(artifact_reader.ReadFileObject(file_object)) |
314 | 315 | with self.assertRaises(errors.FormatError): |
315 | 316 | _ = list(artifact_reader.ReadFileObject(file_object)) |
316 | 317 | |
317 | @test_lib.skipUnlessHasTestFile(['definitions.yaml']) | |
318 | 318 | def testReadYamlFile(self): |
319 | 319 | """Tests the ReadFile function.""" |
320 | artifact_reader = reader.YamlArtifactsReader() | |
321 | 320 | test_file = self._GetTestFilePath(['definitions.yaml']) |
321 | self._SkipIfPathNotExists(test_file) | |
322 | ||
323 | artifact_reader = reader.YamlArtifactsReader() | |
322 | 324 | |
323 | 325 | artifact_definitions = list(artifact_reader.ReadFile(test_file)) |
324 | 326 | self.assertEqual(len(artifact_definitions), 7) |
331 | 333 | artifact_definitions = list(artifact_reader.ReadDirectory(test_file)) |
332 | 334 | self.assertEqual(len(artifact_definitions), 7) |
333 | 335 | |
334 | @test_lib.skipUnlessHasTestFile(['definitions.yaml']) | |
335 | 336 | def testArtifactAsDict(self): |
336 | 337 | """Tests the AsDict function.""" |
337 | artifact_reader = reader.YamlArtifactsReader() | |
338 | 338 | test_file = self._GetTestFilePath(['definitions.yaml']) |
339 | self._SkipIfPathNotExists(test_file) | |
340 | ||
341 | artifact_reader = reader.YamlArtifactsReader() | |
339 | 342 | |
340 | 343 | with open(test_file, 'r') as file_object: |
341 | 344 | for artifact_definition in yaml.safe_load_all(file_object): |
364 | 367 | class JsonArtifactsReaderTest(test_lib.BaseTestCase): |
365 | 368 | """JSON artifacts reader tests.""" |
366 | 369 | |
367 | @test_lib.skipUnlessHasTestFile(['definitions.json']) | |
368 | 370 | def testReadJsonFile(self): |
369 | 371 | """Tests the ReadFile function.""" |
372 | test_file = self._GetTestFilePath(['definitions.json']) | |
373 | self._SkipIfPathNotExists(test_file) | |
374 | ||
370 | 375 | artifact_reader = reader.JsonArtifactsReader() |
371 | test_file = self._GetTestFilePath(['definitions.json']) | |
372 | 376 | |
373 | 377 | artifact_definitions = list(artifact_reader.ReadFile(test_file)) |
374 | 378 |
47 | 47 | |
48 | 48 | # pylint: disable=protected-access |
49 | 49 | |
50 | @test_lib.skipUnlessHasTestFile(['definitions.yaml']) | |
51 | 50 | def testArtifactDefinitionsRegistry(self): |
52 | 51 | """Tests the ArtifactDefinitionsRegistry functions.""" |
52 | test_file = self._GetTestFilePath(['definitions.yaml']) | |
53 | self._SkipIfPathNotExists(test_file) | |
54 | ||
53 | 55 | artifact_registry = registry.ArtifactDefinitionsRegistry() |
54 | 56 | |
55 | 57 | artifact_reader = reader.YamlArtifactsReader() |
56 | test_file = self._GetTestFilePath(['definitions.yaml']) | |
57 | 58 | |
58 | 59 | for artifact_definition in artifact_reader.ReadFile(test_file): |
59 | 60 | artifact_registry.RegisterDefinition(artifact_definition) |
59 | 59 | source_type.FileSourceType(paths=['test']) |
60 | 60 | source_type.FileSourceType(paths=['test'], separator='\\') |
61 | 61 | |
62 | with self.assertRaises(errors.FormatError): | |
63 | source_type.FileSourceType() | |
64 | ||
65 | with self.assertRaises(errors.FormatError): | |
66 | source_type.FileSourceType(paths='test') | |
67 | ||
62 | 68 | |
63 | 69 | class PathSourceTypeTest(test_lib.BaseTestCase): |
64 | 70 | """Class to test the paths source type.""" |
67 | 73 | """Tests the __init__ function.""" |
68 | 74 | source_type.PathSourceType(paths=['test']) |
69 | 75 | source_type.PathSourceType(paths=['test'], separator='\\') |
76 | ||
77 | with self.assertRaises(errors.FormatError): | |
78 | source_type.PathSourceType() | |
79 | ||
80 | with self.assertRaises(errors.FormatError): | |
81 | source_type.PathSourceType(paths='test') | |
70 | 82 | |
71 | 83 | |
72 | 84 | class WindowsRegistryKeySourceTypeTest(test_lib.BaseTestCase): |
4 | 4 | |
5 | 5 | import os |
6 | 6 | import shutil |
7 | import sys | |
8 | 7 | import tempfile |
9 | 8 | import unittest |
10 | ||
11 | ||
12 | def skipUnlessHasTestFile(path_segments): # pylint: disable=invalid-name | |
13 | """Decorator to skip a test if the test file does not exist. | |
14 | ||
15 | Args: | |
16 | path_segments (list[str]): path segments inside the test data directory. | |
17 | ||
18 | Returns: | |
19 | function: to invoke. | |
20 | """ | |
21 | fail_unless_has_test_file = getattr( | |
22 | unittest, 'fail_unless_has_test_file', False) | |
23 | ||
24 | path = os.path.join('test_data', *path_segments) | |
25 | if fail_unless_has_test_file or os.path.exists(path): | |
26 | return lambda function: function | |
27 | ||
28 | if sys.version_info[0] < 3: | |
29 | path = path.encode('utf-8') | |
30 | ||
31 | # Note that the message should be of type str which is different for | |
32 | # different versions of Python. | |
33 | return unittest.skip('missing test file: {0:s}'.format(path)) | |
34 | ||
35 | ||
36 | def GetTestFilePath(path_segments): | |
37 | """Retrieves the path of a test file in the test data directory. | |
38 | ||
39 | Args: | |
40 | path_segments (list[str]): path segments inside the test data directory. | |
41 | ||
42 | Returns: | |
43 | str: path of the test file. | |
44 | """ | |
45 | # Note that we need to pass the individual path segments to os.path.join | |
46 | # and not a list. | |
47 | return os.path.join(os.getcwd(), 'test_data', *path_segments) | |
48 | 9 | |
49 | 10 | |
50 | 11 | class BaseTestCase(unittest.TestCase): |
70 | 31 | # and not a list. |
71 | 32 | return os.path.join(self._TEST_DATA_PATH, *path_segments) |
72 | 33 | |
34 | def _SkipIfPathNotExists(self, path): | |
35 | """Skips the test if the path does not exist. | |
36 | ||
37 | Args: | |
38 | path (str): path of a test file. | |
39 | ||
40 | Raises: | |
41 | SkipTest: if the path path does not exist and the test should be skipped. | |
42 | """ | |
43 | if not os.path.exists(path): | |
44 | filename = os.path.basename(path) | |
45 | raise unittest.SkipTest('missing test file: {0:s}'.format(filename)) | |
46 | ||
73 | 47 | |
74 | 48 | class TempDirectory(object): |
75 | 49 | """Class that implements a temporary directory.""" |
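Review bot: `_SkipIfPathNotExists` at lines 34-45 drops the `fail_unless_has_test_file` override that the removed `skipUnlessHasTestFile` decorator honoured (old lines 21-26), so a missing `definitions.yaml` or `definitions.json` now always becomes a silent skip rather than a failure, including in CI where test data is expected to be present; consider keeping an opt-in, e.g. `if getattr(unittest, 'fail_unless_has_test_file', False): self.fail('missing test file: {0:s}'.format(path))` before the skip. The same behaviour change reaches every test migrated to the helper in this commit (reader_test, registry_test, writer_test). The docstring at line 41 also duplicates a word; `SkipTest: if the path does not exist and the test should be skipped.`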
24 | 24 | filename (str): name of the file to convert. |
25 | 25 | """ |
26 | 26 | test_file = self._GetTestFilePath([filename]) |
27 | self._SkipIfPathNotExists(test_file) | |
28 | ||
27 | 29 | artifact_definitions = list(artifact_reader.ReadFile(test_file)) |
28 | 30 | |
29 | 31 | with test_lib.TempDirectory() as temporary_directory: |
38 | 40 | [artifact.AsDict() for artifact in artifact_definitions], |
39 | 41 | [artifact.AsDict() for artifact in converted_artifact_definitions]) |
40 | 42 | |
41 | @test_lib.skipUnlessHasTestFile(['definitions.json']) | |
42 | 43 | def testJsonWriter(self): |
43 | 44 | """Tests conversion with the JsonArtifactsWriter.""" |
44 | 45 | artifact_reader = reader.JsonArtifactsReader() |
46 | 47 | self._TestArtifactsConversion( |
47 | 48 | artifact_reader, artifact_writer, 'definitions.json') |
48 | 49 | |
49 | @test_lib.skipUnlessHasTestFile(['definitions.yaml']) | |
50 | 50 | def testYamlWriter(self): |
51 | 51 | """Tests conversion with the YamlArtifactsWriter.""" |
52 | 52 | artifact_reader = reader.YamlArtifactsReader() |
17 | 17 | def __init__(self): |
18 | 18 | """Initializes artifact statistics.""" |
19 | 19 | super(ArtifactStatistics, self).__init__() |
20 | self.label_counts = {} | |
21 | self.os_counts = {} | |
22 | self.path_count = 0 | |
23 | self.reg_key_count = 0 | |
24 | self.source_type_counts = {} | |
25 | self.total_count = 0 | |
20 | self._label_counts = {} | |
21 | self._os_counts = {} | |
22 | self._path_count = 0 | |
23 | self._reg_key_count = 0 | |
24 | self._source_type_counts = {} | |
25 | self._total_count = 0 | |
26 | 26 | |
27 | 27 | def _PrintDictAsTable(self, src_dict): |
28 | 28 | """Prints a table of artifact definitions. |
51 | 51 | def PrintOSTable(self): |
52 | 52 | """Prints a table of artifact definitions by operating system.""" |
53 | 53 | print('**Artifacts by OS**\n') |
54 | self._PrintDictAsTable(self.os_counts) | |
54 | self._PrintDictAsTable(self._os_counts) | |
55 | 55 | |
56 | 56 | def PrintLabelTable(self): |
57 | 57 | """Prints a table of artifact definitions by label.""" |
58 | 58 | print('**Artifacts by label**\n') |
59 | self._PrintDictAsTable(self.label_counts) | |
59 | self._PrintDictAsTable(self._label_counts) | |
60 | 60 | |
61 | 61 | def PrintSourceTypeTable(self): |
62 | 62 | """Prints a table of artifact definitions by source type.""" |
63 | 63 | print('**Artifacts by type**\n') |
64 | self._PrintDictAsTable(self.source_type_counts) | |
64 | self._PrintDictAsTable(self._source_type_counts) | |
65 | 65 | |
66 | 66 | def PrintSummaryTable(self): |
67 | 67 | """Prints a summary table.""" |
74 | 74 | | **Registry keys covered** | **{2:d}** | |
75 | 75 | | **Total artifacts** | **{3:d}** | |
76 | 76 | """.format( |
77 | time.strftime('%Y-%m-%d'), self.path_count, self.reg_key_count, | |
78 | self.total_count)) | |
77 | time.strftime('%Y-%m-%d'), self._path_count, self._reg_key_count, | |
78 | self._total_count)) | |
79 | 79 | |
80 | 80 | def BuildStats(self): |
81 | 81 | """Builds the statistics.""" |
82 | 82 | artifact_reader = reader.YamlArtifactsReader() |
83 | self.label_counts = {} | |
84 | self.os_counts = {} | |
85 | self.path_count = 0 | |
86 | self.reg_key_count = 0 | |
87 | self.source_type_counts = {} | |
88 | self.total_count = 0 | |
83 | self._label_counts = {} | |
84 | self._os_counts = {} | |
85 | self._path_count = 0 | |
86 | self._reg_key_count = 0 | |
87 | self._source_type_counts = {} | |
88 | self._total_count = 0 | |
89 | 89 | |
90 | 90 | for artifact_definition in artifact_reader.ReadDirectory('data'): |
91 | 91 | if hasattr(artifact_definition, 'labels'): |
92 | 92 | for label in artifact_definition.labels: |
93 | self.label_counts[label] = self.label_counts.get(label, 0) + 1 | |
93 | self._label_counts[label] = self._label_counts.get(label, 0) + 1 | |
94 | 94 | |
95 | 95 | for source in artifact_definition.sources: |
96 | self.total_count += 1 | |
96 | self._total_count += 1 | |
97 | 97 | source_type = source.type_indicator |
98 | self.source_type_counts[source_type] = self.source_type_counts.get( | |
98 | self._source_type_counts[source_type] = self._source_type_counts.get( | |
99 | 99 | source_type, 0) + 1 |
100 | 100 | |
101 | 101 | if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: |
102 | self.reg_key_count += len(source.keys) | |
102 | self._reg_key_count += len(source.keys) | |
103 | 103 | elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: |
104 | self.reg_key_count += len(source.key_value_pairs) | |
104 | self._reg_key_count += len(source.key_value_pairs) | |
105 | 105 | elif source_type in (definitions.TYPE_INDICATOR_FILE, |
106 | 106 | definitions.TYPE_INDICATOR_DIRECTORY): |
107 | self.path_count += len(source.paths) | |
107 | self._path_count += len(source.paths) | |
108 | 108 | |
109 | 109 | os_list = source.supported_os |
110 | 110 | for os_str in os_list: |
111 | self.os_counts[os_str] = self.os_counts.get(os_str, 0) + 1 | |
111 | self._os_counts[os_str] = self._os_counts.get(os_str, 0) + 1 | |
112 | 112 | |
113 | 113 | def PrintStats(self): |
114 | 114 | """Build stats and print in MarkDown format.""" |
5 | 5 | from __future__ import unicode_literals |
6 | 6 | |
7 | 7 | import argparse |
8 | import glob | |
8 | 9 | import logging |
9 | 10 | import os |
10 | 11 | import sys |
21 | 22 | LEGACY_PATH = os.path.join('data', 'legacy.yaml') |
22 | 23 | |
23 | 24 | _MACOS_PRIVATE_SUB_PATHS = ('etc', 'tftpboot', 'tmp', 'var') |
25 | ||
26 | _SUPPORTED_POSIX_USERS_VARIABLES = [ | |
27 | '%%users.homedir%%'] | |
28 | ||
29 | _SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES = [ | |
30 | '%%environ_allusersappdata%%', | |
31 | '%%environ_allusersprofile%%', | |
32 | '%%environ_programfiles%%', | |
33 | '%%environ_programfilesx86%%', | |
34 | '%%environ_systemdrive%%', | |
35 | '%%environ_systemroot%%', | |
36 | '%%environ_windir%%'] | |
37 | ||
38 | _SUPPORTED_WINDOWS_USERS_VARIABLES = [ | |
39 | '%%users.appdata%%', | |
40 | '%%users.localappdata%%', | |
41 | '%%users.sid%%', | |
42 | '%%users.temp%%', | |
43 | '%%users.username%%', | |
44 | '%%users.userprofile%%'] | |
24 | 45 | |
25 | 46 | def __init__(self): |
26 | 47 | """Initializes an artifact definitions validator.""" |
28 | 49 | self._artifact_registry = registry.ArtifactDefinitionsRegistry() |
29 | 50 | self._artifact_registry_key_paths = set() |
30 | 51 | |
31 | def _CheckRegistryKeyPath(self, filename, artifact_definition, key_path): | |
32 | """Checks a Windows Registry key path. | |
52 | def _CheckGlobstarInPathSegment( | |
53 | self, filename, artifact_definition, path, path_segment): | |
54 | """Checks if a globstar in a path segment is valid. | |
33 | 55 | |
34 | 56 | Args: |
35 | 57 | filename (str): name of the artifacts definition file. |
36 | 58 | artifact_definition (ArtifactDefinition): artifact definition. |
37 | key_path (str): key path. | |
38 | ||
39 | Returns: | |
40 | bool: True if the Registry key path is valid. | |
41 | """ | |
42 | result = True | |
43 | key_path = key_path.upper() | |
44 | ||
45 | if key_path.startswith('%%CURRENT_CONTROL_SET%%'): | |
46 | result = False | |
47 | logging.warning(( | |
48 | 'Artifact definition: {0:s} in file: {1:s} contains Windows ' | |
49 | 'Registry key path that starts with ' | |
50 | '%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with ' | |
51 | 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format( | |
52 | artifact_definition.name, filename)) | |
53 | ||
54 | return result | |
59 | path (str): path of which the path segment originated. | |
60 | path_segment (str): path segment to validate. | |
61 | ||
62 | Returns: | |
63 | bool: True if the globstar is valid. | |
64 | """ | |
65 | if not path_segment.startswith('**'): | |
66 | logging.warning(( | |
67 | 'Unuspported globstar with prefix: {0:s} for path: {1:s} defined by ' | |
68 | 'artifact definition: {2:s} in file: {3:s}').format( | |
69 | path_segment, path, artifact_definition.name, filename)) | |
70 | return False | |
71 | ||
72 | if len(path_segment) > 2: | |
73 | try: | |
74 | recursion_depth = int(path_segment[2:], 10) | |
75 | except (TypeError, ValueError): | |
76 | logging.warning(( | |
77 | 'Unuspported globstar with suffix: {0:s} for path: {1:s} defined ' | |
78 | 'by artifact definition: {2:s} in file: {3:s}').format( | |
79 | path_segment, path, artifact_definition.name, filename)) | |
80 | return False | |
81 | ||
82 | if recursion_depth <= 0 or recursion_depth > 10: | |
83 | logging.warning(( | |
84 | 'Globstar with unsupported recursion depth: {0:s} for path: {1:s} ' | |
85 | 'defined by artifact definition: {2:s} in file: {3:s}').format( | |
86 | path_segment, path, artifact_definition.name, filename)) | |
87 | return False | |
88 | ||
89 | return True | |
55 | 90 | |
56 | 91 | def _CheckMacOSPaths(self, filename, artifact_definition, source, paths): |
57 | 92 | """Checks if the paths are valid MacOS paths. |
96 | 131 | path, artifact_definition.name, filename)) |
97 | 132 | result = False |
98 | 133 | |
134 | has_globstar = False | |
135 | for path_segment in path_segments: | |
136 | if '**' in path_segment: | |
137 | if has_globstar: | |
138 | logging.warning(( | |
139 | 'Unsupported path: {0:s} with multiple globstars defined by ' | |
140 | 'artifact definition: {1:s} in file: {2:s}').format( | |
141 | path, artifact_definition.name, filename)) | |
142 | result = False | |
143 | break | |
144 | ||
145 | has_globstar = True | |
146 | if not self._CheckGlobstarInPathSegment( | |
147 | filename, artifact_definition, path, path_segment): | |
148 | result = False | |
149 | ||
150 | if has_globstar and path.endswith(source.separator): | |
151 | logging.warning(( | |
152 | 'Unsupported path: {0:s} with globstar and trailing path ' | |
153 | 'separator defined by artifact definition: {1:s} in file: ' | |
154 | '{2:s}').format(path, artifact_definition.name, filename)) | |
155 | result = False | |
156 | ||
99 | 157 | for private_path in paths_with_private: |
100 | 158 | if private_path[8:] not in paths_with_symbolic_link_to_private: |
101 | 159 | logging.warning(( |
116 | 174 | |
117 | 175 | return result |
118 | 176 | |
177 | def _CheckPath(self, filename, artifact_definition, source, path): | |
178 | """Checks if a path is valid. | |
179 | ||
180 | Args: | |
181 | filename (str): name of the artifacts definition file. | |
182 | artifact_definition (ArtifactDefinition): artifact definition. | |
183 | source (SourceType): source definition. | |
184 | path (str): path to validate. | |
185 | ||
186 | Returns: | |
187 | bool: True if the path is valid. | |
188 | """ | |
189 | result = True | |
190 | ||
191 | path_segments = path.split(source.separator) | |
192 | ||
193 | has_globstar = False | |
194 | for path_segment in path_segments: | |
195 | if '**' in path_segment: | |
196 | if has_globstar: | |
197 | logging.warning(( | |
198 | 'Unsupported path: {0:s} with multiple globstars defined by ' | |
199 | 'artifact definition: {1:s} in file: {2:s}').format( | |
200 | path, artifact_definition.name, filename)) | |
201 | result = False | |
202 | break | |
203 | ||
204 | has_globstar = True | |
205 | if not self._CheckGlobstarInPathSegment( | |
206 | filename, artifact_definition, path, path_segment): | |
207 | result = False | |
208 | ||
209 | if has_globstar and path.endswith(source.separator): | |
210 | logging.warning(( | |
211 | 'Unsupported path: {0:s} with globstar and trailing path ' | |
212 | 'separator defined by artifact definition: {1:s} in file: ' | |
213 | '{2:s}').format(path, artifact_definition.name, filename)) | |
214 | result = False | |
215 | ||
216 | return result | |
217 | ||
119 | 218 | def _CheckWindowsPath(self, filename, artifact_definition, source, path): |
120 | 219 | """Checks if a path is a valid Windows path. |
121 | 220 | |
200 | 299 | 'definition: {1:s} in file: {2:s}').format( |
201 | 300 | path, artifact_definition.name, filename)) |
202 | 301 | result = False |
302 | ||
303 | has_globstar = False | |
304 | for path_segment in path_segments: | |
305 | if path_segment.startswith('%%') and path_segment.endswith('%%'): | |
306 | if (path_segment.startswith('%%environ_') and | |
307 | path_segment not in self._SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES): | |
308 | result = False | |
309 | logging.warning(( | |
310 | 'Artifact definition: {0:s} in file: {1:s} contains Windows ' | |
311 | 'path that contains an unuspported environment variable: ' | |
312 | '"{2:s}".').format( | |
313 | artifact_definition.name, filename, path_segment)) | |
314 | ||
315 | elif (path_segment.startswith('%%users.') and | |
316 | path_segment not in self._SUPPORTED_WINDOWS_USERS_VARIABLES): | |
317 | result = False | |
318 | logging.warning(( | |
319 | 'Artifact definition: {0:s} in file: {1:s} contains Windows ' | |
320 | 'path that contains an unsupported users variable: ' | |
321 | '"{2:s}". ').format( | |
322 | artifact_definition.name, filename, path_segment)) | |
323 | ||
324 | elif '**' in path_segment: | |
325 | if has_globstar: | |
326 | logging.warning(( | |
327 | 'Unsupported path: {0:s} with multiple globstars defined by ' | |
328 | 'artifact definition: {1:s} in file: {2:s}').format( | |
329 | path, artifact_definition.name, filename)) | |
330 | result = False | |
331 | break | |
332 | ||
333 | has_globstar = True | |
334 | if not self._CheckGlobstarInPathSegment( | |
335 | filename, artifact_definition, path, path_segment): | |
336 | result = False | |
337 | ||
338 | if has_globstar and path.endswith(source.separator): | |
339 | logging.warning(( | |
340 | 'Unsupported path: {0:s} with globstar and trailing path ' | |
341 | 'separator defined by artifact definition: {1:s} in file: ' | |
342 | '{2:s}').format(path, artifact_definition.name, filename)) | |
343 | result = False | |
344 | ||
345 | return result | |
346 | ||
347 | def _CheckWindowsRegistryKeyPath( | |
348 | self, filename, artifact_definition, key_path): | |
349 | """Checks if a path is a valid Windows Registry key path. | |
350 | ||
351 | Args: | |
352 | filename (str): name of the artifacts definition file. | |
353 | artifact_definition (ArtifactDefinition): artifact definition. | |
354 | key_path (str): Windows Registry key path to validate. | |
355 | ||
356 | Returns: | |
357 | bool: True if the Windows Registry key path is valid. | |
358 | """ | |
359 | result = True | |
360 | key_path_segments = key_path.lower().split('\\') | |
361 | ||
362 | if key_path_segments[0] == '%%current_control_set%%': | |
363 | result = False | |
364 | logging.warning(( | |
365 | 'Artifact definition: {0:s} in file: {1:s} contains Windows ' | |
366 | 'Registry key path that starts with ' | |
367 | '%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with ' | |
368 | 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format( | |
369 | artifact_definition.name, filename)) | |
370 | ||
371 | for segment_index, key_path_segment in enumerate(key_path_segments): | |
372 | if key_path_segment.startswith('%%') and key_path_segment.endswith('%%'): | |
373 | if (segment_index == 1 and key_path_segment == '%%users.sid%%' and | |
374 | key_path_segments[0] == 'hkey_users'): | |
375 | continue | |
376 | ||
377 | if key_path_segment.startswith('%%environ_'): | |
378 | result = False | |
379 | logging.warning(( | |
380 | 'Artifact definition: {0:s} in file: {1:s} contains Windows ' | |
381 | 'Registry key path that contains an environment variable: ' | |
382 | '"{2:s}". Usage of environment variables in key paths is not ' | |
383 | 'encouraged at this time.').format( | |
384 | artifact_definition.name, filename, key_path_segment)) | |
385 | ||
386 | elif key_path_segment.startswith('%%users.'): | |
387 | result = False | |
388 | logging.warning(( | |
389 | 'Artifact definition: {0:s} in file: {1:s} contains Windows ' | |
390 | 'Registry key path that contains a users variable: "{2:s}". ' | |
391 | 'Usage of users variables in key paths, except for ' | |
392 | '"HKEY_USERS\\%%users.sid%%", is not encouraged at this ' | |
393 | 'time.').format( | |
394 | artifact_definition.name, filename, key_path_segment)) | |
203 | 395 | |
204 | 396 | return result |
205 | 397 | |
231 | 423 | result = True |
232 | 424 | |
233 | 425 | self._artifact_registry_key_paths.update(source.keys) |
426 | return result | |
427 | ||
428 | def CheckDirectory(self, path): | |
429 | """Validates the artifacts definition in a specific directory. | |
430 | ||
431 | Args: | |
432 | path (str): path of the directory containing the artifacts definition | |
433 | files. | |
434 | ||
435 | Returns: | |
436 | bool: True if the file contains valid artifacts definitions. | |
437 | """ | |
438 | for filename in glob.glob(os.path.join(path, '*.yaml')): | |
439 | result = self.CheckFile(filename) | |
440 | if not result: | |
441 | break | |
442 | ||
234 | 443 | return result |
235 | 444 | |
236 | 445 | def CheckFile(self, filename): |
280 | 489 | filename, artifact_definition, source, path): |
281 | 490 | result = False |
282 | 491 | |
492 | else: | |
493 | for path in source.paths: | |
494 | if not self._CheckPath( | |
495 | filename, artifact_definition, source, path): | |
496 | result = False | |
497 | ||
283 | 498 | elif source.type_indicator == ( |
284 | 499 | definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY): |
285 | 500 | |
291 | 506 | result = False |
292 | 507 | |
293 | 508 | for key_path in source.keys: |
294 | if not self._CheckRegistryKeyPath( | |
509 | if not self._CheckWindowsRegistryKeyPath( | |
295 | 510 | filename, artifact_definition, key_path): |
296 | 511 | result = False |
297 | 512 | |
299 | 514 | definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE): |
300 | 515 | |
301 | 516 | for key_value_pair in source.key_value_pairs: |
302 | if not self._CheckRegistryKeyPath( | |
517 | if not self._CheckWindowsRegistryKeyPath( | |
303 | 518 | filename, artifact_definition, key_value_pair['key']): |
304 | 519 | result = False |
305 | 520 | |
330 | 545 | description='Validates an artifact definitions file.') |
331 | 546 | |
332 | 547 | args_parser.add_argument( |
333 | 'filename', | |
334 | nargs='?', | |
335 | action='store', | |
336 | metavar='artifacts.yaml', | |
337 | default=None, | |
338 | help=('path of the file that contains the artifact ' | |
548 | 'definitions', nargs='?', action='store', metavar='PATH', default=None, | |
549 | help=('path of the file or directory that contains the artifact ' | |
339 | 550 | 'definitions.')) |
340 | 551 | |
341 | 552 | options = args_parser.parse_args() |
342 | 553 | |
343 | if not options.filename: | |
554 | if not options.definitions: | |
344 | 555 | print('Source value is missing.') |
345 | 556 | print('') |
346 | 557 | args_parser.print_help() |
347 | 558 | print('') |
348 | 559 | return False |
349 | 560 | |
350 | if not os.path.isfile(options.filename): | |
351 | print('No such file: {0:s}'.format(options.filename)) | |
561 | if not os.path.exists(options.definitions): | |
562 | print('No such file or directory: {0:s}'.format(options.definitions)) | |
352 | 563 | print('') |
353 | 564 | return False |
354 | 565 | |
355 | print('Validating: {0:s}'.format(options.filename)) | |
356 | 566 | validator = ArtifactDefinitionsValidator() |
357 | if not validator.CheckFile(options.filename): | |
567 | ||
568 | if os.path.isdir(options.definitions): | |
569 | print('Validating definitions in: {0:s}/*.yaml'.format(options.definitions)) | |
570 | result = validator.CheckDirectory(options.definitions) | |
571 | ||
572 | elif os.path.isfile(options.definitions): | |
573 | print('Validating definitions in: {0:s}'.format(options.definitions)) | |
574 | result = validator.CheckFile(options.definitions) | |
575 | ||
576 | if not result: | |
358 | 577 | print('FAILURE') |
359 | 578 | return False |
360 | 579 |
0 | 0 | [tox] |
1 | envlist = py2, py3 | |
1 | envlist = py3{6,7,8},coverage,pylint | |
2 | 2 | |
3 | 3 | [testenv] |
4 | 4 | pip_pre = True |
7 | 7 | deps = |
8 | 8 | -rrequirements.txt |
9 | 9 | -rtest_requirements.txt |
10 | coverage: coverage | |
10 | 11 | commands = |
11 | ./run_tests.py | |
12 | py3{6,7,8}: ./run_tests.py | |
13 | coverage: coverage erase | |
14 | coverage: coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py | |
12 | 15 | |
13 | [testenv:py27] | |
16 | [testenv:codecov] | |
17 | skip_install = true | |
18 | passenv = | |
19 | CI | |
20 | TRAVIS_BUILD_ID | |
21 | TRAVIS_COMMIT | |
22 | TRAVIS_JOB_ID | |
23 | TRAVIS_JOB_NUMBER | |
24 | TRAVIS_PULL_REQUEST | |
25 | TRAVIS_REPO_SLUG | |
26 | TRAVIS TRAVIS_BRANCH | |
27 | deps = | |
28 | codecov | |
29 | commands = | |
30 | codecov | |
31 | ||
32 | [testenv:pylint] | |
33 | skipsdist=True | |
14 | 34 | pip_pre = True |
15 | 35 | setenv = |
16 | 36 | PYTHONPATH = {toxinidir} |
17 | 37 | deps = |
18 | 38 | -rrequirements.txt |
19 | 39 | -rtest_requirements.txt |
20 | coverage | |
40 | pylint >= 2.4.0, < 2.5.0 | |
21 | 41 | commands = |
22 | coverage erase | |
23 | coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py | |
42 | pylint --version | |
43 | # Ignore setup.py for now due to: | |
44 | # setup.py:15:0: E0001: Cannot import 'distutils.command.bdist_msi' due to | |
45 | # syntax error 'expected an indented block (<unknown>, line 347)' (syntax-error) | |
46 | pylint --rcfile=.pylintrc artifacts tests tools |
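Review bot: `skipsdist=True` at line 33 of the new `[testenv:pylint]` section is, as far as I know, a `[tox]`-level option that tox ignores inside a testenv, so the package is still built and installed before pylint runs; the per-environment equivalent is `skip_install = true`, which the new `[testenv:codecov]` already uses at line 17. If the intent is to lint the checkout through `PYTHONPATH = {toxinidir}` without an sdist, replace line 33 with `skip_install = true`; otherwise drop it. Separately, the pin `pylint >= 2.4.0, < 2.5.0` at line 40 keeps the lint result stable, but `pip_pre = True` at line 34 (and in the shared `[testenv]`) still lets pip resolve pre-release builds of the other requirements, so lint and test runs are not fully reproducible across days; consider whether that flag is still needed.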
3 | 3 | from __future__ import print_function |
4 | 4 | from __future__ import unicode_literals |
5 | 5 | |
6 | import configparser | |
6 | 7 | import re |
7 | ||
8 | try: | |
9 | import ConfigParser as configparser | |
10 | except ImportError: | |
11 | import configparser # pylint: disable=import-error | |
12 | 8 | |
13 | 9 | |
14 | 10 | class DependencyDefinition(object): |
21 | 17 | provides the dependency. |
22 | 18 | l2tbinaries_name (str): name of the l2tbinaries package that provides |
23 | 19 | the dependency. |
24 | maximum_version (str): maximum supported version. | |
25 | minimum_version (str): minimum supported version. | |
20 | maximum_version (str): maximum supported version, a greater or equal | |
21 | version is not supported. | |
22 | minimum_version (str): minimum supported version, a lesser version is | |
23 | not supported. | |
26 | 24 | name (str): name of (the Python module that provides) the dependency. |
27 | 25 | pypi_name (str): name of the PyPI package that provides the dependency. |
28 | 26 | python2_only (bool): True if the dependency is only supported by Python 2. |
29 | 27 | python3_only (bool): True if the dependency is only supported by Python 3. |
30 | 28 | rpm_name (str): name of the rpm package that provides the dependency. |
29 | skip_check (bool): True if the dependency should be skipped by the | |
30 | CheckDependencies or CheckTestDependencies methods of DependencyHelper. | |
31 | 31 | version_property (str): name of the version attribute or function. |
32 | 32 | """ |
33 | 33 | |
49 | 49 | self.python2_only = False |
50 | 50 | self.python3_only = False |
51 | 51 | self.rpm_name = None |
52 | self.skip_check = None | |
52 | 53 | self.version_property = None |
53 | 54 | |
54 | 55 | |
66 | 67 | 'python2_only', |
67 | 68 | 'python3_only', |
68 | 69 | 'rpm_name', |
70 | 'skip_check', | |
69 | 71 | 'version_property']) |
70 | 72 | |
71 | 73 | def _GetConfigValue(self, config_parser, section_name, value_name): |
93 | 95 | Yields: |
94 | 96 | DependencyDefinition: dependency definition. |
95 | 97 | """ |
96 | config_parser = configparser.RawConfigParser() | |
97 | # pylint: disable=deprecated-method | |
98 | # TODO: replace readfp by read_file, check if Python 2 compatible | |
99 | config_parser.readfp(file_object) | |
98 | config_parser = configparser.ConfigParser(interpolation=None) | |
99 | config_parser.read_file(file_object) | |
100 | 100 | |
101 | 101 | for section_name in config_parser.sections(): |
102 | 102 | dependency_definition = DependencyDefinition(section_name) |
146 | 146 | dependency (DependencyDefinition): dependency definition. |
147 | 147 | |
148 | 148 | Returns: |
149 | tuple: consists: | |
149 | tuple: containing: | |
150 | 150 | |
151 | 151 | bool: True if the Python module is available and conforms to |
152 | 152 | the minimum required version, False otherwise. |
177 | 177 | maximum_version (str): maximum version. |
178 | 178 | |
179 | 179 | Returns: |
180 | tuple: consists: | |
180 | tuple: containing: | |
181 | 181 | |
182 | 182 | bool: True if the Python module is available and conforms to |
183 | 183 | the minimum required version, False otherwise. |
251 | 251 | status_message = '{0:s} version: {1!s}'.format(module_name, module_version) |
252 | 252 | return True, status_message |
253 | 253 | |
254 | def _CheckSQLite3(self): | |
255 | """Checks the availability of sqlite3. | |
256 | ||
257 | Returns: | |
258 | tuple: consists: | |
259 | ||
260 | bool: True if the Python module is available and conforms to | |
261 | the minimum required version, False otherwise. | |
262 | str: status message. | |
263 | """ | |
264 | # On Windows sqlite3 can be provided by both pysqlite2.dbapi2 and | |
265 | # sqlite3. sqlite3 is provided with the Python installation and | |
266 | # pysqlite2.dbapi2 by the pysqlite2 Python module. Typically | |
267 | # pysqlite2.dbapi2 would contain a newer version of sqlite3, hence | |
268 | # we check for its presence first. | |
269 | module_name = 'pysqlite2.dbapi2' | |
270 | minimum_version = '3.7.8' | |
271 | ||
272 | module_object = self._ImportPythonModule(module_name) | |
273 | if not module_object: | |
274 | module_name = 'sqlite3' | |
275 | ||
276 | module_object = self._ImportPythonModule(module_name) | |
277 | if not module_object: | |
278 | status_message = 'missing: {0:s}.'.format(module_name) | |
279 | return False, status_message | |
280 | ||
281 | return self._CheckPythonModuleVersion( | |
282 | module_name, module_object, 'sqlite_version', minimum_version, None) | |
283 | ||
284 | 254 | def _ImportPythonModule(self, module_name): |
285 | 255 | """Imports a Python module. |
286 | 256 | |
336 | 306 | print('Checking availability and versions of dependencies.') |
337 | 307 | check_result = True |
338 | 308 | |
339 | for module_name, dependency in sorted(self.dependencies.items()): | |
340 | if module_name == 'sqlite3': | |
341 | result, status_message = self._CheckSQLite3() | |
342 | else: | |
343 | result, status_message = self._CheckPythonModule(dependency) | |
344 | ||
345 | if not result and module_name == 'lzma': | |
346 | dependency.name = 'backports.lzma' | |
347 | result, status_message = self._CheckPythonModule(dependency) | |
309 | for _, dependency in sorted(self.dependencies.items()): | |
310 | if dependency.skip_check: | |
311 | continue | |
312 | ||
313 | result, status_message = self._CheckPythonModule(dependency) | |
348 | 314 | |
349 | 315 | if not result and not dependency.is_optional: |
350 | 316 | check_result = False |
376 | 342 | for dependency in sorted( |
377 | 343 | self._test_dependencies.values(), |
378 | 344 | key=lambda dependency: dependency.name): |
345 | if dependency.skip_check: | |
346 | continue | |
347 | ||
379 | 348 | result, status_message = self._CheckPythonModule(dependency) |
380 | 349 | if not result: |
381 | 350 | check_result = False |
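Review bot: `self.skip_check = None` at line 52 initializes an attribute the class docstring (lines 29–30) documents as a bool, while the sibling flags on lines 49–50 are initialized to `False`; for consistency with the documented type use `self.skip_check = False`. The `if dependency.skip_check:` guards added at lines 310 and 345 behave the same either way, but a `None` default leaks into anything that compares or serializes a `DependencyDefinition`; the `__init__` that holds line 52 starts outside the hunk. With the Python 2 `ConfigParser` fallback removed at old lines 8–11, the `from __future__ import print_function` / `unicode_literals` lines kept at 3–4 are leftovers of the same compatibility layer and can go in a follow-up. `configparser.ConfigParser(interpolation=None)` at line 98 is the right choice here, since it reads the `.ini` values verbatim instead of interpreting `%` sequences.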