Commit 89711721bbdd97e951b8f153535bd8cae12d5e14 - forensic-artifacts

New upstream version 20201106 Samuel Henrique 3 years ago

46 changed file(s) with 4007 addition(s) and 2351 deletion(s). Raw diff Collapse all Expand all

+221

-142

.pylintrc less more

0		# Pylint 2.1.x - 2.2.x configuration file
	0	# Pylint 2.4.x configuration file
1	1	#
2	2	# This file is generated by l2tdevtools update-dependencies.py, any dependency
3	3	# related changes should be made in dependencies.ini.

5	5
6	6	# A comma-separated list of package or module names from where C extensions may
7	7	# be loaded. Extensions are loading into the active Python interpreter and may
8		# run arbitrary code
	8	# run arbitrary code.
9	9	extension-pkg-whitelist=
10	10
11	11	# Add files or directories to the blacklist. They should be base names, not

20	20	# pygtk.require().
21	21	#init-hook=
22	22
23		# Use multiple processes to speed up Pylint.
	23	# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
	24	# number of processors available to use.
24	25	jobs=1
25	26
26		# List of plugins (as comma separated values of python modules names) to load,
	27	# Control the amount of potential inferred values when inferring a single
	28	# object. This can help the performance when dealing with large functions or
	29	# complex, nested conditions.
	30	limit-inference-results=100
	31
	32	# List of plugins (as comma separated values of python module names) to load,
27	33	# usually to register additional checkers.
28	34	load-plugins=pylint.extensions.docparams
29	35

32	38
33	39	# Specify a configuration file.
34	40	#rcfile=
	41
	42	# When enabled, pylint would attempt to guess common misconfiguration and emit
	43	# user-friendly hints instead of false-positive error messages.
	44	suggestion-mode=yes
35	45
36	46	# Allow loading of arbitrary C extensions. Extensions are imported into the
37	47	# active Python interpreter and may run arbitrary code.

41	51	[MESSAGES CONTROL]
42	52
43	53	# Only show warnings with the listed confidence levels. Leave empty to show
44		# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
	54	# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED.
45	55	confidence=
46	56
47	57	# Disable the message, report, category or checker with the given id(s). You
48	58	# can either give multiple identifiers separated by comma (,) or put this
49	59	# option multiple times (only on the command line, not in the configuration
50		# file where it should appear only once).You can also use "--disable=all" to
	60	# file where it should appear only once). You can also use "--disable=all" to
51	61	# disable everything first and then reenable specific checks. For example, if
52	62	# you want to run only the similarities checker, you can use "--disable=all
53	63	# --enable=similarities". If you want to run only the classes checker, but have
54		# no Warning level messages displayed, use"--disable=all --enable=classes
55		# --disable=W"
56		#
57		disable=
58		assignment-from-none,
59		bad-inline-option,
60		deprecated-pragma,
61		duplicate-code,
62		eq-without-hash,
63		file-ignored,
64		fixme,
65		locally-disabled,
66		locally-enabled,
67		logging-format-interpolation,
68		metaclass-assignment,
69		missing-param-doc,
70		no-absolute-import,
71		no-self-use,
72		parameter-unpacking,
73		raw-checker-failed,
74		suppressed-message,
75		too-few-public-methods,
76		too-many-ancestors,
77		too-many-boolean-expressions,
78		too-many-branches,
79		too-many-instance-attributes,
80		too-many-lines,
81		too-many-locals,
82		too-many-nested-blocks,
83		too-many-public-methods,
84		too-many-return-statements,
85		too-many-statements,
86		unsubscriptable-object,
87		useless-object-inheritance,
88		useless-suppression
	64	# no Warning level messages displayed, use "--disable=all --enable=classes
	65	# --disable=W".
	66	disable=assignment-from-none,
	67	bad-inline-option,
	68	deprecated-pragma,
	69	duplicate-code,
	70	eq-without-hash,
	71	file-ignored,
	72	fixme,
	73	locally-disabled,
	74	locally-enabled,
	75	logging-format-interpolation,
	76	metaclass-assignment,
	77	missing-param-doc,
	78	no-absolute-import,
	79	no-self-use,
	80	parameter-unpacking,
	81	raw-checker-failed,
	82	suppressed-message,
	83	too-few-public-methods,
	84	too-many-ancestors,
	85	too-many-boolean-expressions,
	86	too-many-branches,
	87	too-many-instance-attributes,
	88	too-many-lines,
	89	too-many-locals,
	90	too-many-nested-blocks,
	91	too-many-public-methods,
	92	too-many-return-statements,
	93	too-many-statements,
	94	unsubscriptable-object,
	95	useless-object-inheritance,
	96	useless-suppression
89	97
90	98	# Enable the message, report, category or checker with the given id(s). You can
91	99	# either give multiple identifier separated by comma (,) or put this option
92	100	# multiple time (only on the command line, not in the configuration file where
93	101	# it should appear only once). See also the "--disable" option for examples.
	102	# enable=c-extension-no-member
94	103	enable=
95	104
96	105
97	106	[REPORTS]
98	107
99		# Python expression which should return a note less than 10 (10 is the highest
100		# note). You have access to the variables errors warning, statement which
101		# respectively contain the number of errors / warnings messages and the total
102		# number of statements analyzed. This is used by the global evaluation report
103		# (RP0004).
	108	# Python expression which should return a score less than or equal to 10. You
	109	# have access to the variables 'error', 'warning', 'refactor', and 'convention'
	110	# which contain the number of messages in each category, as well as 'statement'
	111	# which is the total number of statements analyzed. This score is used by the
	112	# global evaluation report (RP0004).
104	113	evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
105	114
106	115	# Template used to display messages. This is a python new-style format string
107		# used to format the message information. See doc for all details
	116	# used to format the message information. See doc for all details.
108	117	#msg-template=
109	118
110	119	# Set the output format. Available formats are text, parseable, colorized, json
111		# and msvs (visual studio).You can also give a reporter class, eg
	120	# and msvs (visual studio). You can also give a reporter class, e.g.
112	121	# mypackage.mymodule.MyReporterClass.
113	122	output-format=text
114	123
115		# Tells whether to display a full report or only the messages
	124	# Tells whether to display a full report or only the messages.
116	125	reports=no
117	126
118	127	# Activate the evaluation score.

125	134	# Maximum number of nested blocks for function / method body
126	135	max-nested-blocks=5
127	136
	137	# Complete name of functions that never returns. When checking for
	138	# inconsistent-return-statements if a never returning function is called then
	139	# it will be considered as an explicit return statement and no message will be
	140	# printed.
	141	never-returning-functions=sys.exit
	142
128	143
129	144	[VARIABLES]
130	145
131	146	# List of additional names supposed to be defined in builtins. Remember that
132		# you should avoid to define new builtins when possible.
	147	# you should avoid defining new builtins when possible.
133	148	additional-builtins=
134	149
135	150	# Tells whether unused global variables should be treated as a violation.

137	152
138	153	# List of strings which can identify a callback function by name. A callback
139	154	# name must start or end with one of those strings.
140		callbacks=cb_,_cb
141
142		# A regular expression matching the name of dummy variables (i.e. expectedly
143		# not used).
	155	callbacks=cb_,
	156	_cb
	157
	158	# A regular expression matching the name of dummy variables (i.e. expected to
	159	# not be used).
144	160	dummy-variables-rgx=_+$\|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)\|dummy\|^ignored_\|^unused_
145	161
146	162	# Argument names that match this expression will be ignored. Default to name
147		# with leading underscore
	163	# with leading underscore.
148	164	ignored-argument-names=_.*\|^ignored_\|^unused_
149	165
150	166	# Tells whether we should check for unused import in __init__ files.

152	168
153	169	# List of qualified module names which can have objects that can redefine
154	170	# builtins.
155		redefining-builtins-modules=six.moves,future.builtins
	171	redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
156	172
157	173
158	174	[TYPECHECK]

170	186	# Tells whether missing members accessed in mixin class should be ignored. A
171	187	# mixin class is detected if its name ends with "mixin" (case insensitive).
172	188	ignore-mixin-members=yes
	189
	190	# Tells whether to warn about missing members when the owner of the attribute
	191	# is inferred to be None.
	192	ignore-none=yes
173	193
174	194	# This flag controls whether pylint should warn about no-member and similar
175	195	# checks whenever an opaque object is returned when inferring. The inference

186	206
187	207	# List of module names for which member attributes should not be checked
188	208	# (useful for modules/projects where namespaces are manipulated during runtime
189		# and thus existing member attributes cannot be deduced by static analysis. It
	209	# and thus existing member attributes cannot be deduced by static analysis). It
190	210	# supports qualified module names, as well as Unix pattern matching.
191	211	ignored-modules=
192	212

202	222	# showing a hint for a missing member.
203	223	missing-member-max-choices=1
204	224
	225	# List of decorators that change the signature of a decorated function.
	226	signature-mutators=
	227
205	228
206	229	[LOGGING]
207	230
	231	# Format style used to check logging format string. `old` means using %
	232	# formatting, `new` is for `{}` formatting,and `fstr` is for f-strings.
	233	logging-format-style=old
	234
208	235	# Logging modules to check that the string format arguments are in logging
209		# function parameter format
	236	# function parameter format.
210	237	logging-modules=logging
211	238
212	239
213	240	[BASIC]
214	241
215		# Naming hint for argument names
216		# argument-name-hint=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
217		argument-name-hint=(([a-z][a-z0-9_])\|(_[a-z0-9_]))$
218
219		# Regular expression matching correct argument names
220		# argument-rgx=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
	242	# Naming style matching correct argument names.
	243	argument-naming-style=snake_case
	244
	245	# Regular expression matching correct argument names. Overrides argument-
	246	# naming-style.
	247	#argument-rgx=
221	248	argument-rgx=(([a-z][a-z0-9_])\|(_[a-z0-9_]))$
222	249
223		# Naming hint for attribute names
224		# attr-name-hint=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
225		attr-name-hint=(([a-z][a-z0-9_])\|(_[a-z0-9_]))$
226
227		# Regular expression matching correct attribute names
228		# attr-rgx=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
	250	# Naming style matching correct attribute names.
	251	attr-naming-style=snake_case
	252
	253	# Regular expression matching correct attribute names. Overrides attr-naming-
	254	# style.
	255	#attr-rgx=
229	256	attr-rgx=(([a-z][a-z0-9_])\|(_[a-z0-9_]))$
230	257
231		# Bad variable names which should always be refused, separated by a comma
232		bad-names=foo,bar,baz,toto,tutu,tata
233
234		# Naming hint for class attribute names
235		# class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}\|(__.*__))$
236		class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]\|(__.__))$
237
238		# Regular expression matching correct class attribute names
239		# class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}\|(__.*__))$
	258	# Bad variable names which should always be refused, separated by a comma.
	259	bad-names=foo,
	260	bar,
	261	baz,
	262	toto,
	263	tutu,
	264	tata
	265
	266	# Naming style matching correct class attribute names.
	267	class-attribute-naming-style=any
	268
	269	# Regular expression matching correct class attribute names. Overrides class-
	270	# attribute-naming-style.
	271	#class-attribute-rgx=
240	272	class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]\|(__.__))$
241	273
242		# Naming hint for class names
243		class-name-hint=[A-Z_][a-zA-Z0-9]+$
244
245		# Regular expression matching correct class names
	274	# Naming style matching correct class names.
	275	class-naming-style=PascalCase
	276
	277	# Regular expression matching correct class names. Overrides class-naming-
	278	# style.
	279	#class-rgx=
246	280	class-rgx=[A-Z_][a-zA-Z0-9]+$
247	281
248		# Naming hint for constant names
249		# const-name-hint=(([A-Z_][A-Z0-9_])\|(__.__))$
250		const-name-hint=(([a-zA-Z_][a-zA-Z0-9_])\|(__.__))$
251
252		# Regular expression matching correct constant names
253		# const-rgx=(([A-Z_][A-Z0-9_])\|(__.__))$
	282	# Naming style matching correct constant names.
	283	const-naming-style=UPPER_CASE
	284
	285	# Regular expression matching correct constant names. Overrides const-naming-
	286	# style.
	287	#const-rgx=
254	288	const-rgx=(([a-zA-Z_][a-zA-Z0-9_])\|(__.__))$
255	289
256	290	# Minimum line length for functions/classes that require docstrings, shorter
257	291	# ones are exempt.
258	292	docstring-min-length=-1
259	293
260		# Naming hint for function names
261		# function-name-hint=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
262		function-name-hint=[A-Z_][a-zA-Z0-9_]*$
263
264		# Regular expression matching correct function names
265		# function-rgx=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
	294	# Naming style matching correct function names.
	295	function-naming-style=snake_case
	296
	297	# Regular expression matching correct function names. Overrides function-
	298	# naming-style.
	299	#function-rgx=
266	300	function-rgx=[A-Z_][a-zA-Z0-9_]*$
267	301
268		# Good variable names which should always be accepted, separated by a comma
269		good-names=i,j,k,ex,Run,_
270
271		# Include a hint for the correct naming format with invalid-name
	302	# Good variable names which should always be accepted, separated by a comma.
	303	good-names=i,
	304	j,
	305	k,
	306	ex,
	307	Run,
	308	_
	309
	310	# Include a hint for the correct naming format with invalid-name.
272	311	include-naming-hint=no
273	312
274		# Naming hint for inline iteration names
275		inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
276
277		# Regular expression matching correct inline iteration names
	313	# Naming style matching correct inline iteration names.
	314	inlinevar-naming-style=any
	315
	316	# Regular expression matching correct inline iteration names. Overrides
	317	# inlinevar-naming-style.
	318	#inlinevar-rgx=
278	319	inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
279	320
280		# Naming hint for method names
281		# method-name-hint=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
282		method-name-hint=(test\|[A-Z_])[a-zA-Z0-9_]*$
283
284		# Regular expression matching correct method names
285		# method-rgx=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
	321	# Naming style matching correct method names.
	322	method-naming-style=snake_case
	323
	324	# Regular expression matching correct method names. Overrides method-naming-
	325	# style.
	326	#method-rgx=
286	327	method-rgx=(test\|[A-Z_])[a-zA-Z0-9_]*$
287	328
288		# Naming hint for module names
289		module-name-hint=(([a-z_][a-z0-9_]*)\|([A-Z][a-zA-Z0-9]+))$
290
291		# Regular expression matching correct module names
	329	# Naming style matching correct module names.
	330	module-naming-style=snake_case
	331
	332	# Regular expression matching correct module names. Overrides module-naming-
	333	# style.
	334	#module-rgx=
292	335	module-rgx=(([a-z_][a-z0-9_]*)\|([A-Z][a-zA-Z0-9]+))$
293	336
294	337	# Colon-delimited sets of names that determine each other's naming style when

301	344
302	345	# List of decorators that produce properties, such as abc.abstractproperty. Add
303	346	# to this list to register other decorators that produce valid properties.
	347	# These decorators are taken in consideration only for invalid-name.
304	348	property-classes=abc.abstractproperty
305	349
306		# Naming hint for variable names
307		# variable-name-hint=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
308		variable-name-hint=(([a-z][a-z0-9_])\|(_[a-z0-9_]))$
309
310		# Regular expression matching correct variable names
311		# variable-rgx=(([a-z][a-z0-9_]{2,30})\|(_[a-z0-9_]*))$
	350	# Naming style matching correct variable names.
	351	variable-naming-style=snake_case
	352
	353	# Regular expression matching correct variable names. Overrides variable-
	354	# naming-style.
	355	#variable-rgx=
312	356	variable-rgx=(([a-z][a-z0-9_])\|(_[a-z0-9_]))$
313	357
314	358
315	359	[MISCELLANEOUS]
316	360
317	361	# List of note tags to take in consideration, separated by a comma.
318		notes=FIXME,XXX,TODO
	362	notes=FIXME,
	363	XXX,
	364	TODO
319	365
320	366
321	367	[FORMAT]

326	372	# Regexp for a line that is allowed to be longer than the limit.
327	373	ignore-long-lines=^\s*(# )?<?https?://\S+>?$
328	374
329		# Number of spaces of indent required inside a hanging or continued line.
	375	# Number of spaces of indent required inside a hanging or continued line.
330	376	indent-after-paren=4
331	377
332	378	# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1

338	384	# max-line-length=100
339	385	max-line-length=80
340	386
341		# Maximum number of lines in a module
	387	# Maximum number of lines in a module.
342	388	max-module-lines=1000
343	389
344	390	# List of optional constructs for which whitespace checking is disabled. `dict-
345	391	# separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}.
346	392	# `trailing-comma` allows a space between comma and closing bracket: (a, ).
347	393	# `empty-line` allows space-only lines.
348		no-space-check=trailing-comma,dict-separator
	394	no-space-check=trailing-comma,
	395	dict-separator
349	396
350	397	# Allow the body of a class to be on the same line as the declaration if body
351	398	# contains single statement.

358	405
359	406	[SPELLING]
360	407
361		# Spelling dictionary name. Available dictionaries: en_US (myspell).
	408	# Limits count of emitted suggestions for spelling mistakes.
	409	max-spelling-suggestions=4
	410
	411	# Spelling dictionary name. Available dictionaries: en_NA (myspell), en_NZ
	412	# (myspell), en_ZM (myspell), en_CA (myspell), en_GH (myspell), en_IN
	413	# (myspell), en_TT (myspell), en_BS (myspell), en_DK (myspell), en_MW
	414	# (myspell), en_ZW (myspell), en_BW (myspell), en_ZA (myspell), en_BZ
	415	# (myspell), en_JM (myspell), en_US (myspell), en_PH (myspell), en_GB
	416	# (myspell), en_SG (myspell), en_IE (myspell), en_HK (myspell), en_AU
	417	# (myspell), en_AG (myspell), en_NG (myspell).
362	418	spelling-dict=
363	419
364	420	# List of comma separated words that should not be checked.
365	421	spelling-ignore-words=
366	422
367		# A path to a file that contains private dictionary; one word per line.
	423	# A path to a file that contains the private dictionary; one word per line.
368	424	spelling-private-dict-file=
369	425
370		# Tells whether to store unknown words to indicated private dictionary in
371		# --spelling-private-dict-file option instead of raising a message.
	426	# Tells whether to store unknown words to the private dictionary (see the
	427	# --spelling-private-dict-file option) instead of raising a message.
372	428	spelling-store-unknown-words=no
373	429
374	430

387	443	min-similarity-lines=4
388	444
389	445
	446	[STRING]
	447
	448	# This flag controls whether the implicit-str-concat-in-sequence should
	449	# generate a warning on implicit string concatenation in sequences defined over
	450	# several lines.
	451	check-str-concat-over-line-jumps=no
	452
	453
390	454	[DESIGN]
391	455
392		# Maximum number of arguments for function / method
	456	# Maximum number of arguments for function / method.
393	457	# max-args=5
394	458	max-args=10
395	459
396	460	# Maximum number of attributes for a class (see R0902).
397	461	max-attributes=7
398	462
399		# Maximum number of boolean expressions in a if statement
	463	# Maximum number of boolean expressions in an if statement (see R0916).
400	464	max-bool-expr=5
401	465
402		# Maximum number of branch for function / method body
	466	# Maximum number of branch for function / method body.
403	467	max-branches=12
404	468
405		# Maximum number of locals for function / method body
	469	# Maximum number of locals for function / method body.
406	470	max-locals=15
407	471
408	472	# Maximum number of parents for a class (see R0901).

411	475	# Maximum number of public methods for a class (see R0904).
412	476	max-public-methods=20
413	477
414		# Maximum number of return / yield for function / method body
	478	# Maximum number of return / yield for function / method body.
415	479	max-returns=6
416	480
417		# Maximum number of statements in function / method body
	481	# Maximum number of statements in function / method body.
418	482	max-statements=50
419	483
420	484	# Minimum number of public methods for a class (see R0903).

424	488	[CLASSES]
425	489
426	490	# List of method names used to declare (i.e. assign) instance attributes.
427		defining-attr-methods=__init__,__new__,setUp
	491	defining-attr-methods=__init__,
	492	__new__,
	493	setUp,
	494	__post_init__
428	495
429	496	# List of member names, which should be excluded from the protected access
430	497	# warning.
431		exclude-protected=_asdict,_fields,_replace,_source,_make
	498	exclude-protected=_asdict,
	499	_fields,
	500	_replace,
	501	_source,
	502	_make
432	503
433	504	# List of valid names for the first argument in a class method.
434	505	valid-classmethod-first-arg=cls
435	506
436	507	# List of valid names for the first argument in a metaclass class method.
437		valid-metaclass-classmethod-first-arg=mcs
	508	valid-metaclass-classmethod-first-arg=cls
438	509
439	510
440	511	[IMPORTS]
	512
	513	# List of modules that can be imported at any level, not just the top level
	514	# one.
	515	allow-any-import-level=
441	516
442	517	# Allow wildcard imports from modules that define __all__.
443	518	allow-wildcard-with-all=no

447	522	# only in one or another interpreter, leading to false positives when analysed.
448	523	analyse-fallback-blocks=no
449	524
450		# Deprecated modules which should not be used, separated by a comma
	525	# Deprecated modules which should not be used, separated by a comma.
451	526	deprecated-modules=optparse,tkinter.tix
452	527
453	528	# Create a graph of external dependencies in the given file (report RP0402 must
454		# not be disabled)
	529	# not be disabled).
455	530	ext-import-graph=
456	531
457	532	# Create a graph of every (i.e. internal and external) dependencies in the
458		# given file (report RP0402 must not be disabled)
	533	# given file (report RP0402 must not be disabled).
459	534	import-graph=
460	535
461	536	# Create a graph of internal dependencies in the given file (report RP0402 must
462		# not be disabled)
	537	# not be disabled).
463	538	int-import-graph=
464	539
465	540	# Force import order to recognize a module as part of the standard

469	544	# Force import order to recognize a module as part of a third party library.
470	545	known-third-party=enchant
471	546
	547	# Couples of modules and preferred modules, separated by a comma.
	548	preferred-modules=
	549
472	550
473	551	[EXCEPTIONS]
474	552
475	553	# Exceptions that will emit a warning when being caught. Defaults to
476		# "Exception"
477		overgeneral-exceptions=Exception
	554	# "BaseException, Exception".
	555	overgeneral-exceptions=BaseException,
	556	Exception

+85

-104

.travis.yml less more

0		matrix:
	0	version: ~> 1.0
	1	language: generic
	2	arch: amd64
	3	os: linux
	4	dist: focal
	5	jobs:
1	6	include:
2		- name: "Pylint on Ubuntu Xenial (16.04) with Python 3.5"
3		env: TARGET="pylint"
4		os: linux
5		dist: xenial
6		sudo: required
7		group: edge
8		language: python
9		python: 3.5
10		virtualenv:
11		system_site_packages: true
12		- name: "Ubuntu Xenial (16.04) with Python 2.7"
13		env: TARGET="linux-python27"
14		os: linux
15		dist: xenial
16		sudo: required
17		group: edge
18		language: python
19		python: 2.7
20		virtualenv:
21		system_site_packages: true
22		- name: "Ubuntu Xenial (16.04) with Python 3.5"
23		env: TARGET="linux-python35"
24		os: linux
25		dist: xenial
26		sudo: required
27		group: edge
28		language: python
29		python: 3.5
30		virtualenv:
31		system_site_packages: true
32		- name: "Fedora Core 29 (Docker) with Python 2.7"
33		env: FEDORA_VERSION="29"
34		os: linux
35		dist: xenial
36		sudo: required
37		group: edge
38		language: python
39		python: 2.7
40		services:
41		- docker
42		- name: "Fedora Core 29 (Docker) with Python 3.7"
43		env: FEDORA_VERSION="29"
44		os: linux
45		dist: xenial
46		sudo: required
	7	- name: "Fedora 31 (Docker) with Python 3.7"
	8	env: FEDORA_VERSION="31"
47	9	group: edge
48	10	language: python
49	11	python: 3.7
50	12	services:
51	13	- docker
52		- name: "Ubuntu Bionic (18.04) (Docker) with Python 2.7"
53		env: UBUNTU_VERSION="18.04"
54		os: linux
55		dist: xenial
56		sudo: required
	14	- name: "Fedora 32 (Docker) with Python 3.8"
	15	env: FEDORA_VERSION="32"
57	16	group: edge
58	17	language: python
59		python: 2.7
	18	python: 3.8
60	19	services:
61	20	- docker
62		- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6"
	21	- name: "Fedora 33 (Docker) with Python 3.9"
	22	env: FEDORA_VERSION="33"
	23	group: edge
	24	language: python
	25	python: 3.9
	26	services:
	27	- docker
	28	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (amd64)"
63	29	env: UBUNTU_VERSION="18.04"
64		os: linux
65		dist: xenial
66		sudo: required
67	30	group: edge
68	31	language: python
69	32	python: 3.6
70	33	services:
71	34	- docker
72		- name: "Ubuntu Bionic (18.04) (Docker) with Python 2.7 and tox"
73		env: [TOXENV="py27", UBUNTU_VERSION="18.04"]
74		os: linux
75		dist: xenial
76		sudo: required
77		group: edge
78		language: python
79		python: 2.7
80		services:
81		- docker
82		- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.4 and tox"
83		env: [TOXENV="py34", UBUNTU_VERSION="18.04"]
84		os: linux
85		dist: xenial
86		sudo: required
87		group: edge
88		language: python
89		python: 3.4
90		services:
91		- docker
92		- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.5 and tox"
93		env: [TOXENV="py35", UBUNTU_VERSION="18.04"]
94		os: linux
95		dist: xenial
96		sudo: required
97		group: edge
98		language: python
99		python: 3.5
100		services:
101		- docker
102		- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 and tox"
103		env: [TOXENV="py36", UBUNTU_VERSION="18.04"]
104		os: linux
105		dist: xenial
106		sudo: required
	35	- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.6 (ppc64le)"
	36	env: UBUNTU_VERSION="18.04"
	37	arch: ppc64le
107	38	group: edge
108	39	language: python
109	40	python: 3.6
110	41	services:
111	42	- docker
112		- name: "Ubuntu Bionic (18.04) (Docker) with Python 3.7 and tox"
113		env: [TOXENV="py37", UBUNTU_VERSION="18.04"]
114		os: linux
115		dist: xenial
116		sudo: required
	43	- name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (amd64)"
	44	env: UBUNTU_VERSION="20.04"
	45	group: edge
	46	language: python
	47	python: 3.8
	48	services:
	49	- docker
	50	- name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (ppc64le)"
	51	env: UBUNTU_VERSION="20.04"
	52	arch: ppc64le
	53	group: edge
	54	language: python
	55	python: 3.8
	56	services:
	57	- docker
	58	- name: "Ubuntu Focal (20.04) (Docker) with Python 3.6 (tox)"
	59	env:
	60	- TOXENV="py36"
	61	- UBUNTU_VERSION="20.04"
	62	group: edge
	63	language: python
	64	python: 3.6
	65	services:
	66	- docker
	67	- name: "Ubuntu Focal (20.04) (Docker) with Python 3.7 (tox)"
	68	env:
	69	- TOXENV="py37"
	70	- UBUNTU_VERSION="20.04"
117	71	group: edge
118	72	language: python
119	73	python: 3.7
120	74	services:
121	75	- docker
122		- name: "MacOS with Python 2.7.10"
123		env: [TARGET="macos-python27", PYTHONPATH="/Library/Python/2.7/site-packages/"]
	76	- name: "Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)"
	77	env:
	78	- TOXENV="py38,coverage,codecov"
	79	- UBUNTU_VERSION="20.04"
	80	group: edge
	81	language: python
	82	python: 3.8
	83	services:
	84	- docker
	85	- name: "Ubuntu Focal (20.04) (Docker) with Python 3.9 (tox)"
	86	env:
	87	- TOXENV="py39"
	88	- UBUNTU_VERSION="20.04"
	89	group: edge
	90	language: python
	91	python: 3.9
	92	services:
	93	- docker
	94	- name: "Pylint on Ubuntu Focal (20.04) (Docker) with Python 3.8 (tox)"
	95	env:
	96	- TOXENV="pylint"
	97	- UBUNTU_VERSION="20.04"
	98	group: edge
	99	language: python
	100	python: 3.8
	101	services:
	102	- docker
	103	- name: "MacOS 10.14 with Python 3.8 (tox)"
	104	env: TOXENV="py38"
124	105	os: osx
125		osx_image: xcode9.2
126		language: generic
	106	osx_image: xcode11
	107	- name: "MacOS 10.15 with Python 3.8 (tox)"
	108	env: TOXENV="py38"
	109	os: osx
	110	osx_image: xcode12
127	111	install:
128	112	- ./config/travis/install.sh
129	113	script:
130		- ./config/travis/run_with_timeout.sh 30 ./config/travis/runtests.sh
131		after_success:
132		- if ! test -f /usr/bin/coverage; then sudo ln -s /usr/bin/python-coverage /usr/bin/coverage; fi
133		- if test ${TARGET} = "linux-python27"; then curl -o codecov.sh -s https://codecov.io/bash && /bin/bash ./codecov.sh; fi
	114	- ./config/travis/run_with_timeout.sh 45 ./config/travis/runtests.sh

-0

ACKNOWLEDGEMENTS less more

4	4	Sean Gillespie
5	5	Andreas Moser
6	6	Sebastian Welsh
	7	Andrew Williams

+23

-23

README.md less more

0		## Digital Forensics Artifact Repository Artifact Repository
	0	## Digital Forensics Artifact Repository
1	1
2	2	A free, community-sourced, machine-readable knowledge base of digital forensic
3	3	artifacts that the world can use both as an information source and within other
4	4	tools.
5	5
6	6	If you'd like to use the artifacts in your own tools, **all you need to be able
7		to do is read YAML**. That's it, no other dependencies. The Python code in
	7	to do is read YAML**. That is it, no other dependencies. The Python code in
8	8	this project is just used to validate all the artifacts to make sure they
9		follow the specfication.
	9	follow the specification.
10	10
11	11	### Project status
12	12
13		[Travis-CI](https://travis-ci.org/) \| [AppVeyor](https://ci.appveyor.com) \| [Codecov](https://codecov.io/)
14		--- \| --- \| ---
15		[![Build Status](https://travis-ci.org/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.org/ForensicArtifacts/artifacts) \| [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) \| [![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts)
16
	13	[Travis-CI](https://travis-ci.com/) \| [AppVeyor](https://ci.appveyor.com) \| [Codecov](https://codecov.io/)
	14	--- \| --- \| ---
	15	[![Build Status](https://travis-ci.com/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.com/ForensicArtifacts/artifacts) \| [![Build status](https://ci.appveyor.com/api/projects/status/7gv9fwr269527cj1?svg=true)](https://ci.appveyor.com/project/forensicartifacts/artifacts) \| [![codecov](https://codecov.io/gh/ForensicArtifacts/artifacts/branch/master/graph/badge.svg)](https://codecov.io/gh/ForensicArtifacts/artifacts)
17	16
18	17	## Artifact Definitions
19	18
20		The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data) and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc).
	19	The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/master/data)
	20	and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc).
21	21
22		As of 2015-11-20 the repository contains:
	22	As of 2019-06-10 the repository contains:
23	23
24		\| File paths covered \| 487 \|
	24	\| File paths covered \| 1013 \|
25	25	\| :------------------ \| ------: \|
26		\| Registry keys covered \| 289 \|
27		\| Total artifacts \| 345 \|
	26	\| Registry keys covered \| 635 \|
	27	\| Total artifacts \| 525 \|
28	28
29	29	Artifacts by type
30	30
31		\| ARTIFACT \| COMMAND \| DIRECTORY \| FILE \| PATH \| REGISTRY_KEY \| REGISTRY_VALUE \| WMI \|
32		\| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \|
33		\| 14 \| 6 \| 11 \| 191 \| 4 \| 38 \| 65 \| 16 \|
	31	\| ARTIFACT_GROUP \| COMMAND \| DIRECTORY \| FILE \| PATH \| REGISTRY_KEY \| REGISTRY_VALUE \| WMI \|
	32	\| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \|
	33	\| 21 \| 9 \| 14 \| 283 \| 8 \| 50 \| 114 \| 26 \|
34	34
35	35	Artifacts by OS
36	36
37		\| Darwin \| Linux \| Windows \|
38		\| :---: \| :---: \| :---: \|
39		\| 106 \| 75 \| 177 \|
	37	\| Darwin \| Linux \| Windows \|
	38	\| :---: \| :---: \| :---: \|
	39	\| 33 \| 25 \| 23 \|
40	40
41	41	Artifacts by label
42	42
43		\| Antivirus \| Authentication \| Browser \| Cloud \| Cloud Storage \| Configuration Files \| External Media \| ExternalAccount \| IM \| Logs \| Mail \| Network \| Software \| System \| Users \| iOS \|
44		\| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \|
45		\| 6 \| 12 \| 18 \| 2 \| 3 \| 34 \| 2 \| 3 \| 4 \| 27 \| 12 \| 7 \| 35 \| 62 \| 59 \| 5 \|
	43	\| Antivirus \| Authentication \| Browser \| Cloud \| Cloud Storage \| Configuration Files \| Docker \| External Media \| ExternalAccount \| Hadoop \| History Files \| Logs \| Mail \| Network \| Software \| System \| Users \| iOS \|
	44	\| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \| :---: \|
	45	\| 6 \| 18 \| 21 \| 2 \| 4 \| 41 \| 2 \| 2 \| 3 \| 1 \| 3 \| 46 \| 15 \| 15 \| 43 \| 104 \| 68 \| 5 \|
46	46
47	47	## Background/History
48	48

63	63
64	64	## External links
65	65
66		* [ForensicsArtifacts.com ... the definitive database](http://forensicartifacts.com/)
67	66	* [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014
68	67
69	68	## Contact
70	69
71		[forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts)
	70	* [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts)
	71	* Artifacts channel of [Open Source DFIR Slack](https://github.com/open-source-dfir/slack)
72	72

+16

-18

appveyor.yml less more

0	0	environment:
1	1	matrix:
2		- TARGET: windows_python27
	2	- TARGET: unittests
3	3	MACHINE_TYPE: "x86"
4		PYTHON: "C:\\Python27"
5		- TARGET: windows_python27
	4	PYTHON: "C:\\Python38"
	5	PYTHON_VERSION: "3.8"
	6	L2TBINARIES_TRACK: "dev"
	7	- TARGET: unittests
6	8	MACHINE_TYPE: "amd64"
7		PYTHON: "C:\\Python27-x64"
8		- TARGET: windows_python36
9		MACHINE_TYPE: "x86"
10		PYTHON: "C:\\Python36"
11		- TARGET: windows_python36
12		MACHINE_TYPE: "amd64"
13		PYTHON: "C:\\Python36-x64"
	9	PYTHON: "C:\\Python38-x64"
	10	PYTHON_VERSION: "3.8"
	11	L2TBINARIES_TRACK: "dev"
14	12
15	13	install:
16	14	- cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release'
17		- cmd: "%PYTHON%\\python.exe -m pip install --upgrade pip"
	15	- cmd: "%PYTHON%\\python.exe -m pip install -U pip setuptools wheel"
18	16	- cmd: "%PYTHON%\\python.exe -m pip install pywin32 WMI"
19	17	- cmd: "%PYTHON%\\python.exe %PYTHON%\\Scripts\\pywin32_postinstall.py -install"
20	18	- cmd: git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools
21		- cmd: if [%TARGET%]==[windows_python27] (
	19	- cmd: IF [%PYTHON_VERSION%]==[3.8] (
22	20	mkdir dependencies &&
23	21	set PYTHONPATH=..\l2tdevtools &&
24		"%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML funcsigs mock pbr six )
25		- cmd: if [%TARGET%]==[windows_python36] (
26		mkdir dependencies &&
27		set PYTHONPATH=..\l2tdevtools &&
28		"%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track dev PyYAML mock pbr six )
	22	"%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type %MACHINE_TYPE% --msi-targetdir "%PYTHON%" --track "%L2TBINARIES_TRACK%" PyYAML mock pbr six )
29	23
30	24	build: off
31	25
32	26	test_script:
33		- cmd: "%PYTHON%\\python.exe run_tests.py"
	27	- cmd: IF [%TARGET%]==[unittests] (
	28	"%PYTHON%\\python.exe" run_tests.py &&
	29	IF EXIST "tests\\end-to-end.py" (
	30	set PYTHONPATH=. &&
	31	"%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) )

-1

artifacts/__init__.py less more

0	0	# -- coding: utf-8 --
1	1	"""ForensicArtifacts.com Artifact Repository."""
2	2
3		__version__ = '20190320'
	3	__version__ = '20201106'

+13

-4

artifacts/source_type.py less more

133	133	separator (Optional[str]): path segment separator.
134	134
135	135	Raises:
136		FormatError: when paths is not set.
	136	FormatError: when paths is not set or not a list type.
137	137	"""
138	138	if not paths:
139		raise errors.FormatError('Missing directory value.')
	139	raise errors.FormatError('Missing paths value.')
	140
	141	if not isinstance(paths, list):
	142	raise errors.FormatError('Invalid paths value, not a list.')
140	143
141	144	super(DirectorySourceType, self).__init__()
142	145	self.paths = paths

168	171	separator (Optional[str]): path segment separator.
169	172
170	173	Raises:
171		FormatError: when paths is not set.
	174	FormatError: when paths is not set or not a list type.
172	175	"""
173	176	if not paths:
174	177	raise errors.FormatError('Missing paths value.')
	178
	179	if not isinstance(paths, list):
	180	raise errors.FormatError('Invalid paths value, not a list.')
175	181
176	182	super(FileSourceType, self).__init__()
177	183	self.paths = paths

203	209	separator (Optional[str]): path segment separator.
204	210
205	211	Raises:
206		FormatError: when paths is not set.
	212	FormatError: when paths is not set or not a list type.
207	213	"""
208	214	if not paths:
209	215	raise errors.FormatError('Missing paths value.')
	216
	217	if not isinstance(paths, list):
	218	raise errors.FormatError('Invalid paths value, not a list.')
210	219
211	220	super(PathSourceType, self).__init__()
212	221	self.paths = paths

-2

config/dpkg/changelog less more

0		artifacts (20190320-1) unstable; urgency=low
	0	artifacts (20201106-1) unstable; urgency=low
1	1
2	2	* Auto-generated
3	3
4		-- Forensic artifacts <forensicartifacts@googlegroups.com> Wed, 20 Mar 2019 05:20:33 +0100⏎
	4	-- Forensic artifacts <forensicartifacts@googlegroups.com> Fri, 06 Nov 2020 05:50:46 +0100⏎

-12

config/dpkg/control less more

1	1	Section: python
2	2	Priority: extra
3	3	Maintainer: Forensic artifacts <forensicartifacts@googlegroups.com>
4		Build-Depends: debhelper (>= 9), python-all (>= 2.7~), python-setuptools, python3-all (>= 3.4~), python3-setuptools
5		Standards-Version: 3.9.5
6		X-Python-Version: >= 2.7
7		X-Python3-Version: >= 3.4
	4	Build-Depends: debhelper (>= 9), dh-python, python3-all (>= 3.6~), python3-setuptools
	5	Standards-Version: 4.1.4
	6	X-Python3-Version: >= 3.6
8	7	Homepage: https://github.com/ForensicArtifacts/artifacts
9	8
10	9	Package: artifacts-data
11	10	Architecture: all
12	11	Depends: ${misc:Depends}
13	12	Description: Data files for ForensicArtifacts.com Artifact Repository
14		A free, community-sourced, machine-readable knowledge base of forensic
15		artifacts that the world can use both as an information source and within other tools.
16
17		Package: python-artifacts
18		Architecture: all
19		Depends: artifacts-data (>= ${binary:Version}), python-yaml (>= 3.10), ${python:Depends}, ${misc:Depends}
20		Description: Python 2 module of ForensicArtifacts.com Artifact Repository
21	13	A free, community-sourced, machine-readable knowledge base of forensic
22	14	artifacts that the world can use both as an information source and within other tools.
23	15

30	22
31	23	Package: artifacts-tools
32	24	Architecture: all
33		Depends: python-artifacts (>= ${binary:Version}), ${python:Depends}, ${misc:Depends}
	25	Depends: python3-artifacts (>= ${binary:Version}), ${python3:Depends}, ${misc:Depends}
34	26	Description: Tools of ForensicArtifacts.com Artifact Repository
35	27	A free, community-sourced, machine-readable knowledge base of forensic
36	28	artifacts that the world can use both as an information source and within other tools.

-2

~~config/dpkg/python-artifacts.install~~ less more

0		usr/lib/python2/dist-packages/artifacts/.py
1		usr/lib/python2/dist-packages/artifacts.egg-info/*

-19

config/dpkg/rules less more

0	0	#!/usr/bin/make -f
1	1
2	2	%:
3		dh $@ --buildsystem=python_distutils --with=python2,python3
	3	dh $@ --buildsystem=pybuild --with=python3
4	4
5		.PHONY: override_dh_auto_clean
6		override_dh_auto_clean:
7		dh_auto_clean
8		rm -rf build artifacts.egg-info/SOURCES.txt artifacts.egg-info/PKG-INFO
	5	.PHONY: override_dh_auto_test
	6	override_dh_auto_test:
9	7
10		.PHONY: override_dh_auto_build
11		override_dh_auto_build:
12		dh_auto_build
13		set -ex; for python in $(shell py3versions -r); do \
14		$$python setup.py build; \
15		done;
16
17		.PHONY: override_dh_auto_install
18		override_dh_auto_install:
19		dh_auto_install --destdir $(CURDIR)
20		set -ex; for python in $(shell py3versions -r); do \
21		$$python setup.py install --root=$(CURDIR) --install-layout=deb; \
22		done;
23

+32

-74

config/travis/install.sh less more

4	4	# This file is generated by l2tdevtools update-dependencies.py any dependency
5	5	# related changes should be made in dependencies.ini.
6	6
7		L2TBINARIES_DEPENDENCIES="PyYAML";
8
9		L2TBINARIES_TEST_DEPENDENCIES="funcsigs mock pbr six";
10
11		DPKG_PYTHON2_DEPENDENCIES="python-yaml";
12
13		DPKG_PYTHON2_TEST_DEPENDENCIES="python-coverage python-funcsigs python-mock python-pbr python-six";
14
15	7	DPKG_PYTHON3_DEPENDENCIES="python3-yaml";
16	8
17		DPKG_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six";
18
19		RPM_PYTHON2_DEPENDENCIES="python2-pyyaml";
20
21		RPM_PYTHON2_TEST_DEPENDENCIES="python2-funcsigs python2-mock python2-pbr python2-six";
	9	DPKG_PYTHON3_TEST_DEPENDENCIES="python3-coverage python3-distutils python3-mock python3-pbr python3-setuptools python3-six";
22	10
23	11	RPM_PYTHON3_DEPENDENCIES="python3-pyyaml";
24	12
25		RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-six";
	13	RPM_PYTHON3_TEST_DEPENDENCIES="python3-mock python3-pbr python3-setuptools python3-six";
26	14
27	15	# Exit on error.
28	16	set -e;
29	17
30		if test ${TRAVIS_OS_NAME} = "osx";
31		then
32		git clone https://github.com/log2timeline/l2tbinaries.git -b dev;
33
34		mv l2tbinaries ../;
35
36		for PACKAGE in ${L2TBINARIES_DEPENDENCIES};
37		do
38		echo "Installing: ${PACKAGE}";
39		sudo /usr/bin/hdiutil attach ../l2tbinaries/macos/${PACKAGE}-*.dmg;
40		sudo /usr/sbin/installer -target / -pkg /Volumes/${PACKAGE}-.pkg/${PACKAGE}-.pkg;
41		sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg
42		done
43
44		for PACKAGE in ${L2TBINARIES_TEST_DEPENDENCIES};
45		do
46		echo "Installing: ${PACKAGE}";
47		sudo /usr/bin/hdiutil attach ../l2tbinaries/macos/${PACKAGE}-*.dmg;
48		sudo /usr/sbin/installer -target / -pkg /Volumes/${PACKAGE}-.pkg/${PACKAGE}-.pkg;
49		sudo /usr/bin/hdiutil detach /Volumes/${PACKAGE}-*.pkg
50		done
51
52		elif test -n "${FEDORA_VERSION}";
	18	if test -n "${FEDORA_VERSION}";
53	19	then
54	20	CONTAINER_NAME="fedora${FEDORA_VERSION}";
55	21

57	23
58	24	docker run --name=${CONTAINER_NAME} --detach -i registry.fedoraproject.org/fedora:${FEDORA_VERSION};
59	25
60		docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core;
	26	# Install dnf-plugins-core and langpacks-en.
	27	docker exec ${CONTAINER_NAME} dnf install -y dnf-plugins-core langpacks-en;
61	28
	29	# Add additional dnf repositories.
62	30	docker exec ${CONTAINER_NAME} dnf copr -y enable @gift/dev;
63	31
64	32	if test -n "${TOXENV}";
65	33	then
66		docker exec ${CONTAINER_NAME} dnf install -y python3-tox;
	34	RPM_PACKAGES="python3-tox";
67	35
68		elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
69		then
70		docker exec ${CONTAINER_NAME} dnf install -y git python2 ${RPM_PYTHON2_DEPENDENCIES} ${RPM_PYTHON2_TEST_DEPENDENCIES};
71	36	else
72		docker exec ${CONTAINER_NAME} dnf install -y git python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES};
	37	RPM_PACKAGES="python3 ${RPM_PYTHON3_DEPENDENCIES} ${RPM_PYTHON3_TEST_DEPENDENCIES}";
73	38	fi
	39	docker exec ${CONTAINER_NAME} dnf install -y ${RPM_PACKAGES};
74	40
75	41	docker cp ../artifacts ${CONTAINER_NAME}:/
76	42

82	48
83	49	docker run --name=${CONTAINER_NAME} --detach -i ubuntu:${UBUNTU_VERSION};
84	50
85		docker exec ${CONTAINER_NAME} apt-get update -q;
86		docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y locales software-properties-common";
	51	# Install add-apt-repository and locale-gen.
	52	docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q";
	53	docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y locales software-properties-common";
87	54
88		docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y;
89
90		docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8;
91
	55	# Add additional apt repositories.
92	56	if test -n "${TOXENV}";
93	57	then
94	58	docker exec ${CONTAINER_NAME} add-apt-repository universe;
95	59	docker exec ${CONTAINER_NAME} add-apt-repository ppa:deadsnakes/ppa -y;
	60	fi
	61	docker exec ${CONTAINER_NAME} add-apt-repository ppa:gift/dev -y;
96	62
97		DPKG_PYTHON="python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev";
	63	docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get update -q";
98	64
99		docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential ${DPKG_PYTHON} tox";
	65	# Set locale to US English and UTF-8.
	66	docker exec ${CONTAINER_NAME} locale-gen en_US.UTF-8;
100	67
101		elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
	68	# Install packages.
	69	if test -n "${TOXENV}";
102	70	then
103		docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y git python ${DPKG_PYTHON2_DEPENDENCIES} ${DPKG_PYTHON2_TEST_DEPENDENCIES}";
	71	DPKG_PACKAGES="build-essential curl git python${TRAVIS_PYTHON_VERSION} python${TRAVIS_PYTHON_VERSION}-dev tox";
	72
	73	elif test "${TARGET}" = "jenkins3";
	74	then
	75	DPKG_PACKAGES="sudo";
104	76	else
105		docker exec ${CONTAINER_NAME} sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -y git python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}";
	77	DPKG_PACKAGES="python3 ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES}";
106	78	fi
	79	docker exec -e "DEBIAN_FRONTEND=noninteractive" ${CONTAINER_NAME} sh -c "apt-get install -y ${DPKG_PACKAGES}";
107	80
108	81	docker cp ../artifacts ${CONTAINER_NAME}:/
109	82
110		elif test ${TRAVIS_OS_NAME} = "linux" && test ${TARGET} != "jenkins";
	83	elif test ${TRAVIS_OS_NAME} = "osx";
111	84	then
112		sudo rm -f /etc/apt/sources.list.d/travis_ci_zeromq3-source.list;
	85	brew update;
113	86
114		if test ${TARGET} = "pylint";
115		then
116		sudo add-apt-repository ppa:gift/pylint3 -y;
117		fi
118
119		sudo add-apt-repository ppa:gift/dev -y;
120		sudo apt-get update -q;
121
122		if test ${TRAVIS_PYTHON_VERSION} = "2.7";
123		then
124		sudo apt-get install -y ${DPKG_PYTHON2_DEPENDENCIES} ${DPKG_PYTHON2_TEST_DEPENDENCIES};
125		else
126		sudo apt-get install -y ${DPKG_PYTHON3_DEPENDENCIES} ${DPKG_PYTHON3_TEST_DEPENDENCIES};
127		fi
128		if test ${TARGET} = "pylint";
129		then
130		sudo apt-get install -y pylint;
131		fi
	87	# Brew will exit with 1 and print some diagnostic information
	88	# to prevent the CI test from failing \|\| true is added.
	89	brew install tox \|\| true;
132	90	fi

+24

-0

config/travis/run_python2.sh less more

	0	#!/bin/bash
	1	#
	2	# Script to run Python 2 tests on Travis-CI.
	3	#
	4	# This file is generated by l2tdevtools update-dependencies.py, any dependency
	5	# related changes should be made in dependencies.ini.
	6
	7	# Exit on error.
	8	set -e;
	9
	10	python2 ./run_tests.py
	11
	12	if test -f tests/end-to-end.py;
	13	then
	14	PYTHONPATH=. python2 ./tests/end-to-end.py --debug -c config/end-to-end.ini;
	15	fi
	16
	17	python2 ./setup.py build
	18
	19	python2 ./setup.py sdist
	20
	21	python2 ./setup.py bdist
	22
	23	python2 ./setup.py install

+24

-0

config/travis/run_python3.sh less more

	0	#!/bin/bash
	1	#
	2	# Script to run Python 3 tests on Travis-CI.
	3	#
	4	# This file is generated by l2tdevtools update-dependencies.py, any dependency
	5	# related changes should be made in dependencies.ini.
	6
	7	# Exit on error.
	8	set -e;
	9
	10	python3 ./run_tests.py
	11
	12	if test -f tests/end-to-end.py;
	13	then
	14	PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini;
	15	fi
	16
	17	python3 ./setup.py build
	18
	19	python3 ./setup.py sdist
	20
	21	python3 ./setup.py bdist
	22
	23	python3 ./setup.py install

+36

-73

config/travis/runtests.sh less more

7	7	# Exit on error.
8	8	set -e;
9	9
10		if test "${TARGET}" = "jenkins";
11		then
12		./config/jenkins/linux/run_end_to_end_tests.sh "travis";
13
14		elif test "${TARGET}" = "pylint";
15		then
16		pylint --version
17
18		for FILE in `find setup.py artifacts config tests tools -name \*.py`;
19		do
20		echo "Checking: ${FILE}";
21
22		pylint --rcfile=.pylintrc ${FILE};
23		done
24
25		elif test "${TRAVIS_OS_NAME}" = "osx";
26		then
27		PYTHONPATH=/Library/Python/2.7/site-packages/ /usr/bin/python ./run_tests.py;
28
29		python ./setup.py build
30
31		python ./setup.py sdist
32
33		python ./setup.py bdist
34
35		if test -f tests/end-to-end.py;
36		then
37		PYTHONPATH=. python ./tests/end-to-end.py --debug -c config/end-to-end.ini;
38		fi
39
40		elif test -n "${FEDORA_VERSION}";
	10	if test -n "${FEDORA_VERSION}";
41	11	then
42	12	CONTAINER_NAME="fedora${FEDORA_VERSION}";
	13	CONTAINER_OPTIONS="-e LANG=C.utf8";
43	14
44	15	if test -n "${TOXENV}";
45	16	then
46		docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && tox -e ${TOXENV}";
47
48		elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
49		then
50		docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python2 run_tests.py";
	17	TEST_COMMAND="tox -e ${TOXENV}";
51	18	else
52		docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python3 run_tests.py";
	19	TEST_COMMAND="./config/travis/run_python3.sh";
53	20	fi
	21	# Note that exec options need to be defined before the container name.
	22	docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}";
54	23
55	24	elif test -n "${UBUNTU_VERSION}";
56	25	then
57	26	CONTAINER_NAME="ubuntu${UBUNTU_VERSION}";
	27	CONTAINER_OPTIONS="-e LANG=en_US.UTF-8";
58	28
59	29	if test -n "${TOXENV}";
60	30	then
61		docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && tox -e ${TOXENV}";
	31	# Also see: https://docs.codecov.io/docs/testing-with-docker
	32	curl -o codecov_env.sh -s https://codecov.io/env;
62	33
63		elif test ${TRAVIS_PYTHON_VERSION} = "2.7";
	34	# Generates a series of -e options.
	35	CODECOV_ENV=$(/bin/bash ./codecov_env.sh);
	36
	37	CONTAINER_OPTIONS="${CODECOV_ENV} ${CONTAINER_OPTIONS}";
	38
	39	TEST_COMMAND="tox -e ${TOXENV}";
	40
	41	elif test "${TARGET}" = "jenkins3";
64	42	then
65		docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python2 run_tests.py";
	43	TEST_COMMAND="./config/jenkins/linux/run_end_to_end_tests_py3.sh travis";
66	44	else
67		docker exec ${CONTAINER_NAME} sh -c "export LANG=en_US.UTF-8; cd artifacts && python3 run_tests.py";
	45	TEST_COMMAND="./config/travis/run_python3.sh";
68	46	fi
	47	# Note that exec options need to be defined before the container name.
	48	docker exec ${CONTAINER_OPTIONS} ${CONTAINER_NAME} sh -c "cd artifacts && ${TEST_COMMAND}";
69	49
70		elif test "${TRAVIS_OS_NAME}" = "linux";
	50	elif test "${TARGET}" = "dockerfile";
71	51	then
72		COVERAGE="/usr/bin/coverage";
	52	SOURCE_PATH=${PWD};
	53	CONTAINER_NAME="test";
73	54
74		if ! test -x "${COVERAGE}";
75		then
76		# Ubuntu has renamed coverage.
77		COVERAGE="/usr/bin/python-coverage";
78		fi
	55	cd config/docker
79	56
80		if test -n "${TOXENV}";
81		then
82		tox --sitepackages ${TOXENV};
	57	docker build --build-arg PPA_TRACK="dev" -f Dockerfile -t ${CONTAINER_NAME} .
83	58
84		elif test "${TRAVIS_PYTHON_VERSION}" = "2.7";
85		then
86		${COVERAGE} erase
87		${COVERAGE} run --source=artifacts --omit="_test,__init__,test_lib" ./run_tests.py
88		else
89		python ./run_tests.py
	59	# TODO: add tests
90	60
91		python ./setup.py build
	61	elif test "${TRAVIS_OS_NAME}" = "osx";
	62	then
	63	# Set the following environment variables to build pycrypto and yara-python.
	64	export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}";
	65	export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}";
	66	export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS";
92	67
93		python ./setup.py sdist
	68	# Set the following environment variables to ensure tox can find Python 3.8.
	69	export PATH="/usr/local/opt/python@3.8/bin:${PATH}";
94	70
95		python ./setup.py bdist
96
97		TMPDIR="${PWD}/tmp";
98		TMPSITEPACKAGES="${TMPDIR}/lib/python${TRAVIS_PYTHON_VERSION}/site-packages";
99
100		mkdir -p ${TMPSITEPACKAGES};
101
102		PYTHONPATH=${TMPSITEPACKAGES} python ./setup.py install --prefix=${TMPDIR};
103
104		if test -f tests/end-to-end.py;
105		then
106		PYTHONPATH=. python ./tests/end-to-end.py --debug -c config/end-to-end.ini;
107		fi
108		fi
	71	tox -e ${TOXENV};
109	72	fi

+27

-5

data/antivirus.yaml less more

13	13	- type: FILE
14	14	attributes:
15	15	paths:
16		- '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
17		- '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
	16	- '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
	17	- '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
18	18	separator: '\'
19	19	supported_os: [Windows]
20	20	labels: [Antivirus]
	21	---
	22	name: WindowsDefenderExclusions
	23	doc: \|
	24	Directories, processes, and extensions configured not to be scanned by Windows Defender.
	25
	26	Certain malware families (for example, Tofsee) are known to add
	27	directories to the Paths list in order to avoid being detected by
	28	Windows Defender.
	29	sources:
	30	- type: REGISTRY_KEY
	31	attributes:
	32	keys:
	33	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Paths\*'
	34	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Processes\*'
	35	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Extensions\*'
	36	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*'
	37	supported_os: [Windows]
	38	urls:
	39	- 'https://blog.malwarebytes.com/detections/pum-optional-msexclusion/'
	40	- 'https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e'
	41	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
21	42	---
22	43	name: SophosAVLogs
23	44	doc: Sophos Anti-Virus log files.

53	74	- type: FILE
54	75	attributes:
55	76	paths:
56		- '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\\Data\Logs\.log'
57		- '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
	77	- '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\\Data\Logs\.log'
	78	- '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\\Data\Logs\AV\.log'
	79	- '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
58	80	separator: '\'
59	81	supported_os: [Windows]
60	82	supported_os: [Windows]

65	87	sources:
66	88	- type: FILE
67	89	attributes:
68		paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn']
	90	paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*5\.vbn']
69	91	separator: '\'
70	92	supported_os: [Windows]
71	93	supported_os: [Windows]

+16

-16

data/applications.yaml less more

20	20	- type: FILE
21	21	attributes:
22	22	paths:
23		- '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist'
24		- '%%users.homedir%%/Library/Containers/com.microsoft./Data/Library/Preferences/com.microsoft..securebookmarks.plist'
	23	- '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist'
	24	- '%%users.homedir%%/Library/Containers/com.microsoft./Data/Library/Preferences/com.microsoft..securebookmarks.plist'
25	25	separator: '/'
26	26	supported_os: [Darwin]
27	27	- type: REGISTRY_VALUE
28	28	attributes:
29	29	key_value_pairs:
30		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\\\File MRU', value: 'Item *'}
31		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\\\Place MRU', value: 'Item *'}
	30	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\\\File MRU', value: 'Item *'}
	31	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\\\Place MRU', value: 'Item *'}
32	32	supported_os: [Windows]
33	33	supported_os: [Darwin, Windows]
34	34	urls: ['https://github.com/mac4n6/macMRU-Parser']

39	39	- type: FILE
40	40	attributes:
41	41	paths:
42		- '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pab'
43		- '%%users.homedir%%/Documents/Outlook Files/*.pab'
44		separator: '/'
	42	- '%%users.localappdata%%\Microsoft\Outlook\*.pab'
	43	- '%%users.userprofile%%\Documents\Outlook Files\*.pab'
	44	separator: '\'
45	45	labels: [Users, Mail]
46	46	supported_os: [Windows]
47		urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)']
	47	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)']
48	48	---
49	49	name: MicrosoftOutlookPSTFiles
50	50	doc: Microsoft Outlook PST Files

52	52	- type: FILE
53	53	attributes:
54	54	paths:
55		- '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.pst'
56		- '%%users.homedir%%/Documents/Outlook Files/*.pst'
57		separator: '/'
	55	- '%%users.localappdata%%\Microsoft\Outlook\*.pst'
	56	- '%%users.userprofile%%\Documents\Outlook Files\*.pst'
	57	separator: '\'
58	58	labels: [Users, Mail]
59	59	supported_os: [Windows]
60		urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)']
	60	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)']
61	61	---
62	62	name: MicrosoftOutlookOSTFiles
63	63	doc: Microsoft Outlook OST Files

65	65	- type: FILE
66	66	attributes:
67	67	paths:
68		- '%%users.homedir%%/AppData/Local/Microsoft/Outlook/*.ost'
69		- '%%users.homedir%%/Documents/Outlook Files/*.ost'
70		separator: '/'
	68	- '%%users.localappdata%%\Microsoft\Outlook\*.ost'
	69	- '%%users.userprofile%%\Documents\Outlook Files\*.ost'
	70	separator: '\'
71	71	labels: [Users, Mail]
72	72	supported_os: [Windows]
73		urls: ['http://www.forensicswiki.org/wiki/Personal_Folder_File_(PAB,_PST,_OST)']
	73	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)']
74	74	---
75	75	name: WinRARExternalViewer
76	76	doc: Executable run when a file is opened by WinRAR inside an archive.

+26

-26

data/cloud_services.yaml less more

5	5	- type: ARTIFACT_GROUP
6	6	attributes:
7	7	names:
8		- 'DropboxClient'
9		- 'GoogleDriveClient'
10		- 'SkyDriveClient'
	8	- 'DropboxClient'
	9	- 'GoogleDriveClient'
	10	- 'SkyDriveClient'
11	11	labels: [Cloud Storage]
12	12	supported_os: [Darwin,Linux,Windows]
13	13	---

17	17	- type: FILE
18	18	attributes:
19	19	paths:
20		- '%%users.appdata%%\Dropbox\.db'
21		- '%%users.localappdata%%\Dropbox\.db'
	20	- '%%users.appdata%%\Dropbox\.db'
	21	- '%%users.localappdata%%\Dropbox\.db'
22	22	separator: '\'
23	23	supported_os: [Windows]
24	24	- type: FILE
25	25	attributes:
26	26	paths:
27		- '%%users.homedir%%/.dropbox/.db'
	27	- '%%users.homedir%%/.dropbox/.db'
28	28	supported_os: [Darwin,Linux]
29	29	supported_os: [Darwin,Linux,Windows]
30	30	labels: [Cloud Storage]
31		urls: ['http://www.forensicswiki.org/wiki/Dropbox']
	31	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Dropbox']
32	32	---
33	33	name: GoogleDriveClient
34	34	doc: Google Drive cloud storage client artifacts.

36	36	- type: FILE
37	37	attributes:
38	38	paths:
39		- '%%users.localappdata%%\Google\Drive\snapshot.db'
40		- '%%users.localappdata%%\Google\Drive\sync_config.db'
41		- '%%users.localappdata%%\Google\Drive\sync_config.log*'
42		- '%%users.localappdata%%\Google\Drive\user_default\snapshot.db'
43		- '%%users.localappdata%%\Google\Drive\user_default\sync_config.db'
44		- '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*'
	39	- '%%users.localappdata%%\Google\Drive\snapshot.db'
	40	- '%%users.localappdata%%\Google\Drive\sync_config.db'
	41	- '%%users.localappdata%%\Google\Drive\sync_config.log*'
	42	- '%%users.localappdata%%\Google\Drive\user_default\snapshot.db'
	43	- '%%users.localappdata%%\Google\Drive\user_default\sync_config.db'
	44	- '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*'
45	45	separator: '\'
46	46	supported_os: [Windows]
47	47	- type: FILE
48	48	attributes:
49	49	paths:
50		- '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db'
51		- '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db'
52		- '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*'
53		- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db'
54		- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db'
55		- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*'
	50	- '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db'
	51	- '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db'
	52	- '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*'
	53	- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db'
	54	- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db'
	55	- '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*'
56	56	supported_os: [Darwin]
57	57	supported_os: [Darwin, Windows]
58	58	labels: [Cloud Storage]
59		urls: ['http://www.forensicswiki.org/wiki/Google_Drive']
	59	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Drive']
60	60	---
61	61	name: SkyDriveClient
62	62	doc: \|

67	67	- type: FILE
68	68	attributes:
69	69	paths:
70		- '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log'
71		- '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log'
72		- '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml'
73		- '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat'
74		- '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini'
	70	- '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log'
	71	- '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log'
	72	- '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml'
	73	- '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat'
	74	- '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini'
75	75	separator: '\'
76	76	supported_os: [Windows]
77	77	supported_os: [Windows]
78	78	labels: [Cloud Storage]
79		urls: ['http://forensicswiki.org/wiki/One_Drive#Sky_Drive_client']
	79	urls: ['https://forensicswiki.xyz/wiki/index.php?title=One_Drive#Sky_Drive_client']

+32

-0

data/config_files.yaml less more

0	0	# Configuration file artifacts.
1	1
	2	name: JupyterConfigFile
	3	doc: Jupyter notebook configuration file
	4	sources:
	5	- type: FILE
	6	attributes: {paths: ['%%users.homedir%%/.jupyter/jupyter_notebook_config.py']}
	7	labels: [Configuration Files]
	8	supported_os: [Linux]
	9	---
2	10	name: NfsExportsFile
3	11	doc: NFS Exports configuration
4	12	sources:

13	21	supported_os: [Linux]
14	22	labels: [Configuration Files]
15	23	supported_os: [Linux, Darwin]
	24	---
	25	name: RedisConfigFile
	26	doc: Redis configuration file
	27	sources:
	28	- type: FILE
	29	attributes:
	30	paths:
	31	- '%%environ_programfiles%%\Redis\conf\redis.windows.conf'
	32	- '%%environ_programfiles%%\Redis\conf\redis.conf'
	33	separator: '\'
	34	supported_os: [Windows]
	35	- type: FILE
	36	attributes:
	37	paths:
	38	- '/etc/redis/redis.conf'
	39	supported_os: [Linux]
	40	- type: FILE
	41	attributes:
	42	paths:
	43	- '/etc/redis/redis.conf'
	44	- '/private/etc/redis/redis.conf'
	45	supported_os: [Darwin]
	46	labels: [Configuration Files]
	47	supported_os: [Darwin, Linux, Windows]
16	48	---
17	49	name: SshdConfigFile
18	50	doc: Sshd configuration

-3

data/installed_modules.yaml less more

99	99	- type: ARTIFACT_GROUP
100	100	attributes:
101	101	names:
102		- PythonDistInfo
103		- PythonEggInfo
104		- PythonWheelInfo
	102	- PythonDistInfo
	103	- PythonEggInfo
	104	- PythonWheelInfo
105	105	labels: [Software]
106	106	---
107	107	name: PythonWheelInfo

-8

data/instant_messaging.yaml less more

8	8	supported_os: [Darwin]
9	9	supported_os: [Darwin]
10	10	urls:
11		- 'http://forensicswiki.org/wiki/Mac_OS_X'
12		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'
	11	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	12	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype'
13	13	---
14	14	name: SkypeDb
15	15	doc: Main Skype database

20	20	supported_os: [Darwin]
21	21	supported_os: [Darwin]
22	22	urls:
23		- 'http://forensicswiki.org/wiki/Mac_OS_X'
24		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'
	23	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	24	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype'
25	25	---
26	26	name: SkypeMainDirectory
27	27	doc: Skype Directory

41	41	supported_os: [Darwin]
42	42	supported_os: [Darwin]
43	43	urls:
44		- 'http://forensicswiki.org/wiki/Mac_OS_X'
45		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'
	44	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	45	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype'
46	46	---
47	47	name: SkypeUserProfile
48	48	doc: Skype User profile

53	53	supported_os: [Darwin]
54	54	supported_os: [Darwin]
55	55	urls:
56		- 'http://forensicswiki.org/wiki/Mac_OS_X'
57		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype'⏎
	56	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	57	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype'⏎

-2

data/java.yaml less more

11	11	- type: FILE
12	12	attributes:
13	13	paths:
14		- '%%users.appdata%%\Sun\Java\Deployment\cache\**'
15		- '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
	14	- '%%users.appdata%%\Sun\Java\Deployment\cache\**'
	15	- '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
16	16	separator: '\'
17	17	supported_os: [Windows]
18	18	supported_os: [Windows, Linux, Darwin]

+58

-58

data/kaspersky_careto.yaml less more

5	5	- type: FILE
6	6	attributes:
7	7	paths:
8		- /Applications/.DS_Store.app/**10
9		- /Library/LaunchAgents/com.apple.launchport.plist
	8	- /Applications/.DS_Store.app/**10
	9	- /Library/LaunchAgents/com.apple.launchport.plist
10	10	supported_os: [Darwin]
11	11	urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
12	12	---

16	16	- type: ARTIFACT_GROUP
17	17	attributes:
18	18	names:
19		- KasperskyCaretoWindowsFiles
20		- KasperskyCaretoWindowsRegKeys
21		- KasperskyCaretoDarwinFiles
	19	- KasperskyCaretoWindowsFiles
	20	- KasperskyCaretoWindowsRegKeys
	21	- KasperskyCaretoDarwinFiles
22	22	supported_os: [Windows, Darwin]
23	23	urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
24	24	---

28	28	- type: FILE
29	29	attributes:
30	30	paths:
31		- '%%environ_systemroot%%\System32\objframe.dll'
32		- '%%environ_systemroot%%\System32\shlink32.dll'
33		- '%%environ_systemroot%%\System32\shlink64.dll'
34		- '%%environ_systemroot%%\System32\cdllait32.dll'
35		- '%%environ_systemroot%%\System32\cdllait64.dll'
36		- '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
37		- '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
38		- '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
39		- '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
40		- '%%environ_systemroot%%\System32\c_50225.nls'
41		- '%%environ_systemroot%%\System32\c_50227.nls'
42		- '%%environ_systemroot%%\System32\c_50229.nls'
43		- '%%environ_systemroot%%\System32\c_51932.nls'
44		- '%%environ_systemroot%%\System32\c_51936.nls'
45		- '%%environ_systemroot%%\System32\c_51949.nls'
46		- '%%environ_systemroot%%\System32\c_51950.nls'
47		- '%%environ_systemroot%%\System32\c_57002.nls'
48		- '%%environ_systemroot%%\System32\c_57006.nls'
49		- '%%environ_systemroot%%\System32\c_57008.nls'
50		- '%%environ_systemroot%%\System32\c_57010.nls'
51		- '%%environ_systemroot%%\System32\cdgext32.dll'
52		- '%%environ_systemroot%%\System32\cfgbkmgrs.dll'
53		- '%%environ_systemroot%%\System32\cfgmgr64.dll'
54		- '%%environ_systemroot%%\System32\comsvrpcs.dll'
55		- '%%environ_systemroot%%\System32\d3dx8_20.dll'
56		- '%%environ_systemroot%%\System32\dllcomm.dll'
57		- '%%environ_systemroot%%\System32\drivers\wmimgr.sys'
58		- '%%environ_systemroot%%\System32\drvinfo.bin'
59		- '%%environ_systemroot%%\System32\FCache.bin'
60		- '%%environ_systemroot%%\System32\FFExtendedCommand.dll'
61		- '%%environ_systemroot%%\System32\gpktcsp32.dll'
62		- '%%environ_systemroot%%\System32\HPQueue.bin'
63		- '%%environ_systemroot%%\System32\LPQueue.bin'
64		- '%%environ_systemroot%%\System32\mdwmnsp.dll'
65		- '%%environ_systemroot%%\System32\rpcdist.dll'
66		- '%%environ_systemroot%%\System32\scsvrft.dll'
67		- '%%environ_systemroot%%\System32\sdptbw.dll'
68		- '%%environ_systemroot%%\System32\slbkbw.dll'
69		- '%%environ_systemroot%%\System32\skypeie6plugin.dll'
70		- '%%environ_systemroot%%\System32\wmspdmgr.dll'
71		- '%%environ_systemroot%%\System32\mfcn30.dll'
72		- '%%environ_systemroot%%\System32\siiw9x.dll'
73		- '%%environ_systemroot%%\System32\nmwcdlog.dll'
74		- '%%environ_systemroot%%\System32\WifiScan.dll'
75		- '%%environ_systemroot%%\System32\awview32.dll'
76		- '%%environ_systemroot%%\System32\awcodc32.dll'
77		- '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
78		- '%%users.temp%%\~DF23BF45A473C42B56.tmp'
79		- '%%users.temp%%\~DFA0528CD81300F372.tmp'
80		- '%%users.temp%%\~DF8471938479DA49221.tmp'
81		- '%%users.appdata%%\microsoft\c_27803.nls'
82		- '%%users.appdata%%\microsoft\objframe.dll'
83		- '%%users.appdata%%\microsoft\shmgr.dll'
	31	- '%%environ_systemroot%%\System32\objframe.dll'
	32	- '%%environ_systemroot%%\System32\shlink32.dll'
	33	- '%%environ_systemroot%%\System32\shlink64.dll'
	34	- '%%environ_systemroot%%\System32\cdllait32.dll'
	35	- '%%environ_systemroot%%\System32\cdllait64.dll'
	36	- '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
	37	- '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
	38	- '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
	39	- '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
	40	- '%%environ_systemroot%%\System32\c_50225.nls'
	41	- '%%environ_systemroot%%\System32\c_50227.nls'
	42	- '%%environ_systemroot%%\System32\c_50229.nls'
	43	- '%%environ_systemroot%%\System32\c_51932.nls'
	44	- '%%environ_systemroot%%\System32\c_51936.nls'
	45	- '%%environ_systemroot%%\System32\c_51949.nls'
	46	- '%%environ_systemroot%%\System32\c_51950.nls'
	47	- '%%environ_systemroot%%\System32\c_57002.nls'
	48	- '%%environ_systemroot%%\System32\c_57006.nls'
	49	- '%%environ_systemroot%%\System32\c_57008.nls'
	50	- '%%environ_systemroot%%\System32\c_57010.nls'
	51	- '%%environ_systemroot%%\System32\cdgext32.dll'
	52	- '%%environ_systemroot%%\System32\cfgbkmgrs.dll'
	53	- '%%environ_systemroot%%\System32\cfgmgr64.dll'
	54	- '%%environ_systemroot%%\System32\comsvrpcs.dll'
	55	- '%%environ_systemroot%%\System32\d3dx8_20.dll'
	56	- '%%environ_systemroot%%\System32\dllcomm.dll'
	57	- '%%environ_systemroot%%\System32\drivers\wmimgr.sys'
	58	- '%%environ_systemroot%%\System32\drvinfo.bin'
	59	- '%%environ_systemroot%%\System32\FCache.bin'
	60	- '%%environ_systemroot%%\System32\FFExtendedCommand.dll'
	61	- '%%environ_systemroot%%\System32\gpktcsp32.dll'
	62	- '%%environ_systemroot%%\System32\HPQueue.bin'
	63	- '%%environ_systemroot%%\System32\LPQueue.bin'
	64	- '%%environ_systemroot%%\System32\mdwmnsp.dll'
	65	- '%%environ_systemroot%%\System32\rpcdist.dll'
	66	- '%%environ_systemroot%%\System32\scsvrft.dll'
	67	- '%%environ_systemroot%%\System32\sdptbw.dll'
	68	- '%%environ_systemroot%%\System32\slbkbw.dll'
	69	- '%%environ_systemroot%%\System32\skypeie6plugin.dll'
	70	- '%%environ_systemroot%%\System32\wmspdmgr.dll'
	71	- '%%environ_systemroot%%\System32\mfcn30.dll'
	72	- '%%environ_systemroot%%\System32\siiw9x.dll'
	73	- '%%environ_systemroot%%\System32\nmwcdlog.dll'
	74	- '%%environ_systemroot%%\System32\WifiScan.dll'
	75	- '%%environ_systemroot%%\System32\awview32.dll'
	76	- '%%environ_systemroot%%\System32\awcodc32.dll'
	77	- '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
	78	- '%%users.temp%%\~DF23BF45A473C42B56.tmp'
	79	- '%%users.temp%%\~DFA0528CD81300F372.tmp'
	80	- '%%users.temp%%\~DF8471938479DA49221.tmp'
	81	- '%%users.appdata%%\microsoft\c_27803.nls'
	82	- '%%users.appdata%%\microsoft\objframe.dll'
	83	- '%%users.appdata%%\microsoft\shmgr.dll'
84	84	separator: '\'
85	85	supported_os: [Windows]
86	86	urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']

+20

-20

data/legacy.yaml less more

18	18	- type: REGISTRY_KEY
19	19	attributes:
20	20	keys:
21		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory'
22		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile'
	21	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory'
	22	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile'
23	23	provides: [environ_allusersprofile]
24	24	supported_os: [Windows]
25	25	urls: ['http://support.microsoft.com/kb//214653']

31	31	attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}]}
32	32	provides: [current_control_set]
33	33	supported_os: [Windows]
34		urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys']
	34	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc']
35	35	---
36	36	name: LinuxRelease
37	37	doc: \|

43	43	- type: FILE
44	44	attributes:
45	45	paths:
46		- '/etc/enterprise-release'
47		- '/etc/lsb-release'
48		- '/etc/oracle-release'
49		- '/etc/redhat-release'
50		- '/etc/system-release'
	46	- '/etc/enterprise-release'
	47	- '/etc/lsb-release'
	48	- '/etc/oracle-release'
	49	- '/etc/redhat-release'
	50	- '/etc/system-release'
51	51	provides: [os_release, os_major_version, os_minor_version]
52	52	labels: [Software]
53	53	supported_os: [Linux]

61	61	supported_os: [Darwin]
62	62	provides: [users.username]
63	63	urls:
64		- 'http://forensicswiki.org/wiki/Mac_OS_X'
65		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Users'
	64	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	65	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users'
66	66	---
67	67	name: ProgramFiles
68	68	doc: The %ProgramFiles% environment variable.

111	111	- type: PATH
112	112	attributes:
113	113	paths:
114		- '\Windows'
115		- '\WinNT'
116		- '\WINNT35'
117		- '\WTSRV'
	114	- '\Windows'
	115	- '\WinNT'
	116	- '\WINNT35'
	117	- '\WTSRV'
118	118	separator: '\'
119	119	- type: REGISTRY_VALUE
120	120	attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]}

146	146	- type: PATH
147	147	attributes:
148	148	paths:
149		- '\Windows'
150		- '\WinNT'
151		- '\WINNT35'
152		- '\WTSRV'
	149	- '\Windows'
	150	- '\WinNT'
	151	- '\WINNT35'
	152	- '\WTSRV'
153	153	separator: '\'
154	154	- type: REGISTRY_VALUE
155	155	attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}]}

171	171	- type: REGISTRY_VALUE
172	172	attributes:
173	173	key_value_pairs:
174		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
	174	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
175	175	provides: [environ_allusersappdata]
176	176	supported_os: [Windows]
177	177	urls: ['http://environmentvariables.org/ProgramData']

192	192	attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]}
193	193	provides: [time_zone]
194	194	supported_os: [Windows]
195		urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys']
	195	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc']

+180

-105

data/linux.yaml less more

5	5	- type: FILE
6	6	attributes:
7	7	paths:
8		- '/etc/anacrontab'
9		- '/etc/cron.daily/*'
10		- '/etc/cron.hourly/*'
11		- '/etc/cron.monthly/*'
12		- '/etc/cron.weekly/*'
13		- '/var/spool/anacron/cron.daily'
14		- '/var/spool/anacron/cron.hourly'
15		- '/var/spool/anacron/cron.monthly'
16		- '/var/spool/anacron/cron.weekly'
	8	- '/etc/anacrontab'
	9	- '/etc/cron.daily/*'
	10	- '/etc/cron.hourly/*'
	11	- '/etc/cron.monthly/*'
	12	- '/etc/cron.weekly/*'
	13	- '/var/spool/anacron/cron.daily'
	14	- '/var/spool/anacron/cron.hourly'
	15	- '/var/spool/anacron/cron.monthly'
	16	- '/var/spool/anacron/cron.weekly'
17	17	labels: [Configuration Files]
18	18	supported_os: [Linux]
19	19	---

23	23	- type: FILE
24	24	attributes:
25	25	paths:
26		- '/etc/apt/sources.list'
27		- '/etc/apt/sources.list.d/*.list'
	26	- '/etc/apt/sources.list'
	27	- '/etc/apt/sources.list.d/*.list'
28	28	labels: [Configuration Files, System]
29	29	supported_os: [Linux]
30	30	urls: ['http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html']

35	35	- type: FILE
36	36	attributes:
37	37	paths:
38		- '/etc/apt/trusted.gpg'
39		- '/etc/apt/trusted.gpg.d/*.gpg'
40		- '/etc/apt/trustdb.gpg'
41		- '/usr/share/keyrings/*.gpg'
	38	- '/etc/apt/trusted.gpg'
	39	- '/etc/apt/trusted.gpg.d/*.gpg'
	40	- '/etc/apt/trustdb.gpg'
	41	- '/usr/share/keyrings/*.gpg'
42	42	labels: [Configuration Files, System]
43	43	supported_os: [Linux]
44	44	urls: ['https://wiki.debian.org/SecureApt']

49	49	- type: FILE
50	50	attributes:
51	51	paths:
52		- '/etc/cron.allow'
53		- '/etc/cron.deny'
54		- '/etc/at.allow'
55		- '/etc/at.deny'
	52	- '/etc/cron.allow'
	53	- '/etc/cron.deny'
	54	- '/etc/at.allow'
	55	- '/etc/at.deny'
56	56	labels: [Configuration Files]
57	57	supported_os: [Linux]
58	58	urls:
59		- http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html
60		- http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html
	59	- http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html
	60	- http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html
61	61	---
62	62	name: DebianPackagesLogFiles
63	63	doc: Linux dpkg log files.

65	65	- type: FILE
66	66	attributes:
67	67	paths:
68		- '/var/log/dpkg.log*'
69		- '/var/log/apt/history.log*'
	68	- '/var/log/dpkg.log*'
	69	- '/var/log/apt/history.log*'
70	70	labels: [Logs]
71	71	supported_os: [Linux]
72	72	---

102	102	- type: FILE
103	103	attributes:
104	104	paths:
105		- '/etc/hosts.allow'
106		- '/etc/hosts.deny'
	105	- '/etc/hosts.allow'
	106	- '/etc/hosts.deny'
107	107	labels: [Configuration Files]
108	108	supported_os: [Linux]
109	109	---

123	123	- type: FILE
124	124	attributes:
125	125	paths:
126		- '/etc/modules.conf'
127		- '/etc/modprobe.d/*'
	126	- '/etc/modules.conf'
	127	- '/etc/modprobe.d/*'
128	128	supported_os: [Linux]
129	129	---
130	130	name: LinuxAtJobs

144	144	supported_os: [Linux]
145	145	---
146	146	name: LinuxAuthLogs
147		doc: Linux auth log files.
148		sources:
149		- type: FILE
150		attributes: {paths: ['/var/log/auth.log*']}
	147	doc: Linux authentication log files.
	148	sources:
	149	- type: FILE
	150	attributes:
	151	paths:
	152	- '/var/log/auth.log*'
	153	- '/var/log/secure.log*'
151	154	labels: [Logs, Authentication]
152	155	supported_os: [Linux]
153	156	---

165	168	- type: FILE
166	169	attributes:
167	170	paths:
168		- '/etc/crontab'
169		- '/etc/cron.d/*'
170		- '/var/spool/cron/**'
	171	- '/etc/crontab'
	172	- '/etc/cron.d/*'
	173	- '/var/spool/cron/**'
171	174	labels: [Configuration Files]
172	175	supported_os: [Linux]
173	176	---

185	188	- type: FILE
186	189	attributes:
187	190	paths:
188		- '/etc/enterprise-release'
189		- '/etc/oracle-release'
190		- '/etc/redhat-release'
191		- '/etc/system-release'
	191	- '/etc/centos-release'
	192	- '/etc/enterprise-release'
	193	- '/etc/oracle-release'
	194	- '/etc/redhat-release'
	195	- '/etc/SuSE-release'
	196	- '/etc/system-release'
192	197	provides: [os_release, os_major_version, os_minor_version]
193	198	labels: [Software]
194	199	supported_os: [Linux]

217	222	- type: FILE
218	223	attributes:
219	224	paths:
220		- '/boot/grub/grub.cfg'
221		- '/boot/grub2/grub.cfg'
	225	- '/boot/grub/grub.cfg'
	226	- '/boot/grub2/grub.cfg'
222	227	labels: [System, Configuration Files]
223	228	supported_os: [Linux]
224	229	urls: ['https://en.wikipedia.org/wiki/GNU_GRUB']

237	242	- type: FILE
238	243	attributes:
239	244	paths:
240		- '/boot/initramfs*'
241		- '/boot/initrd*'
	245	- '/boot/initramfs*'
	246	- '/boot/initrd*'
242	247	labels: [Configuration Files, System]
243	248	supported_os: [Linux]
244	249	urls:
245		- 'http://en.wikipedia.org/wiki/Initrd'
246		- 'https://www.kernel.org/doc/Documentation/initrd.txt'
	250	- 'http://en.wikipedia.org/wiki/Initrd'
	251	- 'https://www.kernel.org/doc/Documentation/initrd.txt'
247	252	---
248	253	name: LinuxIssueFile
249	254	doc: Linux prelogin message and identification (issue) file.

251	256	- type: FILE
252	257	attributes:
253	258	paths:
254		- '/etc/issue'
255		- '/etc/issue.net'
	259	- '/etc/issue'
	260	- '/etc/issue.net'
256	261	labels: [Configuration Files, System]
257	262	supported_os: [Linux]
258	263	urls: ['https://linux.die.net/man/5/issue']

273	278	labels: [Logs, Authentication]
274	279	supported_os: [Linux]
275	280	---
	281	name: LinuxLoaderSystemPreloadFile
	282	doc: Linux dynamic linker/loader system-wide preload file (ld.so.preload).
	283	sources:
	284	- type: FILE
	285	attributes: {paths: ['/etc/ld.so.preload']}
	286	labels: [Configuration Files]
	287	supported_os: [Linux]
	288	urls: ['http://man7.org/linux/man-pages/man8/ld.so.8.html']
	289	---
276	290	name: LinuxLSBInit
277	291	doc: Linux LSB-style init scripts.
278	292	sources:
279	293	- type: FILE
280	294	attributes:
281	295	paths:
282		- '/etc/init.d/*'
283		- '/etc/insserv.conf'
284		- '/etc/insserv.conf.d/**'
	296	- '/etc/init.d/*'
	297	- '/etc/insserv.conf'
	298	- '/etc/insserv.conf.d/**'
285	299	labels: [Configuration Files, System]
286	300	supported_os: [Linux]
287	301	urls: ['https://wiki.debian.org/LSBInitScripts']

328	342	- type: ARTIFACT_GROUP
329	343	attributes:
330	344	names:
331		- LinuxFstab
332		- LinuxProcMounts
	345	- LinuxFstab
	346	- LinuxProcMounts
333	347	labels: [System, Configuration Files]
334	348	supported_os: [Linux]
335	349	---

339	353	- type: FILE
340	354	attributes:
341	355	paths:
342		- '/etc/pam.conf'
343		- '/etc/pam.d'
344		- '/etc/pam.d/*'
	356	- '/etc/pam.conf'
	357	- '/etc/pam.d'
	358	- '/etc/pam.d/*'
345	359	labels: [Authentication, Configuration Files]
346	360	supported_os: [Linux]
347	361	urls: ['http://www.linux-pam.org/']

361	375	name: LinuxReleaseInfo
362	376	doc: Release information for Linux platforms.
363	377	sources:
364		- type: ARTIFACT_GROUP
365		attributes:
366		names:
367		- LinuxDistributionRelease
368		- LinuxLSBRelease
369		- LinuxSystemdOSRelease
	378	- type: ARTIFACT_GROUP
	379	attributes:
	380	names:
	381	- LinuxDistributionRelease
	382	- LinuxLSBRelease
	383	- LinuxSystemdOSRelease
370	384	provides: [os_release, os_major_version, os_minor_version]
371	385	labels: [Software]
372	386	supported_os: [Linux]

377	391	- type: FILE
378	392	attributes:
379	393	paths:
380		- '/etc/rsyslog.conf'
381		- '/etc/rsyslog.d'
382		- '/etc/rsyslog.d/*'
	394	- '/etc/rsyslog.conf'
	395	- '/etc/rsyslog.d'
	396	- '/etc/rsyslog.d/*'
383	397	labels: [Configuration Files, Logs]
384	398	supported_os: [Linux]
385	399	urls: ['http://www.rsyslog.com/doc/rsyslog_conf.html']

390	404	- type: ARTIFACT_GROUP
391	405	attributes:
392	406	names:
393		- AnacronFiles
394		- LinuxCronTabs
395		- LinuxAtJobs
	407	- AnacronFiles
	408	- LinuxCronTabs
	409	- LinuxAtJobs
396	410	labels: [Configuration Files]
397	411	supported_os: [Linux]
398	412	---

402	416	- type: ARTIFACT_GROUP
403	417	attributes:
404	418	names:
405		- LinuxXinetd
406		- LinuxLSBInit
407		- LinuxSysVInit
	419	- LinuxXinetd
	420	- LinuxLSBInit
	421	- LinuxSysVInit
	422	- LinuxSystemdServices
408	423	labels: [Configuration Files, System]
409	424	supported_os: [Linux]
410	425	---

417	432	urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt']
418	433	supported_os: [Linux]
419	434	---
	435	name: LinuxSudoReplayLogs
	436	doc: Linux sudoreplay log files.
	437	sources:
	438	- type: FILE
	439	attributes: {paths: ['/var/log/sudo-io/**']}
	440	labels: [Logs, Authentication]
	441	supported_os: [Linux]
	442	---
420	443	name: LinuxSysLogFiles
421	444	doc: Linux syslog log files.
422	445	sources:

431	454	- type: FILE
432	455	attributes:
433	456	paths:
434		- '/etc/syslog-ng/syslog-ng.conf'
435		- '/etc/syslog-ng/conf-d/*.conf'
	457	- '/etc/syslog-ng/syslog-ng.conf'
	458	- '/etc/syslog-ng/conf-d/*.conf'
436	459	labels: [Configuration Files, Logs]
437	460	supported_os: [Linux]
438	461	urls: ['http://linux.die.net/man/5/syslog-ng.conf']

443	466	- type: FILE
444	467	attributes:
445	468	paths:
446		- '/etc/os-release'
447		- '/usr/lib/os-release'
	469	- '/etc/os-release'
	470	- '/usr/lib/os-release'
448	471	provides: [os_release, os_major_version, os_minor_version]
449	472	labels: [Software]
450	473	supported_os: [Linux]
451	474	urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html']
452	475	---
	476	name: LinuxSystemdServices
	477	doc: Linux systemd service unit files
	478	sources:
	479	- type: FILE
	480	attributes:
	481	paths:
	482	- '/etc/systemd/system.control/*.service'
	483	- '/etc/systemd/systemd.attached/*.service'
	484	- '/etc/systemd/system/*.service'
	485	- '/etc/systemd/user/*.service'
	486	- '/lib/systemd/system/*.service'
	487	- '/lib/systemd/user/*.service'
	488	- '/run/systemd/generator.early/*.service'
	489	- '/run/systemd/generator.late/*.service'
	490	- '/run/systemd/generator/*.service'
	491	- '/run/systemd/system.control/*.service'
	492	- '/run/systemd/systemd.attached/*.service'
	493	- '/run/systemd/system/*.service'
	494	- '/run/systemd/transient/*.service'
	495	- '/run/systemd/user/*.service'
	496	- '/run/user//systemd/generator.early/.service'
	497	- '/run/user//systemd/generator.late/.service'
	498	- '/run/user//systemd/generator/.service'
	499	- '/run/user//systemd/transient/.service'
	500	- '/run/user//systemd/user.control/.service'
	501	- '/run/user//systemd/user/.service'
	502	- '/usr/lib/systemd/system/*.service'
	503	- '/usr/lib/systemd/user/*.service'
	504	- '%%users.homedir%%/.config/systemd/user.control/*.service'
	505	- '%%users.homedir%%/.config/systemd/user/*.service'
	506	- '%%users.homedir%%/.local/share/systemd/user/*.service'
	507	labels: [Configuration Files, System]
	508	supported_os: [Linux]
	509	urls: ['https://https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path']
	510	---
453	511	name: LinuxSysVInit
454	512	doc: Services started by sysv-style init scripts.
455	513	sources:
456	514	- type: FILE
457	515	attributes:
458	516	paths:
459		- '/etc/rc*.d'
460		- '/etc/rc.d/'
461		- '/etc/rc.d/rc.d/'
462		- '/etc/rc.d/init.d/*'
	517	- '/etc/rc*.d'
	518	- '/etc/rc.d/'
	519	- '/etc/rc.d/rc.d/'
	520	- '/etc/rc.d/init.d/*'
463	521	labels: [Configuration Files, System]
464	522	supported_os: [Linux]
465	523	urls:
466		- 'http://savannah.nongnu.org/projects/sysvinit'
467		- 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html'
	524	- 'http://savannah.nongnu.org/projects/sysvinit'
	525	- 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html'
468	526	---
469	527	name: LinuxTimezoneFile
470	528	doc: Linux timezone file.

480	538	- type: FILE
481	539	attributes:
482	540	paths:
483		- '/var/log/btmp'
484		- '/var/log/wtmp'
485		- '/var/run/utmp'
	541	- '/var/log/btmp'
	542	- '/var/log/wtmp'
	543	- '/var/run/utmp'
486	544	labels: [Logs, Authentication]
487	545	supported_os: [Linux]
488	546	urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']

503	561	- type: FILE
504	562	attributes:
505	563	paths:
506		- '/etc/xinetd.conf'
507		- '/etc/xinetd.d/**'
	564	- '/etc/xinetd.conf'
	565	- '/etc/xinetd.d/**'
508	566	labels: [Configuration Files, System]
509	567	supported_os: [Linux]
510	568	urls: ['http://en.wikipedia.org/wiki/Xinetd']

534	592	- type: FILE
535	593	attributes:
536	594	paths:
537		- '/etc/netgroup'
538		- '/etc/nsswitch.conf'
539		- '/etc/passwd'
540		- '/etc/shadow'
541		- '/etc/security/access.conf'
542		- '/root/.k5login'
	595	- '/etc/netgroup'
	596	- '/etc/nsswitch.conf'
	597	- '/etc/passwd'
	598	- '/etc/shadow'
	599	- '/etc/security/access.conf'
	600	- '/root/.k5login'
543	601	labels: [Authentication, Configuration Files]
544	602	supported_os: [Linux]
545	603	---

566	624	sources:
567	625	- type: FILE
568	626	attributes:
569		paths:
570		- '/sys/bus/pci/devices/*/vendor'
571		- '/sys/bus/pci/devices/*/device'
572		- '/sys/bus/pci/devices/*/class'
573		- '/sys/bus/pci/devices/*/config'
	627	paths:
	628	- '/sys/bus/pci/devices/*/vendor'
	629	- '/sys/bus/pci/devices/*/device'
	630	- '/sys/bus/pci/devices/*/class'
	631	- '/sys/bus/pci/devices/*/config'
574	632	labels: [Configuration Files, System]
575	633	urls:
576		- 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci'
577		- 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt'
578		- 'https://wiki.debian.org/HowToIdentifyADevice/PCI'
579		supported_os: [Linux]
	634	- 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci'
	635	- 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt'
	636	- 'https://wiki.debian.org/HowToIdentifyADevice/PCI'
	637	supported_os: [Linux]
	638	---
	639	name: SecretsServiceDatabaseFile
	640	doc: The System Security Services Daemon (SSSD) database file.
	641	sources:
	642	- type: FILE
	643	attributes:
	644	paths:
	645	- '/var/lib/sss/secrets/secrets.ldb'
	646	- '/var/lib/sss/secrets/.secrets.mkey'
	647	labels: [System, Configuration Files]
	648	supported_os: [Linux]
	649	urls:
	650	- 'https://docs.pagure.org/SSSD.sssd/design_pages/secrets_service.html'
	651	- 'https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html'
580	652	---
581	653	name: SSHHostPubKeys
582	654	doc: SSH host public keys

584	656	- type: FILE
585	657	attributes:
586	658	paths:
587		- '/etc/ssh/ssh_host_*_key.pub'
	659	- '/etc/ssh/ssh_host_*_key.pub'
588	660	labels: [Authentication, Configuration Files]
589	661	supported_os: [Linux]
590	662	---

602	674	- type: FILE
603	675	attributes:
604	676	paths:
605		- '/etc/yum.conf'
606		- '/etc/yum.repos.d/*.repo'
	677	- '/etc/yum.conf'
	678	- '/etc/yum.repos.d/*.repo'
607	679	labels: [Configuration Files, System]
608	680	supported_os: [Linux]
609	681	urls: ['https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Configuring_Yum_and_Yum_Repositories.html']

612	684	doc: Zeitgeist user activity database.
613	685	sources:
614	686	- type: FILE
615		attributes: {paths: ['%%users.homedir%%/.local/share/zeitgeist/activity.sqlite']}
	687	attributes:
	688	paths:
	689	- '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite'
	690	- '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite-wal'
616	691	labels: [Users, Logs]
617		urls: ['http://forensicswiki.org/wiki/Zeitgeist']
618		supported_os: [Linux]
	692	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Zeitgeist']
	693	supported_os: [Linux]

+31

-31

data/linux_proc.yaml less more

23	23	- type: FILE
24	24	attributes:
25	25	paths:
26		- '/proc/sys/kernel/bootloader_type'
27		- '/proc/sys/kernel/bootloader_version'
	26	- '/proc/sys/kernel/bootloader_type'
	27	- '/proc/sys/kernel/bootloader_version'
28	28	labels: [System]
29	29	supported_os: [Linux]
30	30	urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']

35	35	- type: FILE
36	36	attributes:
37	37	paths:
38		- '/proc/sys/kernel/kexec_load_disabled'
39		- '/proc/sys/kernel/modules_disabled'
	38	- '/proc/sys/kernel/kexec_load_disabled'
	39	- '/proc/sys/kernel/modules_disabled'
40	40	labels: [System]
41	41	supported_os: [Linux]
42	42	urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']

56	56	- type: FILE
57	57	attributes:
58	58	paths:
59		- '/proc/sys/net/ipv/conf//forwarding'
60		- '/proc/sys/net/ipv4/conf/*/mc_forwarding'
61		- '/proc/sys/net/ipv4/ip_forward'
	59	- '/proc/sys/net/ipv/conf//forwarding'
	60	- '/proc/sys/net/ipv4/conf/*/mc_forwarding'
	61	- '/proc/sys/net/ipv4/ip_forward'
62	62	labels: [Network, System]
63	63	supported_os: [Linux]
64	64	urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']

69	69	- type: FILE
70	70	attributes:
71	71	paths:
72		- '/proc/sys/net/ipv/conf//accept_source_route'
73		- '/proc/sys/net/ipv4/conf/*/rp_filter'
74		- '/proc/sys/net/ipv4/conf/*/log_martians'
	72	- '/proc/sys/net/ipv/conf//accept_source_route'
	73	- '/proc/sys/net/ipv4/conf/*/rp_filter'
	74	- '/proc/sys/net/ipv4/conf/*/log_martians'
75	75	labels: [Network, System]
76	76	supported_os: [Linux]
77	77	urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']

82	82	- type: FILE
83	83	attributes:
84	84	paths:
85		- '/proc/sys/net/ipv/conf//accept_redirects'
86		- '/proc/sys/net/ipv4/conf/*/secure_redirects'
87		- '/proc/sys/net/ipv4/conf/*/send_redirects'
	85	- '/proc/sys/net/ipv/conf//accept_redirects'
	86	- '/proc/sys/net/ipv4/conf/*/secure_redirects'
	87	- '/proc/sys/net/ipv4/conf/*/send_redirects'
88	88	labels: [Network, System]
89	89	supported_os: [Linux]
90	90	urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']

95	95	- type: FILE
96	96	attributes:
97	97	paths:
98		- '/proc/net/arp'
	98	- '/proc/net/arp'
99	99	labels: [Network]
100	100	supported_os: [Linux]
101	101	---

105	105	- type: FILE
106	106	attributes:
107	107	paths:
108		- '/proc/mounts'
	108	- '/proc/mounts'
109	109	labels: [System]
110	110	supported_os: [Linux]
111	111	urls: ['https://www.kernel.org/doc/Documentation/filesystems/proc.txt']

116	116	- type: ARTIFACT_GROUP
117	117	attributes:
118	118	names:
119		- 'LinuxASLREnabled'
120		- 'LinuxIgnoreICMPBroadcasts'
121		- 'LinuxKernelBootloader'
122		- 'LinuxKernelModuleTaintStatus'
123		- 'LinuxKernelModuleRestrictions'
124		- 'LinuxNetworkIpForwardingState'
125		- 'LinuxNetworkPathFilteringSettings'
126		- 'LinuxNetworkRedirectState'
127		- 'LinuxRestrictedDmesgReadPrivileges'
128		- 'LinuxRestrictedKernelPointerReadPrivileges'
129		- 'LinuxSecureSuidCoreDumps'
130		- 'LinuxSecureFsLinks'
131		- 'LinuxSyncookieState'
	119	- 'LinuxASLREnabled'
	120	- 'LinuxIgnoreICMPBroadcasts'
	121	- 'LinuxKernelBootloader'
	122	- 'LinuxKernelModuleTaintStatus'
	123	- 'LinuxKernelModuleRestrictions'
	124	- 'LinuxNetworkIpForwardingState'
	125	- 'LinuxNetworkPathFilteringSettings'
	126	- 'LinuxNetworkRedirectState'
	127	- 'LinuxRestrictedDmesgReadPrivileges'
	128	- 'LinuxRestrictedKernelPointerReadPrivileges'
	129	- 'LinuxSecureSuidCoreDumps'
	130	- 'LinuxSecureFsLinks'
	131	- 'LinuxSyncookieState'
132	132	labels: [System]
133	133	supported_os: [Linux]
134	134	---

138	138	- type: FILE
139	139	attributes:
140	140	paths:
141		- '/proc/sys/kernel/dmesg_restrict'
	141	- '/proc/sys/kernel/dmesg_restrict'
142	142	labels: [System]
143	143	supported_os: [Linux]
144	144	urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']

158	158	- type: FILE
159	159	attributes:
160	160	paths:
161		- '/proc/sys/fs/protected_hardlinks'
162		- '/proc/sys/fs/protected_symlinks'
	161	- '/proc/sys/fs/protected_hardlinks'
	162	- '/proc/sys/fs/protected_symlinks'
163	163	labels: [System]
164	164	supported_os: [Linux]
165	165	urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt']

+274

-209

data/macos.yaml less more

10	10	labels: [System, Logs]
11	11	supported_os: [Darwin]
12	12	urls:
13		- 'http://forensicswiki.org/wiki/Mac_OS_X'
14		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
	13	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	14	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
15	15	---
16	16	name: MacOSApplications
17	17	doc: Applications

21	21	labels: [Users, Software]
22	22	supported_os: [Darwin]
23	23	urls:
24		- 'http://forensicswiki.org/wiki/Mac_OS_X'
25		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	24	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	25	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
26	26	---
27	27	name: MacOSApplicationsRecentItems
28	28	doc: Recent Items application specific

32	32	labels: [Users, Software]
33	33	supported_os: [Darwin]
34	34	urls:
35		- 'http://forensicswiki.org/wiki/Mac_OS_X'
36		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items'
	35	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	36	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items'
37	37	---
38	38	name: MacOSApplicationSupport
39	39	doc: Application Support Directory

43	43	labels: [Users, Software]
44	44	supported_os: [Darwin]
45	45	urls:
46		- 'http://forensicswiki.org/wiki/Mac_OS_X'
47		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.'
	46	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	47	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.'
48	48	---
49	49	name: MacOSAtJobs
50	50	doc: MacOS at jobs

54	54	labels: [System]
55	55	supported_os: [Darwin]
56	56	urls:
57		- 'http://forensicswiki.org/wiki/Mac_OS_X'
58		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
	57	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	58	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
59	59	- 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at'
60	60	---
61	61	name: MacOSAuditLogFiles

69	69	labels: [System, Logs]
70	70	supported_os: [Darwin]
71	71	urls:
72		- 'http://forensicswiki.org/wiki/Mac_OS_X'
73		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
	72	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	73	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
74	74	---
75	75	name: MacOSBashHistory
76	76	doc: Terminal Commands History

80	80	labels: [Users, Logs]
81	81	supported_os: [Darwin]
82	82	urls:
83		- 'http://forensicswiki.org/wiki/Mac_OS_X'
84		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs'
	83	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	84	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs'
85	85	---
86	86	name: MacOSBashSessions
87	87	doc: Terminal Commands Sessions

100	100	labels: [System, Logs]
101	101	supported_os: [Darwin]
102	102	urls:
103		- 'http://forensicswiki.org/wiki/Mac_OS_X'
104		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
	103	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	104	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
105	105	---
106	106	name: MacOSCoreAnalyticsFiles
107	107	doc: macOS 10.13 (High Sierra) CoreAnalytics log files.

115	115	labels: [Logs, System]
116	116	supported_os: [Darwin]
117	117	urls:
118		- 'http://forensicswiki.org/wiki/Mac_OS_X'
119		- 'http://forensicswiki.org/wiki/Mac_OS_X#Diagnostic_Reports'
	118	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	119	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X#Diagnostic_Reports'
120	120	- 'https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/'
121	121	---
122	122	name: MacOSCronTabs

125	125	- type: FILE
126	126	attributes:
127	127	paths:
128		- '/etc/crontab'
129		- '/private/etc/crontab'
130		- '/usr/lib/cron/tabs/*'
131		labels: [System]
132		supported_os: [Darwin]
133		urls:
134		- 'http://forensicswiki.org/wiki/Mac_OS_X'
135		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
	128	- '/etc/crontab'
	129	- '/private/etc/crontab'
	130	- '/usr/lib/cron/tabs/*'
	131	labels: [System]
	132	supported_os: [Darwin]
	133	urls:
	134	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	135	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
136	136	---
137	137	name: MacOSDock
138	138	doc: Dock database

142	142	labels: [Users]
143	143	supported_os: [Darwin]
144	144	urls:
145		- 'http://forensicswiki.org/wiki/Mac_OS_X'
146		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	145	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	146	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
147	147	---
148	148	name: MacOSGlobalPreferencesPlistFile
149	149	doc: Global Preferences plist file

153	153	labels: [System]
154	154	supported_os: [Darwin]
155	155	urls:
156		- 'http://forensicswiki.org/wiki/Mac_OS_X'
157		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
	156	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	157	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
158	158	---
159	159	name: MacOSHostsFile
160	160	doc: Hosts file

167	167	labels: [System, Network]
168	168	supported_os: [Darwin]
169	169	urls:
170		- 'http://forensicswiki.org/wiki/Mac_OS_X'
171		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking'
	170	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	171	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking'
172	172	---
173	173	name: MacOSiCloudAccounts
174	174	doc: iCloud Accounts

186	186	labels: [Users, Cloud, ExternalAccount]
187	187	supported_os: [Darwin]
188	188	urls:
189		- 'http://forensicswiki.org/wiki/Mac_OS_X'
190		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	189	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	190	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
191	191	---
192	192	name: MacOSiDevices
193	193	doc: Attached iDevices

197	197	labels: [Users, External Media]
198	198	supported_os: [Darwin]
199	199	urls:
200		- 'http://forensicswiki.org/wiki/Mac_OS_X'
201		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	200	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	201	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
202	202	---
203	203	name: MacOSInstallationHistory
204	204	doc: Software Installation History

208	208	labels: [System]
209	209	supported_os: [Darwin]
210	210	urls:
211		- 'http://forensicswiki.org/wiki/Mac_OS_X'
212		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation'
	211	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	212	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation'
213	213	---
214	214	name: MacOSInstallationLogFile
215	215	doc: Installation log file

222	222	labels: [System, Logs]
223	223	supported_os: [Darwin]
224	224	urls:
225		- 'http://forensicswiki.org/wiki/Mac_OS_X'
226		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
	225	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	226	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
227	227	---
228	228	name: MacOSiOSBackupInfo
229	229	doc: iOS device backup information

233	233	labels: [Users, iOS]
234	234	supported_os: [Darwin]
235	235	urls:
236		- 'http://forensicswiki.org/wiki/Mac_OS_X'
237		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
	236	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	237	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
238	238	---
239	239	name: MacOSiOSBackupManifest
240	240	doc: iOS device backup apps information

244	244	labels: [Users, iOS]
245	245	supported_os: [Darwin]
246	246	urls:
247		- 'http://forensicswiki.org/wiki/Mac_OS_X'
248		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
	247	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	248	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
249	249	---
250	250	name: MacOSiOSBackupMbdb
251	251	doc: iOS device backup files information

255	255	labels: [Users, iOS]
256	256	supported_os: [Darwin]
257	257	urls:
258		- 'http://forensicswiki.org/wiki/Mac_OS_X'
259		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
	258	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	259	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
260	260	---
261	261	name: MacOSiOSBackupsMainDirectory
262	262	doc: iOS device backups directory

266	266	labels: [Users, iOS]
267	267	supported_os: [Darwin]
268	268	urls:
269		- 'http://forensicswiki.org/wiki/Mac_OS_X'
270		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
	269	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	270	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
271	271	---
272	272	name: MacOSiOSBackupStatus
273	273	doc: iOS device backup status information

277	277	labels: [Users, iOS]
278	278	supported_os: [Darwin]
279	279	urls:
280		- 'http://forensicswiki.org/wiki/Mac_OS_X'
281		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
	280	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	281	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup'
282	282	---
283	283	name: MacOSKeychains
284	284	doc: Keychain Directory

288	288	labels: [Users]
289	289	supported_os: [Darwin]
290	290	urls:
291		- 'http://forensicswiki.org/wiki/Mac_OS_X'
292		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.'
	291	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	292	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.'
293	293	---
294	294	name: MacOSKeyboardLayoutPlistFile
295	295	doc: Keyboard layout plist file

305	305	- type: FILE
306	306	attributes:
307	307	paths:
308		- '/System/Library/Extensions/*'
309		- '/Library/Extensions/*'
310		labels: [System]
311		supported_os: [Darwin]
312		urls:
313		- 'http://forensicswiki.org/wiki/Mac_OS_X'
314		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension'
	308	- '/System/Library/Extensions/*'
	309	- '/Library/Extensions/*'
	310	labels: [System]
	311	supported_os: [Darwin]
	312	urls:
	313	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	314	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension'
315	315	---
316	316	name: MacOSDuetKnowledgeBase
317	317	doc: KnowledgeC User and Application usage database

332	332	- type: FILE
333	333	attributes:
334	334	paths:
335		- '/Library/LaunchAgents/*'
336		- '/System/Library/LaunchAgents/*'
337		- '%%users.homedir%%/Library/LaunchAgents/*'
338		labels: [System]
339		supported_os: [Darwin]
340		urls:
341		- 'http://forensicswiki.org/wiki/Mac_OS_X'
342		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations'
	335	- '/Library/LaunchAgents/*'
	336	- '/System/Library/LaunchAgents/*'
	337	- '%%users.homedir%%/Library/LaunchAgents/*'
	338	labels: [System]
	339	supported_os: [Darwin]
	340	urls:
	341	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	342	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations'
343	343	---
344	344	name: MacOSLaunchDaemonsPlistFiles
345	345	doc: Launch Daemons plist files

347	347	- type: FILE
348	348	attributes:
349	349	paths:
350		- '/Library/LaunchDaemons/*'
351		- '/System/Library/LaunchDaemons/*'
352		- '%%users.homedir%%/Library/LaunchDaemons/*'
353		labels: [System]
354		supported_os: [Darwin]
355		urls:
356		- 'http://forensicswiki.org/wiki/Mac_OS_X'
357		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations'
	350	- '/Library/LaunchDaemons/*'
	351	- '/System/Library/LaunchDaemons/*'
	352	- '%%users.homedir%%/Library/LaunchDaemons/*'
	353	labels: [System]
	354	supported_os: [Darwin]
	355	urls:
	356	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	357	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations'
358	358	---
359	359	name: MacOSLastlogFile
360	360	doc: Mac OS X lastlog file.

383	383	- type: FILE
384	384	attributes:
385	385	paths:
386		- '/etc/localtime'
387		- '/private/etc/localtime'
388		labels: [System]
389		supported_os: [Darwin]
390		urls:
391		- 'http://forensicswiki.org/wiki/Mac_OS_X'
392		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
	386	- '/etc/localtime'
	387	- '/private/etc/localtime'
	388	labels: [System]
	389	supported_os: [Darwin]
	390	urls:
	391	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	392	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
393	393	---
394	394	name: MacOSLoginWindowPlistFile
395	395	doc: Log-in Window information plist file

399	399	labels: [System, Authentication]
400	400	supported_os: [Darwin]
401	401	urls:
402		- 'http://forensicswiki.org/wiki/Mac_OS_X'
403		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
	402	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	403	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
404	404	---
405	405	name: MacOSMailAccounts
406	406	doc: Mail Accounts. Until now only V2, V3 and V5 have been observed.

410	410	labels: [Users, Software, Mail]
411	411	supported_os: [Darwin]
412	412	urls:
413		- 'http://forensicswiki.org/wiki/Mac_OS_X'
414		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	413	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	414	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
415	415	---
416	416	name: MacOSMailBackupTOC
417	417	doc: Mail Backup Table of Content. Until now only V2, V3 and V5 have been observed.

421	421	labels: [Users, Software, Mail]
422	422	supported_os: [Darwin]
423	423	urls:
424		- 'http://forensicswiki.org/wiki/Mac_OS_X'
425		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	424	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	425	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
426	426	---
427	427	name: MacOSMailboxes
428	428	doc: Mail Mailbox Directory. Until now only V2, V3 and V5 have been observed.

432	432	labels: [Users, Software, Mail]
433	433	supported_os: [Darwin]
434	434	urls:
435		- 'http://forensicswiki.org/wiki/Mac_OS_X'
436		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	435	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	436	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
437	437	---
438	438	name: MacOSMailDownloadAttachments
439	439	doc: Mail Downloads Directory

443	443	labels: [Users, Software, Mail]
444	444	supported_os: [Darwin]
445	445	urls:
446		- 'http://forensicswiki.org/wiki/Mac_OS_X'
447		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	446	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	447	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
448	448	---
449	449	name: MacOSMailEnvelopIndex
450	450	doc: Mail Envelope Index. Until now only V2, V3 and V5 have been observed.

454	454	labels: [Users, Software, Mail]
455	455	supported_os: [Darwin]
456	456	urls:
457		- 'http://forensicswiki.org/wiki/Mac_OS_X'
458		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	457	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	458	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
459	459	---
460	460	name: MacOSMailIMAP
461	461	doc: Mail IMAP Synched Mailboxes. Until now only V2, V3 and V5 have been observed.

465	465	labels: [Users, Software, Mail]
466	466	supported_os: [Darwin]
467	467	urls:
468		- 'http://forensicswiki.org/wiki/Mac_OS_X'
469		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	468	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	469	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
470	470	---
471	471	name: MacOSMailMainDirectory
472	472	doc: Mail Main Folder. Until now only V2, V3 and V5 have been observed.

476	476	labels: [Users, Software, Mail]
477	477	supported_os: [Darwin]
478	478	urls:
479		- 'http://forensicswiki.org/wiki/Mac_OS_X'
480		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	479	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	480	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
481	481	---
482	482	name: MacOSMailOpenedAttachments
483	483	doc: Mail Opened Attachments

487	487	labels: [Users, Software, Mail]
488	488	supported_os: [Darwin]
489	489	urls:
490		- 'http://forensicswiki.org/wiki/Mac_OS_X'
491		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	490	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	491	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
492	492	---
493	493	name: MacOSMailPOP
494	494	doc: Mail POP Synched Mailboxes. Until now only V2, V3 and V5 have been observed.

498	498	labels: [Users, Software, Mail]
499	499	supported_os: [Darwin]
500	500	urls:
501		- 'http://forensicswiki.org/wiki/Mac_OS_X'
502		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	501	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	502	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
503	503	---
504	504	name: MacOSMailPreferences
505	505	doc: Mail Preferences

509	509	labels: [Users, Software, Mail]
510	510	supported_os: [Darwin]
511	511	urls:
512		- 'http://forensicswiki.org/wiki/Mac_OS_X'
513		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	512	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	513	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
514	514	---
515	515	name: MacOSMailRecentContacts
516	516	doc: Mail Recent Contacts

520	520	labels: [Users, Software, Mail]
521	521	supported_os: [Darwin]
522	522	urls:
523		- 'http://forensicswiki.org/wiki/Mac_OS_X'
524		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	523	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	524	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
525	525	---
526	526	name: MacOSMailSignatures
527	527	doc: Mail Signatures by Account. Until now only V2, V3 and V5 have been observed.

531	531	labels: [Users, Software, Mail]
532	532	supported_os: [Darwin]
533	533	urls:
534		- 'http://forensicswiki.org/wiki/Mac_OS_X'
535		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail'
	534	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	535	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail'
536	536	---
537	537	name: MacOSMiscLogs
538	538	doc: Misc. Logs

542	542	labels: [Users, Logs]
543	543	supported_os: [Darwin]
544	544	urls:
545		- 'http://forensicswiki.org/wiki/Mac_OS_X'
546		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs'
	545	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	546	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs'
547	547	---
548	548	name: MacOSMountedDMGs
549	549	doc: MacOS Mounted DMG files.

575	575	- type: FILE
576	576	attributes:
577	577	paths:
578		- '/etc/daily.local/*'
579		- '/etc/defaults/periodic.conf'
580		- '/etc/monthly.local/*'
581		- '/etc/periodic/**2'
582		- '/etc/periodic.conf'
583		- '/etc/periodic.conf.local'
584		- '/etc/periodic/daily/*'
585		- '/etc/periodic/monthly/*'
586		- '/etc/periodic/weekly/*'
587		- '/etc/weekly.local/*'
588		- '/private/etc/daily.local/*'
589		- '/private/etc/defaults/periodic.conf'
590		- '/private/etc/monthly.local/*'
591		- '/private/etc/periodic/**2'
592		- '/private/etc/periodic.conf'
593		- '/private/etc/periodic.conf.local'
594		- '/private/etc/periodic/daily/*'
595		- '/private/etc/periodic/monthly/*'
596		- '/private/etc/periodic/weekly/*'
597		- '/private/etc/weekly.local/*'
598		- '/usr/local/etc/periodic/**2'
599		labels: [System]
600		supported_os: [Darwin]
601		urls:
602		- 'http://forensicswiki.org/wiki/Mac_OS_X'
603		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
	578	- '/etc/daily.local/*'
	579	- '/etc/defaults/periodic.conf'
	580	- '/etc/monthly.local/*'
	581	- '/etc/periodic/**2'
	582	- '/etc/periodic.conf'
	583	- '/etc/periodic.conf.local'
	584	- '/etc/periodic/daily/*'
	585	- '/etc/periodic/monthly/*'
	586	- '/etc/periodic/weekly/*'
	587	- '/etc/weekly.local/*'
	588	- '/private/etc/daily.local/*'
	589	- '/private/etc/defaults/periodic.conf'
	590	- '/private/etc/monthly.local/*'
	591	- '/private/etc/periodic/**2'
	592	- '/private/etc/periodic.conf'
	593	- '/private/etc/periodic.conf.local'
	594	- '/private/etc/periodic/daily/*'
	595	- '/private/etc/periodic/monthly/*'
	596	- '/private/etc/periodic/weekly/*'
	597	- '/private/etc/weekly.local/*'
	598	- '/usr/local/etc/periodic/**2'
	599	labels: [System]
	600	supported_os: [Darwin]
	601	urls:
	602	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	603	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.'
604	604	- 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic'
605	605	---
606	606	name: MacOSQuarantineEvents

609	609	- type: FILE
610	610	attributes:
611	611	paths:
612		- '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents'
613		- '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
	612	- '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents'
	613	- '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
614	614	labels: [Users, Software]
615	615	supported_os: [Darwin]
616	616	urls:
617		- 'http://forensicswiki.org/wiki/Mac_OS_X'
618		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	617	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	618	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
619	619	---
620	620	name: MacOSRecentItems
621	621	doc: Recent Items

625	625	labels: [Users]
626	626	supported_os: [Darwin]
627	627	urls:
628		- 'http://forensicswiki.org/wiki/Mac_OS_X'
629		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items'
	628	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	629	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items'
	630	---
	631	name: MacOSRemoteDesktopAdministratorSystem
	632	doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance.
	633	sources:
	634	- type: FILE
	635	attributes:
	636	paths:
	637	- '/private/var/db/RemoteManagement/ClientCaches/*'
	638	- '/var/db/RemoteManagement/ClientCaches/*'
	639	- '/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3'
	640	- '/var/db/RemoteManagement/RMDB/rmdb.sqlite3'
	641	labels: [System, Network]
	642	supported_os: [Darwin]
	643	urls:
	644	- 'https://help.apple.com/remotedesktop/mac/3.9/'
	645	- 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html'
	646	- 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse'
	647	---
	648	name: MacOSRemoteDesktopClientSystem
	649	doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance.
	650	sources:
	651	- type: FILE
	652	attributes:
	653	paths:
	654	- '/private/var/db/RemoteManagement/caches/AppUsage.plist'
	655	- '/var/db/RemoteManagement/caches/AppUsage.plist'
	656	- '/private/var/db/RemoteManagement/caches/UserAcct.tmp'
	657	- '/var/db/RemoteManagement/caches/UserAcct.tmp'
	658	labels: [System, Network]
	659	supported_os: [Darwin]
	660	urls:
	661	- 'https://help.apple.com/remotedesktop/mac/3.9/'
	662	- 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html'
	663	- 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse'
630	664	---
631	665	name: MacOSSidebarLists
632	666	doc: \|

642	676	labels: [Users, External Media]
643	677	supported_os: [Darwin]
644	678	urls:
645		- 'http://forensicswiki.org/wiki/Mac_OS_X'
646		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	679	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	680	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
647	681	---
648	682	name: MacOSSleepimageFile
649	683	doc: Sleepimage file which contains the content of memory before going to sleep

656	690	labels: [System]
657	691	supported_os: [Darwin]
658	692	urls:
659		- 'http://forensicswiki.org/wiki/Mac_OS_X'
660		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File'
	693	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	694	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File'
661	695	---
662	696	name: MacOSStartupItemsPlistFiles
663	697	doc: Startup Items plist files

665	699	- type: FILE
666	700	attributes:
667	701	paths:
668		- '/Library/StartupItems/*'
669		- '/System/Library/StartupItems/*'
670		labels: [System]
671		supported_os: [Darwin]
672		urls:
673		- 'http://forensicswiki.org/wiki/Mac_OS_X'
674		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations'
	702	- '/Library/StartupItems/*'
	703	- '/System/Library/StartupItems/*'
	704	labels: [System]
	705	supported_os: [Darwin]
	706	urls:
	707	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	708	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations'
675	709	---
676	710	name: MacOSSwapFiles
677	711	doc: Swap files

684	718	labels: [System]
685	719	supported_os: [Darwin]
686	720	urls:
687		- 'http://forensicswiki.org/wiki/Mac_OS_X'
688		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File'
	721	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	722	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File'
689	723	---
690	724	name: MacOSSystemConfigurationPreferencesPlistFile
691	725	doc: System configuration preferences plist file

706	740	labels: [System]
707	741	supported_os: [Darwin]
708	742	urls:
709		- 'http://forensicswiki.org/wiki/Mac_OS_X'
710		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations'
	743	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	744	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations'
711	745	---
712	746	name: MacOSSystemLogFiles
713	747	doc: System log files

720	754	labels: [System, Logs]
721	755	supported_os: [Darwin]
722	756	urls:
723		- 'http://forensicswiki.org/wiki/Mac_OS_X'
724		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
	757	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	758	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs'
725	759	---
726	760	name: MacOSSystemPreferencesPlistFiles
727	761	doc: System Preferences plist files

731	765	labels: [System]
732	766	supported_os: [Darwin]
733	767	urls:
734		- 'http://forensicswiki.org/wiki/Mac_OS_X'
735		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
	768	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	769	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
736	770	---
737	771	name: MacOSSystemVersionPlistFile
738	772	doc: Operating system name and version plist file

742	776	labels: [System]
743	777	supported_os: [Darwin]
744	778	urls:
745		- 'http://forensicswiki.org/wiki/Mac_OS_X'
746		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations'
	779	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	780	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations'
747	781	---
748	782	name: MacOSTimeMachinePlistFile
749	783	doc: Time Machine information plist file

753	787	labels: [System]
754	788	supported_os: [Darwin]
755	789	urls:
756		- 'http://forensicswiki.org/wiki/Mac_OS_X'
757		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
	790	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	791	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences'
758	792	---
759	793	name: MacOSUnifiedLogging
760	794	doc: Apple Unified Logging and Activity Tracing

771	805	labels: [System, Logs]
772	806	supported_os: [Darwin]
773	807	urls:
774		- 'http://forensicswiki.org/wiki/Mac_OS_X'
	808	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
775	809	- 'https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf'
776	810	---
777	811	name: MacOSUpdate

782	816	labels: [System]
783	817	supported_os: [Darwin]
784	818	urls:
785		- 'http://forensicswiki.org/wiki/Mac_OS_X'
786		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation'
	819	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	820	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation'
787	821	---
788	822	name: MacOSUserApplicationLogs
789	823	doc: User and Applications Logs Directory

793	827	labels: [Users, Logs]
794	828	supported_os: [Darwin]
795	829	urls:
796		- 'http://forensicswiki.org/wiki/Mac_OS_X'
797		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs'
	830	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	831	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs'
798	832	---
799	833	name: MacOSUserDesktopDirectory
800	834	doc: Desktop Directory

804	838	labels: [Users]
805	839	supported_os: [Darwin]
806	840	urls:
807		- 'http://forensicswiki.org/wiki/Mac_OS_X'
808		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	841	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	842	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
809	843	---
810	844	name: MacOSUserDocumentsDirectory
811	845	doc: Documents Directory

815	849	labels: [Users]
816	850	supported_os: [Darwin]
817	851	urls:
818		- 'http://forensicswiki.org/wiki/Mac_OS_X'
819		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	852	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	853	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
820	854	---
821	855	name: MacOSUserDownloadsDirectory
822	856	doc: User downloads directory

826	860	labels: [Users]
827	861	supported_os: [Darwin]
828	862	urls:
829		- 'http://forensicswiki.org/wiki/Mac_OS_X'
830		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	863	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	864	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
831	865	---
832	866	name: MacOSUserGlobalPreferences
833	867	doc: User Global Preferences

837	871	labels: [Users]
838	872	supported_os: [Darwin]
839	873	urls:
840		- 'http://forensicswiki.org/wiki/Mac_OS_X'
841		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	874	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	875	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
842	876	---
843	877	name: MacOSUserLibraryDirectory
844	878	doc: Library Directory

848	882	labels: [Users]
849	883	supported_os: [Darwin]
850	884	urls:
851		- 'http://forensicswiki.org/wiki/Mac_OS_X'
852		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	885	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	886	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
853	887	---
854	888	name: MacOSUserLoginItems
855	889	doc: Login Items

859	893	labels: [Users]
860	894	supported_os: [Darwin]
861	895	urls:
862		- 'http://forensicswiki.org/wiki/Mac_OS_X'
863		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations_2'
	896	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	897	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations_2'
864	898	---
865	899	name: MacOSUserMoviesDirectory
866	900	doc: Movies Directory

870	904	labels: [Users]
871	905	supported_os: [Darwin]
872	906	urls:
873		- 'http://forensicswiki.org/wiki/Mac_OS_X'
874		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	907	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	908	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
875	909	---
876	910	name: MacOSUserMusicDirectory
877	911	doc: Music Directory

881	915	labels: [Users]
882	916	supported_os: [Darwin]
883	917	urls:
884		- 'http://forensicswiki.org/wiki/Mac_OS_X'
885		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	918	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	919	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
886	920	---
887	921	name: MacOSUserPasswordHashesPlistFiles
888	922	doc: User password hashes plist files

890	924	- type: FILE
891	925	attributes:
892	926	paths:
893		- '/private/var/db/dslocal/nodes/Default/users/*.plist'
894		- '/var/db/dslocal/nodes/Default/users/*.plist'
	927	- '/private/var/db/dslocal/nodes/Default/users/*.plist'
	928	- '/var/db/dslocal/nodes/Default/users/*.plist'
895	929	labels: [System, Users, Authentication]
896	930	supported_os: [Darwin]
897	931	urls:
898		- 'http://forensicswiki.org/wiki/Mac_OS_X'
899		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations'
	932	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	933	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations'
900	934	---
901	935	name: MacOSUserPicturesDirectory
902	936	doc: Pictures Directory

906	940	labels: [Users]
907	941	supported_os: [Darwin]
908	942	urls:
909		- 'http://forensicswiki.org/wiki/Mac_OS_X'
910		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	943	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	944	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
911	945	---
912	946	name: MacOSUserPreferences
913	947	doc: User preferences directory

917	951	labels: [Users]
918	952	supported_os: [Darwin]
919	953	urls:
920		- 'http://forensicswiki.org/wiki/Mac_OS_X'
921		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
	954	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	955	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences'
922	956	---
923	957	name: MacOSUserPublicDirectory
924	958	doc: Public Directory

928	962	labels: [Users]
929	963	supported_os: [Darwin]
930	964	urls:
931		- 'http://forensicswiki.org/wiki/Mac_OS_X'
932		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
	965	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	966	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories'
933	967	---
934	968	name: MacOSUsers
935	969	doc: Users directories in /Users

940	974	supported_os: [Darwin]
941	975	provides: [users.username]
942	976	urls:
943		- 'http://forensicswiki.org/wiki/Mac_OS_X'
944		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Users'
	977	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	978	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users'
945	979	---
946	980	name: MacOSUserSocialAccounts
947	981	doc: User's Social Accounts
948	982	sources:
949	983	- type: FILE
950		attributes: {paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite']}
	984	attributes:
	985	paths:
	986	- '%%users.homedir%%/Library/Accounts/Accounts3.sqlite'
	987	- '%%users.homedir%%/Library/Accounts/Accounts3.sqlite-wal'
	988	- '%%users.homedir%%/Library/Accounts/Accounts4.sqlite'
	989	- '%%users.homedir%%/Library/Accounts/Accounts4.sqlite-wal'
951	990	labels: [Users, ExternalAccount]
952	991	supported_os: [Darwin]
953	992	urls:
954		- 'http://forensicswiki.org/wiki/Mac_OS_X'
955		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts'
	993	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	994	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts'
	995	- 'https://lab.wallarm.com/hunting-the-files-34caa0c1496'
956	996	---
957	997	name: MacOSUserTrash
958	998	doc: User Trash Folder

962	1002	labels: [Users]
963	1003	supported_os: [Darwin]
964	1004	urls:
965		- 'http://forensicswiki.org/wiki/Mac_OS_X'
966		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.'
	1005	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	1006	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.'
967	1007	---
968	1008	name: MacOSUtmpFile
969	1009	doc: Mac OS X utmp and wmtp login record file.

971	1011	- type: FILE
972	1012	attributes:
973	1013	paths:
974		- '/private/var/run/utmp'
975		- '/private/var/log/wtmp'
976		- '/var/run/utmp'
977		- '/var/log/wtmp'
	1014	- '/private/var/run/utmp'
	1015	- '/private/var/log/wtmp'
	1016	- '/var/run/utmp'
	1017	- '/var/log/wtmp'
978	1018	labels: [Logs, Authentication]
979	1019	supported_os: [Darwin]
980	1020	urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']

999	1039	labels: [System, Network]
1000	1040	supported_os: [Darwin]
1001	1041	urls:
1002		- 'http://forensicswiki.org/wiki/Mac_OS_X'
1003		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking'
	1042	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	1043	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking'
	1044	---
	1045	name: MacOSFSEvents
	1046	doc: Mac OS X file system event log
	1047	sources:
	1048	- type: FILE
	1049	attributes: {paths: ['/.fseventsd/*']}
	1050	labels: [Logs, System, Users]
	1051	supported_os: [Darwin]
	1052	urls:
	1053	- 'http://nicoleibrahim.com/apple-fsevents-forensics/'
	1054	- 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf'
	1055	---
	1056	name: MacOSTCC
	1057	doc: Apple's Transparency, Consent, Control (TCC) framework database
	1058	sources:
	1059	- type: FILE
	1060	attributes:
	1061	paths:
	1062	- '/Library/Application Support/com.apple.TCC/TCC.db'
	1063	- '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db'
	1064	labels: [System]
	1065	supported_os: [Darwin]
	1066	urls:
	1067	- https://blog.fleetsmith.com/tcc-a-quick-primer/
	1068	- https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/

-2

data/ntfs.yaml less more

10	10	- type: FILE
11	11	attributes:
12	12	paths:
13		- '%%environ_systemdrive%%\$MFT'
14		- '%%environ_systemdrive%%\$MFTMirr'
	13	- '%%environ_systemdrive%%\$MFT'
	14	- '%%environ_systemdrive%%\$MFTMirr'
15	15	separator: '\'
16	16	labels: [System]
17	17	supported_os: [Windows]

-2

data/tomcat.yaml less more

5	5	- type: ARTIFACT_GROUP
6	6	attributes:
7	7	names:
8		- 'TomcatLogFiles'
9		- 'TomcatPasswordFile'
	8	- 'TomcatLogFiles'
	9	- 'TomcatPasswordFile'
10	10	labels: [Software]
11	11	supported_os: [Darwin,Linux,Windows]
12	12	---

+32

-5

data/unix_common.yaml less more

199	199	supported_os: [Linux, Darwin]
200	200	---
201	201	name: UsersShellConfigs
202		doc: Common unix user shell configuration files.
	202	doc: Common Unix user shell configuration files.
203	203	sources:
204	204	- type: FILE
205	205	attributes:

215	215	- '%%users.homedir%%/.zlogin'
216	216	- '%%users.homedir%%/.zlogout'
217	217	- '%%users.homedir%%/.zprofile'
218		labels: [Configuration Files]
219		supported_os: [Linux, Darwin]
	218	supported_os: [Linux, Darwin]
	219	- type: FILE
	220	attributes:
	221	paths:
	222	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.bash_logout'
	223	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.bash_profile'
	224	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.bashrc'
	225	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.cshrc'
	226	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.ksh'
	227	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.logout'
	228	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.profile'
	229	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.tcsh'
	230	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.zlogin'
	231	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.zlogout'
	232	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.zprofile'
	233	separator: '\'
	234	supported_os: [Windows]
	235	labels: [Configuration Files]
	236	supported_os: [Linux, Darwin, Windows]
220	237	---
221	238	name: UsersShellHistory
222		doc: Common unix user shell history files.
	239	doc: Common Unix user shell history files.
223	240	sources:
224	241	- type: FILE
225	242	attributes:

228	245	- '%%users.homedir%%/.sh_history'
229	246	- '%%users.homedir%%/.zhistory'
230	247	- '%%users.homedir%%/.zsh_history'
	248	supported_os: [Linux, Darwin]
	249	- type: FILE
	250	attributes:
	251	paths:
	252	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.bash_history'
	253	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.sh_history'
	254	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.zhistory'
	255	- '%%users.localappdata%%\Packages\\LocalState\rootfs\home\\.zsh_history'
	256	separator: '\'
	257	supported_os: [Windows]
231	258	labels: [History Files]
232		supported_os: [Linux, Darwin]
	259	supported_os: [Linux, Darwin, Windows]

+586

-295

data/webbrowser.yaml less more

5	5	- type: ARTIFACT_GROUP
6	6	attributes:
7	7	names:
8		- 'ChromeCache'
9		- 'FirefoxCache'
10		- 'InternetExplorerCache'
11		- 'SafariCache'
	8	- 'ChromeCache'
	9	- 'FirefoxCache'
	10	- 'InternetExplorerCache'
	11	- 'SafariCache'
12	12	labels: [Browser]
13	13	supported_os: [Darwin,Linux,Windows]
14	14	---

18	18	- type: ARTIFACT_GROUP
19	19	attributes:
20	20	names:
21		- 'ChromeHistory'
22		- 'FirefoxHistory'
23		- 'InternetExplorerHistory'
24		- 'OperaHistory'
25		- 'SafariDownloads'
26		- 'SafariHistory'
	21	- 'ChromeHistory'
	22	- 'FirefoxHistory'
	23	- 'InternetExplorerHistory'
	24	- 'OperaHistory'
	25	- 'SafariDownloads'
	26	- 'SafariHistory'
27	27	labels: [Browser]
28	28	supported_os: [Darwin,Linux,Windows]
	29	---
	30	name: ChromeStorage
	31	doc: \|
	32	Google Chrome, Canary and Chromium browser artifacts for Storage APIs.
	33
	34	Includes Web Storage (sessionStorage for session-only data and
	35	localStorage for persistent data), IndexedDB (used for structured data),
	36	and FileSystem (object storage in a virtual file system).
	37
	38	sources:
	39	- type: ARTIFACT_GROUP
	40	attributes:
	41	names:
	42	- 'ChromeLocalStorage'
	43	- 'ChromeSessionStorage'
	44	- 'ChromeFileSystem'
	45	- 'ChromeIndexedDB'
	46	labels: [Browser]
	47	supported_os: [Darwin,Linux,Windows]
	48	urls:
	49	- 'https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API'
	50	- 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API'
	51	- 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem'
29	52	---
30	53	name: ChromeCache
31	54	doc: \|

42	65	- type: FILE
43	66	attributes:
44	67	paths:
45		- '%%users.localappdata%%\Google\Chrome\User Data\\Application Cache\Cache\'
46		- '%%users.localappdata%%\Google\Chrome\User Data\\Cache\'
47		- '%%users.localappdata%%\Google\Chrome\User Data\\Media Cache\'
48		- '%%users.localappdata%%\Google\Chrome\User Data\\GPUCache\'
49		- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Application Cache\Cache\'
50		- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Cache\'
51		- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Media Cache\'
52		- '%%users.localappdata%%\Google\Chrome SxS\User Data\\GPUCache\'
53		- '%%users.localappdata%%\Chromium\User Data\\Application Cache\Cache\'
54		- '%%users.localappdata%%\Chromium\User Data\\Cache\'
55		- '%%users.localappdata%%\Chromium\User Data\\Media Cache\'
56		- '%%users.localappdata%%\Chromium\User Data\\GPUCache\'
57		separator: '\'
58		supported_os: [Windows]
59		- type: FILE
60		attributes:
61		paths:
62		- '%%users.homedir%%/Caches/Google/Chrome//Cache/'
63		- '%%users.homedir%%/Library/Caches/Google/Chrome//Cache/'
64		- '%%users.homedir%%/Library/Caches/Google/Chrome//Media Cache/'
65		- '%%users.homedir%%/Library/Application Support/Google/Chrome//Application Cache/Cache/'
66		- '%%users.homedir%%/Library/Application Support/Google/Chrome//GPUCache/'
67		- '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*'
68		- '%%users.homedir%%/Caches/Google/Chrome Canary//Cache/'
69		- '%%users.homedir%%/Library/Caches/Google/Chrome Canary//Cache/'
70		- '%%users.homedir%%/Library/Caches/Google/Chrome Canary//Media Cache/'
71		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//Application Cache/Cache/'
72		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//GPUCache/'
73		- '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*'
74		- '%%users.homedir%%/Caches/Chromium//Cache/'
75		- '%%users.homedir%%/Library/Caches/Chromium//Cache/'
76		- '%%users.homedir%%/Library/Caches/Chromium//Media Cache/'
77		- '%%users.homedir%%/Library/Application Support/Chromium//Application Cache/Cache/'
78		- '%%users.homedir%%/Library/Application Support/Chromium//GPUCache/'
79		- '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*'
80		supported_os: [Darwin]
81		- type: FILE
82		attributes:
83		paths:
84		- '%%users.homedir%%/.cache/google-chrome/Cache/*'
85		- '%%users.homedir%%/.cache/google-chrome//Cache/'
86		- '%%users.homedir%%/.cache/google-chrome//Media Cache/'
87		- '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*'
88		- '%%users.homedir%%/.config/google-chrome//Application Cache/'
89		- '%%users.homedir%%/.config/google-chrome//Cache/'
90		- '%%users.homedir%%/.config/google-chrome//Media Cache/'
91		- '%%users.homedir%%/.config/google-chrome//GPUCache/'
92		- '%%users.homedir%%/.cache/chromium/Cache/*'
93		- '%%users.homedir%%/.cache/chromium//Cache/'
94		- '%%users.homedir%%/.cache/chromium//Media Cache/'
95		- '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*'
96		- '%%users.homedir%%/.config/chromium//Application Cache/'
97		- '%%users.homedir%%/.config/chromium//Cache/'
98		- '%%users.homedir%%/.config/chromium//Media Cache/'
99		- '%%users.homedir%%/.config/chromium//GPUCache/'
	68	- '%%users.localappdata%%\Google\Chrome\User Data\\Application Cache\Cache\'
	69	- '%%users.localappdata%%\Google\Chrome\User Data\\Cache\'
	70	- '%%users.localappdata%%\Google\Chrome\User Data\\Media Cache\'
	71	- '%%users.localappdata%%\Google\Chrome\User Data\\GPUCache\'
	72	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Application Cache\Cache\'
	73	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Cache\'
	74	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Media Cache\'
	75	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\GPUCache\'
	76	- '%%users.localappdata%%\Chromium\User Data\\Application Cache\Cache\'
	77	- '%%users.localappdata%%\Chromium\User Data\\Cache\'
	78	- '%%users.localappdata%%\Chromium\User Data\\Media Cache\'
	79	- '%%users.localappdata%%\Chromium\User Data\\GPUCache\'
	80	separator: '\'
	81	supported_os: [Windows]
	82	- type: FILE
	83	attributes:
	84	paths:
	85	- '%%users.homedir%%/Caches/Google/Chrome//Cache/'
	86	- '%%users.homedir%%/Library/Caches/Google/Chrome//Cache/'
	87	- '%%users.homedir%%/Library/Caches/Google/Chrome//Media Cache/'
	88	- '%%users.homedir%%/Library/Application Support/Google/Chrome//Application Cache/Cache/'
	89	- '%%users.homedir%%/Library/Application Support/Google/Chrome//GPUCache/'
	90	- '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*'
	91	- '%%users.homedir%%/Caches/Google/Chrome Canary//Cache/'
	92	- '%%users.homedir%%/Library/Caches/Google/Chrome Canary//Cache/'
	93	- '%%users.homedir%%/Library/Caches/Google/Chrome Canary//Media Cache/'
	94	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//Application Cache/Cache/'
	95	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//GPUCache/'
	96	- '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*'
	97	- '%%users.homedir%%/Caches/Chromium//Cache/'
	98	- '%%users.homedir%%/Library/Caches/Chromium//Cache/'
	99	- '%%users.homedir%%/Library/Caches/Chromium//Media Cache/'
	100	- '%%users.homedir%%/Library/Application Support/Chromium//Application Cache/Cache/'
	101	- '%%users.homedir%%/Library/Application Support/Chromium//GPUCache/'
	102	- '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*'
	103	supported_os: [Darwin]
	104	- type: FILE
	105	attributes:
	106	paths:
	107	- '%%users.homedir%%/.cache/google-chrome/Cache/*'
	108	- '%%users.homedir%%/.cache/google-chrome//Cache/'
	109	- '%%users.homedir%%/.cache/google-chrome//Media Cache/'
	110	- '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*'
	111	- '%%users.homedir%%/.config/google-chrome//Application Cache/'
	112	- '%%users.homedir%%/.config/google-chrome//Cache/'
	113	- '%%users.homedir%%/.config/google-chrome//Media Cache/'
	114	- '%%users.homedir%%/.config/google-chrome//GPUCache/'
	115	- '%%users.homedir%%/.cache/chromium/Cache/*'
	116	- '%%users.homedir%%/.cache/chromium//Cache/'
	117	- '%%users.homedir%%/.cache/chromium//Media Cache/'
	118	- '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*'
	119	- '%%users.homedir%%/.config/chromium//Application Cache/'
	120	- '%%users.homedir%%/.config/chromium//Cache/'
	121	- '%%users.homedir%%/.config/chromium//Media Cache/'
	122	- '%%users.homedir%%/.config/chromium//GPUCache/'
	123	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*'
	124	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile//Cache/'
	125	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile//Media Cache/'
	126	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*'
	127	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*'
	128	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome//Cache/'
	129	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome//Media Cache/'
	130	- '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*'
	131	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//Application Cache/'
	132	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//Cache/'
	133	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//Media Cache/'
	134	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//GPUCache/'
	135	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//Application Cache/'
	136	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//Cache/'
	137	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//Media Cache/'
	138	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//GPUCache/'
100	139	supported_os: [Linux]
101	140	supported_os: [Windows,Darwin,Linux]
102	141	labels: [Browser]
103	142	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/webbrowser/ChromeCache.md']
	143	---
	144	name: ChromeCookies
	145	doc: Chrome Cookies database.
	146	sources:
	147	- type: FILE
	148	attributes:
	149	paths:
	150	- '%%users.localappdata%%\Chromium\User Data\*\Cookies'
	151	- '%%users.localappdata%%\Chromium\User Data\*\Cookies-journal'
	152	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies'
	153	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies-journal'
	154	- '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies'
	155	- '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies-journal'
	156	separator: '\'
	157	supported_os: [Windows]
	158	- type: FILE
	159	attributes:
	160	paths:
	161	- '%%users.homedir%%/.config/google-chrome/*/Cookies'
	162	- '%%users.homedir%%/.config/google-chrome/*/Cookies-journal'
	163	- '%%users.homedir%%/.config/chromium/*/Cookies'
	164	- '%%users.homedir%%/.config/chromium/*/Cookies-journal'
	165	- '%%users.homedir%%/.config/google-chrome-beta/*/Cookies'
	166	- '%%users.homedir%%/.config/google-chrome-beta/*/Cookies-journal'
	167	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies'
	168	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies-journal'
	169	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies'
	170	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies-journal'
	171	supported_os: [Linux]
	172	- type: FILE
	173	attributes:
	174	paths:
	175	- '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies'
	176	- '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies-journal'
	177	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies'
	178	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies-journal'
	179	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies'
	180	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies-journal'
	181	supported_os: [Darwin]
	182	supported_os: [Windows,Darwin,Linux]
	183	labels: [Browser]
	184	---
	185	name: ChromeExtensionActivity
	186	doc: Chrome Extension Activity database.
	187	sources:
	188	- type: FILE
	189	attributes:
	190	paths:
	191	- '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity'
	192	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity'
	193	- '%%users.localappdata%%\Chromium\User Data\*\Extension Activity'
	194	separator: '\'
	195	supported_os: [Windows]
	196	- type: FILE
	197	attributes:
	198	paths:
	199	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity'
	200	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity'
	201	- '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity'
	202	supported_os: [Darwin]
	203	- type: FILE
	204	attributes:
	205	paths:
	206	- '%%users.homedir%%/.config/google-chrome/*/Extension Activity'
	207	- '%%users.homedir%%/.config/chromium/*/Extension Activity'
	208	supported_os: [Linux]
	209	supported_os: [Windows,Darwin,Linux]
	210	labels: [Browser]
	211	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extension_Activity_database']
	212	---
	213	name: ChromeExtensions
	214	doc: Chrome browser extension files.
	215	sources:
	216	- type: FILE
	217	attributes:
	218	paths:
	219	- '%%users.localappdata%%\Google\Chrome\User Data\\Extensions\*10'
	220	- '%%users.localappdata%%\Chromium\User Data\\Extensions\*10'
	221	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Extensions\*10'
	222	separator: '\'
	223	supported_os: [Windows]
	224	- type: FILE
	225	attributes:
	226	paths:
	227	- '%%users.homedir%%/Library/Application Support/Google/Chrome//Extensions/*10'
	228	- '%%users.homedir%%/Library/Application Support/Chromium//Extensions/*10'
	229	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//Extensions/*10'
	230	supported_os: [Darwin]
	231	- type: FILE
	232	attributes:
	233	paths:
	234	- '%%users.homedir%%/.config/google-chrome//Extensions/*10'
	235	- '%%users.homedir%%/.config/google-chrome-beta//Extensions/*10'
	236	- '%%users.homedir%%/.config/chromium//Extensions/*10'
	237	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//Extensions/*10'
	238	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//Extensions/*10'
	239	supported_os: [Linux]
	240	supported_os: [Windows, Darwin, Linux]
	241	labels: [Browser]
	242	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extensions']
	243	---
	244	name: ChromeExtensionRegistryKeys
	245	doc: Chrome extensions installed by writing windows registry keys.
	246	sources:
	247	- type: REGISTRY_KEY
	248	attributes:
	249	keys:
	250	- 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5'
	251	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5'
	252	labels: [Browser]
	253	supported_os: [Windows]
	254	urls: ['https://developer.chrome.com/extensions/external_extensions#registry']
	255	---
	256	name: ChromeFileSystem
	257	doc: \|
	258	Google Chrome, Canary and Chromium File System files.
	259
	260	The File System directory backs Chrome's fileSystem API. Inside this
	261	directory are a mixture of the data files saved using the fileSystem
	262	API and LevelDB directories that track the logical structure of the
	263	virtual file system.
	264
	265	sources:
	266	- type: FILE
	267	attributes:
	268	paths:
	269	- '%%users.localappdata%%\Chromium\User Data\\File System\*5'
	270	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\File System\*5'
	271	- '%%users.localappdata%%\Google\Chrome\User Data\\File System\*5'
	272	separator: '\'
	273	supported_os: [Windows]
	274	- type: FILE
	275	attributes:
	276	paths:
	277	- '%%users.homedir%%/.config/google-chrome//File System/*5'
	278	- '%%users.homedir%%/.config/chromium//File System/*5'
	279	- '%%users.homedir%%/.config/google-chrome-beta//File System/*5'
	280	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//File System/*5'
	281	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//File System/*5'
	282	supported_os: [Linux]
	283	- type: FILE
	284	attributes:
	285	paths:
	286	- '%%users.homedir%%/Library/Application Support/Chromium//File System/*5'
	287	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//File System/*5'
	288	- '%%users.homedir%%/Library/Application Support/Google/Chrome//File System/*5'
	289	supported_os: [Darwin]
	290	supported_os: [Windows,Darwin,Linux]
	291	labels: [Browser]
	292	urls:
	293	- 'https://developer.chrome.com/apps/fileSystem'
	294	- 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem'
	295	- 'https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/'
104	296	---
105	297	name: ChromeHistory
106	298	doc: Chrome browser history.

108	300	- type: FILE
109	301	attributes:
110	302	paths:
111		- '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History'
112		- '%%users.localappdata%%\Google\Chrome\User Data\*\History'
113		- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History'
114		- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History'
115		- '%%users.localappdata%%\Chromium\User Data\*\Archived History'
116		- '%%users.localappdata%%\Chromium\User Data\*\History'
117		separator: '\'
118		supported_os: [Windows]
119		- type: FILE
120		attributes:
121		paths:
122		- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'
123		- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'
124		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History'
125		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History'
126		- '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History'
127		- '%%users.homedir%%/Library/Application Support/Chromium/*/History'
128		supported_os: [Darwin]
129		- type: FILE
130		attributes:
131		paths:
132		- '%%users.homedir%%/.config/google-chrome/*/Archived History'
133		- '%%users.homedir%%/.config/google-chrome/*/History'
134		- '%%users.homedir%%/.config/chromium/*/Archived History'
135		- '%%users.homedir%%/.config/chromium/*/History'
136		supported_os: [Linux]
137		supported_os: [Windows,Darwin,Linux]
138		labels: [Browser]
139		urls: ['http://www.forensicswiki.org/wiki/Google_Chrome']
140		---
141		name: ChromeExtensionActivity
142		doc: Chrome Extension Activity database.
143		sources:
144		- type: FILE
145		attributes:
146		paths:
147		- '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity'
148		- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity'
149		- '%%users.localappdata%%\Chromium\User Data\*\Extension Activity'
150		separator: '\'
151		supported_os: [Windows]
152		- type: FILE
153		attributes:
154		paths:
155		- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity'
156		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity'
157		- '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity'
158		supported_os: [Darwin]
159		- type: FILE
160		attributes:
161		paths:
162		- '%%users.homedir%%/.config/google-chrome/*/Extension Activity'
163		- '%%users.homedir%%/.config/chromium/*/Extension Activity'
164		supported_os: [Linux]
165		supported_os: [Windows,Darwin,Linux]
166		labels: [Browser]
167		urls: ['http://forensicswiki.org/wiki/Google_Chrome#Extension_Activity_database']
168		---
169		name: ChromeExtensions
170		doc: Chrome browser extension files.
171		sources:
172		- type: FILE
173		attributes:
174		paths:
175		- '%%users.localappdata%%\Google\Chrome\User Data\\Extensions\*10'
176		- '%%users.localappdata%%\Chromium\User Data\\Extensions\*10'
177		- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Extensions\*10'
178		separator: '\'
179		supported_os: [Windows]
180		- type: FILE
181		attributes:
182		paths:
183		- '%%users.homedir%%/Library/Application Support/Google/Chrome//Extensions/*10'
184		- '%%users.homedir%%/Library/Application Support/Chromium//Extensions/*10'
185		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//Extensions/*10'
186		supported_os: [Darwin]
187		- type: FILE
188		attributes:
189		paths:
190		- '%%users.homedir%%/.config/google-chrome//Extensions/*10'
191		- '%%users.homedir%%/.config/google-chrome-beta//Extensions/*10'
192		- '%%users.homedir%%/.config/chromium//Extensions/*10'
193		supported_os: [Linux]
194		supported_os: [Windows, Darwin, Linux]
195		labels: [Browser]
196		urls: ['http://forensicswiki.org/wiki/Google_Chrome#Extensions']
197		---
198		name: ChromeExtensionRegistryKeys
199		doc: Chrome extensions installed by writing windows registry keys.
200		sources:
201		- type: REGISTRY_KEY
202		attributes:
203		keys:
204		- 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5'
205		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5'
206		labels: [Browser]
207		supported_os: [Windows]
208		urls: ['https://developer.chrome.com/extensions/external_extensions#registry']
	303	- '%%users.localappdata%%\Chromium\User Data\*\Archived History'
	304	- '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal'
	305	- '%%users.localappdata%%\Chromium\User Data\*\History'
	306	- '%%users.localappdata%%\Chromium\User Data\*\History-journal'
	307	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History'
	308	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal'
	309	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History'
	310	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal'
	311	- '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History'
	312	- '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal'
	313	- '%%users.localappdata%%\Google\Chrome\User Data\*\History'
	314	- '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal'
	315	separator: '\'
	316	supported_os: [Windows]
	317	- type: FILE
	318	attributes:
	319	paths:
	320	- '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History'
	321	- '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal'
	322	- '%%users.homedir%%/Library/Application Support/Chromium/*/History'
	323	- '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal'
	324	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History'
	325	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal'
	326	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History'
	327	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal'
	328	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'
	329	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal'
	330	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'
	331	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal'
	332	supported_os: [Darwin]
	333	- type: FILE
	334	attributes:
	335	paths:
	336	- '%%users.homedir%%/.config/chromium/*/Archived History'
	337	- '%%users.homedir%%/.config/chromium/*/Archived History-journal'
	338	- '%%users.homedir%%/.config/chromium/*/History'
	339	- '%%users.homedir%%/.config/chromium/*/History-journal'
	340	- '%%users.homedir%%/.config/google-chrome/*/Archived History'
	341	- '%%users.homedir%%/.config/google-chrome/*/Archived History-journal'
	342	- '%%users.homedir%%/.config/google-chrome/*/History'
	343	- '%%users.homedir%%/.config/google-chrome/*/History-journal'
	344	- '%%users.homedir%%/.config/google-chrome-beta/*/Archived History'
	345	- '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal'
	346	- '%%users.homedir%%/.config/google-chrome-beta/*/History'
	347	- '%%users.homedir%%/.config/google-chrome-beta/*/History-journal'
	348	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History'
	349	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal'
	350	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History'
	351	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal'
	352	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History'
	353	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal'
	354	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History'
	355	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal'
	356	supported_os: [Linux]
	357	supported_os: [Windows,Darwin,Linux]
	358	labels: [Browser]
	359	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome']
	360	---
	361	name: ChromeIndexedDB
	362	doc: \|
	363	Google Chrome, Canary and Chromium IndexedDB files.
	364
	365	The IndexedDB directory contains one directory per origin that uses
	366	IndexedDB, named like https_www.example.com_0.indexeddb.leveldb,
	367	chrome-extension_app-id-xxx_0.indexeddb.leveldb, or
	368	https_www.example.com_0.indexeddb.blob. Inside each of the *.leveldb
	369	directories are the files the comprise a LevelDB database, which in turn
	370	holds IndexedDB data for that origin. There may be an accompanying .blob
	371	directory, which contains a nested folder structure of blobs.
	372
	373	sources:
	374	- type: FILE
	375	attributes:
	376	paths:
	377	- '%%users.localappdata%%\Chromium\User Data\\IndexedDB\*5'
	378	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\IndexedDB\*5'
	379	- '%%users.localappdata%%\Google\Chrome\User Data\\IndexedDB\*5'
	380	separator: '\'
	381	supported_os: [Windows]
	382	- type: FILE
	383	attributes:
	384	paths:
	385	- '%%users.homedir%%/.config/google-chrome//IndexedDB/*5'
	386	- '%%users.homedir%%/.config/chromium//IndexedDB/*5'
	387	- '%%users.homedir%%/.config/google-chrome-beta//IndexedDB/*5'
	388	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//IndexedDB/*5'
	389	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//IndexedDB/*5'
	390	supported_os: [Linux]
	391	- type: FILE
	392	attributes:
	393	paths:
	394	- '%%users.homedir%%/Library/Application Support/Chromium//IndexedDB/*5'
	395	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//IndexedDB/*5'
	396	- '%%users.homedir%%/Library/Application Support/Google/Chrome//IndexedDB/*5'
	397	supported_os: [Darwin]
	398	supported_os: [Windows,Darwin,Linux]
	399	labels: [Browser]
	400	urls:
	401	- 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API'
	402	---
	403	name: ChromeLocalStorage
	404	doc: \|
	405	Google Chrome, Canary and Chromium Local Storage files.
	406
	407	* Chrome v60 and below used individual .sqlite files per origin for Local Storage,
	408	stored in the Local Storage directory root.
	409	* In Chrome v61, a leveldb directory was added inside the root Local Storage directory,
	410	and new origins saved Local Storage data in a single LevelDB there.
	411	* Existing .sqlite files are kept (not moved to leveldb), so it is possible for a
	412	single Chrome profile to use both SQLite and LevelDB for Local Storage.
	413
	414	sources:
	415	- type: FILE
	416	attributes:
	417	paths:
	418	- '%%users.localappdata%%\Chromium\User Data\\Local Storage\*'
	419	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Local Storage\*'
	420	- '%%users.localappdata%%\Google\Chrome\User Data\\Local Storage\*'
	421	separator: '\'
	422	supported_os: [Windows]
	423	- type: FILE
	424	attributes:
	425	paths:
	426	- '%%users.homedir%%/.config/google-chrome//Local Storage/*'
	427	- '%%users.homedir%%/.config/chromium//Local Storage/*'
	428	- '%%users.homedir%%/.config/google-chrome-beta//Local Storage/*'
	429	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//Local Storage/*'
	430	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//Local Storage/*'
	431	supported_os: [Linux]
	432	- type: FILE
	433	attributes:
	434	paths:
	435	- '%%users.homedir%%/Library/Application Support/Chromium//Local Storage/*'
	436	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//Local Storage/*'
	437	- '%%users.homedir%%/Library/Application Support/Google/Chrome//Local Storage/*'
	438	supported_os: [Darwin]
	439	supported_os: [Windows,Darwin,Linux]
	440	labels: [Browser]
209	441	---
210	442	name: ChromePreferences
211	443	doc: Chrome Preferences file.

213	445	- type: FILE
214	446	attributes:
215	447	paths:
216		- '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences'
217		- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences'
218		- '%%users.localappdata%%\Chromium\User Data\*\Preferences'
219		separator: '\'
220		supported_os: [Windows]
221		- type: FILE
222		attributes:
223		paths:
224		- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences'
225		- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences'
226		- '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences'
227		supported_os: [Darwin]
228		- type: FILE
229		attributes:
230		paths:
231		- '%%users.homedir%%/.config/google-chrome/*/Preferences'
232		- '%%users.homedir%%/.config/chromium/*/Preferences'
233		supported_os: [Linux]
234		supported_os: [Windows,Darwin,Linux]
235		labels: [Browser]
236		urls: ['http://forensicswiki.org/wiki/Google_Chrome#Configuration']
	448	- '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences'
	449	- '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences'
	450	- '%%users.localappdata%%\Chromium\User Data\*\Preferences'
	451	separator: '\'
	452	supported_os: [Windows]
	453	- type: FILE
	454	attributes:
	455	paths:
	456	- '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences'
	457	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences'
	458	- '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences'
	459	supported_os: [Darwin]
	460	- type: FILE
	461	attributes:
	462	paths:
	463	- '%%users.homedir%%/.config/google-chrome/*/Preferences'
	464	- '%%users.homedir%%/.config/chromium/*/Preferences'
	465	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Preferences'
	466	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences'
	467	supported_os: [Linux]
	468	supported_os: [Windows,Darwin,Linux]
	469	labels: [Browser]
	470	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Configuration']
	471	---
	472	name: ChromeSessionStorage
	473	doc: \|
	474	Google Chrome, Canary and Chromium Session Storage files.
	475
	476	The Session Storage directory contains the files that comprise a LevelDB
	477	database, which in turn holds the Session Storage data.
	478
	479	sources:
	480	- type: FILE
	481	attributes:
	482	paths:
	483	- '%%users.localappdata%%\Chromium\User Data\\Session Storage\'
	484	- '%%users.localappdata%%\Google\Chrome SxS\User Data\\Session Storage\'
	485	- '%%users.localappdata%%\Google\Chrome\User Data\\Session Storage\'
	486	separator: '\'
	487	supported_os: [Windows]
	488	- type: FILE
	489	attributes:
	490	paths:
	491	- '%%users.homedir%%/.config/google-chrome//Session Storage/'
	492	- '%%users.homedir%%/.config/chromium//Session Storage/'
	493	- '%%users.homedir%%/.config/google-chrome-beta//Session Storage/'
	494	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile//Session Storage/'
	495	- '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome//Session Storage/'
	496	supported_os: [Linux]
	497	- type: FILE
	498	attributes:
	499	paths:
	500	- '%%users.homedir%%/Library/Application Support/Chromium//Session Storage/'
	501	- '%%users.homedir%%/Library/Application Support/Google/Chrome Canary//Session Storage/'
	502	- '%%users.homedir%%/Library/Application Support/Google/Chrome//Session Storage/'
	503	supported_os: [Darwin]
	504	supported_os: [Windows,Darwin,Linux]
	505	labels: [Browser]
237	506	---
238	507	name: FirefoxCache
239	508	doc: Mozilla Firefox browser caches.

241	510	- type: FILE
242	511	attributes:
243	512	paths:
244		- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\Cache\'
245		- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\cache2\'
246		- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\cache2\doomed\'
247		- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\cache2\entries\'
248		separator: '\'
249		supported_os: [Windows]
250		- type: FILE
251		attributes:
252		paths:
253		- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/Cache/'
254		- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/cache2/'
255		- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/cache2/doomed/'
256		- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/cache2/entries/'
257		supported_os: [Darwin]
258		- type: FILE
259		attributes:
260		paths:
261		- '%%users.homedir%%/.mozilla/firefox/.default/Cache/'
262		- '%%users.homedir%%/.cache/mozilla/firefox/.default/Cache/'
263		- '%%users.homedir%%/.cache/mozilla/firefox/.default/cache2/'
264		- '%%users.homedir%%/.cache/mozilla/firefox/.default/cache2/doomed/'
265		- '%%users.homedir%%/.cache/mozilla/firefox/.default/cache2/entries/'
	513	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\Cache\'
	514	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\cache2\'
	515	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\cache2\doomed\'
	516	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\.default\cache2\entries\'
	517	separator: '\'
	518	supported_os: [Windows]
	519	- type: FILE
	520	attributes:
	521	paths:
	522	- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/Cache/'
	523	- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/cache2/'
	524	- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/cache2/doomed/'
	525	- '%%users.homedir%%/Library/Caches/Firefox/Profiles/.default/cache2/entries/'
	526	supported_os: [Darwin]
	527	- type: FILE
	528	attributes:
	529	paths:
	530	- '%%users.homedir%%/.mozilla/firefox/.default/Cache/'
	531	- '%%users.homedir%%/.cache/mozilla/firefox/.default/Cache/'
	532	- '%%users.homedir%%/.cache/mozilla/firefox/.default/cache2/'
	533	- '%%users.homedir%%/.cache/mozilla/firefox/.default/cache2/doomed/'
	534	- '%%users.homedir%%/.cache/mozilla/firefox/.default/cache2/entries/'
266	535	supported_os: [Linux]
267	536	supported_os: [Windows,Darwin,Linux]
268	537	labels: [Browser]

274	543	- type: FILE
275	544	attributes:
276	545	paths:
277		- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
278		- '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
279		separator: '\'
280		supported_os: [Windows]
281		- type: FILE
282		attributes: {paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite']}
283		supported_os: [Darwin]
284		- type: FILE
285		attributes: {paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite']}
286		supported_os: [Linux]
287		supported_os: [Windows,Darwin,Linux]
288		labels: [Browser]
289		urls: ['http://www.forensicswiki.org/wiki/Mozilla_Firefox']
	546	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
	547	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
	548	- '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
	549	- '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
	550	separator: '\'
	551	supported_os: [Windows]
	552	- type: FILE
	553	attributes:
	554	paths:
	555	- '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite'
	556	- '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal'
	557	supported_os: [Darwin]
	558	- type: FILE
	559	attributes:
	560	paths:
	561	- '%%users.homedir%%/.mozilla/firefox/*/places.sqlite'
	562	- '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal'
	563	supported_os: [Linux]
	564	supported_os: [Windows,Darwin,Linux]
	565	labels: [Browser]
	566	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox']
290	567	---
291	568	name: InternetExplorerBrowserHelperObjects
292	569	doc: Loaded on Internet Explorer startup

294	571	- type: REGISTRY_KEY
295	572	attributes:
296	573	keys:
297		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
298		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
	574	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
	575	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
299	576	supported_os: [Windows]
300	577	urls:
301	578	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

312	589	- type: FILE
313	590	attributes:
314	591	paths:
315		- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\\'
316		- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\\'
317		- '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\\'
318		- '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\\'
	592	- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\\'
	593	- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\\'
	594	- '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\\'
	595	- '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\\'
319	596	separator: '\'
320	597	labels: [Browser]
321	598	supported_os: [Windows]
322		urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer']
	599	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer']
323	600	---
324	601	name: InternetExplorerCookies
325	602	doc: \|

330	607	- type: FILE
331	608	attributes:
332	609	paths:
333		- '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat'
334		- '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat'
	610	- '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat'
	611	- '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat'
335	612	separator: '\'
336	613	labels: [Browser]
337	614	supported_os: [Windows]
338		urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer']
	615	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer']
339	616	---
340	617	name: InternetExplorerHistory
341	618	doc: \|

347	624	- type: FILE
348	625	attributes:
349	626	paths:
350		- '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
351		- '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'
352		- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
353		- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
354		- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
355		- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
356		- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
357		- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
358		- '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
	627	- '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
	628	- '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'
	629	- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
	630	- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
	631	- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
	632	- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
	633	- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
	634	- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
	635	- '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
	636	- '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat'
359	637	separator: '\'
360	638	labels: [Browser]
361	639	supported_os: [Windows]
362		urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer']
	640	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer']
363	641	---
364	642	name: InternetExplorerProtectedModeElevationPolicies
365	643	doc: \|

382	660	- type: REGISTRY_VALUE
383	661	attributes:
384	662	key_value_pairs:
385		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'}
386		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'}
387		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'}
388		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'}
389		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'}
390		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'}
391		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'}
392		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'}
	663	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'}
	664	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'}
	665	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'}
	666	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'}
	667	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'}
	668	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'}
	669	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'}
	670	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'}
393	671	labels: [Browser]
394	672	supported_os: [Windows]
395	673	urls:

415	693	- type: REGISTRY_VALUE
416	694	attributes:
417	695	key_value_pairs:
418		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'}
419		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'}
420		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'}
421		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'}
422		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'}
423		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'}
424		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'}
425		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'}
426		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'}
427		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'}
428		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'}
429		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'}
430		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'}
431		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'}
432		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'}
433		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'}
434		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'}
435		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'}
436		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'}
437		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'}
438		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'}
439		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'}
	696	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'}
	697	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'}
	698	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'}
	699	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'}
	700	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'}
	701	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'}
	702	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'}
	703	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'}
	704	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'}
	705	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'}
	706	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'}
	707	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'}
	708	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'}
	709	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'}
	710	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'}
	711	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'}
	712	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'}
	713	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'}
	714	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'}
	715	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'}
	716	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'}
	717	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'}
440	718	labels: [Browser]
441	719	supported_os: [Windows]
442	720	urls:
443		- 'https://support.microsoft.com/en-us/kb/895339'
444		- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
	721	- 'https://support.microsoft.com/en-us/kb/895339'
	722	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
445	723	---
446	724	name: InternetExplorerTypedURLsKeys
447	725	doc: Microsoft Internet Explorer TypedUrls keys.

450	728	attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*']}
451	729	labels: [Browser]
452	730	supported_os: [Windows]
453		urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer#Typed_URLs']
	731	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer#Typed_URLs']
454	732	---
455	733	name: OperaHistory
456	734	doc: Opera browser history (global_history.dat).

464	742	- type: FILE
465	743	attributes:
466	744	paths:
467		- '%%users.appdata%%\Opera\Opera\global_history.dat'
468		- '%%users.appdata%%\Opera Software\Opera Stable\History'
469		separator: '\'
470		supported_os: [Windows]
471		supported_os: [Windows,Darwin,Linux]
472		labels: [Browser]
473		urls: ['http://www.forensicswiki.org/wiki/Opera']
	745	- '%%users.appdata%%\Opera\Opera\global_history.dat'
	746	- '%%users.appdata%%\Opera Software\Opera Stable\History'
	747	separator: '\'
	748	supported_os: [Windows]
	749	supported_os: [Windows,Darwin,Linux]
	750	labels: [Browser]
	751	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Opera']
474	752	---
475	753	name: SafariCache
476	754	doc: Safari browser cache (cache.db).

481	759	separator: '\'
482	760	supported_os: [Windows]
483	761	- type: FILE
484		attributes: {paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/cache.db']}
	762	attributes:
	763	paths:
	764	- '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db'
	765	- '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db-wal'
485	766	supported_os: [Darwin]
486	767	supported_os: [Windows, Darwin]
487	768	labels: [Browser]
488		urls: ['http://www.forensicswiki.org/wiki/Apple_Safari']
	769	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari']
489	770	---
490	771	name: SafariDownloads
491	772	doc: Safari downloads history (Downloads.plist).

496	777	- type: FILE
497	778	attributes:
498	779	paths:
499		- '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist'
500		- '%%users.appdata%%\Apple Computer\Safari\Downloads.plist'
	780	- '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist'
	781	- '%%users.appdata%%\Apple Computer\Safari\Downloads.plist'
501	782	separator: '\'
502	783	supported_os: [Windows]
503	784	labels: [Users, Browser]
504	785	supported_os: [Darwin, Windows]
505	786	urls:
506		- 'http://forensicswiki.org/wiki/Mac_OS_X'
507		- 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Safari'
	787	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
	788	- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Safari'
508	789	- 'https://www.forensicswiki.org/wiki/Apple_Safari'
509	790	---
510	791	name: SafariHistory

513	794	- type: FILE
514	795	attributes:
515	796	paths:
516		- '%%users.localappdata%%\Apple Computer\Safari\History.plist'
517		- '%%users.appdata%%\Apple Computer\Safari\History.plist'
518		separator: '\'
519		supported_os: [Windows]
520		- type: FILE
521		attributes:
522		paths:
523		- '%%users.homedir%%/Library/Safari/History.plist'
524		- '%%users.homedir%%/Library/Safari/History.db'
525		- '%%users.homedir%%/Library/Safari/History.db-wal'
	797	- '%%users.localappdata%%\Apple Computer\Safari\History.plist'
	798	- '%%users.appdata%%\Apple Computer\Safari\History.plist'
	799	separator: '\'
	800	supported_os: [Windows]
	801	- type: FILE
	802	attributes:
	803	paths:
	804	- '%%users.homedir%%/Library/Safari/History.plist'
	805	- '%%users.homedir%%/Library/Safari/History.db'
	806	- '%%users.homedir%%/Library/Safari/History.db-wal'
526	807	supported_os: [Darwin]
527	808	supported_os: [Windows, Darwin]
528	809	labels: [Browser]
	810	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari']
	811	---
	812	name: SafariExtensions
	813	doc: Safari browser Extensions.
	814	sources:
	815	- type: FILE
	816	attributes: {paths: ['%%users.homedir%%/Library/Safari/Extensions/**']}
	817	supported_os: [Darwin]
	818	supported_os: [Darwin]
	819	labels: [Browser]
529	820	urls: ['http://www.forensicswiki.org/wiki/Apple_Safari']

+1605

-706

data/windows.yaml less more

0	0	# Windows specific artifacts.
1	1
2	2	name: WindowsActiveDesktop
3		doc: Windows Active Desktop executable paths, used for persistence.
	3	doc: Windows Active Desktop settings and components.
4	4	sources:
5	5	- type: REGISTRY_KEY
6	6	attributes:
7	7	keys:
8		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*'
9		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General'
	8	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*'
	9	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General'
10	10	conditions: [os_major_version < 6]
11	11	supported_os: [Windows]
12		urls:
13		- 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-GWV/detailed-analysis.aspx'
14		- 'https://support.microsoft.com/en-us/kb/929200'
15		- 'https://en.wikipedia.org/wiki/Active_Desktop'
16		---
17		name: WindowsActivitiesCache
18		doc: \|
19		Windows activities cache SQLite database.
20
21		This file is available since Windows 10 and version 1803.
	12	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActiveDesktop.md']
	13	---
	14	name: WindowsActivitiesCacheDatabase
	15	doc: SQLite database containing the Windows activities cache.
22	16	sources:
23	17	- type: FILE
24	18	attributes:

26	20	separator: '\'
27	21	labels: [Users]
28	22	supported_os: [Windows]
29		urls:
30		- 'https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/'
31		- 'https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/amp/'
	23	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/ActivitiesCacheDatabase.md']
32	24	---
33	25	name: WindowsAlternateShell
34	26	doc: Alternate Shell to be run via Userinit.

36	28	- type: REGISTRY_VALUE
37	29	attributes:
38	30	key_value_pairs:
39		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'}
40		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'}
	31	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'}
	32	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'}
41	33	supported_os: [Windows]
42	34	urls:
43	35	- 'https://www.microsoftpressstore.com/articles/article.aspx'

45	37	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
46	38	---
47	39	name: WindowsAMCacheHveFile
48		doc: The AMCache.hve Windows NT Registry file.
49		sources:
50		- type: FILE
51		attributes:
52		paths: ['%%environ_systemroot%%\AppCompat\Programs\Amcache.hve']
	40	doc: The AMCache file, stored in the Windows NT Registry file format.
	41	sources:
	42	- type: FILE
	43	attributes:
	44	paths:
	45	- '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve'
	46	- '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1'
	47	- '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2'
53	48	separator: '\'
54	49	conditions: [os_major_version >= 6 AND os_minor_version >= 1]
55	50	supported_os: [Windows]
56		urls: ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html']
	51	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/AMCache.md']
57	52	---
58	53	name: WindowsAppCertDLLs
59	54	doc: Windows AppCertDLLs persistence.

70	65	- type: REGISTRY_VALUE
71	66	attributes:
72	67	key_value_pairs:
73		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'}
74		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'}
	68	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'}
	69	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'}
75	70	supported_os: [Windows]
76	71	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc']
77	72	---

85	80	- type: REGISTRY_VALUE
86	81	attributes:
87	82	key_value_pairs:
88		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
89		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
90		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
91		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
	83	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
	84	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
	85	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
	86	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'}
92	87	supported_os: [Windows]
93	88	urls:
94	89	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx'

107	102	- 'https://github.com/keydet89/RegRipper2.8/blob/master/plugins/apppaths.pl'
108	103	- 'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/'
109	104	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx'
	105	---
	106	name: WindowsApplicationCompatibilityInstalledShimDatabases
	107	doc: \|
	108	Windows Application Compatibility Installed Shim Databases.
	109
	110	drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are
	111	shim database files (SDB files) that are provided by Windows, and contain
	112	many predefined shims that address known application compability issues.
	113	Note that these database files are not signed.
	114
	115	Windows also supports custom shim database. These are typically installed
	116	by the sdbinst.exe utility. Note, that shim database files can also exist
	117	elsewhere in the file system.
	118
	119	Windows application shims provide a way for the operating system to
	120	apply patches to executables before they are run, ultimately providing
	121	a lightweight mechanism for applying hot fixes and making modifications to
	122	ensure compatibility across the various versions of Windows. This
	123	functionality can also be leveraged maliciously to change how certain
	124	programs operate, or to provide capabilities to malware, such as the
	125	ability to bypass UAC, gain persistence by injecting loading into legitimate
	126	processes, or avoid detection by disabling anti-virus software.
	127	sources:
	128	- type: FILE
	129	attributes:
	130	paths:
	131	- '%%environ_windir%%\AppPatch\drvmain.sdb'
	132	- '%%environ_windir%%\AppPatch\frxmain.sdb'
	133	- '%%environ_windir%%\AppPatch\msimain.sdb'
	134	- '%%environ_windir%%\AppPatch\pcamain.sdb'
	135	- '%%environ_windir%%\AppPatch\sysmain.sdb'
	136	- '%%environ_windir%%\AppPatch\AppPatch64\Custom\*'
	137	- '%%environ_windir%%\AppPatch\Custom\*'
	138	- '%%environ_windir%%\AppPatch\Custom\Custom64\*'
	139	- '%%environ_windir%%\AppPatch\CustomSDB\*'
	140	separator: '\'
	141	labels: [Users]
	142	supported_os: [Windows]
	143	urls:
	144	- 'https://attack.mitre.org/techniques/T1138/'
	145	- 'https://countercept.com/blog/hunting-for-application-shim-databases/'
	146	- 'http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf'
	147	- 'https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf'
	148	---
	149	name: WindowsApplicationCompatibilityShimDatabaseMappings
	150	doc: \|
	151	Windows Application Compatibility Shim Database Mappings.
	152
	153	Mappings between the Windows Application Compatibility shim database files and
	154	the programs that they apply to.
	155
	156	Windows allows for custom application shims to be installed via the
	157	sdbinst.exe application. For example a mapping for 'notepad.exe':
	158
	159	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
	160	AppCompatFlags\Custom\notepad.exe
	161	Value: {00000000-1111-2222-3333-444444444444}.sdb = 0
	162
	163	Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444}
	164	Value: DatabasePath =
	165	"C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb"
	166
	167	Windows application shims provide a way for the operating system to
	168	apply patches to executables before they are run, ultimately providing
	169	a lightweight mechanism for applying hot fixes and making modifications to
	170	ensure compatibility across the various versions of Windows. This
	171	functionality can also be leveraged maliciously to change how certain
	172	programs operate, or to provide capabilities to malware, such as the
	173	ability to bypass UAC, gain persistence by injecting loading into legitimate
	174	processes, or avoid detection by disabling anti-virus software.
	175	sources:
	176	- type: REGISTRY_VALUE
	177	attributes:
	178	key_value_pairs:
	179	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription'}
	180	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath'}
	181	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\', value: ''}
	182	supported_os: [Windows]
	183	urls:
	184	- 'https://attack.mitre.org/techniques/T1138/'
	185	- 'https://countercept.com/blog/hunting-for-application-shim-databases/'
	186	---
	187	name: WindowsApplicationCompatibilityShims
	188	doc: Windows Application Compatibility Shim Database Files and Application Mappings
	189	sources:
	190	- type: ARTIFACT_GROUP
	191	attributes:
	192	names:
	193	- 'WindowsApplicationCompatibilityInstalledShimDatabases'
	194	- 'WindowsApplicationCompatibilityShimDatabaseMappings'
	195	labels: [System]
	196	supported_os: [Windows]
110	197	---
111	198	name: WinAppXRT
112	199	doc: WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set.

129	216	- type: FILE
130	217	attributes:
131	218	paths:
132		- '%%environ_systemdrive%%\autoexec.bat'
133		- '%%environ_windir%%\autoexec.nt'
	219	- '%%environ_systemdrive%%\autoexec.bat'
	220	- '%%environ_windir%%\autoexec.nt'
134	221	separator: '\'
135	222	supported_os: [Windows]
136	223	---

140	227	- type: REGISTRY_VALUE
141	228	attributes:
142	229	key_value_pairs:
143		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'}
	230	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'}
144	231	supported_os: [Windows]
145	232	urls:
146	233	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx'

168	255	doc: Timezones available on a Windows system.
169	256	sources:
170	257	- type: REGISTRY_KEY
171		attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\\']}
172		supported_os: [Windows]
173		urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys']
	258	attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']}
	259	supported_os: [Windows]
	260	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc']
174	261	---
175	262	name: WindowsBITSQueueManagerDatabases
176	263	doc: Databases that contain the Windows BITS jobs definition and state.

187	274	sources:
188	275	- type: REGISTRY_VALUE
189	276	attributes:
190		key_value_pairs:
191		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'}
	277	key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'}]
192	278	supported_os: [Windows]
193	279	urls:
194	280	- 'https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx'

206	292	- type: FILE
207	293	attributes:
208	294	paths:
209		# Windows 95 OSR 2.5, 98, Millennium Edition (Me)
210		- '%%environ_windir%%\System\Wbem\Repository\cim.rep'
211		# Windows NT4 and 2000
212		- '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC'
213		- '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP'
214		# Windows Vista and later
215		- '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR'
216		- '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP'
217		- '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER'
218		- '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP'
219		- '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA'
220		- '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP'
221		# Windows XP and Windows 2003
222		- '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR'
223		- '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP'
224		- '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER'
225		- '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP'
226		- '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA'
227		- '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP'
	295	# Windows 95 OSR 2.5, 98, Millennium Edition (Me)
	296	- '%%environ_windir%%\System\Wbem\Repository\cim.rep'
	297	# Windows NT4 and 2000
	298	- '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC'
	299	- '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP'
	300	# Windows Vista and later
	301	- '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR'
	302	- '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP'
	303	- '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER'
	304	- '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP'
	305	- '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA'
	306	- '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP'
	307	# Windows XP and Windows 2003
	308	- '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR'
	309	- '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP'
	310	- '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER'
	311	- '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP'
	312	- '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA'
	313	- '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP'
228	314	separator: '\'
229	315	supported_os: [Windows]
230	316	urls:

237	323	- type: REGISTRY_VALUE
238	324	attributes:
239	325	key_value_pairs:
240		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'}
	326	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'}
241	327	provides: [code_page]
242	328	supported_os: [Windows]
243	329	urls: ['http://en.wikipedia.org/wiki/Windows_code_page']

248	334	- type: REGISTRY_VALUE
249	335	attributes:
250	336	key_value_pairs:
251		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'}
	337	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'}
252	338	supported_os: [Windows]
253	339	---
254	340	name: WindowsCommandProcessorAutoRun

257	343	- type: REGISTRY_VALUE
258	344	attributes:
259	345	key_value_pairs:
260		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'}
261		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'}
262		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'}
263		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'}
	346	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'}
	347	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'}
	348	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'}
	349	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'}
264	350	supported_os: [Windows]
265	351	urls:
266	352	- 'https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx'

274	360	- type: REGISTRY_VALUE
275	361	attributes:
276	362	key_value_pairs:
277		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'}
278		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'}
279		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'}
280		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'}
281		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'}
282		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'}
283		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'}
284		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'}
	363	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'}
	364	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'}
	365	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'}
	366	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'}
	367	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'}
	368	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'}
	369	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'}
	370	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'}
285	371	supported_os: [Windows]
286	372	urls:
287	373	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx'

294	380	- type: REGISTRY_VALUE
295	381	attributes:
296	382	key_value_pairs:
297		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''}
298		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''}
299		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''}
300		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''}
301		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''}
302		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''}
303		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''}
304		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''}
	383	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''}
	384	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''}
	385	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''}
	386	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''}
	387	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''}
	388	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''}
	389	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''}
	390	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''}
305	391	supported_os: [Windows]
306	392	urls:
307	393	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx'

314	400	- type: REGISTRY_VALUE
315	401	attributes:
316	402	key_value_pairs:
317		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'}
318		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''}
319		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'}
320		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'}
321		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''}
322		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'}
323		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'}
324		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''}
325		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'}
326		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'}
327		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''}
328		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'}
	403	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'}
	404	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''}
	405	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'}
	406	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'}
	407	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''}
	408	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'}
	409	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'}
	410	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''}
	411	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'}
	412	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'}
	413	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''}
	414	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'}
329	415	supported_os: [Windows]
330	416	urls:
331	417	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx'
332	418	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx'
333	419	---
	420	name: WindowsCOMProperties
	421	doc: \|
	422	Various properties of Windows COM Objects.
	423
	424	These artifacts are meant to highlight properties of COM objects that,
	425	although legitimate, are known to be associated with persistence techniques
	426	or other capabilities that malware can leverage.
	427
	428	ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value
	429	0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique
	430	to cause iexplore or explorer to load a malicious DLL by registering a COM
	431	object and invoking it through the use of Junction Folders.
	432	sources:
	433	- type: REGISTRY_VALUE
	434	attributes:
	435	key_value_pairs:
	436	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'}
	437	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'}
	438	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'}
	439	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'}
	440	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
	441	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
	442	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
	443	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
	444	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
	445	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
	446	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
	447	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
	448	supported_os: [Windows]
	449	urls:
	450	- 'https://ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse'
	451	- 'https://labs.nettitude.com/blog/com-and-the-powerthief/'
	452	---
334	453	name: WindowsCOMRegisteredTypeLibraries
335	454	doc: Windows COM registered type libraries
336	455	sources:
337	456	- type: REGISTRY_VALUE
338	457	attributes:
339	458	key_value_pairs:
340		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\\\\', value: ''}
341		- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\\\\', value: ''}
342		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\\\\', value: ''}
343		- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\\\\', value: ''}
	459	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\\\\', value: ''}
	460	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\\\\', value: ''}
	461	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\\\\', value: ''}
	462	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\\\\', value: ''}
344	463	supported_os: [Windows]
345	464	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key']
	465	---
	466	name: WindowsSearchFilterHandlers
	467	doc: \|
	468	Windows Search filter handlers configured for file types and applications.
	469
	470	Windows Search loads DLLs that implement the IFilter interface in order to
	471	scan files for text and extract certain types of information. Malware can
	472	replace the filter handler for a given file type or CLSID with itself to gain
	473	execution when a search operation is performed on that file. Search
	474	operations can be performed indirectly in a number of cases; for instance,
	475	the .txt, .html, and .rtf filter handlers are invoked when indexing email
	476	message bodies.
	477
	478	The filter handler to use is specified indirectly via a persistent handler.
	479	The persistent handler GUID is indicated via the PersistentHandler subkey for
	480	a file type or application GUID. The filter handler CLSID is indicated via
	481	the PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey
	482	under the persistent handler GUID key path. This artifact inspects both of
	483	these paths.
	484
	485	NOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these
	486	are the only keys used. SearchFilterHost.exe runs under the SYSTEM account,
	487	which does not have access to HKEY_CURRENT_USER.
	488	sources:
	489	- type: REGISTRY_VALUE
	490	attributes:
	491	key_value_pairs:
	492	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\PersistentHandler', value: ''}
	493	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\PersistentHandler', value: ''}
	494	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentHandler', value: ''}
	495	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentHandler', value: ''}
	496	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''}
	497	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''}
	498	supported_os: [Windows]
	499	urls:
	500	- 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-about'
	501	- 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-implementations'
	502	- 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-registering-filters'
346	503	---
347	504	name: WindowsConfigSys
348	505	doc: Windows config.sys file

350	507	- type: FILE
351	508	attributes:
352	509	paths:
353		- '%%environ_systemdrive%%\config.sys'
354		- '%%environ_windir%%\config.nt'
	510	- '%%environ_systemdrive%%\config.sys'
	511	- '%%environ_windir%%\config.nt'
355	512	separator: '\'
356	513	supported_os: [Windows]
357	514	---

361	518	- type: REGISTRY_KEY
362	519	attributes:
363	520	keys:
364		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
365		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
366		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
367		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
	521	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
	522	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
	523	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
	524	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
368	525	supported_os: [Windows]
369	526	urls:
370	527	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx'

377	534	- type: REGISTRY_KEY
378	535	attributes:
379	536	keys:
380		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
381		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
	537	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
	538	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
382	539	supported_os: [Windows]
383	540	urls: ['http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/']
384	541	---

388	545	- type: REGISTRY_KEY
389	546	attributes:
390	547	keys:
391		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
392		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
	548	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
	549	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
393	550	supported_os: [Windows]
394	551	urls:
395	552	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

403	560	- type: FILE
404	561	attributes:
405	562	paths:
406		- '%%environ_programfiles%%\Internet Explorer\sxs.dll'
407		- '%%environ_programfilesx86%%\Internet Explorer\sxs.dll'
408		- '%%environ_systemdrive%%\explorer.exe'
409		- '%%environ_systemdrive%%\program.exe'
410		- '%%environ_systemroot%%\linkinfo.dll'
411		- '%%environ_systemroot%%\ntshrui.dll'
412		- '%%environ_systemroot%%\System32\oci.dll'
413		- '%%environ_systemroot%%\System32\sysprep\cryptbase.dll'
414		- '%%environ_systemroot%%\SysWOW64\oci.dll'
415		- '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll'
	563	- '%%environ_programfiles%%\Internet Explorer\sxs.dll'
	564	- '%%environ_programfilesx86%%\Internet Explorer\sxs.dll'
	565	- '%%environ_systemdrive%%\explorer.exe'
	566	- '%%environ_systemdrive%%\program.exe'
	567	- '%%environ_systemroot%%\linkinfo.dll'
	568	- '%%environ_systemroot%%\ntshrui.dll'
	569	- '%%environ_systemroot%%\System32\oci.dll'
	570	- '%%environ_systemroot%%\System32\sysprep\cryptbase.dll'
	571	- '%%environ_systemroot%%\SysWOW64\oci.dll'
	572	- '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll'
416	573	separator: '\'
417	574	supported_os: [Windows]
418	575	urls:

420	577	- 'https://www.mandiant.com/blog/fxsst/'
421	578	---
422	579	name: WindowsCurrentVersion
423		doc: The Windows current verson
	580	doc: The Windows current version
424	581	sources:
425	582	- type: REGISTRY_VALUE
426	583	attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]}

433	590	- type: REGISTRY_VALUE
434	591	attributes:
435	592	key_value_pairs:
436		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
437		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
438		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
439		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
	593	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
	594	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
	595	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
	596	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
440	597	supported_os: [Windows]
441	598	urls: ['https://msdn.microsoft.com/en-us/library/a329t4ed%28VS.71%29.aspx']
	599	---
	600	name: WindowsDomainCachedCredentials
	601	doc: Windows domain cached credentials
	602	sources:
	603	- type: REGISTRY_VALUE
	604	attributes:
	605	key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Security\Cache', value: 'NL$*'}]
	606	supported_os: [Windows]
	607	urls: ['http://juggernaut.wikidot.com/cached-credentials']
442	608	---
443	609	name: WindowsDomainName
444	610	doc: The domain the system is connected to.

446	612	- type: REGISTRY_VALUE
447	613	attributes:
448	614	key_value_pairs:
449		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}
	615	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}
450	616	provides: [domain]
451	617	supported_os: [Windows]
452	618	---

456	622	- type: REGISTRY_VALUE
457	623	attributes:
458	624	key_value_pairs:
459		- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'}
460		- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'}
461		- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserMprLogonScript'}
	625	- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'}
	626	- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'}
	627	- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitMprLogonScript'}
462	628	supported_os: [Windows]
463	629	urls:
464	630	- 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/'
465	631	- 'https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon'
466	632	---
467	633	name: WindowsEnvironmentVariableAllUsersProfile
468		doc: \|
469		The %AllUsersProfile% environment variable
470
471		May or may not depend on registry keys - see urls
472		sources:
473		- type: REGISTRY_VALUE
474		attributes:
475		key_value_pairs:
476		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'}
	634	doc: The system-wide %AllUsersProfile% environment variable contains the path of the of the "All Users" or "Common" profile directory.
	635	sources:
	636	- type: REGISTRY_VALUE
	637	attributes:
	638	key_value_pairs:
	639	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'}
477	640	provides: [environ_allusersprofile]
478	641	supported_os: [Windows]
479		urls:
480		- 'https://www.microsoft.com/en-us/wdsi/help/folder-variables'
481		- 'https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/boot/bootdata/livecd.inf'
482		- 'http://support.microsoft.com/kb//214653'
	642	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
483	643	---
484	644	name: WindowsEnvironmentVariableAppxProcess
485	645	doc: \|
486		The %APPX_PROCESS% environment variable.
487
488		If this variable is set, .NET applications will attempt to load WinAppXRT.dll
489		from PATH, which is a potential persistence mechanism.
490		sources:
491		- type: REGISTRY_VALUE
492		attributes:
493		key_value_pairs:
494		- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'}
	646	The user-specific %APPX_PROCESS% environment variable is used for .NET applications.
	647
	648	If set, a .NET applications will attempt to load WinAppXRT.dll from %PATH%, which can be used as a persistence mechanism by malware.
	649	sources:
	650	- type: REGISTRY_VALUE
	651	attributes:
	652	key_value_pairs:
	653	- {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'}
495	654	supported_os: [Windows]
496	655	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
497		urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']
	656	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
	657	---
	658	name: WindowsEnvironmentVariableCommonProgramFiles
	659	doc: The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder.
	660	sources:
	661	- type: REGISTRY_VALUE
	662	attributes:
	663	key_value_pairs:
	664	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'}
	665	provides: [environ_commonprogramfiles]
	666	supported_os: [Windows]
	667	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
	668	---
	669	name: WindowsEnvironmentVariableCommonProgramFilesX86
	670	doc: The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation.
	671	sources:
	672	- type: REGISTRY_VALUE
	673	attributes:
	674	key_value_pairs:
	675	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'}
	676	provides: [environ_commonprogramfilesx86]
	677	supported_os: [Windows]
	678	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
	679	---
	680	name: WindowsEnvironmentVariableComSpec
	681	doc: The %ComSpec% environment variable contains the path of the command processor, typically "cmd.exe".
	682	sources:
	683	- type: REGISTRY_VALUE
	684	attributes:
	685	key_value_pairs:
	686	- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'}
	687	provides: [environ_comspec]
	688	supported_os: [Windows]
	689	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
	690	---
	691	name: WindowsEnvironmentVariableDriverData
	692	doc: The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers.
	693	sources:
	694	- type: REGISTRY_VALUE
	695	attributes:
	696	key_value_pairs:
	697	- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'}
	698	provides: [environ_driverdata]
	699	supported_os: [Windows]
	700	conditions: [os_major_version >= 10]
	701	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
498	702	---
499	703	name: WindowsEnvironmentVariablePath
500		doc: The %PATH% environment variable.
501		sources:
502		- type: REGISTRY_VALUE
503		attributes:
504		key_value_pairs:
505		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'}
	704	doc: The %PATH% environment variable contains an ordered list of paths of directories that will be searched on execution request without a specific path.
	705	sources:
	706	- type: REGISTRY_VALUE
	707	attributes:
	708	key_value_pairs:
	709	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'}
506	710	provides: [environ_path]
507	711	supported_os: [Windows]
508		urls: ['http://environmentvariables.org/Path']
	712	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
509	713	---
510	714	name: WindowsEnvironmentVariableProfilesDirectory
511		doc: Folder that typically contains users' profile directories; default is '%SystemDrive%\Users'
512		sources:
513		- type: REGISTRY_VALUE
514		attributes:
515		key_value_pairs:
516		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'}
	715	doc: The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users".
	716	sources:
	717	- type: REGISTRY_VALUE
	718	attributes:
	719	key_value_pairs:
	720	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'}
517	721	provides: [environ_profilesdirectory]
518	722	supported_os: [Windows]
519		urls:
520		- 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'
521		- 'https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables'
522		- 'http://support.microsoft.com/kb//214653'
	723	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
523	724	---
524	725	name: WindowsEnvironmentVariableProgramData
525		doc: The %ProgramData% environment variable.
526		sources:
527		- type: REGISTRY_VALUE
528		attributes:
529		key_value_pairs:
530		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
	726	doc: The %ProgramData% environment variable contains a path of the "Program Data" directory.
	727	sources:
	728	- type: REGISTRY_VALUE
	729	attributes:
	730	key_value_pairs:
	731	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
531	732	provides: [environ_programdata]
532	733	supported_os: [Windows]
533		urls: ['http://environmentvariables.org/ProgramData']
	734	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
534	735	---
535	736	name: WindowsEnvironmentVariableProgramFiles
536		doc: The %ProgramFiles% environment variable.
	737	doc: The %ProgramFiles% environment variable contains a path of the "Program Files" directory.
537	738	sources:
538	739	- type: PATH
539	740	attributes:

542	743	- type: REGISTRY_VALUE
543	744	attributes:
544	745	key_value_pairs:
545		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}
	746	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}
546	747	provides: [environ_programfiles]
547	748	supported_os: [Windows]
548		urls: ['http://environmentvariables.org/ProgramFiles']
	749	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
549	750	---
550	751	name: WindowsEnvironmentVariableProgramFilesX86
551		doc: The %ProgramFiles(x86)% environment variable.
	752	doc: The %ProgramFiles(x86)% environment variable contains a path of the 32-bit "Program Files" directory on a 64-bit Windows installation.
552	753	sources:
553	754	- type: PATH
554	755	attributes:

557	758	- type: REGISTRY_VALUE
558	759	attributes:
559	760	key_value_pairs:
560		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}
	761	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}
561	762	provides: [environ_programfilesx86]
562	763	supported_os: [Windows]
563		urls: ['http://environmentvariables.org/ProgramFiles']
	764	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
564	765	---
565	766	name: WindowsEnvironmentVariableSystemDrive
566	767	doc: \|
567		The %SystemDrive% environment variable, usually "C:".
568
569		This value isn't actually present in the Registry but with some parsing we
570		can figure it out from SystemRoot.
	768	The %SystemDrive% environment variable contains the letter of the drive in which the system directory is located, typically "C:".
	769
	770	This value is not present in the Windows Registry but can be derived from %SystemRoot%.
571	771	sources:
572	772	- type: ARTIFACT_GROUP
573	773	attributes: {names: ['WindowsEnvironmentVariableSystemRoot']}
574	774	provides: [environ_systemdrive]
575	775	supported_os: [Windows]
576		urls:
577		- 'http://environmentvariables.org/SystemDrive'
578		- 'https://msdn.microsoft.com/en-us/library/cc231436.aspx'
	776	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
579	777	---
580	778	name: WindowsEnvironmentVariableSystemRoot
581		doc: The system root directory path, defined by %SystemRoot%, typically "C:\Windows".
	779	doc: The %SystemRoot%, environment variable contains the path of the system directory, typically "C:\Windows".
582	780	sources:
583	781	- type: PATH
584	782	attributes:
585	783	paths:
586		- '\Windows'
587		- '\WinNT'
588		- '\WINNT35'
589		- '\WTSRV'
590		separator: '\'
591		- type: REGISTRY_VALUE
592		attributes:
593		key_value_pairs:
594		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}
	784	- '\Windows'
	785	- '\WinNT'
	786	- '\WINNT35'
	787	- '\WTSRV'
	788	separator: '\'
	789	- type: REGISTRY_VALUE
	790	attributes:
	791	key_value_pairs:
	792	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}
595	793	provides: [environ_systemroot]
596	794	supported_os: [Windows]
597		urls: ['http://environmentvariables.org/SystemRoot']
	795	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
598	796	---
599	797	name: WindowsEnvironmentVariableTemp
600	798	doc: The %TEMP% environment variable.

602	800	- type: REGISTRY_VALUE
603	801	attributes:
604	802	key_value_pairs:
605		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'}
	803	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'}
606	804	provides: [environ_temp]
607	805	supported_os: [Windows]
608		urls: ['http://environmentvariables.org/Temp']
	806	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
609	807	---
610	808	name: WindowsEnvironmentVariableWinDir
611		doc: The %WinDir% environment variable.
	809	doc: The %WinDir%, environment variable contains the path of the Windows directory, typically "C:\Windows".
612	810	sources:
613	811	- type: PATH
614	812	attributes:
615	813	paths:
616		- '\Windows'
617		- '\WinNT'
618		- '\WINNT35'
619		- '\WTSRV'
620		separator: '\'
621		- type: REGISTRY_VALUE
622		attributes:
623		key_value_pairs:
624		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}
	814	- '\Windows'
	815	- '\WinNT'
	816	- '\WINNT35'
	817	- '\WTSRV'
	818	separator: '\'
	819	- type: REGISTRY_VALUE
	820	attributes:
	821	key_value_pairs:
	822	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}
625	823	provides: [environ_windir]
626	824	supported_os: [Windows]
627		urls: ['http://environmentvariables.org/WinDir']
	825	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EnvironmentVariables.md']
628	826	---
629	827	name: WindowsEventLogs
630	828	doc: Windows Event logs.

632	830	- type: ARTIFACT_GROUP
633	831	attributes:
634	832	names:
635		- 'WindowsEventLogApplication'
636		- 'WindowsEventLogSecurity'
637		- 'WindowsEventLogSystem'
638		- 'WindowsXMLEventLogApplication'
639		- 'WindowsXMLEventLogSecurity'
640		- 'WindowsXMLEventLogSystem'
	833	- 'WindowsEventLogApplication'
	834	- 'WindowsEventLogSecurity'
	835	- 'WindowsEventLogSystem'
	836	- 'WindowsXMLEventLogApplication'
	837	- 'WindowsXMLEventLogSecurity'
	838	- 'WindowsXMLEventLogSysmon'
	839	- 'WindowsXMLEventLogSystem'
	840	- 'WindowsXMLEventLogTerminalServices'
641	841	labels: [Logs]
642	842	supported_os: [Windows]
	843	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
643	844	---
644	845	name: WindowsEventLogApplication
645	846	doc: Application Windows Event Log.

651	852	conditions: [os_major_version < 6]
652	853	labels: [Logs]
653	854	supported_os: [Windows]
654		urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)']
	855	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
655	856	---
656	857	name: WindowsEventLogSecurity
657	858	doc: Security Windows Event Log.

663	864	conditions: [os_major_version < 6]
664	865	labels: [Logs]
665	866	supported_os: [Windows]
666		urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)']
	867	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
667	868	---
668	869	name: WindowsEventLogSystem
669	870	doc: System Windows Event Log.

675	876	conditions: [os_major_version < 6]
676	877	labels: [Logs]
677	878	supported_os: [Windows]
678		urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)']
	879	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
679	880	---
680	881	name: WindowsXMLEventLogApplication
681	882	doc: Application Windows XML Event Log.

687	888	conditions: [os_major_version >= 6]
688	889	labels: [Logs]
689	890	supported_os: [Windows]
690		urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
	891	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
691	892	---
692	893	name: WindowsXMLEventLogSecurity
693	894	doc: Security Windows XML Event Log.

699	900	conditions: [os_major_version >= 6]
700	901	labels: [Logs]
701	902	supported_os: [Windows]
702		urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
	903	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
703	904	---
704	905	name: WindowsXMLEventLogSysmon
705	906	doc: Sysmon Windows XML Event Log.

710	911	separator: '\'
711	912	labels: [Logs]
712	913	supported_os: [Windows]
713		urls:
714		- 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon'
715		- 'https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed'
	914	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
716	915	---
717	916	name: WindowsXMLEventLogSystem
718	917	doc: System Windows XML Event Log.

724	923	conditions: [os_major_version >= 6]
725	924	labels: [Logs]
726	925	supported_os: [Windows]
727		urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
	926	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
728	927	---
729	928	name: WindowsXMLEventLogTerminalServices
730	929	doc: TerminalServices Windows XML Event Log.

736	935	conditions: [os_major_version >= 6]
737	936	labels: [Logs]
738	937	supported_os: [Windows]
739		urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)']
	938	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/EventLog.md']
740	939	---
741	940	name: WindowsExcludeFromKnownDLLs
742	941	doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection.

753	952	- type: REGISTRY_VALUE
754	953	attributes:
755	954	key_value_pairs:
756		- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'}
	955	- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'}
757	956	supported_os: [Windows]
758	957	urls:
759	958	- 'http://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/assigning-the-special-keys-at-the-top-of-the/d1ab2e13-5297-457d-a8e8-bc2c883d8b58?db=5'

776	975	- type: REGISTRY_VALUE
777	976	attributes:
778	977	key_value_pairs:
779		- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'}
780		- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'}
781		- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'}
782		- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'}
	978	- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'}
	979	- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'}
	980	- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'}
	981	- {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'}
783	982	supported_os: [Windows]
784	983	urls:
785	984	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx'

793	992	- type: REGISTRY_KEY
794	993	attributes:
795	994	keys:
796		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
797		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
798		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
799		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
800		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
801		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
802		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
803		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
804		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace'
805		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace'
806		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders'
807		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders'
	995	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
	996	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
	997	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
	998	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
	999	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
	1000	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
	1001	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
	1002	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
	1003	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace'
	1004	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace'
	1005	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders'
	1006	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders'
808	1007	supported_os: [Windows]
809	1008	urls:
810	1009	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx'

817	1016	- type: REGISTRY_KEY
818	1017	attributes:
819	1018	keys:
820		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
821		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
822		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
823		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
824		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace'
825		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders'
826		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
827		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
828		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpaceWOW64\DelegateFolders'
829		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders'
830		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace'
831		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders'
832		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
833		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
834		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
835		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
836		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace'
837		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders'
838		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
839		- 'HKEY_USERS\%%users.sid%%\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders'
	1019	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
	1020	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
	1021	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
	1022	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
	1023	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace'
	1024	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders'
	1025	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
	1026	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
	1027	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpaceWOW64\DelegateFolders'
	1028	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders'
	1029	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace'
	1030	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders'
	1031	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
	1032	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
	1033	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
	1034	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
	1035	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace'
	1036	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders'
	1037	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
	1038	- 'HKEY_USERS\%%users.sid%%\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders'
840	1039	supported_os: [Windows]
841	1040	urls:
842	1041	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx'

848	1047	- type: REGISTRY_KEY
849	1048	attributes:
850	1049	keys:
851		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
852		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
853		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
854		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
855		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace'
856		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders'
857		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
858		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
859		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
860		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
861		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace'
862		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders'
	1050	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
	1051	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
	1052	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
	1053	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
	1054	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace'
	1055	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders'
	1056	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
	1057	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
	1058	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
	1059	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
	1060	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace'
	1061	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders'
863	1062	supported_os: [Windows]
864	1063	urls:
865	1064	- 'https://social.technet.microsoft.com/Forums/windowsserver/en-US/2760309c-89d1-414c-a04c-ce4178e90787/hide-libraries-icon-from-desktop'

873	1072	- type: REGISTRY_KEY
874	1073	attributes:
875	1074	keys:
876		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
877		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
878		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
879		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
880		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace'
881		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders'
882		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
883		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
884		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
885		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
886		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace'
887		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders'
	1075	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
	1076	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
	1077	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
	1078	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
	1079	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace'
	1080	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders'
	1081	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
	1082	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
	1083	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
	1084	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
	1085	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace'
	1086	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders'
888	1087	supported_os: [Windows]
889	1088	urls:
890	1089	- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/mycomputer.htm'

897	1096	- type: REGISTRY_KEY
898	1097	attributes:
899	1098	keys:
900		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
901		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
902		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
903		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
904		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace'
905		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders'
906		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
907		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
908		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
909		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
910		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace'
911		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders'
	1099	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
	1100	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
	1101	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
	1102	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
	1103	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace'
	1104	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders'
	1105	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
	1106	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
	1107	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
	1108	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
	1109	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace'
	1110	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders'
912	1111	supported_os: [Windows]
913	1112	urls:
914	1113	- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm'

921	1120	- type: REGISTRY_KEY
922	1121	attributes:
923	1122	keys:
924		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
925		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
926		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
927		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
928		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace'
929		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders'
930		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
931		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
932		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
933		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
934		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace'
935		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders'
	1123	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
	1124	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
	1125	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
	1126	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
	1127	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace'
	1128	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders'
	1129	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
	1130	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
	1131	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
	1132	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
	1133	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace'
	1134	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders'
936	1135	supported_os: [Windows]
937	1136	urls:
938	1137	- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/printers.htm'

941	1140	doc: \|
942	1141	Registry value for what application class identifier (CLSID) to launch for a file extension.
943	1142
944		Extension subkeys start with a dot.
945		sources:
946		- type: REGISTRY_KEY
947		attributes:
948		keys:
949		- 'HKEY_LOCAL_MACHINE\Software\Classes\.*'
950		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*'
951		- 'HKEY_USERS\%%users.sid%%\Software\Classes\.*'
952		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*'
953		supported_os: [Windows]
954		urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx']
	1143	Extension subkeys start with a dot. The '(Default)' value will be a ProgID,
	1144	which points to another entry in HKCR specifying the command to run to open
	1145	a file of the given type. The WindowsShellOpenCommand artifact is associated
	1146	with these ProgID command invocations.
	1147	sources:
	1148	- type: REGISTRY_VALUE
	1149	attributes:
	1150	key_value_pairs:
	1151	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\.*', value: ''}
	1152	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*', value: ''}
	1153	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.*', value: ''}
	1154	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*', value: ''}
	1155	supported_os: [Windows]
	1156	urls:
	1157	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx'
	1158	- 'https://docs.microsoft.com/en-us/windows/desktop/shell/fa-file-types'
955	1159	---
956	1160	name: WindowsFirewallLogFile
957	1161	doc: Windows Firewall default logfile

990	1194	- type: FILE
991	1195	attributes:
992	1196	paths:
993		- '%%environ_systemroot%%\GroupPolicy\User\Scripts\scripts.ini'
	1197	- '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\psscripts.ini'
	1198	- '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\scripts.ini'
	1199	- '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logoff\*'
	1200	- '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logon\*'
	1201	- '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\psscripts.ini'
	1202	- '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\scripts.ini'
	1203	- '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Shutdown\*'
	1204	- '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Startup\*'
994	1205	separator: '\'
995	1206	supported_os: [Windows]
996	1207	---

1000	1211	- type: FILE
1001	1212	attributes:
1002	1213	paths:
1003		- '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts'
1004		- '%%environ_systemroot%%\System32\Drivers\etc\hosts'
	1214	- '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts'
	1215	- '%%environ_systemroot%%\System32\Drivers\etc\hosts'
1005	1216	separator: '\'
1006	1217	supported_os: [Windows]
1007	1218	---

1011	1222	- type: FILE
1012	1223	attributes:
1013	1224	paths:
1014		- '%%environ_systemroot%%\System32\magnifier.exe'
1015		- '%%environ_systemroot%%\System32\sethc.exe'
1016		- '%%environ_systemroot%%\System32\utilman.exe'
	1225	- '%%environ_systemroot%%\System32\magnifier.exe'
	1226	- '%%environ_systemroot%%\System32\sethc.exe'
	1227	- '%%environ_systemroot%%\System32\utilman.exe'
1017	1228	separator: '\'
1018	1229	supported_os: [Windows]
1019	1230	---

1023	1234	- type: REGISTRY_VALUE
1024	1235	attributes:
1025	1236	key_value_pairs:
1026		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'}
	1237	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'}
1027	1238	supported_os: [Windows]
1028	1239	---
1029	1240	name: WindowsLogoffScript

1032	1243	- type: REGISTRY_VALUE
1033	1244	attributes:
1034	1245	key_value_pairs:
1035		- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'}
1036		- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'}
	1246	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'}
	1247	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'}
1037	1248	supported_os: [Windows]
1038	1249	urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx']
1039	1250	---

1043	1254	- type: REGISTRY_VALUE
1044	1255	attributes:
1045	1256	key_value_pairs:
1046		- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'}
1047		- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'}
	1257	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'}
	1258	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'}
1048	1259	supported_os: [Windows]
1049	1260	urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx']
1050	1261	---

1054	1265	- type: REGISTRY_VALUE
1055	1266	attributes:
1056	1267	key_value_pairs:
1057		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'}
1058		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'}
	1268	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'}
	1269	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'}
1059	1270	supported_os: [Windows]
1060	1271	urls:
1061	1272	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1067	1278	- type: REGISTRY_VALUE
1068	1279	attributes:
1069	1280	key_value_pairs:
1070		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'}
1071		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'}
	1281	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'}
	1282	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'}
1072	1283	supported_os: [Windows]
1073	1284	urls:
1074	1285	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1080	1291	- type: REGISTRY_VALUE
1081	1292	attributes:
1082	1293	key_value_pairs:
1083		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'}
1084		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'}
	1294	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'}
	1295	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'}
1085	1296	supported_os: [Windows]
1086	1297	urls:
1087	1298	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa379392(v=vs.85).aspx'

1137	1348	- type: REGISTRY_VALUE
1138	1349	attributes:
1139	1350	key_value_pairs:
1140		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'}
1141		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'}
	1351	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'}
	1352	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'}
1142	1353	supported_os: [Windows]
1143	1354	urls:
1144	1355	- 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_ransom.smc7'

1150	1361	- type: REGISTRY_KEY
1151	1362	attributes:
1152	1363	keys:
1153		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*'
1154		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*'
	1364	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*'
	1365	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*'
1155	1366	supported_os: [Windows]
1156	1367	urls: ['https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/']
1157	1368	---

1160	1371	sources:
1161	1372	- type: REGISTRY_KEY
1162	1373	attributes:
1163		keys: ['HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*']
	1374	keys:
	1375	- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
	1376	- 'HKEY_USERS\%%users.sid%%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
	1377	- 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
	1378	- 'HKEY_USERS\%%users.sid%%\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
1164	1379	supported_os: [Windows]
1165	1380	urls:
1166	1381	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
1167	1382	- 'https://support.microsoft.com/en-us/kb/126054'
	1383	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
1168	1384	---
1169	1385	name: WindowsNetworkShellHelpers
1170	1386	doc: Windows Network Shell (netsh) helpers are loaded on boot

1172	1388	- type: REGISTRY_KEY
1173	1389	attributes:
1174	1390	keys:
1175		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh'
1176		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh'
	1391	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh'
	1392	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh'
1177	1393	supported_os: [Windows]
1178	1394	urls: ['https://support.microsoft.com/en-us/kb/242468']
1179	1395	---

1186	1402	conditions: [os_major_version < 6]
1187	1403	supported_os: [Windows]
1188	1404	urls:
1189		- 'http://www.forensicswiki.org/wiki/OpenSaveMRU'
	1405	- 'https://forensicswiki.xyz/wiki/index.php?title=OpenSaveMRU'
1190	1406	- 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru'
1191	1407	---
1192	1408	name: WindowsOpenSavePidlMRU

1199	1415	supported_os: [Windows]
1200	1416	urls:
1201	1417	- 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru'
1202		- 'http://www.forensicswiki.org/wiki/OpenSavePidlMRU'
	1418	- 'https://forensicswiki.xyz/wiki/index.php?title=OpenSavePidlMRU'
1203	1419	---
1204	1420	name: WindowsPendingFileRenames
1205	1421	doc: Windows Pending file renames on reboot

1207	1423	- type: REGISTRY_VALUE
1208	1424	attributes:
1209	1425	key_value_pairs:
1210		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'}
	1426	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'}
1211	1427	supported_os: [Windows]
1212	1428	urls: ['https://technet.microsoft.com/en-us/library/cc960241.aspx']
	1429	---
	1430	name: WindowsPendingGPOs
	1431	doc: \|
	1432	Windows Pending GPOs registry settings.
	1433
	1434	This is a persistence mechanism known to be used by the Gootkit malware family.
	1435	sources:
	1436	- type: REGISTRY_VALUE
	1437	attributes:
	1438	key_value_pairs:
	1439	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'}
	1440	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'}
	1441	supported_os: [Windows]
	1442	urls: ['https://www.certego.net/en/news/malware-tales-gootkit/']
1213	1443	---
1214	1444	name: WindowsPersistenceMechanisms
1215	1445	doc: Persistence mechanisms in Windows.

1217	1447	- type: ARTIFACT_GROUP
1218	1448	attributes:
1219	1449	names:
1220		- WindowsPersistenceRegistryKeys
1221		- WindowsPowerShellDefaultProfiles
1222		- WindowsServices
	1450	- WindowsPersistenceRegistryKeys
	1451	- WindowsPowerShellDefaultProfiles
	1452	- WindowsServices
1223	1453	labels: [Software]
1224	1454	supported_os: [Windows]
1225	1455	---

1229	1459	- type: ARTIFACT_GROUP
1230	1460	attributes:
1231	1461	names:
1232		- InternetExplorerBrowserHelperObjects
1233		- WindowsActiveDesktop
1234		- WindowsAlternateShell
1235		- WindowsAppCertDLLs
1236		- WindowsAppInitDLLs
1237		- WindowsBootVerificationProgram
1238		- WindowsCommandProcessorAutoRun
1239		- WindowsCredentialProviderFilters
1240		- WindowsCredentialProviders
1241		- WindowsDebugger
1242		- WindowsEnvironmentUserLoginScripts
1243		- WindowsExplorerAutoplayHandlers
1244		- WindowsFileTypeAutorunAssociations
1245		- WindowsLSAAuthenticationPackages
1246		- WindowsLSANotificationPackages
1247		- WindowsLSASecurityPackages
1248		- WindowsMSDTCDLLs
1249		- WindowsMultiMediaDrivers
1250		- WindowsNetworkShellHelpers
1251		- WindowsPLAPProviders
1252		- WindowsPrintMonitors
1253		- WindowsRunGrpConv
1254		- WindowsRunKeys
1255		- WindowsRunServices
1256		- WindowsScreenSaverExecutable
1257		- WindowsSecurityProviders
1258		- WindowsServiceControlManagerExtension
1259		- WindowsSessionManagerBootExecute
1260		- WindowsSessionManagerExecute
1261		- WindowsSessionManagerSetupExecute
1262		- WindowsSessionManagerSubSystems
1263		- WindowsSessionManagerWOWCommandLine
1264		- WindowsSharedTaskScheduler
1265		- WindowsShellExecuteHooks
1266		- WindowsShellExtensions
1267		- WindowsShellIconOverlayIdentifiers
1268		- WindowsShellLoadAndRun
1269		- WindowsShellOpenCommand
1270		- WindowsShellServiceObjects
1271		- WindowsStubPaths
1272		- WindowsSystemPolicyShell
1273		- WindowsTerminalServerRunKeys
1274		- WindowsTerminalServerStartupPrograms
1275		- WindowsToolPaths
1276		- WindowsWinlogonGinaDLL
1277		- WindowsWinlogonNotify
1278		- WindowsWinlogonShell
1279		- WindowsWinlogonSystem
1280		- WindowsWinlogonTaskman
1281		- WindowsWinlogonUiHost
1282		- WindowsWinlogonUserinit
1283		- WindowsWinlogonVMApplet
1284		- WinSock2LayeredServiceProviders
1285		- WinSock2NamespaceProviders
	1462	- InternetExplorerBrowserHelperObjects
	1463	- WindowsActiveDesktop
	1464	- WindowsActiveSyncAutoStart
	1465	- WindowsAlternateShell
	1466	- WindowsAppCertDLLs
	1467	- WindowsAppInitDLLs
	1468	- WindowsBootVerificationProgram
	1469	- WindowsCommandProcessorAutoRun
	1470	- WindowsCredentialProviderFilters
	1471	- WindowsCredentialProviders
	1472	- WindowsDebugger
	1473	- WindowsEnvironmentUserLoginScripts
	1474	- WindowsExplorerAutoplayHandlers
	1475	- WindowsFileTypeAutorunAssociations
	1476	- WindowsFontDrivers
	1477	- WindowsIconServiceLib
	1478	- WindowsLSAAuthenticationPackages
	1479	- WindowsLSANotificationPackages
	1480	- WindowsLSASecurityPackages
	1481	- WindowsMSDTCDLLs
	1482	- WindowsMultiMediaDrivers
	1483	- WindowsNetworkShellHelpers
	1484	- WindowsPendingGPOs
	1485	- WindowsPLAPProviders
	1486	- WindowsPrintMonitors
	1487	- WindowsRunGrpConv
	1488	- WindowsRunKeys
	1489	- WindowsRunServices
	1490	- WindowsScreenSaverExecutable
	1491	- WindowsSearchFilterHandlers
	1492	- WindowsSecurityProviders
	1493	- WindowsServiceControlManagerExtension
	1494	- WindowsSessionManagerBootExecute
	1495	- WindowsSessionManagerExecute
	1496	- WindowsSessionManagerS0InitialCommand
	1497	- WindowsSessionManagerSetupExecute
	1498	- WindowsSessionManagerSubSystems
	1499	- WindowsSessionManagerWOWCommandLine
	1500	- WindowsSetupCommandLine
	1501	- WindowsSharedTaskScheduler
	1502	- WindowsShellExecuteHooks
	1503	- WindowsShellExtensions
	1504	- WindowsShellIconOverlayIdentifiers
	1505	- WindowsShellLoadAndRun
	1506	- WindowsShellOpenCommand
	1507	- WindowsShellRunasCommand
	1508	- WindowsShellServiceObjects
	1509	- WindowsStubPaths
	1510	- WindowsSystemPolicyShell
	1511	- WindowsTerminalServerInitialProgram
	1512	- WindowsTerminalServerRunKeys
	1513	- WindowsTerminalServerStartupPrograms
	1514	- WindowsToolPaths
	1515	- WindowsWinlogonAppSetup
	1516	- WindowsWinlogonAvailableShells
	1517	- WindowsWinlogonGinaDLL
	1518	- WindowsWinlogonGPExtensions
	1519	- WindowsWinlogonNotify
	1520	- WindowsWinlogonShell
	1521	- WindowsWinlogonSystem
	1522	- WindowsWinlogonTaskman
	1523	- WindowsWinlogonUiHost
	1524	- WindowsWinlogonUserinit
	1525	- WindowsWinlogonVMApplet
	1526	- WinSock2LayeredServiceProviders
	1527	- WinSock2NamespaceProviders
1286	1528	labels: [Software]
1287	1529	supported_os: [Windows]
1288	1530	---

1292	1534	- type: REGISTRY_KEY
1293	1535	attributes:
1294	1536	keys:
1295		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*'
1296		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*'
	1537	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*'
	1538	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*'
1297	1539	supported_os: [Windows]
1298	1540	urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb530584(v=vs.85).aspx']
1299	1541	---

1302	1544	sources:
1303	1545	- type: REGISTRY_KEY
1304	1546	attributes:
1305		keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*']
1306		labels: [Software]
1307		supported_os: [Windows]
1308		urls: ['https://support.microsoft.com/en-us/kb/323525']
	1547	keys:
	1548	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*'
	1549	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*'
	1550	labels: [System]
	1551	supported_os: [Windows]
	1552	urls:
	1553	- 'https://support.microsoft.com/en-us/kb/323525'
	1554	- 'https://blog.malwarebytes.com/detections/pum-optional-disallowrun/'
1309	1555	---
1310	1556	name: WindowsPowerShellDefaultProfiles
1311	1557	doc: Default PowerShell Profile files. These files are executed by default when PowerShell starts up.

1313	1559	- type: FILE
1314	1560	attributes:
1315	1561	paths:
1316		- '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1'
1317		- '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
1318		- '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
1319		- '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
	1562	- '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1'
	1563	- '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
	1564	- '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
	1565	- '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
1320	1566	separator: '\'
1321	1567	supported_os: [Windows]
1322	1568	urls:

1329	1575	- type: REGISTRY_VALUE
1330	1576	attributes:
1331	1577	key_value_pairs:
1332		- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'}
1333		- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'}
	1578	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'}
	1579	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'}
1334	1580	supported_os: [Windows]
1335	1581	urls:
1336	1582	- 'https://technet.microsoft.com/library/hh847748.aspx'

1342	1588	- type: REGISTRY_VALUE
1343	1589	attributes:
1344	1590	key_value_pairs:
1345		- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'}
1346		- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'}
	1591	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'}
	1592	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'}
1347	1593	supported_os: [Windows]
1348	1594	urls:
1349	1595	- 'https://technet.microsoft.com/library/hh847748.aspx'

1358	1604	separator: '\'
1359	1605	labels: [System]
1360	1606	supported_os: [Windows]
1361		urls: ['http://www.forensicswiki.org/wiki/Prefetch']
	1607	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Prefetch']
1362	1608	---
1363	1609	name: WindowsPrintMonitors
1364	1610	doc: Windows Print Monitor DLL config.

1385	1631	- type: REGISTRY_VALUE
1386	1632	attributes:
1387	1633	key_value_pairs:
1388		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'}
1389		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'}
	1634	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'}
	1635	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'}
1390	1636	supported_os: [Windows]
1391	1637	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc']
	1638	---
	1639	name: WindowsProgramsCacheJumpLists
	1640	doc: Windows Programs Cache Jump Lists
	1641	sources:
	1642	- type: REGISTRY_VALUE
	1643	attributes:
	1644	key_value_pairs:
	1645	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheSMP'}
	1646	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheTBP'}
	1647	supported_os: [Windows]
	1648	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
1392	1649	---
1393	1650	name: WindowsProxyPACAutoConfigURL
1394	1651	doc: Windows Proxy PAC AutoConfigURL.

1396	1653	- type: REGISTRY_VALUE
1397	1654	attributes:
1398	1655	key_value_pairs:
1399		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'}
	1656	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'}
1400	1657	labels: [System, Network]
1401	1658	supported_os: [Windows]
1402	1659	urls: ['https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/']
	1660	---
	1661	name: WindowsProxyServerSettings
	1662	doc: \|
	1663	Windows Proxy Server Settings.
	1664
	1665	Malware can modify these settings to redirect traffic through
	1666	a malicious program running on the machine (for instance, by
	1667	specifying 127.0.0.1 as the IP address of the proxy server to
	1668	use) or to a malicious host on the local network or internet.
	1669	sources:
	1670	- type: REGISTRY_VALUE
	1671	attributes:
	1672	key_value_pairs:
	1673	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
	1674	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
	1675	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
	1676	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
	1677	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'}
	1678	- {key: 'HKEY_USERS\%%users.sid%%\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'}
	1679	labels: [System, Network]
	1680	supported_os: [Windows]
	1681	urls: ['https://blog.malwarebytes.com/detections/pum-optional-proxyhijacker/']
1403	1682	---
1404	1683	name: WindowsRecentFileCacheBCF
1405	1684	doc: The RecentFileCache.bcf file.

1410	1689	separator: '\'
1411	1690	conditions: [os_major_version >= 6 AND os_minor_version >= 1]
1412	1691	supported_os: [Windows]
1413		urls: ['https://github.com/libyal/assorted/blob/master/documentation/RecentFileCache.bcf%20format.asciidoc']
	1692	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RecentFileCache.md']
1414	1693	---
1415	1694	name: WindowsRecycleBin
1416	1695	doc: Windows Recycle Bin (Recyler, $Recycle.Bin) files.

1418	1697	- type: FILE
1419	1698	attributes:
1420	1699	paths:
1421		- '\$Recycle.Bin\**'
1422		- '\Recycler\**'
	1700	- '\$Recycle.Bin\**'
	1701	- '\Recycler\**'
1423	1702	separator: '\'
1424	1703	labels: [Users]
1425	1704	supported_os: [Windows]
1426		urls: ['http://www.forensicswiki.org/wiki/Windows#Recycle_Bin']
	1705	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Recycle_Bin']
1427	1706	---
1428	1707	name: WindowsRegistryCurrentControlSet
1429	1708	doc: The current control set of the Windows Registry.

1432	1711	attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]}
1433	1712	provides: [current_control_set]
1434	1713	supported_os: [Windows]
1435		urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys']
	1714	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc']
1436	1715	---
1437	1716	name: WindowsRegistryFilesAndTransactionLogs
1438	1717	doc: Windows user and system Registry files and transaction logs.

1440	1719	- type: ARTIFACT_GROUP
1441	1720	attributes:
1442	1721	names:
1443		- 'WindowsSystemRegistryFiles'
1444		- 'WindowsSystemRegistryTransactionLogFiles'
1445		- 'WindowsUserRegistryFiles'
1446		- 'WindowsUserRegistryTransactionLogFiles'
	1722	- 'WindowsSystemRegistryFiles'
	1723	- 'WindowsSystemRegistryTransactionLogFiles'
	1724	- 'WindowsUserRegistryFiles'
	1725	- 'WindowsUserRegistryTransactionLogFiles'
1447	1726	labels: [System,Users]
1448	1727	supported_os: [Windows]
	1728	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
1449	1729	---
1450	1730	name: WindowsRegistryProfiles
1451	1731	doc: \|

1522	1802	- type: REGISTRY_KEY
1523	1803	attributes:
1524	1804	keys:
1525		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
1526		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*'
1527		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
1528		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
1529		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
1530		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*'
1531		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*'
1532		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
1533		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
1534		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
1535		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
1536		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*'
1537		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
1538		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
1539		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
1540		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
1541		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*'
1542		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*'
1543		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
1544		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
	1805	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
	1806	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*'
	1807	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
	1808	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
	1809	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
	1810	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*'
	1811	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*'
	1812	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
	1813	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
	1814	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
	1815	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
	1816	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*'
	1817	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
	1818	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
	1819	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
	1820	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*'
	1821	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*'
	1822	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*'
	1823	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*'
	1824	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
1545	1825	labels: [Software]
1546	1826	supported_os: [Windows]
1547	1827	urls:

1556	1836	- type: REGISTRY_KEY
1557	1837	attributes:
1558	1838	keys:
1559		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*'
1560		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*'
1561		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*'
1562		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*'
1563		supported_os: [Windows]
1564		urls: ['https://support.microsoft.com/en-us/kb/179365']
	1839	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*'
	1840	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*'
	1841	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*'
	1842	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*'
	1843	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*'
	1844	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServices\*'
	1845	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*'
	1846	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*'
	1847	supported_os: [Windows]
	1848	urls:
	1849	- 'https://support.microsoft.com/en-us/kb/179365'
	1850	- 'https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html'
1565	1851	---
1566	1852	name: WindowsScheduledTasks
1567	1853	doc: Windows Scheduled Tasks.

1569	1855	- type: FILE
1570	1856	attributes:
1571	1857	paths:
1572		- '%%environ_systemroot%%\Tasks\**10'
1573		- '%%environ_systemroot%%\System32\Tasks\**10'
1574		- '%%environ_systemroot%%\SysWow64\Tasks\**10'
1575		separator: '\'
1576		supported_os: [Windows]
1577		urls: ['http://forensicswiki.org/wiki/Windows#Scheduled_Tasks']
	1858	- '%%environ_systemroot%%\Tasks\**10'
	1859	- '%%environ_systemroot%%\System32\Tasks\**10'
	1860	- '%%environ_systemroot%%\SysWow64\Tasks\**10'
	1861	separator: '\'
	1862	supported_os: [Windows]
	1863	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Scheduled_Tasks']
1578	1864	---
1579	1865	name: WindowsScreenSaverExecutable
1580	1866	doc: ScreenSaver Executable

1582	1868	- type: REGISTRY_VALUE
1583	1869	attributes:
1584	1870	key_value_pairs:
1585		- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'}
1586		- {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'}
	1871	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'}
	1872	- {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'}
1587	1873	supported_os: [Windows]
1588	1874	urls:
1589	1875	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1599	1885	separator: '\'
1600	1886	labels: [Software]
1601	1887	supported_os: [Windows]
1602		urls: ['http://www.forensicswiki.org/wiki/Windows_Desktop_Search']
	1888	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows_Desktop_Search']
1603	1889	---
1604	1890	name: WindowsSecurityProviders
1605	1891	doc: Security Providers DLLs

1627	1913	- 'http://www.silentrunners.org/Silent%20Runners.vbs'
1628	1914	---
1629	1915	name: WindowsServices
1630		doc: Windows services from the Registry.
	1916	doc: \|
	1917	Windows services from the Registry.
	1918
	1919	Malware can add new services to gain persistence, or modify
	1920	existing ones to avoid detection. For example, the ZeroAccess
	1921	rootkit will make the following changes to the WSCSVC (Windows
	1922	Security Service Center), WINDEFEND (Windows Defender),
	1923	and MPSSVC (Windows Firewall) services, among others
	1924
	1925	* Set 'Start' to 4, indicating that the service should be disabled
	1926	* Set 'DeleteFlag' to 1, indicating that the service should be removed
	1927	* Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be
	1928	started by the Service Controller and no error messages generated
1631	1929	sources:
1632	1930	- type: REGISTRY_KEY
1633	1931	attributes:
1634	1932	keys:
1635		- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\\'
1636		- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\\Parameters\'
	1933	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\\'
	1934	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\\Parameters\'
1637	1935	labels: [Software]
1638	1936	supported_os: [Windows]
1639	1937	urls:
1640	1938	- 'http://support.microsoft.com/kb/103000'
1641		- 'https://github.com/libyal/winreg-kb/wiki/System-keys'
	1939	- 'https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'
	1940	---
	1941	name: WindowsActionCenterSettings
	1942	doc: \|
	1943	Windows Action Center Settings
	1944
	1945	Malware can modify these keys to disable notifications that occur
	1946	when various security features are disabled. One malware family
	1947	known to modify these keys is Kovter, a well-known trojan.
	1948	sources:
	1949	- type: REGISTRY_VALUE
	1950	attributes:
	1951	key_value_pairs:
	1952	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'}
	1953	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'}
	1954	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'}
	1955	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'}
	1956	labels: [System]
	1957	supported_os: [Windows]
	1958	urls:
	1959	- 'https://winaero.com/blog/registry-tweak-to-disable-action-center-notifications-in-windows-7/'
	1960	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html'
	1961	- 'https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/'
	1962	---
	1963	name: WindowsBootConfigurationSettings
	1964	doc: \|
	1965	Windows Boot Configuration Settings.
	1966
	1967	These Windows Registry values are associated with the Windows Boot
	1968	Configuration Settings. Malware, like Cerber (ransomware), is known to
	1969	change the Windows Boot Configuration Settings and disable recovery options
	1970	like the ability to boot into safe mode.
	1971
	1972	'bcdedit.exe' can be used to modify the Windows Boot Configuration Settings.
	1973	The mappings of registry key to associated bcdedit commands is as
	1974	follows:
	1975	* 16000009: 'bcdedit.exe /set {default} recoveryenabled <yes\|no>'
	1976	* 00 gets stored for 'no', 01 gets stored for 'yes'
	1977	* 250000e0: 'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
	1978	* 01 00 00 00 00 00 00 00 gets stored. Otherwise, the key is not present
	1979
	1980	The wildcard component of the Windows Registry key is the identifier
	1981	associated with the Windows Boot Loader instance on a given machine. This
	1982	identifier can be determined by running 'bcdedit.exe /v' and looking at the
	1983	'identifier' under the Windows Boot Loader section (on Windows 7 and
	1984	Windows 10, '{default}' [used by Cerber] points to this instance).
	1985	sources:
	1986	- type: REGISTRY_VALUE
	1987	attributes:
	1988	key_value_pairs:
	1989	- {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\16000009', value: 'Element'}
	1990	- {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\250000e0', value: 'Element'}
	1991	labels: [System]
	1992	supported_os: [Windows]
	1993	urls:
	1994	- 'https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi'
	1995	- 'https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html'
	1996	---
	1997	name: WindowsDisallowedSystemCertificates
	1998	doc: \|
	1999	Windows Disallowed System Certificates
	2000
	2001	Malware can add code-signing certificates associated with
	2002	antivirus programs to the disallowed list to prevent the
	2003	AV programs from running.
	2004	sources:
	2005	- type: REGISTRY_KEY
	2006	attributes:
	2007	keys:
	2008	- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*'
	2009	- 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*'
	2010	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*'
	2011	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*'
	2012	labels: [System]
	2013	supported_os: [Windows]
	2014	urls:
	2015	- 'https://blog.malwarebytes.com/detections/pum-optional-misplacedcertificate/'
	2016	---
	2017	name: WindowsExplorerSettings
	2018	doc: \|
	2019	Windows Explorer Settings
	2020
	2021	Malware can modify these keys to make it more difficult for the
	2022	user to detect and remove malicious software.
	2023	sources:
	2024	- type: REGISTRY_VALUE
	2025	attributes:
	2026	key_value_pairs:
	2027	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
	2028	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
	2029	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
	2030	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
	2031	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
	2032	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
	2033	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
	2034	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
	2035	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
	2036	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
	2037	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
	2038	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
	2039	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'}
	2040	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'}
	2041	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'}
	2042	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'}
	2043	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'}
	2044	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'}
	2045	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'}
	2046	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'}
	2047	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'}
	2048	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'}
	2049	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'}
	2050	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'}
	2051	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'}
	2052	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'}
	2053	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'}
	2054	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'}
	2055	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'}
	2056	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'}
	2057	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'}
	2058	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'}
	2059	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'}
	2060	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'}
	2061	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'}
	2062	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'}
	2063	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'}
	2064	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'}
	2065	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'}
	2066	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'}
	2067	labels: [System]
	2068	supported_os: [Windows]
	2069	urls:
	2070	- 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html'
	2071	- 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_mandrom.e'
	2072	- 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_deleter.ah'
	2073	- 'https://blog.malwarebytes.com/detections/pum-optional-disabledrightclick/'
	2074	- 'https://blog.malwarebytes.com/detections/pum-optional-disableshowcontrolpanel/'
	2075	---
	2076	name: WindowsSystemSettings
	2077	doc: \|
	2078	Windows System Settings
	2079
	2080	Malware can modify these keys to make it more difficult for the
	2081	user to detect and remove malicious software.
	2082	sources:
	2083	- type: REGISTRY_VALUE
	2084	attributes:
	2085	key_value_pairs:
	2086	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'}
	2087	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'}
	2088	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'}
	2089	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'}
	2090	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'}
	2091	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'}
	2092	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'}
	2093	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'}
	2094	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'}
	2095	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'}
	2096	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'}
	2097	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'}
	2098	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'}
	2099	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'}
	2100	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'}
	2101	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'}
	2102	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'}
	2103	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'}
	2104	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'}
	2105	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'}
	2106	labels: [System]
	2107	supported_os: [Windows]
	2108	urls:
	2109	- 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html'
	2110	- 'https://www.thewindowsclub.com/enable-disable-command-prompt-windows'
	2111	- 'https://blog.malwarebytes.com/detections/pum-optional-disableregistrytools/'
	2112	- 'https://blog.malwarebytes.com/detections/pum-optional-disabletaskmgr/'
	2113	- 'https://www.stigviewer.com/stig/windows_7/2014-04-02/finding/V-1154'
	2114	- 'https://blog.malwarebytes.com/detections/pum-optional-nodispcpl/'
	2115	- 'https://blog.malwarebytes.com/detections/pum-optional-disablecmdprompt/'
	2116	---
	2117	name: WindowsFirewallAuthorizedApplications
	2118	doc: \|
	2119	Windows Firewall Authorized Applications
	2120
	2121	Malware can add paths to this list to more easily communicate
	2122	over the network on an infected machine. For instance, Emotet
	2123	modifies some these settings after gaining execution.
	2124	sources:
	2125	- type: REGISTRY_KEY
	2126	attributes:
	2127	keys:
	2128	# Windows XP and 2003
	2129	- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\*'
	2130	- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\*'
	2131	# Windows Vista and later
	2132	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\*'
	2133	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications\List\*'
	2134	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\*'
	2135	labels: [System]
	2136	supported_os: [Windows]
	2137	urls:
	2138	- 'https://threatvector.cylance.com/en_us/home/threat-spotlight-eyepyramid-malware.html'
	2139	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html'
	2140	---
	2141	name: WindowsFirewallGloballyOpenPorts
	2142	doc: \|
	2143	Windows Firewall Globally Open Ports
	2144
	2145	Malware can add to the list of open ports to avoid
	2146	having to create Windows Firewall exceptions tied
	2147	to specific applications.
	2148	sources:
	2149	- type: REGISTRY_KEY
	2150	attributes:
	2151	keys:
	2152	# Windows XP and 2003
	2153	- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\*'
	2154	- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List\*'
	2155	# Windows Vista and later
	2156	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\*'
	2157	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts\List\*'
	2158	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\*'
	2159	labels: [System]
	2160	supported_os: [Windows]
	2161	urls:
	2162	- 'https://qaforce.wordpress.com/2009/10/06/windows-firewall-registry-keys/'
	2163	- 'https://github.com/steeve85/Malwares/wiki/Registry'
	2164	---
	2165	name: WindowsFirewallPolicySettings
	2166	doc: \|
	2167	Windows Firewall Policy Settings
	2168
	2169	Malware can modify these settings to more easily communicate
	2170	over the network on an infected machine. For instance, Emotet
	2171	modifies some these settings after gaining execution.
	2172	sources:
	2173	- type: REGISTRY_VALUE
	2174	attributes:
	2175	key_value_pairs:
	2176	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'EnableFirewall'}
	2177	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DisableNotifications'}
	2178	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DoNotAllowExceptions'}
	2179	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultInboundAction'}
	2180	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultOutboundAction'}
	2181	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'EnableFirewall'}
	2182	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DisableNotifications'}
	2183	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DoNotAllowExceptions'}
	2184	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultInboundAction'}
	2185	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultOutboundAction'}
	2186	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'EnableFirewall'}
	2187	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DisableNotifications'}
	2188	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DoNotAllowExceptions'}
	2189	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultInboundAction'}
	2190	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultOutboundAction'}
	2191	labels: [System]
	2192	supported_os: [Windows]
	2193	urls:
	2194	- 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-enablefirewall'
	2195	- 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-disablenotifications'
	2196	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
	2197	---
	2198	name: WindowsSecurityCenterSettings
	2199	doc: \|
	2200	Windows Security Center Settings
	2201
	2202	Malware can modify these settings to avoid detection on
	2203	an infected machine. For instance, Emotet modifies some of
	2204	these settings after gaining execution.
	2205	sources:
	2206	- type: REGISTRY_VALUE
	2207	attributes:
	2208	key_value_pairs:
	2209	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'}
	2210	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'}
	2211	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusDisableNotify'}
	2212	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusDisableNotify'}
	2213	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusOverride'}
	2214	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusOverride'}
	2215	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'}
	2216	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'}
	2217	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallDisableNotify'}
	2218	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'FirewallDisableNotify'}
	2219	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallOverride'}
	2220	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'FirewallOverride'}
	2221	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesDisableNotify'}
	2222	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesDisableNotify'}
	2223	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesOverride'}
	2224	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesOverride'}
	2225	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UacDisableNotify'}
	2226	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UacDisableNotify'}
	2227	labels: [System]
	2228	supported_os: [Windows]
	2229	urls:
	2230	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
	2231	- 'https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking'
	2232	- 'https://ccm.net/faq/1446-disabling-security-alerts-under-vista'
	2233	---
	2234	name: WindowsSystemRestoreSettings
	2235	doc: \|
	2236	Windows System Restore Settings
	2237
	2238	Some malware, especially ransomware, will disable system restore
	2239	to make system recovery more difficult.
	2240	sources:
	2241	- type: REGISTRY_VALUE
	2242	attributes:
	2243	key_value_pairs:
	2244	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'}
	2245	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'}
	2246	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'}
	2247	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'}
	2248	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'}
	2249	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'}
	2250	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'}
	2251	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'}
	2252	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'}
	2253	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'}
	2254	labels: [System]
	2255	supported_os: [Windows]
	2256	urls:
	2257	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
	2258	- 'https://www.windows-commandline.com/enable-disable-system-restore-service/'
	2259	- 'https://docs.microsoft.com/en-us/windows/desktop/msi/limitsystemrestorecheckpointing'
	2260	---
	2261	name: WindowsUserAccountControlSettings
	2262	doc: \|
	2263	Windows User Account Control Settings
	2264
	2265	Malware sometimes disables UAC to make it easier to perform
	2266	actions on an infected machine.
	2267	sources:
	2268	- type: REGISTRY_VALUE
	2269	attributes:
	2270	key_value_pairs:
	2271	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'}
	2272	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'}
	2273	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'}
	2274	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'}
	2275	labels: [System]
	2276	supported_os: [Windows]
	2277	urls:
	2278	- 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec'
	2279	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
	2280	- 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4'
	2281	---
	2282	name: WindowsUpgradeSettings
	2283	doc: \|
	2284	Windows Upgrade Settings
	2285
	2286	Malware sometimes disables a machine ability to upgrade from
	2287	previous versions of Windows to Windows 10. One malware family
	2288	known to modify these keys is Kovter, a well-known trojan.
	2289	sources:
	2290	- type: REGISTRY_VALUE
	2291	attributes:
	2292	key_value_pairs:
	2293	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate', value: 'DisableOSUpgrade'}
	2294	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate', value: 'DisableOSUpgrade'}
	2295	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade', value: 'ReservationsAllowed'}
	2296	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade', value: 'ReservationsAllowed'}
	2297	labels: [System]
	2298	supported_os: [Windows]
	2299	urls:
	2300	- 'https://www.ghacks.net/2016/01/08/disableosupgrade-prevents-the-upgrade-to-windows-10/'
	2301	- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html'
	2302	---
	2303	name: WindowsUpdateSettings
	2304	doc: Windows Update Settings
	2305	sources:
	2306	- type: REGISTRY_VALUE
	2307	attributes:
	2308	key_value_pairs:
	2309	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'}
	2310	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'}
	2311	labels: [System]
	2312	supported_os: [Windows]
	2313	urls:
	2314	- 'https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings'
	2315	- 'https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html'
	2316	---
	2317	name: WindowsFontDrivers
	2318	doc: Windows font drivers from the Registry.
	2319	sources:
	2320	- type: REGISTRY_KEY
	2321	attributes:
	2322	keys:
	2323	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers\*'
	2324	labels: [Software]
	2325	supported_os: [Windows]
	2326	urls:
	2327	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
1642	2328	---
1643	2329	name: WindowsSessionManagerBootExecute
1644	2330	doc: Windows Session Manager BootExecute persistence.

1650	2336	urls: ['https://technet.microsoft.com/en-us/library/cc963230.aspx']
1651	2337	---
1652	2338	name: WindowsSessionManagerExecute
1653		doc: Windows Session Manager Execute persistence
	2339	doc: \|
	2340	Windows Session Manager Execute persistence
	2341
	2342	This entry shouldn't be populated after Windows has been installed
1654	2343	sources:
1655	2344	- type: REGISTRY_VALUE
1656	2345	attributes:
1657	2346	key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'Execute'}]
1658	2347	supported_os: [Windows]
1659		urls: ['https://technet.microsoft.com/en-us/library/cc976130.aspx']
	2348	urls:
	2349	- 'https://technet.microsoft.com/en-us/library/cc976130.aspx'
	2350	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
	2351	---
	2352	name: WindowsSessionManagerS0InitialCommand
	2353	doc: \|
	2354	Windows Session Manager S0InitialCommand persistence
	2355
	2356	This entry shouldn't be populated after Windows has been installed
	2357	sources:
	2358	- type: REGISTRY_VALUE
	2359	attributes:
	2360	key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'S0InitialCommand'}]
	2361	supported_os: [Windows]
	2362	urls:
	2363	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx'
	2364	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
1660	2365	---
1661	2366	name: WindowsSessionManagerSetupExecute
1662		doc: Windows Session Manager SetupExecute persistence
	2367	doc: \|
	2368	Windows Session Manager SetupExecute persistence
	2369
	2370	This entry shouldn't be populated after Windows has been installed
1663	2371	sources:
1664	2372	- type: REGISTRY_VALUE
1665	2373	attributes:
1666	2374	key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'SetupExecute'}]
1667	2375	supported_os: [Windows]
1668		urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx']
	2376	urls:
	2377	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx'
	2378	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
1669	2379	---
1670	2380	name: WindowsSessionManagerSubSystems
1671	2381	doc: Windows Session Manager SubSystems persistence

1684	2394	- type: REGISTRY_VALUE
1685	2395	attributes:
1686	2396	key_value_pairs:
1687		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline'}
1688		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'wowcmdline'}
	2397	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline'}
	2398	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'wowcmdline'}
1689	2399	supported_os: [Windows]
1690	2400	urls: ['https://support.microsoft.com/en-us/kb/102986']
	2401	---
	2402	name: WindowsSetupCommandLine
	2403	doc: Command line invocation used for custom setup and deployment tasks
	2404	sources:
	2405	- type: REGISTRY_VALUE
	2406	attributes:
	2407	key_value_pairs:
	2408	- {key: 'HKEY_LOCAL_MACHINE\System\Setup', value: 'CmdLine'}
	2409	supported_os: [Windows]
	2410	urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2']
1691	2411	---
1692	2412	name: WindowsSharedTaskScheduler
1693	2413	doc: Runs on windows boot.

1695	2415	- type: REGISTRY_KEY
1696	2416	attributes:
1697	2417	keys:
1698		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
1699		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
	2418	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
	2419	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
1700	2420	supported_os: [Windows]
1701	2421	urls:
1702	2422	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1708	2428	- type: REGISTRY_KEY
1709	2429	attributes:
1710	2430	keys:
1711		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*'
1712		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*'
	2431	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*'
	2432	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*'
1713	2433	supported_os: [Windows]
1714	2434	urls:
1715	2435	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1722	2442	- type: REGISTRY_KEY
1723	2443	attributes:
1724	2444	keys:
1725		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
1726		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
1727		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
1728		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
	2445	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
	2446	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
	2447	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
	2448	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
1729	2449	supported_os: [Windows]
1730	2450	urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110(v=vs.85).aspx']
1731	2451	---

1740	2460	- type: REGISTRY_KEY
1741	2461	attributes:
1742	2462	keys:
1743		- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\ColumnHandlers\'
1744		- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\ContextMenuHandlers\'
1745		- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\CopyHookHandlers\'
1746		- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\DragDropHandlers\'
1747		- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\PropertySheetHandlers\'
1748		- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*'
1749		- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*'
1750		- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*'
1751		- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*'
1752		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\ColumnHandlers\'
1753		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\ContextMenuHandlers\'
1754		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\CopyHookHandlers\'
1755		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\DragDropHandlers\'
1756		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\PropertySheetHandlers\'
1757		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*'
1758		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*'
1759		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*'
1760		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*'
1761		- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\ColumnHandlers\'
1762		- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\ContextMenuHandlers\'
1763		- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\CopyHookHandlers\'
1764		- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\DragDropHandlers\'
1765		- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\PropertySheetHandlers\'
1766		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*'
1767		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*'
1768		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*'
1769		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*'
1770		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\ColumnHandlers\'
1771		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\ContextMenuHandlers\'
1772		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\CopyHookHandlers\'
1773		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\DragDropHandlers\'
1774		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\PropertySheetHandlers\'
1775		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*'
1776		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*'
1777		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*'
1778		- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*'
	2463	- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\ColumnHandlers\'
	2464	- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\ContextMenuHandlers\'
	2465	- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\CopyHookHandlers\'
	2466	- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\DragDropHandlers\'
	2467	- 'HKEY_LOCAL_MACHINE\Software\Classes\\ShellEx\PropertySheetHandlers\'
	2468	- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*'
	2469	- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*'
	2470	- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*'
	2471	- 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*'
	2472	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\ColumnHandlers\'
	2473	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\ContextMenuHandlers\'
	2474	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\CopyHookHandlers\'
	2475	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\DragDropHandlers\'
	2476	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\\ShellEx\PropertySheetHandlers\'
	2477	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*'
	2478	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*'
	2479	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*'
	2480	- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*'
	2481	- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\ColumnHandlers\'
	2482	- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\ContextMenuHandlers\'
	2483	- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\CopyHookHandlers\'
	2484	- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\DragDropHandlers\'
	2485	- 'HKEY_USERS\%%users.sid%%\Software\Classes\\ShellEx\PropertySheetHandlers\'
	2486	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*'
	2487	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*'
	2488	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*'
	2489	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*'
	2490	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\ColumnHandlers\'
	2491	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\ContextMenuHandlers\'
	2492	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\CopyHookHandlers\'
	2493	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\DragDropHandlers\'
	2494	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\\ShellEx\PropertySheetHandlers\'
	2495	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*'
	2496	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*'
	2497	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*'
	2498	- 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*'
1779	2499	supported_os: [Windows]
1780	2500	urls:
1781	2501	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1788	2508	- type: REGISTRY_KEY
1789	2509	attributes:
1790	2510	keys:
1791		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
1792		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
1793		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
1794		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
	2511	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
	2512	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
	2513	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
	2514	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
1795	2515	supported_os: [Windows]
1796	2516	urls:
1797	2517	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

1803	2523	- type: REGISTRY_VALUE
1804	2524	attributes:
1805	2525	key_value_pairs:
1806		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'}
1807		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'}
1808		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'}
1809		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'}
	2526	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'}
	2527	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'}
	2528	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'}
	2529	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'}
1810	2530	supported_os: [Windows]
1811	2531	urls: ['https://support.microsoft.com/en-us/kb/103865']
1812	2532	---
	2533	name: WindowsIconServiceLib
	2534	doc: \|
	2535	Windows Icon Service Library Name
	2536
	2537	The value should default to 'IconCodecService.dll'
	2538	sources:
	2539	- type: REGISTRY_VALUE
	2540	attributes:
	2541	key_value_pairs:
	2542	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'IconServiceLib'}
	2543	supported_os: [Windows]
	2544	urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2']
	2545	---
1813	2546	name: WindowsShellOpenCommand
1814		doc: Executed every time this file type is opened, should be "%1 %*".
1815		sources:
1816		- type: REGISTRY_KEY
1817		attributes:
1818		keys:
1819		- 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command'
1820		- 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command'
1821		supported_os: [Windows]
1822		urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610']
	2547	doc: Executed every time this file type is opened. For most file types, the value should be '"%1" %*'.
	2548	sources:
	2549	- type: REGISTRY_VALUE
	2550	attributes:
	2551	key_value_pairs:
	2552	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: ''}
	2553	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: 'IsolatedCommand'}
	2554	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: ''}
	2555	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand'}
	2556	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: ''}
	2557	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: 'IsolatedCommand'}
	2558	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: ''}
	2559	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand'}
	2560	supported_os: [Windows]
	2561	urls:
	2562	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
	2563	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
	2564	- 'https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/'
	2565	---
	2566	name: WindowsShellRunasCommand
	2567	doc: \|
	2568	Executed every time an executable or script file type is run as administrator.
	2569
	2570	For most file types, the value should be '"%1" %*' or something similar.
	2571	Example file type subkeys include 'exefile', 'batfile', and 'cmdfile'. These
	2572	keys can be modified by malware as a way to be periodically executed or to
	2573	bypass UAC.
	2574	sources:
	2575	- type: REGISTRY_VALUE
	2576	attributes:
	2577	key_value_pairs:
	2578	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: ''}
	2579	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand'}
	2580	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: ''}
	2581	- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand'}
	2582	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: ''}
	2583	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand'}
	2584	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: ''}
	2585	- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand'}
	2586	supported_os: [Windows]
	2587	urls:
	2588	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
	2589	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
	2590	- 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'
1823	2591	---
1824	2592	name: WindowsShellServiceObjects
1825	2593	doc: Windows Shell (explorer.exe) service objects delayed load.

1827	2595	- type: REGISTRY_KEY
1828	2596	attributes:
1829	2597	keys:
1830		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
1831		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
	2598	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
	2599	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
1832	2600	supported_os: [Windows]
1833	2601	urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2']
1834	2602	---

1843	2611	- type: FILE
1844	2612	attributes:
1845	2613	paths:
1846		- '%%environ_systemroot%%\inf\setupapi.app.log'
1847		- '%%environ_systemroot%%\inf\setupapi.dev.log'
1848		- '%%environ_systemroot%%\inf\setupapi.offline.log'
	2614	- '%%environ_systemroot%%\inf\setupapi.app.log'
	2615	- '%%environ_systemroot%%\inf\setupapi.dev.log'
	2616	- '%%environ_systemroot%%\inf\setupapi.offline.log'
1849	2617	separator: '\'
1850	2618	conditions: [os_major_version >= 6]
1851	2619	labels: [Logs]
1852	2620	supported_os: [Windows]
1853		urls: ['http://www.forensicswiki.org/wiki/Setup_API_Logs']
	2621	urls: ['https://forensicswiki.xyz/wiki/index.php?title=Setup_API_Logs']
1854	2622	---
1855	2623	name: WindowsShutdownScript
1856	2624	doc: Windows policy shutdown script

1858	2626	- type: REGISTRY_VALUE
1859	2627	attributes:
1860	2628	key_value_pairs:
1861		- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Shutdown'}
1862		supported_os: [Windows]
1863		urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx']
	2629	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Shutdown'}
	2630	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\\', value: 'Script'}
	2631	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\\', value: 'Parameters'}
	2632	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\\', value: 'Script'}
	2633	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\\', value: 'Parameters'}
	2634	supported_os: [Windows]
	2635	urls:
	2636	- 'https://technet.microsoft.com/en-us/library/ff404236.aspx'
	2637	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
1864	2638	---
1865	2639	name: WindowsStartupFolderModification
1866	2640	doc: Windows startup folder Registry values.

1868	2642	- type: REGISTRY_VALUE
1869	2643	attributes:
1870	2644	key_value_pairs:
1871		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
1872		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
1873		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
1874		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
1875		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
1876		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
1877		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
1878		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
1879		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
1880		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
1881		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
1882		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
1883		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
1884		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
1885		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
1886		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
	2645	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
	2646	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
	2647	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
	2648	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
	2649	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
	2650	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
	2651	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
	2652	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
	2653	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
	2654	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
	2655	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
	2656	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
	2657	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'}
	2658	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'}
	2659	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'}
	2660	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'}
1887	2661	supported_os: [Windows]
1888	2662	---
1889	2663	name: WindowsStartupFolders

1892	2666	- type: FILE
1893	2667	attributes:
1894	2668	paths:
1895		- '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
1896		- '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
1897		- '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
1898		- '%%users.userprofile%%\Start Menu\Programs\Startup\*'
	2669	- '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
	2670	- '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
	2671	- '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
	2672	- '%%users.userprofile%%\Start Menu\Programs\Startup\*'
1899	2673	separator: '\'
1900	2674	supported_os: [Windows]
1901	2675	---

1905	2679	- type: REGISTRY_VALUE
1906	2680	attributes:
1907	2681	key_value_pairs:
1908		- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup'}
1909		supported_os: [Windows]
1910		urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx']
	2682	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup'}
	2683	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\\', value: 'Script'}
	2684	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\\', value: 'Parameters'}
	2685	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\\', value: 'Script'}
	2686	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\\', value: 'Parameters'}
	2687	supported_os: [Windows]
	2688	urls:
	2689	- 'https://technet.microsoft.com/en-us/library/ff404236.aspx'
	2690	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
1911	2691	---
1912	2692	name: WindowsStubPaths
1913		doc: Windows StubPath persistence.
1914		sources:
1915		- type: REGISTRY_VALUE
1916		attributes:
1917		key_value_pairs:
1918		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
1919		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
1920		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
1921		- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
1922		supported_os: [Windows]
	2693	doc: \|
	2694	Windows StubPath persistence.
	2695
	2696	Each time a user logs in, the Active Setup Installed Components in HKLM
	2697	are compared ot the ones in HKCU, and if any are missing, or if the
	2698	associated version is less, the program is executed.
	2699	sources:
	2700	- type: REGISTRY_VALUE
	2701	attributes:
	2702	key_value_pairs:
	2703	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
	2704	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version'}
	2705	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
	2706	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version'}
	2707	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
	2708	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version'}
	2709	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'}
	2710	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version'}
	2711	supported_os: [Windows]
	2712	urls:
	2713	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
	2714	- 'http://bonemanblog.blogspot.com/2004/12/active-setup-registry-keys-and-their.html'
1923	2715	---
1924	2716	name: WindowsSuperFetchFiles
1925	2717	doc: Windows SuperFetch files.

1927	2719	- type: FILE
1928	2720	attributes:
1929	2721	paths:
1930		- '%%environ_systemroot%%\Prefetch\Ag*.db'
1931		- '%%environ_systemroot%%\Prefetch\Ag*.db.trx'
	2722	- '%%environ_systemroot%%\Prefetch\Ag*.db'
	2723	- '%%environ_systemroot%%\Prefetch\Ag*.db.trx'
1932	2724	separator: '\'
1933	2725	labels: [System]
1934	2726	supported_os: [Windows]
1935		urls: ['http://www.forensicswiki.org/wiki/SuperFetch']
	2727	urls: ['https://forensicswiki.xyz/wiki/index.php?title=SuperFetch']
1936	2728	---
1937	2729	name: WindowsSystemIniFiles
1938	2730	doc: Windows system ini files

1940	2732	- type: FILE
1941	2733	attributes:
1942	2734	paths:
1943		- '%%environ_systemdrive%%\system.ini'
1944		- '%%environ_windir%%\win.ini'
1945		- '%%environ_windir%%\wininit.ini'
	2735	- '%%environ_systemdrive%%\system.ini'
	2736	- '%%environ_windir%%\win.ini'
	2737	- '%%environ_windir%%\wininit.ini'
1946	2738	separator: '\'
1947	2739	supported_os: [Windows]
1948	2740	---

1952	2744	- type: REGISTRY_VALUE
1953	2745	attributes:
1954	2746	key_value_pairs:
1955		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'}
1956		- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'}
	2747	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'}
	2748	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'}
1957	2749	supported_os: [Windows]
1958	2750	urls: ['https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx']
1959	2751	---

1963	2755	- type: FILE
1964	2756	attributes:
1965	2757	paths:
1966		- '%%environ_systemroot%%\System32\config\RegBack\SAM'
1967		- '%%environ_systemroot%%\System32\config\RegBack\SECURITY'
1968		- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE'
1969		- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM'
	2758	- '%%environ_systemroot%%\System32\config\RegBack\SAM'
	2759	- '%%environ_systemroot%%\System32\config\RegBack\SECURITY'
	2760	- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE'
	2761	- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM'
1970	2762	separator: '\'
1971	2763	labels: [System]
1972	2764	supported_os: [Windows]
1973		urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#types-of-files']
	2765	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
1974	2766	---
1975	2767	name: WindowsSystemRegistryTransactionLogFilesBackup
1976	2768	doc: \|

1981	2773	- type: FILE
1982	2774	attributes:
1983	2775	paths:
1984		- '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG'
1985		- '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1'
1986		- '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2'
1987		- '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG'
1988		- '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1'
1989		- '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2'
1990		- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG'
1991		- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1'
1992		- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2'
1993		- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG'
1994		- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1'
1995		- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2'
	2776	- '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG'
	2777	- '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1'
	2778	- '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2'
	2779	- '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG'
	2780	- '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1'
	2781	- '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2'
	2782	- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG'
	2783	- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1'
	2784	- '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2'
	2785	- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG'
	2786	- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1'
	2787	- '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2'
1996	2788	separator: '\'
1997	2789	labels: [System]
1998	2790	supported_os: [Windows]
1999		urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#types-of-files']
	2791	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2000	2792	---
2001	2793	name: WindowsSystemRegistryFiles
2002	2794	doc: Windows system Registry files.

2004	2796	- type: FILE
2005	2797	attributes:
2006	2798	paths:
2007		- '%%environ_systemroot%%\System32\config\SAM'
2008		- '%%environ_systemroot%%\System32\config\SECURITY'
2009		- '%%environ_systemroot%%\System32\config\SOFTWARE'
2010		- '%%environ_systemroot%%\System32\config\SYSTEM'
2011		- '\System Volume Information\Syscache.hve'
	2799	- '%%environ_systemroot%%\System32\config\SAM'
	2800	- '%%environ_systemroot%%\System32\config\SECURITY'
	2801	- '%%environ_systemroot%%\System32\config\SOFTWARE'
	2802	- '%%environ_systemroot%%\System32\config\SYSTEM'
	2803	- '\System Volume Information\Syscache.hve'
2012	2804	separator: '\'
2013	2805	labels: [System]
2014	2806	supported_os: [Windows]
2015		urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files']
	2807	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2016	2808	---
2017	2809	name: WindowsSystemRegistryTransactionLogFiles
2018	2810	doc: Windows system Registry transaction log files.

2020	2812	- type: FILE
2021	2813	attributes:
2022	2814	paths:
2023		- '%%environ_systemroot%%\System32\config\SAM.LOG'
2024		- '%%environ_systemroot%%\System32\config\SAM.LOG1'
2025		- '%%environ_systemroot%%\System32\config\SAM.LOG2'
2026		- '%%environ_systemroot%%\System32\config\SECURITY.LOG'
2027		- '%%environ_systemroot%%\System32\config\SECURITY.LOG1'
2028		- '%%environ_systemroot%%\System32\config\SECURITY.LOG2'
2029		- '%%environ_systemroot%%\System32\config\SOFTWARE.LOG'
2030		- '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1'
2031		- '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2'
2032		- '%%environ_systemroot%%\System32\config\SYSTEM.LOG'
2033		- '%%environ_systemroot%%\System32\config\SYSTEM.LOG1'
2034		- '%%environ_systemroot%%\System32\config\SYSTEM.LOG2'
	2815	- '%%environ_systemroot%%\System32\config\SAM.LOG'
	2816	- '%%environ_systemroot%%\System32\config\SAM.LOG1'
	2817	- '%%environ_systemroot%%\System32\config\SAM.LOG2'
	2818	- '%%environ_systemroot%%\System32\config\SECURITY.LOG'
	2819	- '%%environ_systemroot%%\System32\config\SECURITY.LOG1'
	2820	- '%%environ_systemroot%%\System32\config\SECURITY.LOG2'
	2821	- '%%environ_systemroot%%\System32\config\SOFTWARE.LOG'
	2822	- '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1'
	2823	- '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2'
	2824	- '%%environ_systemroot%%\System32\config\SYSTEM.LOG'
	2825	- '%%environ_systemroot%%\System32\config\SYSTEM.LOG1'
	2826	- '%%environ_systemroot%%\System32\config\SYSTEM.LOG2'
2035	2827	separator: '\'
2036	2828	labels: [System]
2037	2829	supported_os: [Windows]
2038		urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files']
	2830	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2039	2831	---
2040	2832	name: WindowsSystemRegistryFilesAndTransactionLogs
2041	2833	doc: Windows system Registry files and transaction logs.

2043	2835	- type: ARTIFACT_GROUP
2044	2836	attributes:
2045	2837	names:
2046		- 'WindowsSystemRegistryFiles'
2047		- 'WindowsSystemRegistryTransactionLogFiles'
	2838	- 'WindowsSystemRegistryFiles'
	2839	- 'WindowsSystemRegistryTransactionLogFiles'
2048	2840	labels: [System]
2049	2841	supported_os: [Windows]
	2842	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2050	2843	---
2051	2844	name: WindowsSystemResourceUsageMonitorDatabaseFile
2052	2845	doc: Windows System Resource Usage Monitor (SRUM) database file.

2076	2869	- type: REGISTRY_KEY
2077	2870	attributes:
2078	2871	keys:
2079		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
2080		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
2081		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
2082		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
2083		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
2084		- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
2085		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
2086		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
2087		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
2088		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
2089		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
2090		- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
	2872	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
	2873	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
	2874	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
	2875	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
	2876	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
	2877	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
	2878	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
	2879	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
	2880	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
	2881	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
	2882	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
	2883	- 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
2091	2884	supported_os: [Windows]
2092	2885	urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610']
2093	2886	---

2097	2890	- type: REGISTRY_VALUE
2098	2891	attributes:
2099	2892	key_value_pairs:
2100		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms'}
	2893	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms'}
2101	2894	supported_os: [Windows]
2102	2895	urls: ['http://forum.sysinternals.com/rdpclip_topic4729.html']
	2896	---
	2897	name: WindowsTerminalServerInitialProgram
	2898	doc: Windows Terminal Server Initial Program
	2899	sources:
	2900	- type: REGISTRY_VALUE
	2901	attributes:
	2902	key_value_pairs:
	2903	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', value: 'InitialProgram'}
	2904	- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'}
	2905	- {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'}
	2906	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'}
	2907	- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'}
	2908	supported_os: [Windows]
	2909	urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2']
	2910	---
	2911	name: WindowsActiveSyncAutoStart
	2912	doc: Windows ActiveSync AutoStart entries
	2913	sources:
	2914	- type: REGISTRY_KEY
	2915	attributes:
	2916	keys:
	2917	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnConnect\*'
	2918	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect\*'
	2919	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect\*'
	2920	- 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect\*'
	2921	supported_os: [Windows]
	2922	urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2']
2103	2923	---
2104	2924	name: WindowsTimezone
2105	2925	doc: The timezone of the system in Olson format.
2106	2926	sources:
2107	2927	- type: REGISTRY_VALUE
2108		attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]}
	2928	attributes:
	2929	key_value_pairs:
	2930	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}
	2931	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'}
2109	2932	provides: [time_zone]
2110	2933	supported_os: [Windows]
2111		urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys']
	2934	urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Time%20zone%20keys.asciidoc']
2112	2935	---
2113	2936	name: WindowsToolPaths
2114	2937	doc: Paths to windows tools such as defrag, chkdsk.

2116	2939	- type: REGISTRY_KEY
2117	2940	attributes:
2118	2941	keys:
2119		- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath'
2120		- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath'
2121		- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath'
2122		- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath'
	2942	- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath'
	2943	- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath'
	2944	- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath'
	2945	- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath'
2123	2946	supported_os: [Windows]
2124	2947	urls:
2125	2948	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

2130	2953	sources:
2131	2954	- type: REGISTRY_KEY
2132	2955	attributes:
2133		keys:
2134		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
2135		- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Userdata\%%users.sid%%\Products\*\InstallProperties'
	2956	keys:
	2957	- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\\'
	2958	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\\'
2136	2959	supported_os: [Windows]
2137	2960	urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx']
2138	2961	---

2153	2976	- type: REGISTRY_VALUE
2154	2977	attributes:
2155	2978	key_value_pairs:
2156		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'}
2157		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'}
2158		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'}
2159		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'}
2160		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'}
2161		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'}
2162		supported_os: [Windows]
2163		urls:
2164		- 'http://forensicswiki.org/wiki/Windows_Update'
	2979	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'}
	2980	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'}
	2981	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'}
	2982	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'}
	2983	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'}
	2984	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'}
	2985	supported_os: [Windows]
	2986	urls:
	2987	- 'https://forensicswiki.xyz/wiki/index.php?title=Windows_Update'
2165	2988	- 'http://blogs.msdn.com/b/aruns_blog/archive/2011/06/20/active-setup-registry-key-what-it-is-and-how-to-create-in-the-package-using-admin-studio-install-shield.aspx'
	2989	---
	2990	name: WindowsUserAutomaticDestinationsJumpLists
	2991	doc: Windows user AutomaticDestinations Jump Lists.
	2992	sources:
	2993	- type: FILE
	2994	attributes:
	2995	paths: ['%%users.appdata%%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms']
	2996	separator: '\'
	2997	labels: [Users]
	2998	supported_os: [Windows]
	2999	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
	3000	---
	3001	name: WindowsUserCustomDestinationsJumpLists
	3002	doc: Windows user CustomDestinations Jump Lists.
	3003	sources:
	3004	- type: FILE
	3005	attributes:
	3006	paths: ['%%users.appdata%%\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms']
	3007	separator: '\'
	3008	labels: [Users]
	3009	supported_os: [Windows]
	3010	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
2166	3011	---
2167	3012	name: WindowsUserDownloadsDirectory
2168	3013	doc: User downloads directory

2174	3019	labels: [Users]
2175	3020	supported_os: [Windows]
2176	3021	---
	3022	name: WindowsUserJumpLists
	3023	doc: Windows user Jump Lists.
	3024	sources:
	3025	- type: ARTIFACT_GROUP
	3026	attributes:
	3027	names:
	3028	- 'WindowsProgramsCacheJumpLists'
	3029	- 'WindowsUserAutomaticDestinationsJumpLists'
	3030	- 'WindowsUserCustomDestinationsJumpLists'
	3031	labels: [Users]
	3032	supported_os: [Windows]
	3033	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/JumpLists.md']
	3034	---
2177	3035	name: WindowsUserRecentFiles
2178	3036	doc: Windows user specific recent files.
2179	3037	sources:
2180	3038	- type: FILE
2181	3039	attributes:
2182	3040	paths:
2183		- '%%users.appdata%%\Microsoft\Office\Recent\*'
2184		- '%%users.appdata%%\Microsoft\Windows\Recent\*'
	3041	- '%%users.appdata%%\Microsoft\Office\Recent\*'
	3042	- '%%users.appdata%%\Microsoft\Windows\Recent\*'
2185	3043	separator: '\'
2186	3044	labels: [Users]
2187	3045	supported_os: [Windows]

2192	3050	- type: FILE
2193	3051	attributes:
2194	3052	paths:
2195		- '%%users.userprofile%%\NTUSER.DAT'
2196		- '%%users.userprofile%%\NTUSER.MAN'
2197		- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat'
	3053	- '%%users.userprofile%%\NTUSER.DAT'
	3054	- '%%users.userprofile%%\NTUSER.MAN'
	3055	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat'
2198	3056	separator: '\'
2199	3057	labels: [Users]
2200	3058	supported_os: [Windows]
2201		urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files']
	3059	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2202	3060	---
2203	3061	name: WindowsUserRegistryTransactionLogFiles
2204	3062	doc: Windows user Registry transaction log files.

2206	3064	- type: FILE
2207	3065	attributes:
2208	3066	paths:
2209		- '%%users.userprofile%%\NTUSER.DAT.LOG'
2210		- '%%users.userprofile%%\NTUSER.DAT.LOG1'
2211		- '%%users.userprofile%%\NTUSER.DAT.LOG2'
2212		- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG'
2213		- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1'
2214		- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2'
	3067	- '%%users.userprofile%%\NTUSER.DAT.LOG'
	3068	- '%%users.userprofile%%\NTUSER.DAT.LOG1'
	3069	- '%%users.userprofile%%\NTUSER.DAT.LOG2'
	3070	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG'
	3071	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1'
	3072	- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2'
2215	3073	separator: '\'
2216	3074	labels: [Users]
2217	3075	supported_os: [Windows]
2218		urls: ['https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files']
	3076	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2219	3077	---
2220	3078	name: WindowsUserRegistryFilesAndTransactionLogs
2221	3079	doc: Windows user Registry files and transaction logs.

2223	3081	- type: ARTIFACT_GROUP
2224	3082	attributes:
2225	3083	names:
2226		- 'WindowsUserRegistryFiles'
2227		- 'WindowsUserRegistryTransactionLogFiles'
	3084	- 'WindowsUserRegistryFiles'
	3085	- 'WindowsUserRegistryTransactionLogFiles'
2228	3086	labels: [Users]
2229	3087	supported_os: [Windows]
	3088	urls: ['https://github.com/ForensicArtifacts/artifacts-kb/blob/master/windows/RegistryFiles.md']
2230	3089	---
2231	3090	name: WindowsUserShellFolders
2232	3091	doc: The Shell Folders information for Windows users.

2234	3093	- type: REGISTRY_KEY
2235	3094	attributes:
2236	3095	keys:
2237		- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*'
2238		- 'HKEY_USERS\%%users.sid%%\Environment\*'
2239		- 'HKEY_USERS\%%users.sid%%\Volatile Environment\*'
	3096	- 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*'
	3097	- 'HKEY_USERS\%%users.sid%%\Environment\*'
	3098	- 'HKEY_USERS\%%users.sid%%\Volatile Environment\*'
2240	3099	provides:
2241	3100	- users.cookies
2242	3101	- users.appdata

2258	3117	- type: REGISTRY_VALUE
2259	3118	attributes:
2260	3119	key_value_pairs:
2261		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'}
2262		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'}
	3120	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'}
	3121	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'}
2263	3122	supported_os: [Windows]
2264	3123	urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx']
2265	3124	---

2269	3128	- type: REGISTRY_VALUE
2270	3129	attributes:
2271	3130	key_value_pairs:
2272		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'}
2273		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'}
	3131	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'}
	3132	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'}
2274	3133	supported_os: [Windows]
2275	3134	urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa379402(v=vs.85).aspx']
2276	3135	---

2280	3139	- type: REGISTRY_VALUE
2281	3140	attributes:
2282	3141	key_value_pairs:
2283		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'}
2284		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'}
	3142	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'}
	3143	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'}
2285	3144	supported_os: [Windows]
2286	3145	urls: ['https://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx']
2287	3146	---

2291	3150	- type: REGISTRY_VALUE
2292	3151	attributes:
2293	3152	key_value_pairs:
2294		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'}
2295		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'}
	3153	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'}
	3154	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'}
2296	3155	supported_os: [Windows]
2297	3156	urls:
2298	3157	- 'https://code.google.com/p/regripper/wiki/ASEPs'

2305	3164	- type: REGISTRY_VALUE
2306	3165	attributes:
2307	3166	key_value_pairs:
2308		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'}
2309		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'}
	3167	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'}
	3168	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'}
2310	3169	supported_os: [Windows]
2311	3170	urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx']
2312	3171	---

2316	3175	- type: REGISTRY_VALUE
2317	3176	attributes:
2318	3177	key_value_pairs:
2319		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'}
2320		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'}
	3178	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'}
	3179	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'}
2321	3180	supported_os: [Windows]
2322	3181	urls:
2323	3182	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'

2329	3188	- type: REGISTRY_VALUE
2330	3189	attributes:
2331	3190	key_value_pairs:
2332		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'}
2333		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'}
	3191	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'}
	3192	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'}
2334	3193	supported_os: [Windows]
2335	3194	urls: ['https://technet.microsoft.com/en-us/library/cc939862.aspx']
	3195	---
	3196	name: WindowsWinlogonAvailableShells
	3197	doc: \|
	3198	Windows Server Winlogon Available Shells
	3199
	3200	Used to specify an alternate shell application to be launched when
	3201	logging into Windows Server 2012 and later. Legitimate keys under
	3202	AvailableShells should just cause cmd.exe or explorer.exe to be executed,
	3203	whereas malicious programs may create keys that cause malware to be run
	3204	when a user logs in.
	3205	sources:
	3206	- type: REGISTRY_KEY
	3207	attributes:
	3208	keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells\*']
	3209	supported_os: [Windows]
	3210	urls:
	3211	- https://andymorgan.wordpress.com/2012/03/30/changing-the-default-shell-of-windows-server-8-core/
	3212	- https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2
2336	3213	---
2337	3214	name: WindowsWinlogonVMApplet
2338	3215	doc: Windows VMApplet replacement.

2340	3217	- type: REGISTRY_VALUE
2341	3218	attributes:
2342	3219	key_value_pairs:
2343		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'}
2344		- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'}
	3220	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'}
	3221	- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'}
2345	3222	supported_os: [Windows]
2346	3223	urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx']
2347	3224	---

2351	3228	- type: FILE
2352	3229	attributes:
2353	3230	paths:
2354		- '%%environ_windir%%\winstart.bat'
2355		- '%%environ_windir%%\dosstart.bat'
	3231	- '%%environ_windir%%\winstart.bat'
	3232	- '%%environ_windir%%\dosstart.bat'
2356	3233	separator: '\'
2357	3234	supported_os: [Windows]
2358	3235	---

2362	3239	- type: REGISTRY_VALUE
2363	3240	attributes:
2364	3241	key_value_pairs:
2365		- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'}
	3242	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'}
2366	3243	supported_os: [Windows]
2367	3244	urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx']
	3245	---
	3246	name: WindowsWinlogonGPExtensions
	3247	doc: \|
	3248	Windows Winlogon Group Policy Extensions
	3249
	3250	These keys specifiy DLLs that should be loaded when the group policy
	3251	engine loads, and can act as a persistence mechanism for malware.
	3252	sources:
	3253	- type: REGISTRY_VALUE
	3254	attributes:
	3255	key_value_pairs:
	3256	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''}
	3257	- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'}
	3258	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''}
	3259	- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'}
	3260	supported_os: [Windows]
	3261	urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2']
2368	3262	---
2369	3263	name: WinSock2LayeredServiceProviders
2370	3264	doc: Used to filter TCP/IP traffic through WinSock2.
2371	3265	sources:
2372	3266	- type: REGISTRY_KEY
2373	3267	attributes:
2374		keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*']
	3268	keys:
	3269	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*'
	3270	- 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*'
2375	3271	supported_os: [Windows]
2376	3272	urls:
2377	3273	- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
2378	3274	- 'https://en.wikipedia.org/wiki/Layered_Service_Provider'
	3275	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
2379	3276	---
2380	3277	name: WinSock2NamespaceProviders
2381		doc: WinSock2NamespaceProviders
2382		sources:
2383		- type: REGISTRY_VALUE
2384		attributes:
2385		key_value_pairs:
2386		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\namespace_catalog5\catalog_entries\*', value: 'LibraryPath'}
	3278	doc: Used to provide name-resolution services through WinSock2
	3279	sources:
	3280	- type: REGISTRY_VALUE
	3281	attributes:
	3282	key_value_pairs:
	3283	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*', value: 'LibraryPath'}
	3284	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*', value: 'LibraryPath'}
2387	3285	supported_os: [Windows]
2388	3286	urls:
2389	3287	- 'https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99&tabid=2'
2390	3288	- 'http://www.nirsoft.net/utils/winsock_service_providers.html'
2391	3289	- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms739923(v=vs.85).aspx'
	3290	- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
2392	3291	---
2393	3292	name: WindowsDNSSettings
2394	3293	doc: Windows Registry Keys that contain DNS and DHCP settings.

2396	3295	- type: REGISTRY_VALUE
2397	3296	attributes:
2398	3297	key_value_pairs:
2399		- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'}
2400		- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'}
2401		- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrenControlSet\Services\Dnscache\Parameters', value: 'NameServer'}
2402		- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'}
2403		- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'}
	3298	- {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'}
	3299	- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'}
	3300	- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters', value: 'NameServer'}
	3301	- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'}
	3302	- {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'}
2404	3303	labels: [System, Network]
2405	3304	supported_os: [Windows]
2406	3305	urls: ['https://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx']

+151

-149

data/windows_dll_hijacking.yaml less more

	0	# DLL Hijack Locations
	1
0	2	name: DLLHijackLocations
1	3	doc: DLL search order hijacking locations collected from base Windows 7.
2	4	urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html']

4	6	- type: FILE
5	7	attributes:
6	8	paths:
7		- '%%environ_windir%%\EXPLORERFRAME.dll'
8		- '%%environ_windir%%\DUser.dll'
9		- '%%environ_windir%%\DUI70.dll'
10		- '%%environ_windir%%\UxTheme.dll'
11		- '%%environ_windir%%\POWRPROF.dll'
12		- '%%environ_windir%%\dwmapi.dll'
13		- '%%environ_windir%%\slc.dll'
14		- '%%environ_windir%%\gdiplus.dll'
15		- '%%environ_windir%%\Secur32.dll'
16		- '%%environ_windir%%\SSPICLI.dll'
17		- '%%environ_windir%%\PROPSYS.dll'
18		- '%%environ_windir%%\WINSTA.dll'
19		- '%%environ_windir%%\CRYPTBASE.dll'
20		- '%%environ_windir%%\WindowsCodecs.dll'
21		- '%%environ_windir%%\profapi.dll'
22		- '%%environ_windir%%\apphelp.dll'
23		- '%%environ_windir%%\EhStorShell.dll'
24		- '%%environ_windir%%\cscui.dll'
25		- '%%environ_windir%%\CSCDLL.dll'
26		- '%%environ_windir%%\CSCAPI.dll'
27		- '%%environ_windir%%\ntshrui.dll'
28		- '%%environ_windir%%\srvcli.dll'
29		- '%%environ_windir%%\IconCodecService.dll'
30		- '%%environ_windir%%\CRYPTSP.dll'
31		- '%%environ_windir%%\rsaenh.dll'
32		- '%%environ_windir%%\RpcRtRemote.dll'
33		- '%%environ_windir%%\SndVolSSO.dll'
34		- '%%environ_windir%%\HID.dll'
35		- '%%environ_windir%%\MMDevApi.dll'
36		- '%%environ_windir%%\timedate.cpl'
37		- '%%environ_windir%%\ATL.dll'
38		- '%%environ_windir%%\actxprxy.dll'
39		- '%%environ_windir%%\ntmarta.dll'
40		- '%%environ_windir%%\shdocvw.dll'
41		- '%%environ_windir%%\LINKINFO.dll'
42		- '%%environ_windir%%\USERENV.dll'
43		- '%%environ_windir%%\shacct.dll'
44		- '%%environ_windir%%\gameux.dll'
45		- '%%environ_windir%%\XmlLite.dll'
46		- '%%environ_windir%%\wer.dll'
47		- '%%environ_windir%%\SAMLIB.dll'
48		- '%%environ_windir%%\msls31.dll'
49		- '%%environ_windir%%\tiptsf.dll'
50		- '%%environ_windir%%\authui.dll'
51		- '%%environ_windir%%\CRYPTUI.dll'
52		- '%%environ_windir%%\msiltcfg.dll'
53		- '%%environ_windir%%\VERSION.dll'
54		- '%%environ_windir%%\msi.dll'
55		- '%%environ_windir%%\NetworkExplorer.dll'
56		- '%%environ_windir%%\WINMM.dll'
57		- '%%environ_windir%%\wdmaud.drv'
58		- '%%environ_windir%%\ksuser.dll'
59		- '%%environ_windir%%\AVRT.dll'
60		- '%%environ_windir%%\AUDIOSES.dll'
61		- '%%environ_windir%%\msacm32.drv'
62		- '%%environ_windir%%\MSACM32.dll'
63		- '%%environ_windir%%\midimap.dll'
64		- '%%environ_windir%%\netutils.dll'
65		- '%%environ_windir%%\stobject.dll'
66		- '%%environ_windir%%\BatMeter.dll'
67		- '%%environ_windir%%\WTSAPI32.dll'
68		- '%%environ_windir%%\es.dll'
69		- '%%environ_windir%%\prnfldr.dll'
70		- '%%environ_windir%%\WINSPOOL.DRV'
71		- '%%environ_windir%%\dxp.dll'
72		- '%%environ_windir%%\Syncreg.dll'
73		- '%%environ_windir%%\netshell.dll'
74		- '%%environ_windir%%\IPHLPAPI.dll'
75		- '%%environ_windir%%\WINNSI.dll'
76		- '%%environ_windir%%\nlaapi.dll'
77		- '%%environ_windir%%\AltTab.dll'
78		- '%%environ_windir%%\pnidui.dll'
79		- '%%environ_windir%%\QUtil.dll'
80		- '%%environ_windir%%\wevtapi.dll'
81		- '%%environ_windir%%\dhcpcsvc6.dll'
82		- '%%environ_windir%%\dhcpcsvc.dll'
83		- '%%environ_windir%%\credssp.dll'
84		- '%%environ_windir%%\npmproxy.dll'
85		- '%%environ_windir%%\cscobj.dll'
86		- '%%environ_windir%%\Wlanapi.dll'
87		- '%%environ_windir%%\wlanutil.dll'
88		- '%%environ_windir%%\wwanapi.dll'
89		- '%%environ_windir%%\wwapi.dll'
90		- '%%environ_windir%%\QAgent.dll'
91		- '%%environ_windir%%\srchadmin.dll'
92		- '%%environ_windir%%\mssprxy.dll'
93		- '%%environ_windir%%\bthprops.cpl'
94		- '%%environ_windir%%\ieframe.dll'
95		- '%%environ_windir%%\OLEACC.dll'
96		- '%%environ_windir%%\SyncCenter.dll'
97		- '%%environ_windir%%\Actioncenter.dll'
98		- '%%environ_windir%%\imapi2.dll'
99		- '%%environ_windir%%\SXS.dll'
100		- '%%environ_windir%%\hgcpl.dll'
101		- '%%environ_windir%%\provsvc.dll'
102		- '%%environ_windir%%\wkscli.dll'
103		- '%%environ_windir%%\fxsst.dll'
104		- '%%environ_windir%%\FXSAPI.dll'
105		- '%%environ_windir%%\FXSRESM.dll'
106		- '%%environ_windir%%\ieproxy.dll'
107		- '%%environ_windir%%\thumbcache.dll'
108		- '%%environ_windir%%\rasadhlp.dll'
109		- '%%environ_windir%%\MPR.dll'
110		- '%%environ_windir%%\vmhgfs.dll'
111		- '%%environ_windir%%\drprov.dll'
112		- '%%environ_windir%%\ntlanman.dll'
113		- '%%environ_windir%%\davclnt.dll'
114		- '%%environ_windir%%\DAVHLPR.dll'
115		- '%%environ_windir%%\StructuredQuery.dll'
116		- '%%environ_windir%%\UIAnimation.dll'
117		- '%%environ_windir%%\DEVRTL.dll'
118		- '%%environ_windir%%\MLANG.dll'
119		- '%%environ_windir%%\wscinterop.dll'
120		- '%%environ_windir%%\WSCAPI.dll'
121		- '%%environ_windir%%\wscui.cpl'
122		- '%%environ_windir%%\werconcpl.dll'
123		- '%%environ_windir%%\framedynos.dll'
124		- '%%environ_windir%%\wercplsupport.dll'
125		- '%%environ_windir%%\msxml6.dll'
126		- '%%environ_windir%%\hcproviders.dll'
127		- '%%environ_windir%%\zipfldr.dll'
128		- '%%environ_windir%%\rarext.dll'
129		- '%%environ_windir%%\7-zip.dll'
130		- '%%environ_windir%%\twext.dll'
131		- '%%environ_windir%%\WinCDEmuContextMenu.dll'
132		- '%%environ_windir%%\syncui.dll'
133		- '%%environ_windir%%\SYNCENG.dll'
134		- '%%environ_windir%%\shlext010.dll'
135		- '%%environ_windir%%\ATL90.dll'
136		- '%%environ_windir%%\acppage.dll'
137		- '%%environ_windir%%\sfc.dll'
138		- '%%environ_windir%%\sfc_os.dll'
139		- '%%environ_windir%%\dsrole.dll'
140		- '%%environ_windir%%\ACLUI.dll'
141		- '%%environ_windir%%\NTDSAPI.dll'
142		- '%%environ_windir%%\PhotoBase.dll'
143		- '%%environ_windir%%\sbdrop.dll'
144		- '%%environ_windir%%\tquery.dll'
145		- '%%environ_windir%%\EhStorAPI.dll'
146		- '%%environ_windir%%\SearchFolder.dll'
147		- '%%environ_windir%%\NaturalLanguage6.dll'
148		- '%%environ_windir%%\NLSData0009.dll'
149		- '%%environ_windir%%\NLSLexicons0009.dll'
150		- '%%environ_windir%%\MsftEdit.dll'
151		- '%%environ_windir%%\dnsapi.dll'
152		- '%%environ_windir%%\RASAPI32.dll'
153		- '%%environ_windir%%\rasman.dll'
154		- '%%environ_windir%%\rtutils.dll'
155		- '%%environ_windir%%\sensapi.dll'
	9	- '%%environ_windir%%\EXPLORERFRAME.dll'
	10	- '%%environ_windir%%\DUser.dll'
	11	- '%%environ_windir%%\DUI70.dll'
	12	- '%%environ_windir%%\UxTheme.dll'
	13	- '%%environ_windir%%\POWRPROF.dll'
	14	- '%%environ_windir%%\dwmapi.dll'
	15	- '%%environ_windir%%\slc.dll'
	16	- '%%environ_windir%%\gdiplus.dll'
	17	- '%%environ_windir%%\Secur32.dll'
	18	- '%%environ_windir%%\SSPICLI.dll'
	19	- '%%environ_windir%%\PROPSYS.dll'
	20	- '%%environ_windir%%\WINSTA.dll'
	21	- '%%environ_windir%%\CRYPTBASE.dll'
	22	- '%%environ_windir%%\WindowsCodecs.dll'
	23	- '%%environ_windir%%\profapi.dll'
	24	- '%%environ_windir%%\apphelp.dll'
	25	- '%%environ_windir%%\EhStorShell.dll'
	26	- '%%environ_windir%%\cscui.dll'
	27	- '%%environ_windir%%\CSCDLL.dll'
	28	- '%%environ_windir%%\CSCAPI.dll'
	29	- '%%environ_windir%%\ntshrui.dll'
	30	- '%%environ_windir%%\srvcli.dll'
	31	- '%%environ_windir%%\IconCodecService.dll'
	32	- '%%environ_windir%%\CRYPTSP.dll'
	33	- '%%environ_windir%%\rsaenh.dll'
	34	- '%%environ_windir%%\RpcRtRemote.dll'
	35	- '%%environ_windir%%\SndVolSSO.dll'
	36	- '%%environ_windir%%\HID.dll'
	37	- '%%environ_windir%%\MMDevApi.dll'
	38	- '%%environ_windir%%\timedate.cpl'
	39	- '%%environ_windir%%\ATL.dll'
	40	- '%%environ_windir%%\actxprxy.dll'
	41	- '%%environ_windir%%\ntmarta.dll'
	42	- '%%environ_windir%%\shdocvw.dll'
	43	- '%%environ_windir%%\LINKINFO.dll'
	44	- '%%environ_windir%%\USERENV.dll'
	45	- '%%environ_windir%%\shacct.dll'
	46	- '%%environ_windir%%\gameux.dll'
	47	- '%%environ_windir%%\XmlLite.dll'
	48	- '%%environ_windir%%\wer.dll'
	49	- '%%environ_windir%%\SAMLIB.dll'
	50	- '%%environ_windir%%\msls31.dll'
	51	- '%%environ_windir%%\tiptsf.dll'
	52	- '%%environ_windir%%\authui.dll'
	53	- '%%environ_windir%%\CRYPTUI.dll'
	54	- '%%environ_windir%%\msiltcfg.dll'
	55	- '%%environ_windir%%\VERSION.dll'
	56	- '%%environ_windir%%\msi.dll'
	57	- '%%environ_windir%%\NetworkExplorer.dll'
	58	- '%%environ_windir%%\WINMM.dll'
	59	- '%%environ_windir%%\wdmaud.drv'
	60	- '%%environ_windir%%\ksuser.dll'
	61	- '%%environ_windir%%\AVRT.dll'
	62	- '%%environ_windir%%\AUDIOSES.dll'
	63	- '%%environ_windir%%\msacm32.drv'
	64	- '%%environ_windir%%\MSACM32.dll'
	65	- '%%environ_windir%%\midimap.dll'
	66	- '%%environ_windir%%\netutils.dll'
	67	- '%%environ_windir%%\stobject.dll'
	68	- '%%environ_windir%%\BatMeter.dll'
	69	- '%%environ_windir%%\WTSAPI32.dll'
	70	- '%%environ_windir%%\es.dll'
	71	- '%%environ_windir%%\prnfldr.dll'
	72	- '%%environ_windir%%\WINSPOOL.DRV'
	73	- '%%environ_windir%%\dxp.dll'
	74	- '%%environ_windir%%\Syncreg.dll'
	75	- '%%environ_windir%%\netshell.dll'
	76	- '%%environ_windir%%\IPHLPAPI.dll'
	77	- '%%environ_windir%%\WINNSI.dll'
	78	- '%%environ_windir%%\nlaapi.dll'
	79	- '%%environ_windir%%\AltTab.dll'
	80	- '%%environ_windir%%\pnidui.dll'
	81	- '%%environ_windir%%\QUtil.dll'
	82	- '%%environ_windir%%\wevtapi.dll'
	83	- '%%environ_windir%%\dhcpcsvc6.dll'
	84	- '%%environ_windir%%\dhcpcsvc.dll'
	85	- '%%environ_windir%%\credssp.dll'
	86	- '%%environ_windir%%\npmproxy.dll'
	87	- '%%environ_windir%%\cscobj.dll'
	88	- '%%environ_windir%%\Wlanapi.dll'
	89	- '%%environ_windir%%\wlanutil.dll'
	90	- '%%environ_windir%%\wwanapi.dll'
	91	- '%%environ_windir%%\wwapi.dll'
	92	- '%%environ_windir%%\QAgent.dll'
	93	- '%%environ_windir%%\srchadmin.dll'
	94	- '%%environ_windir%%\mssprxy.dll'
	95	- '%%environ_windir%%\bthprops.cpl'
	96	- '%%environ_windir%%\ieframe.dll'
	97	- '%%environ_windir%%\OLEACC.dll'
	98	- '%%environ_windir%%\SyncCenter.dll'
	99	- '%%environ_windir%%\Actioncenter.dll'
	100	- '%%environ_windir%%\imapi2.dll'
	101	- '%%environ_windir%%\SXS.dll'
	102	- '%%environ_windir%%\hgcpl.dll'
	103	- '%%environ_windir%%\provsvc.dll'
	104	- '%%environ_windir%%\wkscli.dll'
	105	- '%%environ_windir%%\fxsst.dll'
	106	- '%%environ_windir%%\FXSAPI.dll'
	107	- '%%environ_windir%%\FXSRESM.dll'
	108	- '%%environ_windir%%\ieproxy.dll'
	109	- '%%environ_windir%%\thumbcache.dll'
	110	- '%%environ_windir%%\rasadhlp.dll'
	111	- '%%environ_windir%%\MPR.dll'
	112	- '%%environ_windir%%\vmhgfs.dll'
	113	- '%%environ_windir%%\drprov.dll'
	114	- '%%environ_windir%%\ntlanman.dll'
	115	- '%%environ_windir%%\davclnt.dll'
	116	- '%%environ_windir%%\DAVHLPR.dll'
	117	- '%%environ_windir%%\StructuredQuery.dll'
	118	- '%%environ_windir%%\UIAnimation.dll'
	119	- '%%environ_windir%%\DEVRTL.dll'
	120	- '%%environ_windir%%\MLANG.dll'
	121	- '%%environ_windir%%\wscinterop.dll'
	122	- '%%environ_windir%%\WSCAPI.dll'
	123	- '%%environ_windir%%\wscui.cpl'
	124	- '%%environ_windir%%\werconcpl.dll'
	125	- '%%environ_windir%%\framedynos.dll'
	126	- '%%environ_windir%%\wercplsupport.dll'
	127	- '%%environ_windir%%\msxml6.dll'
	128	- '%%environ_windir%%\hcproviders.dll'
	129	- '%%environ_windir%%\zipfldr.dll'
	130	- '%%environ_windir%%\rarext.dll'
	131	- '%%environ_windir%%\7-zip.dll'
	132	- '%%environ_windir%%\twext.dll'
	133	- '%%environ_windir%%\WinCDEmuContextMenu.dll'
	134	- '%%environ_windir%%\syncui.dll'
	135	- '%%environ_windir%%\SYNCENG.dll'
	136	- '%%environ_windir%%\shlext010.dll'
	137	- '%%environ_windir%%\ATL90.dll'
	138	- '%%environ_windir%%\acppage.dll'
	139	- '%%environ_windir%%\sfc.dll'
	140	- '%%environ_windir%%\sfc_os.dll'
	141	- '%%environ_windir%%\dsrole.dll'
	142	- '%%environ_windir%%\ACLUI.dll'
	143	- '%%environ_windir%%\NTDSAPI.dll'
	144	- '%%environ_windir%%\PhotoBase.dll'
	145	- '%%environ_windir%%\sbdrop.dll'
	146	- '%%environ_windir%%\tquery.dll'
	147	- '%%environ_windir%%\EhStorAPI.dll'
	148	- '%%environ_windir%%\SearchFolder.dll'
	149	- '%%environ_windir%%\NaturalLanguage6.dll'
	150	- '%%environ_windir%%\NLSData0009.dll'
	151	- '%%environ_windir%%\NLSLexicons0009.dll'
	152	- '%%environ_windir%%\MsftEdit.dll'
	153	- '%%environ_windir%%\dnsapi.dll'
	154	- '%%environ_windir%%\RASAPI32.dll'
	155	- '%%environ_windir%%\rasman.dll'
	156	- '%%environ_windir%%\rtutils.dll'
	157	- '%%environ_windir%%\sensapi.dll'
156	158	separator: '\'
157	159	supported_os: [Windows]

+70

-0

data/wmi.yaml less more

36	36	supported_os: [Windows]
37	37	urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx']
38	38	---
	39	name: WMIDNSClientCache
	40	doc: DNS client cache via Windows Management Instrumentation (WMI).
	41	sources:
	42	- type: WMI
	43	attributes: {query: SELECT * from MSFT_DNSClientCache, base_object: 'winmgmts:\root\StandardCimv2'}
	44	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
	45	labels: [Network]
	46	supported_os: [Windows]
	47	urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache']
	48	---
39	49	name: WMIDrivers
40	50	doc: Installed drivers via Windows Management Instrumentation (WMI).
41	51	sources:

123	133	conditions: [os_major_version >= 6]
124	134	labels: [Software]
125	135	supported_os: [Windows]
	136	---
	137	name: WMINetNeighbors
	138	doc: TCP/IP neighbors via Windows Management Instrumentation (WMI).
	139	sources:
	140	- type: WMI
	141	attributes: {query: SELECT * from MSFT_NetNeighbor, base_object: 'winmgmts:\root\StandardCimv2'}
	142	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
	143	labels: [Network]
	144	supported_os: [Windows]
	145	urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor']
	146	---
	147	name: WMINetTCPConnections
	148	doc: TCP connections via Windows Management Instrumentation (WMI).
	149	sources:
	150	- type: WMI
	151	attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'}
	152	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
	153	labels: [Network]
	154	supported_os: [Windows]
	155	urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection']
	156	---
	157	name: WMINetUDPEndpoints
	158	doc: UDP endpoints via Windows Management Instrumentation (WMI).
	159	sources:
	160	- type: WMI
	161	attributes: {query: SELECT * from MSFT_NetUDPEndpoint, base_object: 'winmgmts:\root\StandardCimv2'}
	162	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
	163	labels: [Network]
	164	supported_os: [Windows]
	165	urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint']
	166	---
	167	name: WMIOperatingSystem
	168	doc: Operating system installed on the computer via Windows Management Instrumentation (WMI).
	169	sources:
	170	- type: WMI
	171	attributes: {query: SELECT * from Win32_OperatingSystem}
	172	conditions: [os_major_version >= 6]
	173	labels: [System]
	174	supported_os: [Windows]
	175	urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem']
126	176	---
127	177	name: WMIPhysicalMemory
128	178	doc: Physical memory information via Windows Management Instrumentation (WMI).

158	208	supported_os: [Windows]
159	209	urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx']
160	210	---
	211	name: WMIScheduledTasks
	212	doc: Scheduled tasks that are registered on the computer via Windows Management Instrumentation (WMI).
	213	sources:
	214	- type: WMI
	215	attributes: {query: SELECT * from MSFT_ScheduledTask, base_object: 'winmgmts:\root\Microsoft\Windows\TaskScheduler'}
	216	conditions: [os_major_version >= 6 AND os_minor_version >= 2]
	217	labels: [System]
	218	supported_os: [Windows]
	219	urls: ['https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/']
	220	---
161	221	name: WMIServices
162	222	doc: Services queried from WMI.
163	223	sources:
164	224	- type: WMI
165	225	attributes: {query: SELECT * FROM Win32_Service}
166	226	supported_os: [Windows]
	227	---
	228	name: WMIStartupCommands
	229	doc: Commands that run automatically when a user logs onto the computer system via Windows Management Instrumentation (WMI).
	230	sources:
	231	- type: WMI
	232	attributes: {query: SELECT * from Win32_StartupCommand}
	233	conditions: [os_major_version >= 6]
	234	labels: [System]
	235	supported_os: [Windows]
	236	urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand']
167	237	---
168	238	name: WMIUsers
169	239	doc: \|

-0

docs/Artifacts definition format and style guide.asciidoc less more

277	277	\| paths \| A list of file paths that can potentially be collected. +
278	278	The paths can use parameter expansion e.g. `%%environ_systemroot%%`. +
279	279	See section: <<parameter_expansion,Parameter expansion and globs>>
	280	\| separator \| Optional path segment seperator e.g. '\' for Windows systems. +
	281	When not specified the default path segment separator is '/'.
280	282	\|===
281	283
282	284	=== Path source

299	301	\| paths \| A list of file paths that can potentially be collected. +
300	302	The paths can use parameter expansion e.g. `%%environ_systemroot%%`. +
301	303	See section: <<parameter_expansion,Parameter expansion and globs>>
	304	\| separator \| Optional path segment seperator e.g. '\' for Windows systems. +
	305	When not specified the default path segment separator is '/'.
302	306	\|===
303	307
304	308	=== Windows Registry key source

365	369	[cols="1,5",options="header"]
366	370	\|===
367	371	\| Value \| Description
	372	\| base_object \| Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2`
368	373	\| query \| The Windows Management Instrumentation (WMI) query. +
369	374	The query can use parameter expansion e.g. `%%users.username%%`. +
370	375	See section: <<parameter_expansion,Parameter expansion and globs>>

-2

setup.cfg less more

7	7	AUTHORS
8	8	LICENSE
9	9	README
10		build_requires = python2-setuptools
11		requires = python2-pyyaml >= 3.10
	10	build_requires = python3-setuptools
	11	requires = python3-pyyaml >= 3.10
12	12
13	13	[bdist_wheel]
14	14	universal = 1

+22

-67

setup.py less more

4	4	from __future__ import print_function
5	5
6	6	import glob
7		import locale
8	7	import os
9	8	import sys
10	9

24	23	bdist_rpm = None
25	24
26	25	version_tuple = (sys.version_info[0], sys.version_info[1])
27		if version_tuple[0] not in (2, 3):
28		print('Unsupported Python version: {0:s}.'.format(sys.version))
29		sys.exit(1)
30
31		elif version_tuple[0] == 2 and version_tuple < (2, 7):
	26	if version_tuple < (3, 6):
32	27	print((
33		'Unsupported Python 2 version: {0:s}, version 2.7 or higher '
34		'required.').format(sys.version))
35		sys.exit(1)
36
37		elif version_tuple[0] == 3 and version_tuple < (3, 4):
38		print((
39		'Unsupported Python 3 version: {0:s}, version 3.4 or higher '
	28	'Unsupported Python version: {0:s}, version 3.6 or higher '
40	29	'required.').format(sys.version))
41	30	sys.exit(1)
42	31

52	41	class BdistMSICommand(bdist_msi):
53	42	"""Custom handler for the bdist_msi command."""
54	43
	44	# pylint: disable=invalid-name
55	45	def run(self):
56	46	"""Builds an MSI."""
57	47	# Command bdist_msi does not support the library version, neither a date

67	57	class BdistRPMCommand(bdist_rpm):
68	58	"""Custom handler for the bdist_rpm command."""
69	59
	60	# pylint: disable=invalid-name
70	61	def _make_spec_file(self):
71	62	"""Generates the text of an RPM spec file.
72	63

79	70	else:
80	71	spec_file = bdist_rpm._make_spec_file(self)
81	72
82		if sys.version_info[0] < 3:
83		python_package = 'python2'
84		else:
85		python_package = 'python3'
	73	python_package = 'python3'
86	74
87	75	description = []
88	76	requires = ''

100	88
101	89	elif line.startswith('Requires: '):
102	90	requires = line[10:]
103		if python_package == 'python3':
104		requires = requires.replace('python-', 'python3-')
105		requires = requires.replace('python2-', 'python3-')
106	91	continue
107	92
108	93	elif line.startswith('%description'):

121	106	line = '%py2_install'
122	107
123	108	elif line.startswith('%files'):
124		python_spec_file.extend([
125		'%package -n %{name}-tools',
126		'Requires: {0:s}-artifacts >= %{{version}}'.format(
127		python_package),
128		'Summary: Tools for {0:s}'.format(summary),
129		'',
130		'%description -n %{name}-tools'])
131
132		python_spec_file.extend(description)
133
134	109	lines = [
135	110	'%files -n %{name}-data',
136	111	'%defattr(644,root,root,755)',

143	118	'%license LICENSE',
144	119	'%doc ACKNOWLEDGEMENTS AUTHORS README']
145	120
146		if python_package == 'python3':
147		lines.extend([
148		'%{python3_sitelib}/artifacts/*.py',
149		'%{python3_sitelib}/artifacts.egg-info/',
150		'',
151		'%exclude %{_prefix}/share/doc/*',
152		'%exclude %{python3_sitelib}/artifacts/__pycache__/*'])
153
154		else:
155		lines.extend([
156		'%{python2_sitelib}/artifacts/*.py',
157		'%{python2_sitelib}/artifacts.egg-info/',
158		'',
159		'%exclude %{_prefix}/share/doc/*',
160		'%exclude %{python2_sitelib}/artifacts/*.pyc',
161		'%exclude %{python2_sitelib}/artifacts/*.pyo'])
	121	lines.extend([
	122	'%{python3_sitelib}/artifacts/*.py',
	123	'%{python3_sitelib}/artifacts.egg-info/',
	124	'',
	125	'%exclude %{_prefix}/share/doc/*',
	126	'%exclude %{python3_sitelib}/artifacts/__pycache__/*'])
162	127
163	128	python_spec_file.extend(lines)
164	129	break

176	141
177	142	python_spec_file.append(
178	143	'%package -n {0:s}-%{{name}}'.format(python_package))
179		if python_package == 'python2':
180		python_spec_file.extend([
181		'Obsoletes: python-artifacts < %{version}',
182		'Provides: python-artifacts = %{version}'])
183		python_summary = 'Python 2 module of {0:s}'.format(summary)
184		else:
185		python_summary = 'Python 3 module of {0:s}'.format(summary)
	144	python_summary = 'Python 3 module of {0:s}'.format(summary)
186	145
187	146	python_spec_file.extend([
188	147	'Requires: artifacts-data >= %{{version}} {0:s}'.format(

193	152
194	153	python_spec_file.extend(description)
195	154
	155	python_spec_file.extend([
	156	'%package -n %{name}-tools',
	157	'Requires: {0:s}-artifacts >= %{{version}}'.format(
	158	python_package),
	159	'Summary: Tools for {0:s}'.format(summary),
	160	'',
	161	'%description -n %{name}-tools'])
	162
	163	python_spec_file.extend(description)
	164
196	165	elif in_description:
197	166	# Ignore leading white lines in the description.
198	167	if not description and not line:

208	177	'%{_bindir}/*.py'])
209	178
210	179	return python_spec_file
211
212
213		if version_tuple[0] == 2:
214		encoding = sys.stdin.encoding # pylint: disable=invalid-name
215
216		# Note that sys.stdin.encoding can be None.
217		if not encoding:
218		encoding = locale.getpreferredencoding()
219
220		# Make sure the default encoding is set correctly otherwise on Python 2
221		# setup.py sdist will fail to include filenames with Unicode characters.
222		reload(sys) # pylint: disable=undefined-variable
223
224		sys.setdefaultencoding(encoding) # pylint: disable=no-member
225	180
226	181
227	182	artifacts_description = (

+12

-8

tests/reader_test.py less more

112	112	supported_os: [Windows]
113	113	"""
114	114
115		@test_lib.skipUnlessHasTestFile(['definitions.yaml'])
116	115	def testReadFileObject(self):
117	116	"""Tests the ReadFileObject function."""
118		artifact_reader = reader.YamlArtifactsReader()
119	117	test_file = self._GetTestFilePath(['definitions.yaml'])
	118	self._SkipIfPathNotExists(test_file)
	119
	120	artifact_reader = reader.YamlArtifactsReader()
120	121
121	122	with open(test_file, 'rb') as file_object:
122	123	artifact_definitions = list(artifact_reader.ReadFileObject(file_object))

314	315	with self.assertRaises(errors.FormatError):
315	316	_ = list(artifact_reader.ReadFileObject(file_object))
316	317
317		@test_lib.skipUnlessHasTestFile(['definitions.yaml'])
318	318	def testReadYamlFile(self):
319	319	"""Tests the ReadFile function."""
320		artifact_reader = reader.YamlArtifactsReader()
321	320	test_file = self._GetTestFilePath(['definitions.yaml'])
	321	self._SkipIfPathNotExists(test_file)
	322
	323	artifact_reader = reader.YamlArtifactsReader()
322	324
323	325	artifact_definitions = list(artifact_reader.ReadFile(test_file))
324	326	self.assertEqual(len(artifact_definitions), 7)

331	333	artifact_definitions = list(artifact_reader.ReadDirectory(test_file))
332	334	self.assertEqual(len(artifact_definitions), 7)
333	335
334		@test_lib.skipUnlessHasTestFile(['definitions.yaml'])
335	336	def testArtifactAsDict(self):
336	337	"""Tests the AsDict function."""
337		artifact_reader = reader.YamlArtifactsReader()
338	338	test_file = self._GetTestFilePath(['definitions.yaml'])
	339	self._SkipIfPathNotExists(test_file)
	340
	341	artifact_reader = reader.YamlArtifactsReader()
339	342
340	343	with open(test_file, 'r') as file_object:
341	344	for artifact_definition in yaml.safe_load_all(file_object):

364	367	class JsonArtifactsReaderTest(test_lib.BaseTestCase):
365	368	"""JSON artifacts reader tests."""
366	369
367		@test_lib.skipUnlessHasTestFile(['definitions.json'])
368	370	def testReadJsonFile(self):
369	371	"""Tests the ReadFile function."""
	372	test_file = self._GetTestFilePath(['definitions.json'])
	373	self._SkipIfPathNotExists(test_file)
	374
370	375	artifact_reader = reader.JsonArtifactsReader()
371		test_file = self._GetTestFilePath(['definitions.json'])
372	376
373	377	artifact_definitions = list(artifact_reader.ReadFile(test_file))
374	378

-2

tests/registry_test.py less more

47	47
48	48	# pylint: disable=protected-access
49	49
50		@test_lib.skipUnlessHasTestFile(['definitions.yaml'])
51	50	def testArtifactDefinitionsRegistry(self):
52	51	"""Tests the ArtifactDefinitionsRegistry functions."""
	52	test_file = self._GetTestFilePath(['definitions.yaml'])
	53	self._SkipIfPathNotExists(test_file)
	54
53	55	artifact_registry = registry.ArtifactDefinitionsRegistry()
54	56
55	57	artifact_reader = reader.YamlArtifactsReader()
56		test_file = self._GetTestFilePath(['definitions.yaml'])
57	58
58	59	for artifact_definition in artifact_reader.ReadFile(test_file):
59	60	artifact_registry.RegisterDefinition(artifact_definition)

+12

-0

tests/source_type_test.py less more

59	59	source_type.FileSourceType(paths=['test'])
60	60	source_type.FileSourceType(paths=['test'], separator='\\')
61	61
	62	with self.assertRaises(errors.FormatError):
	63	source_type.FileSourceType()
	64
	65	with self.assertRaises(errors.FormatError):
	66	source_type.FileSourceType(paths='test')
	67
62	68
63	69	class PathSourceTypeTest(test_lib.BaseTestCase):
64	70	"""Class to test the paths source type."""

67	73	"""Tests the __init__ function."""
68	74	source_type.PathSourceType(paths=['test'])
69	75	source_type.PathSourceType(paths=['test'], separator='\\')
	76
	77	with self.assertRaises(errors.FormatError):
	78	source_type.PathSourceType()
	79
	80	with self.assertRaises(errors.FormatError):
	81	source_type.PathSourceType(paths='test')
70	82
71	83
72	84	class WindowsRegistryKeySourceTypeTest(test_lib.BaseTestCase):

+13

-39

tests/test_lib.py less more

4	4
5	5	import os
6	6	import shutil
7		import sys
8	7	import tempfile
9	8	import unittest
10
11
12		def skipUnlessHasTestFile(path_segments): # pylint: disable=invalid-name
13		"""Decorator to skip a test if the test file does not exist.
14
15		Args:
16		path_segments (list[str]): path segments inside the test data directory.
17
18		Returns:
19		function: to invoke.
20		"""
21		fail_unless_has_test_file = getattr(
22		unittest, 'fail_unless_has_test_file', False)
23
24		path = os.path.join('test_data', *path_segments)
25		if fail_unless_has_test_file or os.path.exists(path):
26		return lambda function: function
27
28		if sys.version_info[0] < 3:
29		path = path.encode('utf-8')
30
31		# Note that the message should be of type str which is different for
32		# different versions of Python.
33		return unittest.skip('missing test file: {0:s}'.format(path))
34
35
36		def GetTestFilePath(path_segments):
37		"""Retrieves the path of a test file in the test data directory.
38
39		Args:
40		path_segments (list[str]): path segments inside the test data directory.
41
42		Returns:
43		str: path of the test file.
44		"""
45		# Note that we need to pass the individual path segments to os.path.join
46		# and not a list.
47		return os.path.join(os.getcwd(), 'test_data', *path_segments)
48	9
49	10
50	11	class BaseTestCase(unittest.TestCase):

70	31	# and not a list.
71	32	return os.path.join(self._TEST_DATA_PATH, *path_segments)
72	33
	34	def _SkipIfPathNotExists(self, path):
	35	"""Skips the test if the path does not exist.
	36
	37	Args:
	38	path (str): path of a test file.
	39
	40	Raises:
	41	SkipTest: if the path path does not exist and the test should be skipped.
	42	"""
	43	if not os.path.exists(path):
	44	filename = os.path.basename(path)
	45	raise unittest.SkipTest('missing test file: {0:s}'.format(filename))
	46
73	47
74	48	class TempDirectory(object):
75	49	"""Class that implements a temporary directory."""

-2

tests/writer_test.py less more

24	24	filename (str): name of the file to convert.
25	25	"""
26	26	test_file = self._GetTestFilePath([filename])
	27	self._SkipIfPathNotExists(test_file)
	28
27	29	artifact_definitions = list(artifact_reader.ReadFile(test_file))
28	30
29	31	with test_lib.TempDirectory() as temporary_directory:

38	40	[artifact.AsDict() for artifact in artifact_definitions],
39	41	[artifact.AsDict() for artifact in converted_artifact_definitions])
40	42
41		@test_lib.skipUnlessHasTestFile(['definitions.json'])
42	43	def testJsonWriter(self):
43	44	"""Tests conversion with the JsonArtifactsWriter."""
44	45	artifact_reader = reader.JsonArtifactsReader()

46	47	self._TestArtifactsConversion(
47	48	artifact_reader, artifact_writer, 'definitions.json')
48	49
49		@test_lib.skipUnlessHasTestFile(['definitions.yaml'])
50	50	def testYamlWriter(self):
51	51	"""Tests conversion with the YamlArtifactsWriter."""
52	52	artifact_reader = reader.YamlArtifactsReader()

+24

-24

tools/stats.py less more

17	17	def __init__(self):
18	18	"""Initializes artifact statistics."""
19	19	super(ArtifactStatistics, self).__init__()
20		self.label_counts = {}
21		self.os_counts = {}
22		self.path_count = 0
23		self.reg_key_count = 0
24		self.source_type_counts = {}
25		self.total_count = 0
	20	self._label_counts = {}
	21	self._os_counts = {}
	22	self._path_count = 0
	23	self._reg_key_count = 0
	24	self._source_type_counts = {}
	25	self._total_count = 0
26	26
27	27	def _PrintDictAsTable(self, src_dict):
28	28	"""Prints a table of artifact definitions.

51	51	def PrintOSTable(self):
52	52	"""Prints a table of artifact definitions by operating system."""
53	53	print('Artifacts by OS\n')
54		self._PrintDictAsTable(self.os_counts)
	54	self._PrintDictAsTable(self._os_counts)
55	55
56	56	def PrintLabelTable(self):
57	57	"""Prints a table of artifact definitions by label."""
58	58	print('Artifacts by label\n')
59		self._PrintDictAsTable(self.label_counts)
	59	self._PrintDictAsTable(self._label_counts)
60	60
61	61	def PrintSourceTypeTable(self):
62	62	"""Prints a table of artifact definitions by source type."""
63	63	print('Artifacts by type\n')
64		self._PrintDictAsTable(self.source_type_counts)
	64	self._PrintDictAsTable(self._source_type_counts)
65	65
66	66	def PrintSummaryTable(self):
67	67	"""Prints a summary table."""

74	74	\| Registry keys covered \| {2:d} \|
75	75	\| Total artifacts \| {3:d} \|
76	76	""".format(
77		time.strftime('%Y-%m-%d'), self.path_count, self.reg_key_count,
78		self.total_count))
	77	time.strftime('%Y-%m-%d'), self._path_count, self._reg_key_count,
	78	self._total_count))
79	79
80	80	def BuildStats(self):
81	81	"""Builds the statistics."""
82	82	artifact_reader = reader.YamlArtifactsReader()
83		self.label_counts = {}
84		self.os_counts = {}
85		self.path_count = 0
86		self.reg_key_count = 0
87		self.source_type_counts = {}
88		self.total_count = 0
	83	self._label_counts = {}
	84	self._os_counts = {}
	85	self._path_count = 0
	86	self._reg_key_count = 0
	87	self._source_type_counts = {}
	88	self._total_count = 0
89	89
90	90	for artifact_definition in artifact_reader.ReadDirectory('data'):
91	91	if hasattr(artifact_definition, 'labels'):
92	92	for label in artifact_definition.labels:
93		self.label_counts[label] = self.label_counts.get(label, 0) + 1
	93	self._label_counts[label] = self._label_counts.get(label, 0) + 1
94	94
95	95	for source in artifact_definition.sources:
96		self.total_count += 1
	96	self._total_count += 1
97	97	source_type = source.type_indicator
98		self.source_type_counts[source_type] = self.source_type_counts.get(
	98	self._source_type_counts[source_type] = self._source_type_counts.get(
99	99	source_type, 0) + 1
100	100
101	101	if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
102		self.reg_key_count += len(source.keys)
	102	self._reg_key_count += len(source.keys)
103	103	elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
104		self.reg_key_count += len(source.key_value_pairs)
	104	self._reg_key_count += len(source.key_value_pairs)
105	105	elif source_type in (definitions.TYPE_INDICATOR_FILE,
106	106	definitions.TYPE_INDICATOR_DIRECTORY):
107		self.path_count += len(source.paths)
	107	self._path_count += len(source.paths)
108	108
109	109	os_list = source.supported_os
110	110	for os_str in os_list:
111		self.os_counts[os_str] = self.os_counts.get(os_str, 0) + 1
	111	self._os_counts[os_str] = self._os_counts.get(os_str, 0) + 1
112	112
113	113	def PrintStats(self):
114	114	"""Build stats and print in MarkDown format."""

+252

-33

tools/validator.py less more

5	5	from __future__ import unicode_literals
6	6
7	7	import argparse
	8	import glob
8	9	import logging
9	10	import os
10	11	import sys

21	22	LEGACY_PATH = os.path.join('data', 'legacy.yaml')
22	23
23	24	_MACOS_PRIVATE_SUB_PATHS = ('etc', 'tftpboot', 'tmp', 'var')
	25
	26	_SUPPORTED_POSIX_USERS_VARIABLES = [
	27	'%%users.homedir%%']
	28
	29	_SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES = [
	30	'%%environ_allusersappdata%%',
	31	'%%environ_allusersprofile%%',
	32	'%%environ_programfiles%%',
	33	'%%environ_programfilesx86%%',
	34	'%%environ_systemdrive%%',
	35	'%%environ_systemroot%%',
	36	'%%environ_windir%%']
	37
	38	_SUPPORTED_WINDOWS_USERS_VARIABLES = [
	39	'%%users.appdata%%',
	40	'%%users.localappdata%%',
	41	'%%users.sid%%',
	42	'%%users.temp%%',
	43	'%%users.username%%',
	44	'%%users.userprofile%%']
24	45
25	46	def __init__(self):
26	47	"""Initializes an artifact definitions validator."""

28	49	self._artifact_registry = registry.ArtifactDefinitionsRegistry()
29	50	self._artifact_registry_key_paths = set()
30	51
31		def _CheckRegistryKeyPath(self, filename, artifact_definition, key_path):
32		"""Checks a Windows Registry key path.
	52	def _CheckGlobstarInPathSegment(
	53	self, filename, artifact_definition, path, path_segment):
	54	"""Checks if a globstar in a path segment is valid.
33	55
34	56	Args:
35	57	filename (str): name of the artifacts definition file.
36	58	artifact_definition (ArtifactDefinition): artifact definition.
37		key_path (str): key path.
38
39		Returns:
40		bool: True if the Registry key path is valid.
41		"""
42		result = True
43		key_path = key_path.upper()
44
45		if key_path.startswith('%%CURRENT_CONTROL_SET%%'):
46		result = False
47		logging.warning((
48		'Artifact definition: {0:s} in file: {1:s} contains Windows '
49		'Registry key path that starts with '
50		'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
51		'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format(
52		artifact_definition.name, filename))
53
54		return result
	59	path (str): path of which the path segment originated.
	60	path_segment (str): path segment to validate.
	61
	62	Returns:
	63	bool: True if the globstar is valid.
	64	"""
	65	if not path_segment.startswith('**'):
	66	logging.warning((
	67	'Unuspported globstar with prefix: {0:s} for path: {1:s} defined by '
	68	'artifact definition: {2:s} in file: {3:s}').format(
	69	path_segment, path, artifact_definition.name, filename))
	70	return False
	71
	72	if len(path_segment) > 2:
	73	try:
	74	recursion_depth = int(path_segment[2:], 10)
	75	except (TypeError, ValueError):
	76	logging.warning((
	77	'Unuspported globstar with suffix: {0:s} for path: {1:s} defined '
	78	'by artifact definition: {2:s} in file: {3:s}').format(
	79	path_segment, path, artifact_definition.name, filename))
	80	return False
	81
	82	if recursion_depth <= 0 or recursion_depth > 10:
	83	logging.warning((
	84	'Globstar with unsupported recursion depth: {0:s} for path: {1:s} '
	85	'defined by artifact definition: {2:s} in file: {3:s}').format(
	86	path_segment, path, artifact_definition.name, filename))
	87	return False
	88
	89	return True
55	90
56	91	def _CheckMacOSPaths(self, filename, artifact_definition, source, paths):
57	92	"""Checks if the paths are valid MacOS paths.

96	131	path, artifact_definition.name, filename))
97	132	result = False
98	133
	134	has_globstar = False
	135	for path_segment in path_segments:
	136	if '**' in path_segment:
	137	if has_globstar:
	138	logging.warning((
	139	'Unsupported path: {0:s} with multiple globstars defined by '
	140	'artifact definition: {1:s} in file: {2:s}').format(
	141	path, artifact_definition.name, filename))
	142	result = False
	143	break
	144
	145	has_globstar = True
	146	if not self._CheckGlobstarInPathSegment(
	147	filename, artifact_definition, path, path_segment):
	148	result = False
	149
	150	if has_globstar and path.endswith(source.separator):
	151	logging.warning((
	152	'Unsupported path: {0:s} with globstar and trailing path '
	153	'separator defined by artifact definition: {1:s} in file: '
	154	'{2:s}').format(path, artifact_definition.name, filename))
	155	result = False
	156
99	157	for private_path in paths_with_private:
100	158	if private_path[8:] not in paths_with_symbolic_link_to_private:
101	159	logging.warning((

116	174
117	175	return result
118	176
	177	def _CheckPath(self, filename, artifact_definition, source, path):
	178	"""Checks if a path is valid.
	179
	180	Args:
	181	filename (str): name of the artifacts definition file.
	182	artifact_definition (ArtifactDefinition): artifact definition.
	183	source (SourceType): source definition.
	184	path (str): path to validate.
	185
	186	Returns:
	187	bool: True if the path is valid.
	188	"""
	189	result = True
	190
	191	path_segments = path.split(source.separator)
	192
	193	has_globstar = False
	194	for path_segment in path_segments:
	195	if '**' in path_segment:
	196	if has_globstar:
	197	logging.warning((
	198	'Unsupported path: {0:s} with multiple globstars defined by '
	199	'artifact definition: {1:s} in file: {2:s}').format(
	200	path, artifact_definition.name, filename))
	201	result = False
	202	break
	203
	204	has_globstar = True
	205	if not self._CheckGlobstarInPathSegment(
	206	filename, artifact_definition, path, path_segment):
	207	result = False
	208
	209	if has_globstar and path.endswith(source.separator):
	210	logging.warning((
	211	'Unsupported path: {0:s} with globstar and trailing path '
	212	'separator defined by artifact definition: {1:s} in file: '
	213	'{2:s}').format(path, artifact_definition.name, filename))
	214	result = False
	215
	216	return result
	217
119	218	def _CheckWindowsPath(self, filename, artifact_definition, source, path):
120	219	"""Checks if a path is a valid Windows path.
121	220

200	299	'definition: {1:s} in file: {2:s}').format(
201	300	path, artifact_definition.name, filename))
202	301	result = False
	302
	303	has_globstar = False
	304	for path_segment in path_segments:
	305	if path_segment.startswith('%%') and path_segment.endswith('%%'):
	306	if (path_segment.startswith('%%environ_') and
	307	path_segment not in self._SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES):
	308	result = False
	309	logging.warning((
	310	'Artifact definition: {0:s} in file: {1:s} contains Windows '
	311	'path that contains an unuspported environment variable: '
	312	'"{2:s}".').format(
	313	artifact_definition.name, filename, path_segment))
	314
	315	elif (path_segment.startswith('%%users.') and
	316	path_segment not in self._SUPPORTED_WINDOWS_USERS_VARIABLES):
	317	result = False
	318	logging.warning((
	319	'Artifact definition: {0:s} in file: {1:s} contains Windows '
	320	'path that contains an unsupported users variable: '
	321	'"{2:s}". ').format(
	322	artifact_definition.name, filename, path_segment))
	323
	324	elif '**' in path_segment:
	325	if has_globstar:
	326	logging.warning((
	327	'Unsupported path: {0:s} with multiple globstars defined by '
	328	'artifact definition: {1:s} in file: {2:s}').format(
	329	path, artifact_definition.name, filename))
	330	result = False
	331	break
	332
	333	has_globstar = True
	334	if not self._CheckGlobstarInPathSegment(
	335	filename, artifact_definition, path, path_segment):
	336	result = False
	337
	338	if has_globstar and path.endswith(source.separator):
	339	logging.warning((
	340	'Unsupported path: {0:s} with globstar and trailing path '
	341	'separator defined by artifact definition: {1:s} in file: '
	342	'{2:s}').format(path, artifact_definition.name, filename))
	343	result = False
	344
	345	return result
	346
	347	def _CheckWindowsRegistryKeyPath(
	348	self, filename, artifact_definition, key_path):
	349	"""Checks if a path is a valid Windows Registry key path.
	350
	351	Args:
	352	filename (str): name of the artifacts definition file.
	353	artifact_definition (ArtifactDefinition): artifact definition.
	354	key_path (str): Windows Registry key path to validate.
	355
	356	Returns:
	357	bool: True if the Windows Registry key path is valid.
	358	"""
	359	result = True
	360	key_path_segments = key_path.lower().split('\\')
	361
	362	if key_path_segments[0] == '%%current_control_set%%':
	363	result = False
	364	logging.warning((
	365	'Artifact definition: {0:s} in file: {1:s} contains Windows '
	366	'Registry key path that starts with '
	367	'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
	368	'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format(
	369	artifact_definition.name, filename))
	370
	371	for segment_index, key_path_segment in enumerate(key_path_segments):
	372	if key_path_segment.startswith('%%') and key_path_segment.endswith('%%'):
	373	if (segment_index == 1 and key_path_segment == '%%users.sid%%' and
	374	key_path_segments[0] == 'hkey_users'):
	375	continue
	376
	377	if key_path_segment.startswith('%%environ_'):
	378	result = False
	379	logging.warning((
	380	'Artifact definition: {0:s} in file: {1:s} contains Windows '
	381	'Registry key path that contains an environment variable: '
	382	'"{2:s}". Usage of environment variables in key paths is not '
	383	'encouraged at this time.').format(
	384	artifact_definition.name, filename, key_path_segment))
	385
	386	elif key_path_segment.startswith('%%users.'):
	387	result = False
	388	logging.warning((
	389	'Artifact definition: {0:s} in file: {1:s} contains Windows '
	390	'Registry key path that contains a users variable: "{2:s}". '
	391	'Usage of users variables in key paths, except for '
	392	'"HKEY_USERS\\%%users.sid%%", is not encouraged at this '
	393	'time.').format(
	394	artifact_definition.name, filename, key_path_segment))
203	395
204	396	return result
205	397

231	423	result = True
232	424
233	425	self._artifact_registry_key_paths.update(source.keys)
	426	return result
	427
	428	def CheckDirectory(self, path):
	429	"""Validates the artifacts definition in a specific directory.
	430
	431	Args:
	432	path (str): path of the directory containing the artifacts definition
	433	files.
	434
	435	Returns:
	436	bool: True if the file contains valid artifacts definitions.
	437	"""
	438	for filename in glob.glob(os.path.join(path, '*.yaml')):
	439	result = self.CheckFile(filename)
	440	if not result:
	441	break
	442
234	443	return result
235	444
236	445	def CheckFile(self, filename):

280	489	filename, artifact_definition, source, path):
281	490	result = False
282	491
	492	else:
	493	for path in source.paths:
	494	if not self._CheckPath(
	495	filename, artifact_definition, source, path):
	496	result = False
	497
283	498	elif source.type_indicator == (
284	499	definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
285	500

291	506	result = False
292	507
293	508	for key_path in source.keys:
294		if not self._CheckRegistryKeyPath(
	509	if not self._CheckWindowsRegistryKeyPath(
295	510	filename, artifact_definition, key_path):
296	511	result = False
297	512

299	514	definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):
300	515
301	516	for key_value_pair in source.key_value_pairs:
302		if not self._CheckRegistryKeyPath(
	517	if not self._CheckWindowsRegistryKeyPath(
303	518	filename, artifact_definition, key_value_pair['key']):
304	519	result = False
305	520

330	545	description='Validates an artifact definitions file.')
331	546
332	547	args_parser.add_argument(
333		'filename',
334		nargs='?',
335		action='store',
336		metavar='artifacts.yaml',
337		default=None,
338		help=('path of the file that contains the artifact '
	548	'definitions', nargs='?', action='store', metavar='PATH', default=None,
	549	help=('path of the file or directory that contains the artifact '
339	550	'definitions.'))
340	551
341	552	options = args_parser.parse_args()
342	553
343		if not options.filename:
	554	if not options.definitions:
344	555	print('Source value is missing.')
345	556	print('')
346	557	args_parser.print_help()
347	558	print('')
348	559	return False
349	560
350		if not os.path.isfile(options.filename):
351		print('No such file: {0:s}'.format(options.filename))
	561	if not os.path.exists(options.definitions):
	562	print('No such file or directory: {0:s}'.format(options.definitions))
352	563	print('')
353	564	return False
354	565
355		print('Validating: {0:s}'.format(options.filename))
356	566	validator = ArtifactDefinitionsValidator()
357		if not validator.CheckFile(options.filename):
	567
	568	if os.path.isdir(options.definitions):
	569	print('Validating definitions in: {0:s}/*.yaml'.format(options.definitions))
	570	result = validator.CheckDirectory(options.definitions)
	571
	572	elif os.path.isfile(options.definitions):
	573	print('Validating definitions in: {0:s}'.format(options.definitions))
	574	result = validator.CheckFile(options.definitions)
	575
	576	if not result:
358	577	print('FAILURE')
359	578	return False
360	579

+29

-6

tox.ini less more

0	0	[tox]
1		envlist = py2, py3
	1	envlist = py3{6,7,8},coverage,pylint
2	2
3	3	[testenv]
4	4	pip_pre = True

7	7	deps =
8	8	-rrequirements.txt
9	9	-rtest_requirements.txt
	10	coverage: coverage
10	11	commands =
11		./run_tests.py
	12	py3{6,7,8}: ./run_tests.py
	13	coverage: coverage erase
	14	coverage: coverage run --source=artifacts --omit="_test,__init__,test_lib" run_tests.py
12	15
13		[testenv:py27]
	16	[testenv:codecov]
	17	skip_install = true
	18	passenv =
	19	CI
	20	TRAVIS_BUILD_ID
	21	TRAVIS_COMMIT
	22	TRAVIS_JOB_ID
	23	TRAVIS_JOB_NUMBER
	24	TRAVIS_PULL_REQUEST
	25	TRAVIS_REPO_SLUG
	26	TRAVIS TRAVIS_BRANCH
	27	deps =
	28	codecov
	29	commands =
	30	codecov
	31
	32	[testenv:pylint]
	33	skipsdist=True
14	34	pip_pre = True
15	35	setenv =
16	36	PYTHONPATH = {toxinidir}
17	37	deps =
18	38	-rrequirements.txt
19	39	-rtest_requirements.txt
20		coverage
	40	pylint >= 2.4.0, < 2.5.0
21	41	commands =
22		coverage erase
23		coverage run --source=artifacts --omit="_test,__init__,test_lib" run_tests.py
	42	pylint --version
	43	# Ignore setup.py for now due to:
	44	# setup.py:15:0: E0001: Cannot import 'distutils.command.bdist_msi' due to
	45	# syntax error 'expected an indented block (<unknown>, line 347)' (syntax-error)
	46	pylint --rcfile=.pylintrc artifacts tests tools

+21

-52

utils/dependencies.py less more

3	3	from __future__ import print_function
4	4	from __future__ import unicode_literals
5	5
	6	import configparser
6	7	import re
7
8		try:
9		import ConfigParser as configparser
10		except ImportError:
11		import configparser # pylint: disable=import-error
12	8
13	9
14	10	class DependencyDefinition(object):

21	17	provides the dependency.
22	18	l2tbinaries_name (str): name of the l2tbinaries package that provides
23	19	the dependency.
24		maximum_version (str): maximum supported version.
25		minimum_version (str): minimum supported version.
	20	maximum_version (str): maximum supported version, a greater or equal
	21	version is not supported.
	22	minimum_version (str): minimum supported version, a lesser version is
	23	not supported.
26	24	name (str): name of (the Python module that provides) the dependency.
27	25	pypi_name (str): name of the PyPI package that provides the dependency.
28	26	python2_only (bool): True if the dependency is only supported by Python 2.
29	27	python3_only (bool): True if the dependency is only supported by Python 3.
30	28	rpm_name (str): name of the rpm package that provides the dependency.
	29	skip_check (bool): True if the dependency should be skipped by the
	30	CheckDependencies or CheckTestDependencies methods of DependencyHelper.
31	31	version_property (str): name of the version attribute or function.
32	32	"""
33	33

49	49	self.python2_only = False
50	50	self.python3_only = False
51	51	self.rpm_name = None
	52	self.skip_check = None
52	53	self.version_property = None
53	54
54	55

66	67	'python2_only',
67	68	'python3_only',
68	69	'rpm_name',
	70	'skip_check',
69	71	'version_property'])
70	72
71	73	def _GetConfigValue(self, config_parser, section_name, value_name):

93	95	Yields:
94	96	DependencyDefinition: dependency definition.
95	97	"""
96		config_parser = configparser.RawConfigParser()
97		# pylint: disable=deprecated-method
98		# TODO: replace readfp by read_file, check if Python 2 compatible
99		config_parser.readfp(file_object)
	98	config_parser = configparser.ConfigParser(interpolation=None)
	99	config_parser.read_file(file_object)
100	100
101	101	for section_name in config_parser.sections():
102	102	dependency_definition = DependencyDefinition(section_name)

146	146	dependency (DependencyDefinition): dependency definition.
147	147
148	148	Returns:
149		tuple: consists:
	149	tuple: containing:
150	150
151	151	bool: True if the Python module is available and conforms to
152	152	the minimum required version, False otherwise.

177	177	maximum_version (str): maximum version.
178	178
179	179	Returns:
180		tuple: consists:
	180	tuple: containing:
181	181
182	182	bool: True if the Python module is available and conforms to
183	183	the minimum required version, False otherwise.

251	251	status_message = '{0:s} version: {1!s}'.format(module_name, module_version)
252	252	return True, status_message
253	253
254		def _CheckSQLite3(self):
255		"""Checks the availability of sqlite3.
256
257		Returns:
258		tuple: consists:
259
260		bool: True if the Python module is available and conforms to
261		the minimum required version, False otherwise.
262		str: status message.
263		"""
264		# On Windows sqlite3 can be provided by both pysqlite2.dbapi2 and
265		# sqlite3. sqlite3 is provided with the Python installation and
266		# pysqlite2.dbapi2 by the pysqlite2 Python module. Typically
267		# pysqlite2.dbapi2 would contain a newer version of sqlite3, hence
268		# we check for its presence first.
269		module_name = 'pysqlite2.dbapi2'
270		minimum_version = '3.7.8'
271
272		module_object = self._ImportPythonModule(module_name)
273		if not module_object:
274		module_name = 'sqlite3'
275
276		module_object = self._ImportPythonModule(module_name)
277		if not module_object:
278		status_message = 'missing: {0:s}.'.format(module_name)
279		return False, status_message
280
281		return self._CheckPythonModuleVersion(
282		module_name, module_object, 'sqlite_version', minimum_version, None)
283
284	254	def _ImportPythonModule(self, module_name):
285	255	"""Imports a Python module.
286	256

336	306	print('Checking availability and versions of dependencies.')
337	307	check_result = True
338	308
339		for module_name, dependency in sorted(self.dependencies.items()):
340		if module_name == 'sqlite3':
341		result, status_message = self._CheckSQLite3()
342		else:
343		result, status_message = self._CheckPythonModule(dependency)
344
345		if not result and module_name == 'lzma':
346		dependency.name = 'backports.lzma'
347		result, status_message = self._CheckPythonModule(dependency)
	309	for _, dependency in sorted(self.dependencies.items()):
	310	if dependency.skip_check:
	311	continue
	312
	313	result, status_message = self._CheckPythonModule(dependency)
348	314
349	315	if not result and not dependency.is_optional:
350	316	check_result = False

376	342	for dependency in sorted(
377	343	self._test_dependencies.values(),
378	344	key=lambda dependency: dependency.name):
	345	if dependency.skip_check:
	346	continue
	347
379	348	result, status_message = self._CheckPythonModule(dependency)
380	349	if not result:
381	350	check_result = False