From 1bd36618c046ef755df39ad6823044beb8fc97bb Mon Sep 17 00:00:00 2001
From: Tonmoy Jitu <52621226+tonmoy0010@users.noreply.github.com>
Date: Sat, 14 Jun 2025 12:39:56 +1000
Subject: [PATCH 1/2] chore: prepare RegSeek v1.0.0 release
---
 artifacts/system/security_center.yml | 2 +-
 artifacts/user-activity/vlc_player.yml | 99 --------------------------
 scripts/build.py | 2 +-
 3 files changed, 2 insertions(+), 101 deletions(-)
 delete mode 100644 artifacts/user-activity/vlc_player.yml
diff --git a/artifacts/system/security_center.yml b/artifacts/system/security_center.yml
index 16b2764..6812db9 100644
--- a/artifacts/system/security_center.yml
+++ b/artifacts/system/security_center.yml
@@ -55,7 +55,7 @@ details:
 metadata:
 windows_versions:
- - "Windows XP SP2"
+ - "Windows XP"
 - "Windows Vista"
 - "Windows 7"
 - "Windows 8"
diff --git a/artifacts/user-activity/vlc_player.yml b/artifacts/user-activity/vlc_player.yml
deleted file mode 100644
index 3750895..0000000
--- a/artifacts/user-activity/vlc_player.yml
+++ /dev/null
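Review bot: Replacing "Windows XP SP2" with "Windows XP" in `windows_versions` drops the service-pack qualifier, and Security Center — with the registry keys this artifact documents — only exists on XP from SP2 onward, so an XP RTM/SP1 image is outside the artifact's scope. If the list is being normalized so the version filter matches across artifacts, the precision should survive in the file's `introduced:` field, which lies outside this hunk; `introduced: "Windows XP SP2"` keeps the nuance without breaking the filter. The enclosing `metadata:` block continues outside the hunk.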
@@ -1,99 +0,0 @@ -title: "VLC Media Player Usage and Media History" -category: "user-activity" -description: "VLC player configuration, recent media files, playlists, and playback history" - -paths: - - "HKCU\\Software\\VideoLAN\\VLC" - - "HKLM\\SOFTWARE\\VideoLAN\\VLC" - - "HKCU\\Software\\Classes\\VLC.*" - - "HKLM\\SOFTWARE\\Classes\\VLC.*" - -details: - what: | - VLC Media Player stores configuration including recent media files, playlists, - playback preferences, subtitle settings, and file associations. Registry tracks - media consumption patterns, network streaming usage, codec preferences, and - interface customizations for comprehensive media player behavior analysis - and user media consumption activity tracking. - - forensic_value: | - Important for investigating media consumption patterns, potential copyright - violations, network streaming activity, and evidence of specific media file - access. Shows evidence of video/audio content consumption, network media - streaming, and can reveal timeline information about user media activities. - Useful for behavioral analysis and establishing user presence/activity patterns. - - structure: | - VLC configuration includes recent media lists, interface preferences, codec - settings, network stream URLs, subtitle configurations, and file association - data. Recent items show media file paths, network streams, and access timestamps - for comprehensive media consumption analysis and user behavior profiling. 
- - examples: - - "RecentMRL: file:///C:/Users/user/Videos/suspicious_video.mp4" - - "RecentMRL: http://streaming-server.com/live/stream.m3u8" - - "RecentMRL: smb://network-share/media/confidential_meeting.avi" - - "Interface\\UseNativeStyle: 1 (Native Windows interface)" - - "Codec\\FFmpegDemux: 1 (FFmpeg demuxer enabled)" - - "Playlist\\PlaylistRepeat: 0 (Repeat disabled)" - - tools: - - name: "VLC Media Player Preferences" - description: "Built-in VLC configuration and media library management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Media Forensics Tools" - description: "Specialized tools for media file analysis and metadata extraction" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "VLC Media Player" - - criticality: "low" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "vlc" - - "media-player" - - "video-consumption" - - "media-history" - - "streaming" - - "file-access" - - references: - - title: "VLC Media Player" - url: "https://www.videolan.org/vlc/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Media history and preferences persist until manually cleared" - volatility: "Recent media lists provide ongoing user activity evidence" - - related_artifacts: - - "media_consumption" - - "file_access_history" - - "recent_documents" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/scripts/build.py b/scripts/build.py index 92fc337..752295e 100644 --- a/scripts/build.py +++ b/scripts/build.py 
@@ -165,7 +165,7 @@ def build_site():
 "statistics": stats,
 "total": len(valid_artifacts),
 "last_updated": datetime.now().isoformat(),
- "version": "2.0.0",
+ "version": "1.0.0",
 "build_info": {
 "total_files_processed": len(artifacts),
 "valid_artifacts": len(valid_artifacts),
From 32e90d21df37e6d88e7aac88d077c989afee4f5a Mon Sep 17 00:00:00 2001
From: Tonmoy Jitu <52621226+tonmoy0010@users.noreply.github.com> Date: Sat, 14 Jun 2025 12:53:44 +1000 Subject: [PATCH 2/2] feat: upodated site with new categories and artifact template --- README.md | 89 +- artifacts/_template.yml | 44 +- .../credential_providers.yml | 53 +- artifacts/browser/activex_controls.yml | 121 --- artifacts/browser/browser_helper_objects.yml | 125 --- artifacts/browser/chrome_history.yml | 121 --- artifacts/browser/downloads.yml | 105 --- artifacts/browser/firefox_history.yml | 111 --- artifacts/browser/security_zones.yml | 117 --- artifacts/browser/tor.yml | 101 --- artifacts/browser/typed_urls.yml | 114 --- artifacts/cloud/box_sync.yml | 98 --- artifacts/cloud/dropbox_desktop.yml | 98 --- artifacts/cloud/google_drive_desktop.yml | 99 --- artifacts/cloud/icloud.yml | 98 --- artifacts/cloud/onedrive_sync.yml | 116 --- artifacts/communication/discord.yml | 98 --- artifacts/communication/microsoft_teams.yml | 98 --- artifacts/communication/slack.yml | 98 --- artifacts/communication/telephony.yml | 125 --- artifacts/communication/whatsapp.yml | 96 --- artifacts/communication/zoom.yml | 98 --- artifacts/execution/amcache.yml | 113 --- artifacts/execution/app_compat_flags.yml | 125 --- artifacts/execution/app_paths.yml | 129 --- artifacts/execution/appcompat_cache.yml | 124 --- artifacts/execution/docker.yml | 96 --- artifacts/execution/git.yml | 104 --- artifacts/execution/muicache.yml | 126 --- artifacts/execution/powershell_policy.yml | 128 --- artifacts/execution/prefetch_settings.yml | 126 --- artifacts/execution/services.yml | 127 --- artifacts/execution/userassist.yml | 111 --- artifacts/execution/visual_stuido_code.yml | 101 --- artifacts/execution/windows_terminal.yml | 96 --- artifacts/execution/wsh_settings.yml | 128 --- artifacts/malware/quarantine.yml | 119 --- artifacts/mobile/device_sync.yml | 112 --- artifacts/mobile/itunes.yml | 103 --- artifacts/network/anydesk.yml | 100 --- artifacts/network/bits_service.yml | 128 --- 
artifacts/network/bluetooth_devices.yml | 109 --- artifacts/network/dns_cache.yml | 121 --- artifacts/network/firewall_rules.yml | 128 --- artifacts/network/mapped_drives.yml | 125 --- artifacts/network/netbios_settings.yml | 119 --- artifacts/network/network_interfaces.yml | 137 --- artifacts/network/proxy_settings.yml | 135 --- artifacts/network/remote_assistance.yml | 118 --- artifacts/network/shared_folders.yml | 125 --- artifacts/network/teamviewer.yml | 102 --- artifacts/network/teredo_ipv6.yml | 115 --- artifacts/network/terminal_services.yml | 130 --- artifacts/network/upnp_settings.yml | 112 --- artifacts/network/vpn_connections.yml | 134 --- artifacts/network/wifi_profiles.yml | 112 --- .../persistence/appcertdlls_injection.yml | 127 --- artifacts/persistence/com_objects.yml | 137 --- artifacts/persistence/image_hijack.yml | 134 --- artifacts/persistence/lsa_packages.yml | 130 --- artifacts/persistence/print_processors.yml | 132 --- artifacts/persistence/registry_run_keys.yml | 129 --- artifacts/persistence/scheduled_tasks.yml | 132 --- artifacts/persistence/screensaver.yml | 123 --- artifacts/persistence/shell_extensions.yml | 135 --- artifacts/persistence/shell_folders.yml | 133 --- artifacts/persistence/winlogon_userinit.yml | 133 --- artifacts/persistence/wmi_events.yml | 130 --- artifacts/security/bitlocker_config.yml | 117 --- .../camera_microphone_access_control.yml | 101 --- artifacts/security/device_permissions.yml | 109 --- artifacts/security/explorer_policies.yml | 123 --- artifacts/security/local_security_policy.yml | 123 --- artifacts/security/sam_security.yml | 124 --- artifacts/security/uac.yml | 98 --- artifacts/security/vpn_client.yml | 100 --- .../security/windows_defender_app_guard.yml | 100 --- .../security/windows_defender_security.yml | 123 --- artifacts/security/windows_firewall.yml | 100 --- artifacts/security/windows_hello.yml | 117 --- artifacts/system/applocker_policies.yml | 109 --- artifacts/system/boot_configuration.yml | 114 
--- artifacts/system/certificate_stores.yml | 120 --- artifacts/system/computer_name.yml | 118 --- artifacts/system/device_install_policies.yml | 123 --- artifacts/system/error_reporting.yml | 120 --- artifacts/system/event_log_config.yml | 126 --- artifacts/system/file_associations.yml | 128 --- artifacts/system/file_history_backup.yml | 110 --- artifacts/system/hardware_devices.yml | 127 --- artifacts/system/installed_programs.yml | 136 --- artifacts/system/location_services.yml | 111 --- artifacts/system/page_file.yml | 117 --- artifacts/system/performance_monitoring.yml | 121 --- artifacts/system/power_management.yml | 119 --- artifacts/system/sam_authentication.yml | 139 --- artifacts/system/security_center.yml | 118 --- artifacts/system/security_policy.yml | 124 --- artifacts/system/software_restriction.yml | 117 --- artifacts/system/startup_programs.yml | 125 --- artifacts/system/timezone_settings.yml | 123 --- artifacts/system/user_profiles.yml | 129 --- artifacts/system/version_info.yml | 125 --- artifacts/system/volume_shadow_copy.yml | 120 --- artifacts/system/windows_activation.yml | 118 --- artifacts/system/windows_defender.yml | 121 --- artifacts/system/windows_features.yml | 117 --- artifacts/system/windows_update.yml | 126 --- artifacts/usb/device_capabilities.yml | 134 --- artifacts/usb/device_history.yml | 127 --- artifacts/usb/drive_letter_mapping.yml | 119 --- artifacts/usb/last_write_times.yml | 118 --- artifacts/usb/wpdbusenum_connections.yml | 120 --- artifacts/user-activity/acmru.yml | 110 --- artifacts/user-activity/comdlg32_settings.yml | 113 --- .../user-activity/gaming_entertainment.yml | 109 --- artifacts/user-activity/jump_lists.yml | 100 --- .../user-activity/lastvisited_pidl_mru.yml | 128 --- artifacts/user-activity/mail_client.yml | 114 --- artifacts/user-activity/microsoft_store.yml | 108 --- artifacts/user-activity/notepad_plus_plus.yml | 100 --- artifacts/user-activity/office_files.yml | 132 --- 
artifacts/user-activity/opensavemru.yml | 133 --- artifacts/user-activity/print_history.yml | 119 --- artifacts/user-activity/recent_docs.yml | 132 --- .../user-activity/run_dialog_history.yml | 117 --- artifacts/user-activity/search_history.yml | 120 --- artifacts/user-activity/seven_zip.yml | 105 --- artifacts/user-activity/shellbags.yml | 131 --- artifacts/user-activity/thumbnail_cache.yml | 119 --- artifacts/user-activity/voice_recorder.yml | 92 -- artifacts/user-activity/windows_spotlight.yml | 93 -- artifacts/user-activity/winrar.yml | 103 --- artifacts/user-activity/winzip.yml | 102 --- artifacts/user-activity/wordwheel_query.yml | 114 --- artifacts/virtualization/hyperv.yml | 117 --- .../virtualization/oracle_virtual_box.yml | 108 --- artifacts/virtualization/vmware.yml | 100 --- .../virtualization/windows_containers.yml | 115 --- .../windows_subsystem_linux.yml | 111 --- scripts/validate.py | 807 +++++++++++++----- site/css/styles.css | 686 ++++++++++++--- site/index.html | 122 ++- site/js/app.js | 556 +++++++++--- 144 files changed, 1818 insertions(+), 16568 deletions(-) rename artifacts/{security => authentication}/credential_providers.yml (68%) delete mode 100644 artifacts/browser/activex_controls.yml delete mode 100644 artifacts/browser/browser_helper_objects.yml delete mode 100644 artifacts/browser/chrome_history.yml delete mode 100644 artifacts/browser/downloads.yml delete mode 100644 artifacts/browser/firefox_history.yml delete mode 100644 artifacts/browser/security_zones.yml delete mode 100644 artifacts/browser/tor.yml delete mode 100644 artifacts/browser/typed_urls.yml delete mode 100644 artifacts/cloud/box_sync.yml delete mode 100644 artifacts/cloud/dropbox_desktop.yml delete mode 100644 artifacts/cloud/google_drive_desktop.yml delete mode 100644 artifacts/cloud/icloud.yml delete mode 100644 artifacts/cloud/onedrive_sync.yml delete mode 100644 artifacts/communication/discord.yml delete mode 100644 artifacts/communication/microsoft_teams.yml 
delete mode 100644 artifacts/communication/slack.yml delete mode 100644 artifacts/communication/telephony.yml delete mode 100644 artifacts/communication/whatsapp.yml delete mode 100644 artifacts/communication/zoom.yml delete mode 100644 artifacts/execution/amcache.yml delete mode 100644 artifacts/execution/app_compat_flags.yml delete mode 100644 artifacts/execution/app_paths.yml delete mode 100644 artifacts/execution/appcompat_cache.yml delete mode 100644 artifacts/execution/docker.yml delete mode 100644 artifacts/execution/git.yml delete mode 100644 artifacts/execution/muicache.yml delete mode 100644 artifacts/execution/powershell_policy.yml delete mode 100644 artifacts/execution/prefetch_settings.yml delete mode 100644 artifacts/execution/services.yml delete mode 100644 artifacts/execution/userassist.yml delete mode 100644 artifacts/execution/visual_stuido_code.yml delete mode 100644 artifacts/execution/windows_terminal.yml delete mode 100644 artifacts/execution/wsh_settings.yml delete mode 100644 artifacts/malware/quarantine.yml delete mode 100644 artifacts/mobile/device_sync.yml delete mode 100644 artifacts/mobile/itunes.yml delete mode 100644 artifacts/network/anydesk.yml delete mode 100644 artifacts/network/bits_service.yml delete mode 100644 artifacts/network/bluetooth_devices.yml delete mode 100644 artifacts/network/dns_cache.yml delete mode 100644 artifacts/network/firewall_rules.yml delete mode 100644 artifacts/network/mapped_drives.yml delete mode 100644 artifacts/network/netbios_settings.yml delete mode 100644 artifacts/network/network_interfaces.yml delete mode 100644 artifacts/network/proxy_settings.yml delete mode 100644 artifacts/network/remote_assistance.yml delete mode 100644 artifacts/network/shared_folders.yml delete mode 100644 artifacts/network/teamviewer.yml delete mode 100644 artifacts/network/teredo_ipv6.yml delete mode 100644 artifacts/network/terminal_services.yml delete mode 100644 artifacts/network/upnp_settings.yml delete mode 100644 
artifacts/network/vpn_connections.yml delete mode 100644 artifacts/network/wifi_profiles.yml delete mode 100644 artifacts/persistence/appcertdlls_injection.yml delete mode 100644 artifacts/persistence/com_objects.yml delete mode 100644 artifacts/persistence/image_hijack.yml delete mode 100644 artifacts/persistence/lsa_packages.yml delete mode 100644 artifacts/persistence/print_processors.yml delete mode 100644 artifacts/persistence/registry_run_keys.yml delete mode 100644 artifacts/persistence/scheduled_tasks.yml delete mode 100644 artifacts/persistence/screensaver.yml delete mode 100644 artifacts/persistence/shell_extensions.yml delete mode 100644 artifacts/persistence/shell_folders.yml delete mode 100644 artifacts/persistence/winlogon_userinit.yml delete mode 100644 artifacts/persistence/wmi_events.yml delete mode 100644 artifacts/security/bitlocker_config.yml delete mode 100644 artifacts/security/camera_microphone_access_control.yml delete mode 100644 artifacts/security/device_permissions.yml delete mode 100644 artifacts/security/explorer_policies.yml delete mode 100644 artifacts/security/local_security_policy.yml delete mode 100644 artifacts/security/sam_security.yml delete mode 100644 artifacts/security/uac.yml delete mode 100644 artifacts/security/vpn_client.yml delete mode 100644 artifacts/security/windows_defender_app_guard.yml delete mode 100644 artifacts/security/windows_defender_security.yml delete mode 100644 artifacts/security/windows_firewall.yml delete mode 100644 artifacts/security/windows_hello.yml delete mode 100644 artifacts/system/applocker_policies.yml delete mode 100644 artifacts/system/boot_configuration.yml delete mode 100644 artifacts/system/certificate_stores.yml delete mode 100644 artifacts/system/computer_name.yml delete mode 100644 artifacts/system/device_install_policies.yml delete mode 100644 artifacts/system/error_reporting.yml delete mode 100644 artifacts/system/event_log_config.yml delete mode 100644 
artifacts/system/file_associations.yml delete mode 100644 artifacts/system/file_history_backup.yml delete mode 100644 artifacts/system/hardware_devices.yml delete mode 100644 artifacts/system/installed_programs.yml delete mode 100644 artifacts/system/location_services.yml delete mode 100644 artifacts/system/page_file.yml delete mode 100644 artifacts/system/performance_monitoring.yml delete mode 100644 artifacts/system/power_management.yml delete mode 100644 artifacts/system/sam_authentication.yml delete mode 100644 artifacts/system/security_center.yml delete mode 100644 artifacts/system/security_policy.yml delete mode 100644 artifacts/system/software_restriction.yml delete mode 100644 artifacts/system/startup_programs.yml delete mode 100644 artifacts/system/timezone_settings.yml delete mode 100644 artifacts/system/user_profiles.yml delete mode 100644 artifacts/system/version_info.yml delete mode 100644 artifacts/system/volume_shadow_copy.yml delete mode 100644 artifacts/system/windows_activation.yml delete mode 100644 artifacts/system/windows_defender.yml delete mode 100644 artifacts/system/windows_features.yml delete mode 100644 artifacts/system/windows_update.yml delete mode 100644 artifacts/usb/device_capabilities.yml delete mode 100644 artifacts/usb/device_history.yml delete mode 100644 artifacts/usb/drive_letter_mapping.yml delete mode 100644 artifacts/usb/last_write_times.yml delete mode 100644 artifacts/usb/wpdbusenum_connections.yml delete mode 100644 artifacts/user-activity/acmru.yml delete mode 100644 artifacts/user-activity/comdlg32_settings.yml delete mode 100644 artifacts/user-activity/gaming_entertainment.yml delete mode 100644 artifacts/user-activity/jump_lists.yml delete mode 100644 artifacts/user-activity/lastvisited_pidl_mru.yml delete mode 100644 artifacts/user-activity/mail_client.yml delete mode 100644 artifacts/user-activity/microsoft_store.yml delete mode 100644 artifacts/user-activity/notepad_plus_plus.yml delete mode 100644 
artifacts/user-activity/office_files.yml delete mode 100644 artifacts/user-activity/opensavemru.yml delete mode 100644 artifacts/user-activity/print_history.yml delete mode 100644 artifacts/user-activity/recent_docs.yml delete mode 100644 artifacts/user-activity/run_dialog_history.yml delete mode 100644 artifacts/user-activity/search_history.yml delete mode 100644 artifacts/user-activity/seven_zip.yml delete mode 100644 artifacts/user-activity/shellbags.yml delete mode 100644 artifacts/user-activity/thumbnail_cache.yml delete mode 100644 artifacts/user-activity/voice_recorder.yml delete mode 100644 artifacts/user-activity/windows_spotlight.yml delete mode 100644 artifacts/user-activity/winrar.yml delete mode 100644 artifacts/user-activity/winzip.yml delete mode 100644 artifacts/user-activity/wordwheel_query.yml delete mode 100644 artifacts/virtualization/hyperv.yml delete mode 100644 artifacts/virtualization/oracle_virtual_box.yml delete mode 100644 artifacts/virtualization/vmware.yml delete mode 100644 artifacts/virtualization/windows_containers.yml delete mode 100644 artifacts/virtualization/windows_subsystem_linux.yml diff --git a/README.md b/README.md index da070ac..a1955d0 100644 --- a/README.md +++ b/README.md 
@@ -2,37 +2,53 @@ > Advanced Windows Registry forensics reference and search engine -RegSeek is a comprehensive reference tool for Windows Registry forensics artifacts. It provides detailed information about registry locations that are valuable for digital forensics investigations, incident response, and malware analysis. - -# Features - -- Extensive collection of Windows Registry forensics artifacts -- Multi-criteria search with filters for category, criticality, investigation type, and more -- Filter by Windows version, registry hive, criticality level, and analysis tools -- Each artifact includes forensic value, data structure, examples, and analysis tools -- Artifacts tagged by investigation scenarios (malware analysis, data exfiltration, etc.) - -# Categories - -- **Execution**: Program execution tracking and artifacts -- **Network**: Network connections, shares, and communication -- **Persistence**: Autostart locations and persistence mechanisms -- **User Activity**: User behavior and document access patterns -- **System**: System configuration and installed software -- **USB/Storage**: USB device history and storage artifacts -- **Security**: Security settings and access controls -- **Browser**: Web browser artifacts and configurations -- **Malware**: Malware-specific registry artifacts -- **Communication**: Messaging and communication applications - -# Advanced Search - -- **Category**: Filter by artifact category -- **Criticality**: High/Medium/Low priority filtering -- **Investigation Type**: Filter by investigation scenario -- **Windows Version**: Version-specific artifacts -- **Registry Hive**: HKLM, HKCU, HKCR, etc. -- **Analysis Tools**: Artifacts with or without tools +## What is RegSeek? + +RegSeek is a comprehensive reference tool for Windows Registry forensics artifacts. 
It provides detailed information about registry locations that are valuable for digital forensics investigations, incident response, and malware analysis including: + +- **Forensic limitations** and what artifacts **cannot prove** +- **Correlation requirements** for definitive conclusions +- **Analysis tools** and investigation techniques +- **Real-world examples** and data structures +- **Windows version compatibility** + +## Artifact Categories + +| Category | Count | Key Use Cases | +|----------|-------|---------------| +| **Program Execution** | 15+ | Application usage, malware execution tracking | +| **Browser Activity** | 8+ | Web browsing history, security zone configurations | +| **User Behavior** | 20+ | Application usage patterns, cloud storage sync | +| **File Operations** | 12+ | Recent documents, file associations, jump lists | +| **External Storage** | 5+ | USB device history, removable media tracking | +| **Persistence Methods** | 10+ | Autostart locations, service configurations | +| **System Modifications** | 15+ | Windows settings, security configurations | +| **Network Infrastructure** | 12+ | Network connections, DNS configurations | +| **Remote Access** | 8+ | RDP settings, VPN configurations | +| **Security Monitoring** | 10+ | Windows Defender, audit configurations | +| **Communication Apps** | 7+ | Teams, Discord, email client settings | +| **Virtualization** | 6+ | VMware, VirtualBox, container settings | +| **Authentication** | 4+ | Credential providers, account information | + +## Key Features + +### **Advanced Search & Filtering** +- Full-text search across artifact titles, descriptions, and registry paths +- Filter by category, criticality level, Windows version, and registry hive +- Investigation type filtering (incident response, malware analysis, etc.) 
+ +### **Forensic Intelligence** +- **Limitations warnings**: What each artifact CANNOT prove +- **Correlation requirements**: Additional artifacts needed for conclusions +- **Criticality levels**: High/Medium/Low priority classifications +- **Tool recommendations**: Specific analysis tools for each artifact + +### **Investigation-Focused** +- Organized by forensic investigation types +- Real-world examples and data structures +- Windows version compatibility information +- Direct links to analysis tools and references + # Quick Start @@ -76,8 +92,15 @@ Visit the deployed site: [https://regseek.github.io/](https://regseek.github.io/ # Contributing -We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details. +We welcome contributions from the digital forensics community! See our [Contributing Guidelines](CONTRIBUTING.md) for details on: + +- Adding new registry artifacts +- Improving existing documentation +- Suggesting new features or categories +- Reporting bugs or inaccuracies # License -GPL-3.0 license - see [LICENSE](LICENSE) file for details. +This project is licensed under GPL-3.0 license - see [LICENSE](LICENSE) file for details. + +*RegSeek is a comprehensive Windows Registry forensics reference tool designed to assist digital forensics professionals, incident response teams, and cybersecurity analysts in their investigations.* diff --git a/artifacts/_template.yml b/artifacts/_template.yml index 4e314c5..5094d20 100644 --- a/artifacts/_template.yml +++ b/artifacts/_template.yml 
@@ -2,7 +2,10 @@ # File naming: use_lowercase_with_underscore.yml title: "Artifact Display Name" -category: "execution|network|usb|user-activity|persistence|system|security|cloud|browser|malware|mobile|virtualization|communication" +category: "program-execution|browser-activity|file-operations|user-behavior|external-storage|persistence-methods|system-modifications|network-infrastructure|remote-access|security-monitoring|communication-apps|virtualization|authentication + +# Top 8 categories appear in quick filters: program-execution, browser-activity, file-operations, user-behavior, persistence-methods, system-modifications, network-infrastructure, security-monitoring +# All 13 categories available in advanced search description: "Brief description of what this artifact reveals (focus on forensic value)" @@ -38,6 +41,21 @@ details: - name: "Another Tool" description: "Alternative analysis method" +# CRITICAL: Anti-checklist methodology sections +limitations: + - "Specific things this artifact cannot determine" + - "Common false positives or misinterpretations" + - "What this artifact does NOT prove" + +correlation: + required_for_definitive_conclusions: + - "List other artifacts needed to prove what people assume this one proves" + - "Required evidence for court presentation" + + strengthens_evidence: + - "Artifacts that support but don't prove the same conclusions" + - "Supporting evidence that adds context" + metadata: windows_versions: - "Windows 10" 
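Review bot: The new `category:` line is missing its closing double quote, so the template is no longer valid YAML — a double-quoted scalar continues across lines until the next `"`, which here is the opening quote of `description:`, and any validator or loader that reads `_template.yml` as a reference document will fail or produce a mangled value. Close the string: `category: "program-execution|browser-activity|file-operations|user-behavior|external-storage|persistence-methods|system-modifications|network-infrastructure|remote-access|security-monitoring|communication-apps|virtualization|authentication"`. The second hunk in this file (the `limitations`/`correlation` block) is not affected.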
@@ -53,13 +71,25 @@ metadata: criticality: "high|medium|low" - # Investigation types where this is particularly useful + # Investigation types where this is particularly useful (choose multiple from 14 types) investigation_types: - - "malware-analysis" - - "data-exfiltration" - - "insider-threat" - - "incident-response" - - "timeline-analysis" + # Investigation Phases (how you're investigating): + - "incident-response" # Emergency response situations + - "malware-analysis" # Analyzing malicious software + - "timeline-analysis" # Reconstructing sequence of events + - "behavioral-analysis" # Understanding user/system behavior + - "insider-threat" # Internal threat investigations + + # Attack Techniques (what the attacker did): + - "initial-access" # How attackers got in + - "program-execution" # What programs were run + - "persistence-analysis" # How threats maintain presence + - "privilege-escalation" # Elevation of privileges + - "credential-theft" # Credential harvesting/dumping + - "lateral-movement" # Movement across network + - "remote-access" # Remote access tools/methods + - "data-exfiltration" # Data theft and staging + - "anti-forensics" # Evidence destruction/hiding tags: - "specific-keyword" diff --git a/artifacts/security/credential_providers.yml b/artifacts/authentication/credential_providers.yml similarity index 68% rename from artifacts/security/credential_providers.yml rename to artifacts/authentication/credential_providers.yml index 7aecc3c..747fac0 100644 --- a/artifacts/security/credential_providers.yml +++ b/artifacts/authentication/credential_providers.yml @@ -1,5 +1,5 @@ title: "Credential Providers and Authentication Extensions" -category: "security" +category: "authentication" description: "Windows credential provider registration, custom authentication modules, and logon extension configuration" paths: 
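Review bot: The rewritten `investigation_types` example lists all 14 values as live entries, so an artifact created by copying the template and not pruning the list will declare every investigation type, pass any presence check, and pollute the filter; the removed version listed five illustrative values. Add a one-line instruction above the list, e.g. `# Keep only the types that apply to this artifact; delete the rest`, or ship the entries commented out so each must be deliberately enabled. Separately, `program-execution` now doubles as a category name (previous hunk in this file) and an investigation type, which is easy to confuse in search filters; a short comment distinguishing the two would help. The `metadata:` block enclosing this list starts outside the hunk.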
@@ -10,24 +10,19 @@ paths: details: what: | - Credential Providers extend Windows authentication infrastructure with custom logon methods, - smart card integration, biometric authentication, multi-factor authentication, and enterprise - single sign-on solutions. Registry manages provider registration, authentication filters, - Pre-Logon Access Provider (PLAP) configuration, and credential enumeration settings for - comprehensive authentication ecosystem management and security enhancement. + Credential Providers extend Windows authentication infrastructure with custom logon methods, + smart card integration, biometric authentication, multi-factor authentication, and enterprise + single sign-on solutions. Registry manages provider registration and authentication filters. forensic_value: | - Critical for detecting unauthorized authentication modifications, malicious credential - harvesting tools, and sophisticated attack techniques targeting authentication infrastructure. - Shows evidence of credential provider abuse for password interception, authentication bypass - attempts, and unauthorized access to authentication systems. Essential for analyzing advanced - persistent threats that target authentication mechanisms and credential theft operations. + Critical for detecting unauthorized authentication modifications, malicious credential harvesting + tools, and sophisticated attack techniques targeting authentication infrastructure. Shows evidence + of credential provider abuse for password interception and authentication bypass attempts. structure: | - Credential Providers registry contains CLSID-based entries referencing COM objects that - implement authentication interfaces. Each provider includes DLL paths, capability flags, - trust levels, and configuration parameters. Provider Filters control authentication flow, - while PLAP Providers manage pre-logon network connectivity for domain authentication scenarios. 
+ Credential Providers registry contains CLSID-based entries referencing COM objects that implement + authentication interfaces. Each provider includes DLL paths, capability flags, trust levels, and + configuration parameters. Provider Filters control authentication flow. examples: - "Credential Providers\\\\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}: Password Credential Provider" @@ -53,6 +48,28 @@ details: - name: "Authentication Provider Scanner" description: "Specialized tools for credential provider security assessment" +limitations: + - "Credential provider registration does NOT prove malicious credential harvesting occurred" + - "Provider installation may be legitimate enterprise authentication enhancement" + - "Custom providers don't indicate successful password interception" + - "Authentication filter modifications may be for legitimate security improvements" + - "Provider capability flags don't prove actual authentication usage" + - "DLL registration doesn't indicate active credential collection" + +correlation: + required_for_definitive_credential_theft_proof: + - "Event logs showing successful authentications using custom providers" + - "Network traffic logs showing credential transmission from compromised system" + - "File system artifacts showing harvested credentials stored on disk" + - "Process execution logs showing malicious provider DLL loading" + - "Memory dumps containing harvested credentials from provider processes" + + strengthens_evidence: + - "Registry changes showing provider installation during suspicious timeframes" + - "File modifications in provider DLL locations with malware signatures" + - "Authentication attempts correlating with custom provider usage" + - "Network connections from processes using custom authentication providers" + metadata: windows_versions: - "Windows Vista" @@ -68,7 +85,6 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "high" investigation_types: 
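Review bot: The new `correlation:` block uses the key `required_for_definitive_credential_theft_proof`, while the template updated in this same commit (`artifacts/_template.yml`) defines the key as `required_for_definitive_conclusions`. If `scripts/validate.py` or the site renderer (both changed in this commit but not visible here) look up the template's key name, this artifact's correlation requirements will be rejected or silently dropped from the page, which matters for an artifact whose stated point is that provider registration alone does not prove credential theft. Rename the key to match the template: `required_for_definitive_conclusions:`. The surrounding top-level structure is only partly visible in the hunk.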
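Review bot: The `@@ -68,7 +85,6 @@` hunk deletes `criticality: "high"` from `metadata:` without replacing it, leaving the artifact with no criticality at all, while the template in this same commit still carries `criticality: "high|medium|low"` as a field and the README change advertises filtering by criticality level. Credential provider registration is a well-known credential-theft and persistence location, so the artifact should stay at high priority rather than vanish from the criticality filter; restore the line: `criticality: "high"`. If the removal is intentional because criticality moved elsewhere, neither the commit message nor the visible hunks say so. The rest of the `metadata:` block lies outside the hunk.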
@@ -77,6 +93,7 @@ metadata:
- "malware-analysis"
- "incident-response"
- "behavioral-analysis"
+ - "credential-theft"
tags:
- "authentication"
@@ -122,5 +139,5 @@ author:
contribution:
date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
\ No newline at end of file
+ last_updated: "2025-06-13"
+ version: "3.0"
diff --git a/artifacts/browser/activex_controls.yml b/artifacts/browser/activex_controls.yml
deleted file mode 100644
index 947729c..0000000
--- a/artifacts/browser/activex_controls.yml
+++ /dev/null
@@ -1,121 +0,0 @@ -title: "ActiveX Controls and Compatibility Settings" -category: "browser" -description: "Internet Explorer ActiveX control registration, kill bits, compatibility flags, and security settings" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility" - - "HKLM\\SOFTWARE\\Classes\\CLSID" - - "HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext" - -details: - what: | - ActiveX controls are Component Object Model (COM) objects that provide interactive functionality - in Internet Explorer and other applications. Registry manages control registration, security - settings, kill bits for blocking dangerous controls, compatibility flags, and distribution - unit management. Controls ActiveX behavior, installation permissions, security zones, and - browser integration for enhanced web functionality with comprehensive security management. - - forensic_value: | - Critical for investigating browser-based attacks, malicious ActiveX control installation, - and web-based malware delivery. Shows evidence of dangerous ActiveX controls that were - installed or blocked, reveals attempts to exploit ActiveX vulnerabilities, and indicates - security policy modifications that weaken browser defenses. Essential for analyzing - drive-by downloads, browser exploits, and ActiveX-based persistence mechanisms. - - structure: | - ActiveX Compatibility contains CLSID entries with Compatibility Flags controlling behavior, - kill bits preventing execution of dangerous controls, and version-specific settings. - Distribution Units track downloaded controls with authentication information. Kill bits - stored as REG_DWORD values prevent specific controls from running for security protection. 
- - examples: - - "ActiveX Compatibility\\{CLSID}\\Compatibility Flags: 0x00000400 (Kill bit set - control blocked)" - - "ActiveX Compatibility\\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\\Compatibility Flags: 0x00000000 (Windows Media Player control allowed)" - - "Distribution Units\\{D27CDB6E-AE6D-11cf-96B8-444553540000}: Adobe Flash Player control" - - "CLSID\\{CLSID}\\InprocServer32: C:\\malware\\malicious_control.dll (Suspicious ActiveX control)" - - "Kill Bit: Compatibility Flags: 0x00000400 (ActiveX control disabled for security)" - - "CodeBase: http://malicious-site.com/exploit.cab (Dangerous download location)" - - tools: - - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer security and ActiveX control configuration" - - name: "OLE/COM Object Viewer (oleview.exe)" - description: "Microsoft tool for viewing registered COM/ActiveX objects" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "ActiveX Control Scanner" - description: "Third-party tools for identifying and analyzing ActiveX controls" - - name: "Internet Explorer Administration Kit" - description: "Microsoft toolkit for enterprise IE and ActiveX management" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Internet Explorer 3.0" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "lateral-movement" - - tags: - - "activex" - - "browser-security" - - "malware-delivery" - - "kill-bits" - - "browser-exploits" - - "web-security" - - "drive-by-downloads" - - "com-objects" - - references: - - title: "Microsoft Documentation: ActiveX Controls" - url: 
"https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa751968(v=vs.85)" - type: "official" - - title: "ActiveX Kill Bits" - url: "https://docs.microsoft.com/en-us/troubleshoot/browsers/activex-controls-not-load" - type: "official" - - title: "MITRE ATT&CK: Exploitation for Client Execution" - url: "https://attack.mitre.org/techniques/T1203/" - type: "research" - - title: "ActiveX Security Analysis" - url: "https://www.sans.org/white-papers/33439/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, CLASSES)" - persistence: "ActiveX settings persist until manually changed or security updates" - volatility: "Control registrations and kill bits affect ongoing browser security posture" - - related_artifacts: - - "browser_security" - - "com_objects" - - "internet_settings" - - "security_zones" - - "malware_persistence" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/browser/browser_helper_objects.yml b/artifacts/browser/browser_helper_objects.yml deleted file mode 100644 index e77a617..0000000 --- a/artifacts/browser/browser_helper_objects.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: "Browser Helper Objects and Internet Explorer Extensions" -category: "browser" -description: "Internet Explorer Browser Helper Objects, toolbar extensions, search providers, and browser plugin management" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" - - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar" - - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions" - -details: - what: | - Browser Helper Objects (BHOs) are Dynamic Link Libraries (DLLs) that automatically load - with Internet Explorer to extend browser functionality. Registry manages BHO registration, - toolbar installations, search provider configurations, and extension permissions. Controls - browser plugin behavior, automatic loading, security restrictions, and integration with - web browsing for enhanced functionality and user experience. - - forensic_value: | - Critical for detecting malicious browser extensions, adware installations, and browser - hijacking attacks. BHOs can intercept web traffic, steal credentials, inject malicious - content, and monitor user browsing behavior. Shows evidence of unauthorized browser - modifications, malicious toolbars, search hijacking, and browser-based data exfiltration. - Essential for analyzing browser malware, adware infections, and privacy violations. - - structure: | - BHO registration uses CLSID identifiers as subkeys referencing COM objects that load - automatically with Internet Explorer. Each BHO entry contains class registration, - security settings, and loading preferences. Toolbar entries define button configurations, - display properties, and execution commands. Extensions manage browser add-ons and - functionality enhancements with security descriptors and capability definitions. 
- - examples: - - "BHO\\{CLSID}: Adobe PDF Reader (Legitimate PDF viewer integration)" - - "BHO\\{2670000A-7350-4f3c-8081-5663EE0C6C49}: Windows Live Toolbar (Microsoft toolbar)" - - "BHO\\{12345678-1234-5678-9abc-123456789abc}: Malicious Adware BHO (Suspicious entry)" - - "Toolbar\\{GUID}: Search Hijacker Toolbar (Unauthorized search modification)" - - "Extensions\\{MenuExt-GUID}: Download Manager (Context menu extension)" - - "NoExplorer: 1 (BHO disabled in Windows Explorer)" - - "CLSID Reference: HKLM\\SOFTWARE\\Classes\\CLSID\\{GUID}\\InprocServer32: malware.dll" - - tools: - - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer add-on and extension management" - - name: "BHODemon" - url: "https://www.malwareremovalguides.info/bhodemon_review.htm" - description: "Third-party tool for BHO analysis and management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with comprehensive BHO enumeration" - - name: "BrowserAddonsView" - url: "https://www.nirsoft.net/utils/browser_addons_view.html" - description: "NirSoft tool for viewing installed browser add-ons and extensions" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Internet Explorer 4.0" - deprecated: "Legacy with IE, modern browsers use different extension models" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "data-exfiltration" - - tags: - - "browser-extensions" - - "bho" - - "browser-hijacking" - - "adware" - - "malicious-toolbars" - - "browser-security" - - "credential-theft" - - "traffic-interception" - - 
references: - - title: "Microsoft Documentation: Browser Helper Objects" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/bb250436(v=vs.85)" - type: "official" - - title: "Internet Explorer Extension Security" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa741313(v=vs.85)" - type: "official" - - title: "Browser Helper Object Malware Analysis" - url: "https://www.sans.org/white-papers/33439/" - type: "research" - - title: "BHO-based Attacks and Detection" - url: "https://www.forensicfocus.com/articles/browser-helper-object-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "BHO registrations persist until manually removed or software uninstalled" - volatility: "Automatically load with browser sessions, immediate impact on browsing security" - - related_artifacts: - - "activex_controls" - - "browser_security" - - "com_objects" - - "internet_settings" - - "malware_persistence" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/browser/chrome_history.yml b/artifacts/browser/chrome_history.yml deleted file mode 100644 index 73a9b04..0000000 --- a/artifacts/browser/chrome_history.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -title: "Chrome and Edge Browser Registry Data" -category: "browser" -description: "Chrome and Edge browser preferences, extensions, policies, and configuration registry data" - -paths: - - "HKCU\\Software\\Google\\Chrome" - - "HKCU\\Software\\Microsoft\\Edge" - - "HKLM\\SOFTWARE\\Policies\\Google\\Chrome" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge" - - "HKCU\\Software\\Chromium" - -details: - what: | - Chrome and Edge Chromium-based browsers store configuration data, extension information, - enterprise policy settings, homepage URLs, search engine preferences, and browser state - information in the registry for system-wide settings and Group Policy enforcement. - Manages security policies, extension permissions, profile configurations, and browser - behavior controls for comprehensive web browsing security and functionality. - - forensic_value: | - Critical for browser-based investigations including malicious extension detection, homepage - hijacking analysis, enterprise policy bypass attempts, and browser-based data exfiltration. - Shows browser usage patterns, installed extensions that could be malicious, policy restrictions - that may have been circumvented, and evidence of browser-based attacks or command and control - communication through browser configurations and extension installations. - - structure: | - Hierarchical registry structure containing browser preferences, extension lists, policy settings, - and user profile information. Configuration data stored as JSON-formatted values for complex - settings, REG_DWORD for boolean options, and REG_SZ for text preferences. Separate branches - for user preferences and machine-wide Group Policy enforcement. 
- - examples: - - "HomepageLocation: http://malicious-site.com (Potential homepage hijacking)" - - "Extensions\\\\Installed: [{\"extension_id\": \"malicious_extension\"}]" - - "DefaultSearchProviderSearchURL: http://evil-search.com/search?q={searchTerms}" - - "Policies\\\\URLBlocklist: [\"*.legitimate-security-site.com\"] (Blocking security sites)" - - "PreferenceMACs: [MAC values for preference integrity verification]" - - "Profile Path: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data" - - "BookmarkBarEnabled: 1 (Bookmark bar visibility)" - - tools: - - name: "Chrome Browser Policy List" - url: "https://chromeenterprise.google/policies/" - description: "Complete Chrome enterprise policy reference" - - name: "ChromeHistoryView" - url: "https://www.nirsoft.net/utils/chrome_history_view.html" - description: "View and analyze Chrome browsing history from database files" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "BrowsingHistoryView" - url: "https://www.nirsoft.net/utils/browsing_history_view.html" - description: "Universal browser history viewer for multiple browsers" - - name: "Browser Configuration Analyzer" - description: "Specialized tools for analyzing browser security configurations" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Chrome 2008, Edge 2015" - - criticality: "high" - - investigation_types: - - "insider-threat" - - "malware-analysis" - - "data-exfiltration" - - "incident-response" - - "timeline-analysis" - - tags: - - "browser" - - "chrome" - - "edge" - - "extensions" - - "policies" - - "hijacking" - - "web-security" - - references: - - title: "Google Chrome Enterprise Documentation" - url: 
"https://support.google.com/chrome/a/answer/7532015" - type: "official" - - title: "Microsoft Edge Enterprise Documentation" - url: "https://docs.microsoft.com/en-us/deployedge/" - type: "official" - - title: "Browser Extension Malware Analysis" - url: "https://www.sans.org/white-papers/39738/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Browser configuration persists until manually changed or policy update" - volatility: "Configuration changes affect immediate browser behavior and security" - - related_artifacts: - - "firefox_history" - - "file_associations" - - "default_applications" - - "security_policies" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/browser/downloads.yml b/artifacts/browser/downloads.yml deleted file mode 100644 index 9469d0c..0000000 --- a/artifacts/browser/downloads.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: "Browser Download History and Settings" -category: "browser" -description: "Browser download preferences, default locations, security settings, and download management configuration" - -paths: - - "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" - - "HKCU\\Software\\Microsoft\\Internet Explorer\\Download Directory" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Restrictions" - - "HKCU\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http" - -details: - what: | - Browser download configuration controls default download locations, security restrictions, - file type handling, automatic download behavior, and download management policies. - Manages download folder settings, security zone restrictions, file execution policies, - and malware protection settings for safe file downloading across web browsers. - - forensic_value: | - Critical for investigating malware delivery mechanisms, unauthorized software downloads, - and data exfiltration through download channels. Shows evidence of download folder - modifications that could facilitate malware execution, reveals download security - bypasses, and indicates attempts to modify browser security to enable dangerous - downloads essential for malware distribution and system compromise. - - structure: | - Download configuration includes Download Directory (default save location), Security - settings for download zones, file type associations, automatic execution policies, - and download notification preferences. Security restrictions control download behavior - in different zones with policy enforcement for enterprise environments. 
- - examples: - - "Download Directory: C:\\Users\\user\\Downloads (Standard download location)" - - "Download Directory: C:\\Temp\\Malware (Suspicious download location)" - - "DisableFirstRunCustomize: 1 (Skip security setup wizard)" - - "Check_Associations: no (Disable file association checking)" - - "Safety Warning Level: Low (Reduced download security warnings)" - - "NoSelectDownloadDir: 1 (Prevent download folder selection)" - - "RestrictFileDownload: 0 (Allow all file downloads)" - - tools: - - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer download and security configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Browser Security Scanner" - description: "Third-party tools for browser security assessment" - - name: "Download History Analyzer" - description: "Tools for analyzing browser download patterns and locations" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Internet Explorer 4.0" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "data-exfiltration" - - "incident-response" - - tags: - - "browser" - - "downloads" - - "malware-delivery" - - "security-settings" - - "file-downloads" - - "download-security" - - references: - - title: "Microsoft Documentation: Internet Explorer Security" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/" - type: "official" - - title: "Browser Download Security Analysis" - url: "https://www.sans.org/white-papers/33896/" - type: "research" - - retention: - default_location: "Registry hive files (NTUSER.DAT, SOFTWARE)" - persistence: "Download settings persist until manually changed" - volatility: "Configuration affects ongoing download security and malware protection" - - related_artifacts: - - 
"security_zones" - - "typed_urls" - - "file_associations" - - "security_policy" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/browser/firefox_history.yml b/artifacts/browser/firefox_history.yml deleted file mode 100644 index 3032338..0000000 --- a/artifacts/browser/firefox_history.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -title: "Firefox Browser Registry Data" -category: "user-activity" -description: "Firefox installation information, profile locations, browser preferences, and configuration data" - -paths: - - "HKCU\\Software\\Mozilla\\Firefox" - - "HKLM\\SOFTWARE\\Mozilla\\Firefox" - - "HKCU\\Software\\Classes\\FirefoxHTML" - - "HKLM\\SOFTWARE\\Classes\\FirefoxURL" - -details: - what: | - Firefox browser registration and configuration data stored in Windows registry including - installation information, version details, profile directory locations, default browser - settings, update preferences, and file association handlers. Manages Firefox integration - with Windows shell, protocol handlers, and system-wide browser configuration for - comprehensive web browsing functionality and system integration. - - forensic_value: | - Essential for Firefox-based investigations including web browsing activity analysis, - profile location identification for further examination, installation timeline establishment, - and browser preference analysis. Shows Firefox usage patterns, configuration modifications - that might indicate security bypasses, and integration with system shell for protocol - handling. Critical for investigations involving Firefox-specific browsing artifacts. - - structure: | - Installation information organized under Mozilla\\Firefox including CurrentVersion, install - directory paths, profile management settings, and update configurations. File associations - stored in Classes registry showing protocol handlers for HTTP, HTTPS, FTP, and custom - protocols. Profile settings include default profile locations and user-specific configurations. 
- - examples: - - "CurrentVersion: 121.0 (Firefox version information)" - - "Install Directory: C:\\\\Program Files\\\\Mozilla Firefox (Installation path)" - - "Profile Path: %APPDATA%\\\\Mozilla\\\\Firefox\\\\Profiles (Profile directory location)" - - "FirefoxHTML\\\\shell\\\\open\\\\command: \"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\" -osint -url \"%1\"" - - "FirefoxURL\\\\DefaultIcon: C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe,1" - - "DefaultClientState: 1 (Default browser status)" - - "ProfileManager\\\\StartWithLastProfile: 1 (Automatic profile loading)" - - tools: - - name: "Firefox Profile Manager" - description: "Firefox built-in profile management and configuration utility" - - name: "MozillaHistoryView" - url: "https://www.nirsoft.net/utils/mozilla_history_view.html" - description: "Third-party tool for viewing Firefox browsing history" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Firefox Configuration Editor" - description: "about:config interface for advanced Firefox settings" - - name: "Browser Forensics Tools" - description: "Specialized utilities for Firefox artifact analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Firefox 1.0 (2004)" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "insider-threat" - - "incident-response" - - "timeline-analysis" - - tags: - - "browser" - - "firefox" - - "web-browsing" - - "profiles" - - "internet-activity" - - "file-associations" - - "protocol-handlers" - - references: - - title: "Mozilla Documentation: Firefox Profiles" - url: "https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data" - type: "official" - - title: "Firefox Browser Forensics Guide" - url: 
"https://www.forensicfocus.com/articles/firefox-browser-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Firefox configuration persists until uninstallation or manual removal" - volatility: "Browser settings reflect current installation and configuration state" - - related_artifacts: - - "chrome_history" - - "default_applications" - - "file_associations" - - "user_profiles" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/browser/security_zones.yml b/artifacts/browser/security_zones.yml deleted file mode 100644 index c6e5e63..0000000 --- a/artifacts/browser/security_zones.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "Internet Explorer Security Zones and Settings" -category: "browser" -description: "Internet Explorer security zone configuration, trusted sites, restricted sites, and browser security policies" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer" - -details: - what: | - Internet Explorer security zones framework controls website trust levels, security policies, - ActiveX control permissions, script execution restrictions, and download behaviors based - on website categorization. Manages Internet, Local Intranet, Trusted Sites, and Restricted - Sites zones with granular security settings, custom site assignments, and enterprise - policy enforcement for comprehensive web browsing security management. - - forensic_value: | - Critical for investigating browser-based attacks, malicious website interactions, and - security policy bypass attempts. Shows evidence of trusted site modifications that could - facilitate attacks, restricted site configurations that may have been circumvented, - and security zone changes that weaken browser defenses. Essential for analyzing - browser-based malware delivery, social engineering attacks, and policy violations. - - structure: | - Security zones numbered 0-4 (My Computer, Local Intranet, Trusted Sites, Internet, Restricted) - with detailed security settings as REG_DWORD values. ZoneMap contains site-to-zone assignments - with domain classifications. Policy enforcement controls enterprise-wide browser security - through Group Policy with inheritance and override mechanisms for centralized management. 
- - examples: - - "Zones\\1\\1001: 3 (Local Intranet - Prompt for ActiveX download)" - - "Zones\\2\\1200: 0 (Trusted Sites - Enable ActiveX controls)" - - "Zones\\3\\1400: 1 (Internet - Disable active scripting)" - - "Zones\\4\\1001: 3 (Restricted - Disable ActiveX completely)" - - "ZoneMap\\Domains\\malicious-site.com: 4 (Restricted zone assignment)" - - "ZoneMap\\Domains\\intranet.company.com: 1 (Local Intranet zone)" - - "Policies\\DisableSecuritySettingsCheck: 1 (Security warnings disabled)" - - "ProtectedMode\\Enabled: 0 (Protected Mode disabled - security risk)" - - tools: - - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer security zone configuration interface" - - name: "IEZoneAnalyzer" - description: "Third-party tools for analyzing IE security zone configurations" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "Enterprise Internet Explorer policy management" - - name: "Browser Security Scanner" - description: "Tools for assessing browser security configuration and vulnerabilities" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Internet Explorer 4.0" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "insider-threat" - - tags: - - "browser" - - "internet-explorer" - - "security-zones" - - "trusted-sites" - - "browser-security" - - "activex" - - "script-execution" - - "web-security" - - references: - - title: "Microsoft Documentation: Internet Explorer Security Zones" - url: "https://docs.microsoft.com/en-us/troubleshoot/browsers/security-zones-registry-entries" - type: "official" - - title: "Internet Explorer Security Analysis" - url: 
"https://www.sans.org/white-papers/33439/" - type: "research" - - title: "Browser Security Zone Exploitation Techniques" - url: "https://attack.mitre.org/techniques/T1185/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Security zone settings persist until manually changed or policy update" - volatility: "Security configuration changes affect immediate browser security posture" - - related_artifacts: - - "chrome_history" - - "firefox_history" - - "typed_urls" - - "security_policy" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/browser/tor.yml b/artifacts/browser/tor.yml deleted file mode 100644 index 0437083..0000000 --- a/artifacts/browser/tor.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -title: "Tor Browser Privacy Configuration" -category: "browser" -description: "Tor Browser settings, anonymity preferences, and privacy-focused browsing configuration" - -paths: - - "HKCU\\Software\\Mozilla\\Firefox\\Profiles\\*\\Tor Browser" - - "HKLM\\SOFTWARE\\Mozilla\\Firefox\\Tor Browser" - - "HKCU\\Software\\Classes\\TorBrowser" - - "HKLM\\SOFTWARE\\Classes\\TorBrowser" - -details: - what: | - Tor Browser manages privacy-focused web browsing including anonymity settings, - proxy configurations, security levels, and anti-tracking preferences. Registry - stores installation data, security configurations, bridge settings, and privacy - preferences for comprehensive anonymous browsing analysis and privacy-conscious - internet usage behavior tracking in sensitive or security-focused environments. - - forensic_value: | - Critical for investigating privacy-conscious behavior, potential anonymous - communications, dark web access, and security-aware browsing patterns. Shows - evidence of anonymity-seeking behavior, privacy tool usage, potential illicit - activities, and can indicate attempts to evade monitoring, access restricted - content, or maintain operational security in sensitive investigations. - - structure: | - Tor Browser configuration includes proxy settings, security level preferences, - bridge configurations, and anonymity options. Privacy settings track JavaScript - restrictions, plugin blocking, and anti-fingerprinting measures for comprehensive - privacy-focused browsing behavior analysis and security-conscious user profiling. 
- - examples: - - "InstallPath: C:\\Users\\user\\Desktop\\Tor Browser" - - "SecurityLevel: Safest (Highest security configuration)" - - "BridgeSettings: obfs4 (Pluggable transport bridges)" - - "NoScript: 1 (JavaScript blocking enabled)" - - "Letterboxing: 1 (Anti-fingerprinting protection)" - - "ProxyType: SOCKS5 (Tor proxy configuration)" - - "ExitCountry: {us} (Preferred exit node country)" - - tools: - - name: "Tor Browser" - description: "Privacy-focused web browser for anonymous browsing" - - name: "Tor Network Status" - description: "Tools for monitoring Tor network connectivity and status" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Tor Browser" - - criticality: "high" - - investigation_types: - - "behavioral-analysis" - - "incident-response" - - "malware-analysis" - - tags: - - "tor" - - "privacy" - - "anonymity" - - "dark-web" - - "security" - - "anti-surveillance" - - "onion-routing" - - references: - - title: "Tor Project" - url: "https://www.torproject.org/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Privacy settings persist until manual reconfiguration" - volatility: "Anonymity tool usage provides evidence of privacy-conscious behavior" - - related_artifacts: - - "privacy_tools" - - "browser_security" - - "anonymity_software" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/browser/typed_urls.yml b/artifacts/browser/typed_urls.yml deleted file mode 100644 index f222d2a..0000000 --- a/artifacts/browser/typed_urls.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -title: "Internet Explorer Typed URLs" -category: "browser" -description: "URLs manually typed in Internet Explorer address bar with chronological access tracking" - -paths: - - "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs" - - "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime" - -details: - what: | - Internet Explorer maintains a record of URLs that users manually type in the address bar - for autocomplete functionality and user convenience. Stores chronological order of manual - URL entry with corresponding timestamps for each typed address. Provides evidence of - intentional website navigation rather than accidental clicks or redirect-based visits. - - forensic_value: | - Extremely valuable for investigating intentional website visits, manual navigation to - suspicious or malicious sites, and user browsing intent analysis. Shows deliberate - attempts to access specific websites, command and control domains manually entered, - unauthorized browsing to restricted sites, and evidence of users actively seeking - specific content or services. Critical for establishing intent in cybercrime investigations. - - structure: | - Sequential value names (url1, url2, url3, etc.) containing full URLs as REG_SZ data. - TypedURLsTime contains corresponding binary FILETIME timestamps for each URL entry. - Most recent entries receive higher sequential numbers, maintaining chronological order - of manual URL entry events with precise timing information. 
- - examples: - - "url1: https://www.google.com (Common search engine access)" - - "url2: https://malicious-domain.com (Suspicious manual navigation)" - - "url3: http://192.168.1.100:8080 (Direct IP address with non-standard port)" - - "url4: ftp://internal-server.company.com (Internal FTP server access)" - - "url5: https://darkweb-marketplace.onion (Tor hidden service access)" - - "TypedURLsTime: Binary FILETIME timestamps corresponding to each URL" - - "url6: https://sensitive-competitor-site.com (Potential corporate espionage)" - - tools: - - name: "IEHistoryView" - url: "https://www.nirsoft.net/utils/iehv.html" - description: "Comprehensive Internet Explorer history viewer and analyzer" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "BrowsingHistoryView" - url: "https://www.nirsoft.net/utils/browsing_history_view.html" - description: "Universal browser history viewer for multiple browsers" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "Internet Explorer Analysis Tools" - description: "Specialized forensic utilities for IE artifact examination" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Internet Explorer 4.0" - - criticality: "high" - - investigation_types: - - "timeline-analysis" - - "insider-threat" - - "incident-response" - - tags: - - "browser" - - "internet-explorer" - - "manual-navigation" - - "typed-urls" - - "suspicious-domains" - - "user-intent" - - "web-browsing" - - references: - - title: "Microsoft Documentation: Internet Explorer Registry Settings" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/" - type: "official" - - title: 
"Internet Explorer Forensics Guide" - url: "https://www.forensicfocus.com/articles/internet-explorer-forensics/" - type: "research" - - title: "Browser Artifact Analysis for Digital Forensics" - url: "https://www.sans.org/white-papers/33439/" - type: "research" - - retention: - default_location: "Registry hive files (NTUSER.DAT)" - persistence: "Typed URLs persist until manually cleared or registry limit reached" - volatility: "Real-time updates with manual URL entry, immediate evidence of user intent" - - related_artifacts: - - "chrome_history" - - "firefox_history" - - "browser_security" - - "internet_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/cloud/box_sync.yml b/artifacts/cloud/box_sync.yml deleted file mode 100644 index 79a7164..0000000 --- a/artifacts/cloud/box_sync.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -title: "Box Sync and Drive Client" -category: "cloud" -description: "Box Sync and Box Drive configuration, enterprise integration, and file synchronization" - -paths: - - "HKCU\\Software\\Box\\Box" - - "HKLM\\SOFTWARE\\Box\\Box Edit" - - "HKLM\\SOFTWARE\\Box\\Box Sync" - - "HKCU\\Software\\Box\\Box Drive" - -details: - what: | - Box Sync and Box Drive manage enterprise cloud storage synchronization including - folder mapping, authentication with Box enterprise accounts, collaboration settings, - and security policies. Registry tracks installation configurations, user credentials, - folder sync preferences, and Box Edit integration for comprehensive enterprise - content management and secure file sharing in business environments. - - forensic_value: | - Critical for investigating enterprise data exfiltration, unauthorized access to - Box repositories, and violation of corporate data governance policies. Shows evidence - of Box usage in enterprise environments, shared folder access, collaboration - activities, and potential data leakage through Box platform. Essential for analyzing - insider threats and unauthorized data sharing in corporate settings. - - structure: | - Box configuration includes enterprise account identifiers, sync folder locations, - collaboration permissions, security settings, and Box Edit integration preferences. - Enterprise policies control access restrictions, sharing permissions, and data - governance compliance for comprehensive Box platform security management. 
- - examples: - - "BoxSyncPath: C:\\Users\\user\\Box Sync" - - "BoxDrivePath: B:\\ (Box Drive mount point)" - - "EnterpriseID: company.app.box.com (Enterprise Box instance)" - - "UserEmail: user@company.com (Box enterprise account)" - - "CollaborationEnabled: 1 (File collaboration allowed)" - - "BoxEditEnabled: 1 (Box Edit integration active)" - - "OfflineAccess: 0 (Offline file access disabled)" - - tools: - - name: "Box Sync/Drive Settings" - description: "Built-in Box application configuration interface" - - name: "Box Admin Console" - description: "Enterprise Box administration and audit capabilities" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Box Sync Client" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - tags: - - "box" - - "enterprise-storage" - - "collaboration" - - "file-sharing" - - "box-drive" - - "data-governance" - - references: - - title: "Box Drive Documentation" - url: "https://support.box.com/hc/en-us/sections/360007415174-Box-Drive" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Enterprise configurations persist per corporate policies" - volatility: "Collaboration activity provides enterprise data sharing intelligence" - - related_artifacts: - - "enterprise_storage" - - "file_collaboration" - - "data_governance" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/cloud/dropbox_desktop.yml b/artifacts/cloud/dropbox_desktop.yml deleted file mode 100644 index a0fe112..0000000 --- a/artifacts/cloud/dropbox_desktop.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -title: "Dropbox Desktop Client" -category: "cloud" -description: "Dropbox desktop application configuration, sync settings, and account management" - -paths: - - "HKCU\\Software\\Dropbox" - - "HKLM\\SOFTWARE\\Dropbox" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Dropbox" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Dropbox" - -details: - what: | - Dropbox Desktop Client manages file synchronization configuration including sync folder - locations, account authentication, selective sync preferences, bandwidth controls, - and LAN sync settings. Registry stores installation paths, user credentials, team - folder configurations, and Smart Sync behavior for comprehensive cloud storage - management and collaborative file sharing across multiple devices and platforms. - - forensic_value: | - Essential for investigating data exfiltration through Dropbox, unauthorized file - sharing with external parties, and intellectual property theft. Shows evidence of - Dropbox usage patterns, shared folder access, team memberships, and potential data - leakage vectors. Can reveal deliberate data theft through personal Dropbox accounts - or unauthorized sharing of sensitive corporate information. - - structure: | - Dropbox configuration includes account identifiers, sync folder paths, selective - sync exclusions, bandwidth settings, LAN sync preferences, and Smart Sync policies. - Team configuration shows business account integration, shared folder access, and - administrative controls for enterprise Dropbox management. 
- - examples: - - "DropboxPath: C:\\Users\\user\\Dropbox" - - "AccountEmail: user@company.com (Business Dropbox account)" - - "AccountEmail: personal@email.com (Personal Dropbox account)" - - "SelectiveSync: {Private, Confidential} (Excluded folders)" - - "LanSync: 1 (Local network synchronization enabled)" - - "SmartSync: 1 (Online-only files enabled)" - - "BandwidthLimit: 100 (Upload limit in KB/s)" - - tools: - - name: "Dropbox Desktop Preferences" - description: "Built-in Dropbox configuration and account management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Dropbox Business Admin Console" - description: "Enterprise Dropbox monitoring and audit tools" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Dropbox Desktop Client" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - tags: - - "dropbox" - - "cloud-storage" - - "file-sharing" - - "team-folders" - - "smart-sync" - - "data-exfiltration" - - references: - - title: "Dropbox Desktop App" - url: "https://help.dropbox.com/desktop/get-started" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Sync settings persist until manually changed or app removal" - volatility: "Real-time sync activity provides data movement evidence" - - related_artifacts: - - "file_access_history" - - "browser_downloads" - - "recent_documents" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/cloud/google_drive_desktop.yml b/artifacts/cloud/google_drive_desktop.yml deleted file mode 100644 index 5d10259..0000000 --- a/artifacts/cloud/google_drive_desktop.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -title: "Google Drive Desktop Client" -category: "cloud" -description: "Google Drive for Desktop configuration, sync settings, and account information" - -paths: - - "HKCU\\Software\\Google\\Drive" - - "HKCU\\Software\\Google\\DriveFS" - - "HKLM\\SOFTWARE\\Google\\Drive" - - "HKLM\\SOFTWARE\\Google\\Update\\Clients\\{E5972223-1C8E-4C23-8010-F2B6F9F24818}" - -details: - what: | - Google Drive Desktop Client stores synchronization configuration including sync folder - locations, account authentication data, selective sync preferences, bandwidth settings, - and file stream configurations. Registry tracks installation paths, user accounts, - Google Workspace integration, backup settings, and Drive File Stream behavior for - comprehensive cloud storage management and file synchronization across devices. - - forensic_value: | - Critical for investigating data exfiltration through Google Drive, unauthorized file - sharing to personal accounts, and intellectual property theft. Shows evidence of - Google Drive usage patterns, synced folder locations, account associations, and - potential data leakage vectors. Can reveal deliberate or accidental exposure of - sensitive corporate data through personal Google accounts and unauthorized synchronization. - - structure: | - Google Drive configuration includes account identifiers, sync root paths, selective - sync folder lists, bandwidth throttling settings, and Drive File Stream mounting - options. Installation data provides version information, update preferences, and - integration settings for comprehensive Google Drive behavior analysis. 
- - examples: - - "SyncRootPath: C:\\Users\\user\\Google Drive" - - "Account: user@company.com (Google Workspace account)" - - "Account: personal@gmail.com (Personal Google account)" - - "DriveFS MountPoint: G:\\ (Drive File Stream mount)" - - "SelectiveSync: {folder1, folder2} (Only specific folders synchronized)" - - "BandwidthRx: 1024 (Download bandwidth limit in KB/s)" - - "BandwidthTx: 512 (Upload bandwidth limit in KB/s)" - - tools: - - name: "Google Drive Desktop Settings" - description: "Built-in Google Drive configuration interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Google Takeout" - url: "https://takeout.google.com" - description: "Google data export tool for comprehensive analysis" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Google Drive Desktop (2021)" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - tags: - - "google-drive" - - "cloud-storage" - - "data-sync" - - "file-sharing" - - "google-workspace" - - "data-exfiltration" - - references: - - title: "Google Drive Desktop Documentation" - url: "https://support.google.com/drive/answer/7329379" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Configuration persists until application removal or account changes" - volatility: "Sync activity provides ongoing data movement intelligence" - - related_artifacts: - - "browser_downloads" - - "recent_documents" - - "file_access_history" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/cloud/icloud.yml b/artifacts/cloud/icloud.yml deleted file mode 100644 index d79eac9..0000000 
--- a/artifacts/cloud/icloud.yml
+++ /dev/null
@@ -1,98 +0,0 @@ -title: "iCloud for Windows Client" -category: "cloud" -description: "iCloud for Windows configuration, Apple ID integration, and sync settings" - -paths: - - "HKCU\\Software\\Apple Inc.\\iCloud" - - "HKLM\\SOFTWARE\\Apple Inc.\\iCloud" - - "HKCU\\Software\\Apple Inc.\\Mobile Device Support" - - "HKLM\\SOFTWARE\\Apple Inc.\\Apple Application Support" - -details: - what: | - iCloud for Windows enables synchronization between Windows computers and Apple's - iCloud services including iCloud Drive, Photos, Mail, Contacts, Calendar, and - Bookmarks. Registry stores Apple ID authentication, sync preferences, storage - locations, and integration settings for seamless data sharing between Windows - and Apple ecosystem devices including iPhone, iPad, and Mac computers. - - forensic_value: | - Important for investigating data synchronization between Windows systems and Apple - devices, cross-platform data exfiltration, and unauthorized access to Apple - ecosystem data. Shows evidence of iCloud usage, Apple ID associations, synced - content types, and potential data leakage between corporate Windows systems and - personal Apple devices through iCloud synchronization. - - structure: | - iCloud configuration includes Apple ID credentials, sync service enablement - (Drive, Photos, Mail, Contacts, Calendar), storage locations, and device - associations. Integration settings control Windows Explorer and Outlook - synchronization with iCloud services for comprehensive cross-platform data management. 
- - examples: - - "AppleID: user@icloud.com (Associated Apple ID)" - - "iCloudDrive: 1 (iCloud Drive sync enabled)" - - "Photos: 1 (iCloud Photos sync enabled)" - - "Mail: 0 (iCloud Mail sync disabled)" - - "Contacts: 1 (Contact synchronization enabled)" - - "Calendar: 1 (Calendar sync with Outlook enabled)" - - "BookmarkSync: 1 (Safari bookmark synchronization)" - - tools: - - name: "iCloud for Windows Settings" - description: "Built-in iCloud configuration and sync management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Apple ID Account Management" - description: "Apple's account and device management portal" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "iCloud for Windows" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "behavioral-analysis" - - "timeline-analysis" - - tags: - - "icloud" - - "apple-ecosystem" - - "cross-platform" - - "data-sync" - - "apple-id" - - "mobile-integration" - - references: - - title: "iCloud for Windows Support" - url: "https://support.apple.com/en-us/HT204283" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Apple ID and sync settings persist until manually changed" - volatility: "Cross-platform sync provides ongoing data movement evidence" - - related_artifacts: - - "mobile_sync" - - "cross_platform_data" - - "cloud_integration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/cloud/onedrive_sync.yml b/artifacts/cloud/onedrive_sync.yml deleted file mode 100644 index 85255a9..0000000 --- a/artifacts/cloud/onedrive_sync.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: "OneDrive Cloud Storage Integration" -category: "cloud" -description: "OneDrive sync settings, account configuration, file synchronization status, and cloud storage integration" - -paths: - - "HKCU\\Software\\Microsoft\\OneDrive" - - "HKLM\\SOFTWARE\\Microsoft\\OneDrive" - - "HKCU\\Software\\Microsoft\\OneDrive\\Accounts" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager" - -details: - what: | - OneDrive cloud storage integration configuration includes sync folder locations, account details, - synchronization preferences, bandwidth throttling settings, file collaboration configurations, - and cloud storage management policies. Controls automatic file synchronization, selective sync - settings, version history, sharing permissions, and integration with Windows Explorer for - seamless cloud storage access and file management across multiple devices. - - forensic_value: | - Critical for investigating cloud-based data exfiltration, unauthorized file sharing, and - corporate data leakage through cloud storage services. Shows evidence of files uploaded - to cloud storage, account configurations that may indicate unauthorized access, sync - patterns that could reveal data theft timelines, and sharing activities that might - expose sensitive information. Essential for understanding cloud storage usage in insider - threat and data breach investigations. - - structure: | - OneDrive configuration includes UserFolder (local sync directory), Accounts subkey with - cloud account details, Business/Personal account separation, sync status information, - and SyncRootManager entries for cloud storage integration. Settings control file - synchronization behavior, bandwidth usage, sharing permissions, and cloud service - authentication with various registry data types. 
- - examples: - - "UserFolder: C:\\Users\\user\\OneDrive (Default OneDrive sync location)" - - "Accounts\\Personal\\UserEmail: user@outlook.com (Personal Microsoft account)" - - "Accounts\\Business1\\UserEmail: user@company.com (Corporate OneDrive account)" - - "EnableAllOcsiClients: 1 (Office integration enabled)" - - "DisablePersonalSync: 1 (Personal OneDrive sync disabled by policy)" - - "PreventNetworkTrafficPreUserSignIn: 0 (Allow network traffic before signin)" - - "SyncRootManager\\OneDrive: Cloud storage root configuration" - - tools: - - name: "OneDrive Settings" - description: "Built-in OneDrive configuration and account management interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "OneDrive Sync Status" - description: "Built-in Windows sync status and troubleshooting tools" - - name: "Cloud Storage Analyzer" - description: "Third-party tools for analyzing cloud storage configurations" - - name: "Group Policy Editor" - description: "Enterprise OneDrive policy management and configuration" - -metadata: - windows_versions: - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 8.1" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - "incident-response" - - tags: - - "cloud" - - "onedrive" - - "data-synchronization" - - "cloud-storage" - - "file-sharing" - - "data-exfiltration" - - "collaboration" - - "remote-access" - - references: - - title: "Microsoft Documentation: OneDrive" - url: "https://docs.microsoft.com/en-us/onedrive/" - type: "official" - - title: "OneDrive Security and Compliance" - url: "https://docs.microsoft.com/en-us/onedrive/security/" - type: "official" - - title: "Cloud Storage Security Analysis" - url: 
"https://www.sans.org/white-papers/39847/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "OneDrive settings persist until account removal or policy changes" - volatility: "Sync status and file operations provide real-time cloud activity evidence" - - related_artifacts: - - "user_profiles" - - "network_interfaces" - - "recent_docs" - - "file_associations" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/communication/discord.yml b/artifacts/communication/discord.yml deleted file mode 100644 index 4b8190a..0000000 --- a/artifacts/communication/discord.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -title: "Discord Desktop Client" -category: "communication" -description: "Discord application configuration, server memberships, and communication settings" - -paths: - - "HKCU\\Software\\Discord" - - "HKLM\\SOFTWARE\\Discord Inc\\Discord" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Discord" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord" - -details: - what: | - Discord Desktop Client manages gaming and community communication including text - chat, voice channels, screen sharing, and server memberships. Registry stores - user authentication, server configurations, notification settings, privacy - preferences, and integration options for comprehensive gaming-focused - communication platform with potential corporate usage scenarios. - - forensic_value: | - Important for investigating unauthorized external communications, potential data - sharing through Discord channels, gaming-related activities, and evidence of - informal communication channels that bypass corporate monitoring. Can reveal - membership in suspicious servers, external contact patterns, and potential - data exfiltration through gaming communication platforms. - - structure: | - Discord configuration includes user identifiers, server memberships, privacy - settings, notification preferences, and voice/video call configurations. - Authentication data shows account associations and login patterns for - comprehensive Discord usage analysis and communication behavior tracking. 
- - examples: - - "UserID: 123456789012345678 (Discord user identifier)" - - "Username: employee_username (Discord display name)" - - "AutoStart: 1 (Discord starts with Windows)" - - "MinimizeToTray: 1 (Minimize to system tray)" - - "EnableGameOverlay: 0 (Game overlay disabled)" - - "StreamNotifications: 1 (Stream notifications enabled)" - - "VoiceMode: PushToTalk (Voice activation method)" - - tools: - - name: "Discord Desktop Settings" - description: "Built-in Discord configuration and privacy controls" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Discord Server Audit Tools" - description: "Third-party tools for Discord server and user analysis" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Discord Desktop Client" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "behavioral-analysis" - - "timeline-analysis" - - tags: - - "discord" - - "gaming-communication" - - "informal-channels" - - "voice-chat" - - "screen-sharing" - - "community-platforms" - - references: - - title: "Discord Support Documentation" - url: "https://support.discord.com/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "User preferences and server memberships persist across sessions" - volatility: "Communication activity provides ongoing behavioral intelligence" - - related_artifacts: - - "gaming_applications" - - "informal_communication" - - "voice_chat_history" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/communication/microsoft_teams.yml b/artifacts/communication/microsoft_teams.yml deleted file mode 100644 index fcab1a4..0000000 
--- a/artifacts/communication/microsoft_teams.yml
+++ /dev/null
@@ -1,98 +0,0 @@ -title: "Microsoft Teams Desktop Client" -category: "communication" -description: "Microsoft Teams configuration, account integration, and collaboration settings" - -paths: - - "HKCU\\Software\\Microsoft\\Office\\Teams" - - "HKLM\\SOFTWARE\\Microsoft\\Teams" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\MSTeams_8wekyb3d8bbwe!MSTeams" - - "HKCU\\Software\\Microsoft\\Office\\16.0\\Teams" - -details: - what: | - Microsoft Teams Desktop Client manages enterprise communication including chat, - video conferencing, file sharing, and collaboration workspace integration. - Registry stores user authentication, tenant configurations, meeting settings, - notification preferences, and integration with Office 365 and Microsoft 365 - services for comprehensive workplace collaboration and communication management. - - forensic_value: | - Critical for investigating internal communications, unauthorized external contacts, - data sharing through Teams channels, and evidence of collaboration activities. - Shows evidence of Teams usage patterns, tenant memberships, external meeting - participation, and potential data exfiltration through Teams file sharing and - communication channels in enterprise environments. - - structure: | - Teams configuration includes tenant identifiers, user principal names, meeting - policies, chat settings, file sharing permissions, and device integration - preferences. Enterprise policies control external access, guest permissions, - and data governance compliance for comprehensive Teams security management. 
- - examples: - - "TenantId: company.onmicrosoft.com (Office 365 tenant)" - - "UserPrincipalName: user@company.com (Teams account identifier)" - - "AllowExternalAccess: 0 (External Teams communication blocked)" - - "AllowGuestAccess: 1 (Guest users allowed in meetings)" - - "RecordingPolicy: Enabled (Meeting recording allowed)" - - "FileSharing: Restricted (Limited file sharing capabilities)" - - "RingOnOtherApps: 1 (Cross-device calling enabled)" - - tools: - - name: "Microsoft Teams Admin Center" - description: "Enterprise Teams administration and policy management" - - name: "Teams Desktop Client Settings" - description: "Built-in Teams configuration interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Microsoft Teams (2017)" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "data-exfiltration" - - "behavioral-analysis" - - tags: - - "teams" - - "microsoft-365" - - "enterprise-communication" - - "collaboration" - - "video-conferencing" - - "file-sharing" - - references: - - title: "Microsoft Teams Documentation" - url: "https://docs.microsoft.com/en-us/microsoftteams/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Enterprise configurations managed by organizational policies" - volatility: "Communication patterns provide ongoing collaboration intelligence" - - related_artifacts: - - "office_integration" - - "enterprise_communication" - - "collaboration_tools" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/communication/slack.yml b/artifacts/communication/slack.yml
deleted file mode 100644
index 7a2fdd6..0000000
--- a/artifacts/communication/slack.yml
+++ /dev/null
@@ -1,98 +0,0 @@ -title: "Slack Desktop Application" -category: "communication" -description: "Slack workspace configuration, team memberships, and enterprise communication settings" - -paths: - - "HKCU\\Software\\Slack\\Teams" - - "HKLM\\SOFTWARE\\Slack Technologies\\Slack" - - "HKCU\\Software\\Slack Technologies Inc\\Slack" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\SlackTechnologies.Slack_4k3xh6g9q8ydm!App" - -details: - what: | - Slack Desktop Application manages workplace communication including channel - memberships, direct messaging, file sharing, and workspace integration. - Registry stores workspace configurations, user credentials, notification - settings, and team associations for comprehensive enterprise communication - platform with extensive third-party integration capabilities and collaboration features. - - forensic_value: | - Essential for investigating workplace communications, unauthorized workspace - access, data sharing through Slack channels, and evidence of internal - collaboration or conspiracy. Shows evidence of workspace memberships, external - Slack usage, file sharing activities, and potential data exfiltration through - Slack's extensive integration and file sharing capabilities. - - structure: | - Slack configuration includes workspace identifiers, team memberships, user - authentication, notification preferences, and integration settings. Workspace - data shows team domains, user roles, and access permissions for comprehensive - Slack usage analysis and workplace communication behavior tracking. 
- - examples: - - "Team: company-workspace.slack.com (Primary workspace)" - - "Team: external-partner.slack.com (External workspace access)" - - "UserID: U123456789 (Slack user identifier)" - - "Email: user@company.com (Associated email address)" - - "NotificationSound: 1 (Audio notifications enabled)" - - "AutoHideMenuBar: 0 (Menu bar always visible)" - - "ShowUnreadBadge: 1 (Unread message indicators enabled)" - - tools: - - name: "Slack Desktop Preferences" - description: "Built-in Slack configuration and workspace management" - - name: "Slack Enterprise Grid Admin" - description: "Enterprise Slack administration and audit capabilities" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Slack Desktop Application" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "data-exfiltration" - - "behavioral-analysis" - - tags: - - "slack" - - "workplace-communication" - - "team-collaboration" - - "workspace-access" - - "enterprise-messaging" - - "file-sharing" - - references: - - title: "Slack Documentation" - url: "https://slack.com/help" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Workspace memberships and settings persist per user configuration" - volatility: "Workspace activity provides ongoing workplace communication intelligence" - - related_artifacts: - - "workplace_communication" - - "team_collaboration" - - "enterprise_messaging" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/communication/telephony.yml b/artifacts/communication/telephony.yml deleted file mode 100644 index fee8192..0000000 
--- a/artifacts/communication/telephony.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: "Windows Telephony and Communication Services" -category: "communication" -description: "TAPI configuration, VoIP settings, messaging protocols, and communication service integration" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Telephony" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Communications" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TapiSrv" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\LocalSystemNetworkRestricted" - -details: - what: | - Windows Telephony Application Programming Interface (TAPI) and communication services - configuration encompasses VoIP integration, telephony service providers, communication - device management, messaging protocols, and unified communication platform settings. - Controls phone integration, voice services, messaging applications, and communication - protocol support for enterprise and consumer communication solutions. - - forensic_value: | - Critical for investigating unauthorized communication channels, VoIP-based data exfiltration, - covert communication protocols, and misuse of communication services for malicious purposes. - Shows evidence of telephony applications, communication service configurations that could - facilitate unauthorized access, and protocol settings that might indicate command and - control communication attempts through legitimate communication channels. - - structure: | - Telephony configuration includes TAPI service providers, communication device registrations, - protocol handlers, messaging service configurations, and VoIP integration settings. - TapiSrv service controls telephony infrastructure with provider registration, device - enumeration, and communication protocol management for comprehensive communication support. 
- - examples: - - "Telephony\\Providers\\Provider0: unimdm.tsp (Universal modem TSP)" - - "Telephony\\Providers\\Provider1: kmddsp.tsp (Kernel mode telephony provider)" - - "Communications\\CallHistoryEnabled: 1 (Call history tracking enabled)" - - "TapiSrv\\Start: 3 (Telephony service manual startup)" - - "VoIPProtocols\\SIP: Enabled (Session Initiation Protocol support)" - - "MessagingProtocols\\SMTP: smtp.company.com:587 (Email server configuration)" - - "CommunicationApps\\Teams: Registered (Microsoft Teams integration)" - - "PhoneIntegration: 1 (Mobile phone integration enabled)" - - tools: - - name: "Phone and Modem Options (telephon.cpl)" - description: "Built-in Windows telephony and modem configuration interface" - - name: "Communication Apps Settings" - description: "Windows communication application configuration and management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "TAPI Browser" - description: "Telephony API configuration analysis and service enumeration tools" - - name: "VoIP Protocol Analyzer" - description: "Tools for analyzing VoIP and communication protocol configurations" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95 (TAPI 1.0)" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "behavioral-analysis" - - "incident-response" - - "lateral-movement" - - tags: - - "communication" - - "telephony" - - "voip" - - "messaging" - - "tapi" - - "communication-protocols" - - "covert-channels" - - "unified-communications" - - references: - - title: 
"Microsoft Documentation: Telephony API (TAPI)" - url: "https://docs.microsoft.com/en-us/windows/win32/tapi/telephony-application-programming-interfaces" - type: "official" - - title: "Windows Communication Services Security" - url: "https://docs.microsoft.com/en-us/windows/security/" - type: "official" - - title: "VoIP Security and Forensics Analysis" - url: "https://www.sans.org/white-papers/33649/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM, NTUSER.DAT)" - persistence: "Communication service configuration persists until service reconfiguration" - volatility: "Protocol settings affect ongoing communication service security and monitoring" - - related_artifacts: - - "network_interfaces" - - "firewall_rules" - - "proxy_settings" - - "installed_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/communication/whatsapp.yml b/artifacts/communication/whatsapp.yml deleted file mode 100644 index 445dc09..0000000 --- a/artifacts/communication/whatsapp.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -title: "WhatsApp Desktop Application" -category: "communication" -description: "WhatsApp Desktop configuration, account linking, and messaging settings" - -paths: - - "HKCU\\Software\\WhatsApp" - - "HKLM\\SOFTWARE\\WhatsApp" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WhatsApp" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\5319275A.WhatsAppDesktop_cv1g1gvanyjgm!App" - -details: - what: | - WhatsApp Desktop Application enables messaging synchronization between mobile - WhatsApp and Windows desktop through QR code linking. Registry stores account - linking data, notification preferences, media download settings, and desktop - integration configuration for comprehensive cross-platform messaging experience - with end-to-end encryption and multimedia sharing capabilities. - - forensic_value: | - Important for investigating personal communication on corporate devices, - unauthorized external messaging, and potential data sharing through WhatsApp's - multimedia capabilities. Shows evidence of personal device linking, messaging - activity patterns, and external communication that may bypass corporate - monitoring through encrypted messaging platform usage. - - structure: | - WhatsApp configuration includes account linking information, notification - settings, media auto-download preferences, and desktop integration options. - Linking data shows mobile device associations and authentication sessions - for comprehensive WhatsApp Desktop usage analysis and communication tracking. 
- - examples: - - "LinkedDevice: Android/iPhone (Linked mobile device type)" - - "AutoDownloadMedia: 1 (Automatic media download enabled)" - - "Notifications: 1 (Desktop notifications enabled)" - - "StartMinimized: 0 (Application starts in normal window)" - - "PlaySounds: 1 (Message notification sounds enabled)" - - "LaunchAtStartup: 1 (WhatsApp starts with Windows)" - - tools: - - name: "WhatsApp Desktop Settings" - description: "Built-in WhatsApp configuration and notification controls" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Mobile Device Analysis Tools" - description: "Complementary mobile forensics for complete WhatsApp analysis" - -metadata: - windows_versions: - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "WhatsApp Desktop (2016)" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "whatsapp" - - "personal-messaging" - - "encrypted-communication" - - "mobile-linking" - - "multimedia-sharing" - - "cross-platform" - - references: - - title: "WhatsApp Desktop Support" - url: "https://faq.whatsapp.com/general/download-and-installation/how-to-download-and-install-whatsapp-desktop" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Account linking and preferences persist until manual disconnection" - volatility: "Messaging activity patterns provide personal communication intelligence" - - related_artifacts: - - "personal_messaging" - - "mobile_device_linking" - - "encrypted_communication" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/communication/zoom.yml b/artifacts/communication/zoom.yml deleted file mode 100644 index c3f992a..0000000 --- a/artifacts/communication/zoom.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -title: "Zoom Desktop Client" -category: "communication" -description: "Zoom video conferencing configuration, meeting settings, and account integration" - -paths: - - "HKCU\\Software\\Zoom\\Installer" - - "HKCU\\Software\\Zoom" - - "HKLM\\SOFTWARE\\Zoom\\ZoomInstaller" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ZoomUMX" - -details: - what: | - Zoom Desktop Client manages video conferencing including meeting participation, - recording settings, security configurations, and account integration. Registry - stores user authentication, meeting preferences, security settings, recording - locations, and enterprise Single Sign-On (SSO) configurations for comprehensive - video communication platform with extensive meeting and webinar capabilities. - - forensic_value: | - Critical for investigating meeting participation, unauthorized external meetings, - recording activities, and potential data sharing through Zoom sessions. Shows - evidence of meeting history, account associations, recording configurations, - and external communication patterns through video conferencing that may bypass - traditional communication monitoring and corporate security controls. - - structure: | - Zoom configuration includes account identifiers, SSO settings, meeting preferences, - recording locations, security configurations, and device integration options. - Enterprise settings control meeting policies, recording permissions, and - external participant restrictions for comprehensive Zoom security management. 
- - examples: - - "Email: user@company.com (Zoom account email)" - - "SSO: company.zoom.us (Enterprise SSO domain)" - - "AutoRecord: 1 (Automatic meeting recording enabled)" - - "RecordPath: C:\\Users\\user\\Documents\\Zoom (Recording save location)" - - "JoinBeforeHost: 0 (Participants cannot join before host)" - - "MuteOnEntry: 1 (Participants muted when joining)" - - "EnableWaitingRoom: 1 (Waiting room security enabled)" - - tools: - - name: "Zoom Desktop Client Settings" - description: "Built-in Zoom configuration and meeting preferences" - - name: "Zoom Admin Portal" - description: "Enterprise Zoom administration and usage analytics" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Zoom Desktop Client" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "zoom" - - "video-conferencing" - - "meeting-recording" - - "remote-collaboration" - - "enterprise-sso" - - "webinars" - - references: - - title: "Zoom Support Documentation" - url: "https://support.zoom.us/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Account and meeting settings persist across application sessions" - volatility: "Meeting activity and recordings provide communication pattern evidence" - - related_artifacts: - - "video_conferencing" - - "meeting_recordings" - - "remote_collaboration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/execution/amcache.yml b/artifacts/execution/amcache.yml deleted file mode 100644 index 0b6d40c..0000000 
--- a/artifacts/execution/amcache.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -title: "AmCache Application Activity Cache" -category: "execution" -description: "Advanced execution tracking with SHA1 hashes, file metadata, and compilation timestamps" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache\\Amcache.hve" - -details: - what: | - AmCache.hve is a registry hive that replaced RecentFileCache.bcf in Windows 8+. - It tracks metadata about executables, installed applications, and drivers including - file paths, SHA1 hashes, compilation times, and detailed program information. - The database contains InventoryApplication, InventoryApplicationFile, and - InventoryDriverBinary entries with rich forensic metadata. - - forensic_value: | - Critical for proving file presence on system even if deleted. Contains SHA1 hashes - for malware identification via VirusTotal. Shows compilation timestamps useful for - correlating with threat actor campaigns. More detailed than ShimCache with richer metadata. - Can identify renamed executables and track software installation patterns. - - structure: | - Registry hive file containing multiple keys: InventoryApplication (installed programs), - InventoryApplicationFile (executables), InventoryDriverBinary (drivers). Each entry - includes FileID (SHA1 hash), file path, size, compilation time, program details, - and binary version information stored in structured data format. 
- - examples: - - "Path: C:\\Users\\user\\Desktop\\malware.exe" - - "SHA1: 9c07abbdd1faa019708cfb54a778748077fe13e3" - - "CompileTime: 2024-01-10 15:30:45" - - "Size: 1,048,576 bytes" - - "Publisher: Unknown Publisher" - - "Product: Suspicious Application" - - "BinaryType: 64-bit" - - "Language: English (United States)" - - tools: - - name: "AmcacheParser" - url: "https://github.com/EricZimmerman/AmcacheParser" - description: "Eric Zimmerman's AmCache parser with timeline output" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser and analysis tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis framework with AmCache plugins" - - name: "KAPE" - url: "https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape" - description: "Artifact collection and parsing framework" - -metadata: - windows_versions: - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 8" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "timeline-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "execution" - - "amcache" - - "sha1-hashes" - - "malware-analysis" - - "compilation-time" - - "file-presence" - - "application-tracking" - - "forensic-timeline" - - references: - - title: "Windows AmCache Analysis" - url: "https://www.mandiant.com/resources/blog/amcache" - type: "research" - - title: "AmCache.hve in Windows 8" - url: "https://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html" - type: "blog" - - title: "SANS AmCache Analysis" - url: "https://www.sans.org/blog/amcache-still-rules-everything-around-me-updated/" - type: "research" - - retention: - default_location: "Registry hive file (Amcache.hve)" - 
persistence: "Survives reboots and system cleaning, persists until hive corruption" - volatility: "Entries can be overwritten but historical data often recoverable" - - related_artifacts: - - "appcompat_cache" - - "userassist" - - "prefetch_settings" - - "muicache" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/app_compat_flags.yml b/artifacts/execution/app_compat_flags.yml deleted file mode 100644 index b962fe7..0000000 --- a/artifacts/execution/app_compat_flags.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: "Application Compatibility Flags and Settings" -category: "execution" -description: "Application compatibility flags, shim layers, and compatibility database entries for legacy application support" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags" - - "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" - -details: - what: | - Application Compatibility Flags control compatibility shims, layers, and fixes - applied to applications for legacy support. Includes compatibility settings, - execution flags, application-specific fixes, and shim database installations. - Manages Windows compatibility infrastructure for running older applications - on newer operating systems through various compatibility mechanisms. - - forensic_value: | - Shows applications that required compatibility fixes, reveals execution history - through compatibility layer application, and can indicate malware attempting - to masquerade as legacy applications or bypass security measures. May reveal - unauthorized compatibility database installations or malicious shim applications - designed to evade detection or modify application behavior. - - structure: | - Layers subkey contains compatibility layer definitions and application assignments. - CompatTelRunner tracks compatibility telemetry execution. InstalledSDB manages - custom shim database installations. Application names as subkeys contain specific - compatibility flags, layer assignments, and execution parameters. 
- - examples: - - "Layers\\application.exe: WIN98 WINXPSP3 256COLOR" - - "Layers\\malware.exe: RUNASADMIN HIGHDPIAWARE" - - "CompatTelRunner\\LastRunTime: 0x01DA2E8F5C6A0000 (FILETIME)" - - "InstalledSDB\\{12345678-1234-5678-9abc-123456789abc}: Custom.sdb" - - "Compatibility Assistant\\Store\\program.exe: 1" - - "ExecutionAlias\\notepad.exe: C:\\Windows\\System32\\notepad.exe" - - "Custom\\suspicious_app.exe: ELEVATECREATEPROCESS" - - "ProcessHistory\\malware.exe: compatibility_check_timestamp" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for compatibility flags analysis" - - name: "Compatibility Administrator" - description: "Microsoft Application Compatibility Toolkit for shim management" - - name: "sdbinst.exe" - description: "Windows shim database installation and management utility" - - name: "Application Compatibility Toolkit" - url: "https://docs.microsoft.com/en-us/windows/deployment/planning/act-technical-reference" - description: "Microsoft toolkit for application compatibility analysis" - - name: "ShimView" - description: "Tools for analyzing installed compatibility shims and databases" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "execution" - - "compatibility" - - "shims" - - "legacy-applications" - - "execution-history" - - "application-layers" - - "compatibility-database" - - "process-behavior" - - references: - - title: "Application Compatibility in Windows" - url: 
"https://docs.microsoft.com/en-us/windows/deployment/planning/compatibility-fixes-for-windows-10" - type: "official" - - title: "Windows Application Compatibility" - url: "https://docs.microsoft.com/en-us/windows/deployment/planning/act-technical-reference" - type: "official" - - title: "Shim Database Analysis" - url: "https://www.sans.org/blog/application-compatibility-shims/" - type: "research" - - title: "Compatibility Flags Forensics" - url: "https://www.forensicfocus.com/articles/application-compatibility-forensics/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, NTUSER.DAT)" - persistence: "Survives reboots and application updates, persists until compatibility changes" - volatility: "Compatibility settings preserved across system updates" - - related_artifacts: - - "appcompat_cache" - - "amcache" - - "userassist" - - "app_paths" - - "image_hijack" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/app_paths.yml b/artifacts/execution/app_paths.yml deleted file mode 100644 index 63b36c2..0000000 --- a/artifacts/execution/app_paths.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -title: "Application Execution Paths" -category: "execution" -description: "Registered application paths for command-line execution without full path specification" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" - -details: - what: | - Windows maintains registry entries that allow applications to be executed - from command line, Run dialog, or Start menu search without specifying full paths. - Contains default executable paths, working directories, and PATH environment - additions for registered applications. Enables convenient application launching - and provides application location information for Windows shell operations. - - forensic_value: | - Shows applications registered for easy execution, can reveal malware that - registers itself for convenient access from command line or Run dialog, - indicates software installation patterns, and shows potential execution - methods. Useful for understanding available execution vectors, identifying - malicious applications that register for easy access, and tracking application installations. - - structure: | - Application names as subkeys with default value pointing to full executable - path. Optional Path value specifies additional directories to add to PATH - environment variable during execution. DropTarget value indicates drag-and-drop - support. Values stored as REG_SZ with optional REG_EXPAND_SZ for environment variables. 
- - examples: - - "notepad.exe\\(Default): C:\\Windows\\System32\\notepad.exe" - - "chrome.exe\\(Default): C:\\Program Files\\Google\\Chrome\\chrome.exe" - - "chrome.exe\\Path: C:\\Program Files\\Google\\Chrome" - - "malware.exe\\(Default): C:\\Temp\\malware.exe" - - "python.exe\\(Default): C:\\Python39\\python.exe" - - "python.exe\\Path: C:\\Python39;C:\\Python39\\Scripts" - - "suspicious_tool.exe\\(Default): C:\\Users\\user\\AppData\\Local\\tool.exe" - - "cmd\\(Default): C:\\Windows\\System32\\cmd.exe" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for App Paths analysis" - - name: "AppPathEdit" - description: "Tools for editing and managing Windows App Paths registry entries" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with app paths enumeration plugins" - - name: "PathEditor" - description: "PATH environment variable and application path management tools" - - name: "AppPathsView" - url: "https://www.nirsoft.net/utils/app_paths_view.html" - description: "NirSoft tool for viewing registered application paths" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "low" - - investigation_types: - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "execution" - - "application-paths" - - "command-line" - - "malware-registration" - - "software-installation" - - "execution-convenience" - - "run-dialog" - - "shell-execution" - - references: - - title: "App Paths Registry Key" - url: 
"https://docs.microsoft.com/en-us/windows/win32/shell/app-registration" - type: "official" - - title: "Application Registration" - url: "https://docs.microsoft.com/en-us/windows/win32/com/application-registration" - type: "official" - - title: "Windows Execution Paths Analysis" - url: "https://www.sans.org/blog/application-execution-paths/" - type: "research" - - title: "App Paths Security Implications" - url: "https://www.forensicfocus.com/articles/app-paths-security/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, NTUSER.DAT)" - persistence: "Survives reboots and application updates, persists until uninstallation" - volatility: "Application path registrations preserved across system updates" - - related_artifacts: - - "file_associations" - - "registry_run_keys" - - "shell_extensions" - - "appcompat_cache" - - "installed_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/appcompat_cache.yml b/artifacts/execution/appcompat_cache.yml deleted file mode 100644 index afad52d..0000000 --- a/artifacts/execution/appcompat_cache.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -title: "Application Compatibility Cache (ShimCache)" -category: "execution" -description: "Application execution tracking with file paths, timestamps, and execution indicators across Windows versions" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache" - -details: - what: | - Windows Application Compatibility Cache (ShimCache) tracks executable files that have been run - or accessed on the system. Stores file paths, file sizes, last modification times, and execution - flags to determine if compatibility shims need to be applied for legacy applications. The cache - helps Windows decide whether to apply compatibility fixes when applications are executed. - - forensic_value: | - Provides critical evidence of program execution even when other artifacts are missing or deleted. - Shows both executed and accessed executables with precise timestamps. Survives prefetch deletion, - log clearing, and basic system cleaning. Essential for malware analysis, timeline reconstruction, - and proving program execution. Can detect renamed executables and portable applications. - - structure: | - Binary data structure containing arrays of file entries. Each entry includes Unicode file path, - file size (bytes), last modification time (FILETIME), and execution flag. Structure varies - significantly between Windows versions: XP uses different format than Win7, Win8+ uses - compressed format. Entries stored in chronological order of access/execution. 
- - examples: - - "File: C:\\Windows\\System32\\cmd.exe" - - "Size: 289,792 bytes" - - "Modified: 2024-01-15 14:30:25 UTC" - - "Executed: True" - - "Malware: C:\\Users\\user\\Desktop\\suspicious.exe" - - "Portable: D:\\PortableApps\\tool.exe" - - "Network: \\\\server\\share\\application.exe" - - "Path Format: \\??\\C:\\Temp\\malware.exe" - - tools: - - name: "AppCompatCacheParser" - url: "https://github.com/EricZimmerman/AppCompatCacheParser" - description: "Eric Zimmerman's comprehensive ShimCache parser with timeline output" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with built-in ShimCache parsing" - - name: "ShimCacheParser" - url: "https://github.com/mandiant/ShimCacheParser" - description: "Mandiant's Python-based ShimCache analysis tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis framework with shimcache.pl plugin" - - name: "KAPE" - url: "https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape" - description: "Artifact collection framework with ShimCache modules" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "timeline-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "execution" - - "shimcache" - - "timeline" - - "malware-analysis" - - "application-tracking" - - "file-execution" - - "compatibility-cache" - - "program-evidence" - - references: - - title: "Application Compatibility Cache" - url: "https://docs.microsoft.com/en-us/windows/win32/devnotes/application-compatibility-cache" 
- type: "official" - - title: "Leveraging the Application Compatibility Cache in Forensic Investigations" - url: "https://www.mandiant.com/resources/blog/caching-out-the-val" - type: "research" - - title: "Windows ShimCache Forensics" - url: "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shimcache/" - type: "research" - - title: "Registry Analysis: ShimCache" - url: "https://www.forensicfocus.com/articles/registry-analysis-application-compatibility-cache/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Survives reboots, system cleaning, and prefetch deletion" - volatility: "Limited cache size may cause older entries to be overwritten" - - related_artifacts: - - "amcache" - - "userassist" - - "muicache" - - "prefetch_settings" - - "recent_docs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/docker.yml b/artifacts/execution/docker.yml deleted file mode 100644 index 60b3fcc..0000000 --- a/artifacts/execution/docker.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -title: "Docker Desktop Container Platform" -category: "virtualization" -description: "Docker Desktop configuration, container management, and development environment settings" - -paths: - - "HKCU\\Software\\Docker Inc\\Docker Desktop" - - "HKLM\\SOFTWARE\\Docker Inc\\Docker Desktop" - - "HKCU\\Software\\Classes\\docker" - - "HKLM\\SOFTWARE\\Classes\\docker" - -details: - what: | - Docker Desktop manages container development including container creation, - image management, volume mounting, and network configuration. Registry stores - installation settings, runtime preferences, resource allocations, and integration - configurations for comprehensive containerized development environment analysis - and modern application deployment workflow tracking. - - forensic_value: | - Important for investigating containerized application development, potential - isolation bypass attempts, container-based malware analysis, and modern - development workflows. Shows evidence of container usage, image downloads, - development environment setups, and can reveal container-based data exfiltration, - isolated development activities, and advanced development practices. - - structure: | - Docker Desktop configuration includes installation paths, resource settings, - container runtime preferences, volume mount configurations, and network - settings. Container registry tracks image repositories, development workflows, - and containerization activities for comprehensive container platform analysis. 
- - examples: - - "InstallPath: C:\\Program Files\\Docker\\Docker\\Docker Desktop.exe" - - "ResourceSettings: CPUs=4, Memory=8GB" - - "EnableKubernetesCluster: 1 (Kubernetes integration enabled)" - - "ShareDrives: C:\\ (Host drive sharing enabled)" - - "FileSharing: C:\\Development (Shared development directory)" - - "ProxySettings: http://proxy.company.com:8080" - - "WSL2Backend: 1 (Windows Subsystem for Linux backend)" - - tools: - - name: "Docker Desktop GUI" - description: "Docker's graphical container management interface" - - name: "docker CLI" - description: "Docker command-line interface for container operations" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Docker Desktop for Windows" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "docker" - - "containers" - - "virtualization" - - "development" - - "microservices" - - "deployment" - - "isolation" - - references: - - title: "Docker Desktop Documentation" - url: "https://docs.docker.com/desktop/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Container platform settings persist until reconfiguration" - volatility: "Container development activity provides modern application deployment evidence" - - related_artifacts: - - "development_tools" - - "virtualization_settings" - - "wsl_configuration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/execution/git.yml b/artifacts/execution/git.yml deleted file mode 100644 index 009afed..0000000 --- a/artifacts/execution/git.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -title: "Git Source Code Management Configuration" -category: "execution" -description: "Git version control system configuration, repository history, and development activity tracking" - -paths: - - "HKCU\\Software\\Git" - - "HKLM\\SOFTWARE\\Git" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Git_is1" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Git_is1" - -details: - what: | - Git stores version control configuration including user credentials, repository - settings, remote URLs, and development workflow preferences. Registry tracks - installation paths, global configuration, credential helpers, and integration - settings for comprehensive source code management analysis and development - activity tracking in software projects and collaborative programming environments. - - forensic_value: | - Critical for investigating software development activities, source code access, - intellectual property theft, and evidence of programming work. Shows evidence - of repository cloning, commit activity, remote server access, and can reveal - unauthorized code access, stolen source code, insider development activities, - and software project involvement in corporate or personal development scenarios. - - structure: | - Git configuration includes installation directories, user identity settings, - credential storage methods, repository paths, and integration preferences. - Global configuration data shows default behavior, authentication methods, - and remote repository access patterns for comprehensive development activity analysis. 
- - examples: - - "InstallPath: C:\\Program Files\\Git" - - "GitConfig: user.name=John Developer" - - "GitConfig: user.email=john@company.com" - - "GitConfig: credential.helper=manager-core" - - "RecentRepo: https://github.com/company/sensitive-project.git" - - "RecentRepo: git@internal-server:proprietary-code.git" - - "GitBash: C:\\Program Files\\Git\\bin\\bash.exe" - - tools: - - name: "Git Bash / Git GUI" - description: "Git command-line and graphical user interfaces" - - name: "git config --list" - description: "Command to display all Git configuration settings" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Git Credential Manager" - description: "Secure credential storage for Git operations" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Git for Windows" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "data-exfiltration" - - "behavioral-analysis" - - tags: - - "git" - - "version-control" - - "source-code" - - "development" - - "repositories" - - "programming" - - "intellectual-property" - - references: - - title: "Git Documentation" - url: "https://git-scm.com/doc" - type: "official" - - title: "Git for Windows" - url: "https://gitforwindows.org/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Git configuration persists until manual reconfiguration or uninstallation" - volatility: "Repository access patterns provide ongoing development activity evidence" - - related_artifacts: - - "development_tools" - - "source_code_access" - - "programming_activity" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/execution/muicache.yml b/artifacts/execution/muicache.yml deleted file mode 100644 index efe4503..0000000 --- a/artifacts/execution/muicache.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -title: "MUICache Application Names" -category: "execution" -description: "Multilingual User Interface cache tracking executed programs with friendly display names" - -paths: - - "HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache" - - "HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache" - -details: - what: | - Windows MUICache stores the friendly display names of executed programs - for multilingual interface support. Tracks applications that have been - run by caching their localized names, descriptions, and version information. - Helps Windows display proper application names in various UI contexts regardless - of system language settings. - - forensic_value: | - Provides evidence of program execution with human-readable application names. - Complements other execution artifacts by showing what programs were actually - launched with their proper names. Useful for identifying renamed executables, - suspicious programs masquerading as legitimate software, and portable applications. - Can reveal execution of programs that may not appear in other execution artifacts. - - structure: | - Full executable paths as value names with corresponding friendly names as - REG_SZ value data. Includes both system programs and user applications. - Cache persists across reboots and system updates. Path format includes - drive letters and full directory structures for precise program identification. 
- - examples: - - "C:\\Windows\\System32\\cmd.exe: Command Prompt" - - "C:\\Program Files\\Notepad++\\notepad++.exe: Notepad++" - - "C:\\Users\\user\\Desktop\\malware.exe: Suspicious Application" - - "C:\\Windows\\explorer.exe: Windows Explorer" - - "D:\\PortableApps\\Firefox\\firefox.exe: Mozilla Firefox" - - "C:\\Tools\\SysinternalsSuite\\procexp.exe: Process Explorer" - - "C:\\Temp\\renamed_calc.exe: Calculator" - - "\\\\server\\tools\\admin_tool.exe: Network Administration Tool" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with MUICache parsing capabilities" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis framework with muicache.pl plugin" - - name: "MUICache Parser" - description: "Specialized tools for MUICache analysis and correlation" - - name: "ExecutedProgramsList" - url: "https://www.nirsoft.net/utils/executed_programs_list.html" - description: "NirSoft tool showing executed programs from multiple sources" - - name: "LastActivityView" - url: "https://www.nirsoft.net/utils/computer_activity_view.html" - description: "Comprehensive computer activity viewer including MUICache" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "execution" - - "application-names" - - "program-tracking" - - "malware-analysis" - - "multilingual-interface" - - "friendly-names" - - "program-identification" - - "portable-applications" - - references: - - title: "Windows MUICache Registry Key" 
- url: "https://www.aldeid.com/wiki/Windows-muicache-registry-key" - type: "research" - - title: "Registry Forensics: MUICache Analysis" - url: "https://www.forensicfocus.com/articles/windows-registry-analysis-muicache/" - type: "research" - - title: "Digital Forensics: Application Execution Artifacts" - url: "https://www.sans.org/blog/execution-artifacts-in-the-windows-registry/" - type: "research" - - title: "Windows Shell Cache Analysis" - url: "https://articles.forensicfocus.com/2010/03/15/windows-shell-cache-analysis/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives reboots and application uninstallation, persists per user profile" - volatility: "Cache may be cleared but typically persists through normal system usage" - - related_artifacts: - - "appcompat_cache" - - "amcache" - - "userassist" - - "recent_docs" - - "shellbags" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/powershell_policy.yml b/artifacts/execution/powershell_policy.yml deleted file mode 100644 index 0f999d5..0000000 --- a/artifacts/execution/powershell_policy.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -title: "PowerShell Execution Policy and Configuration" -category: "execution" -description: "PowerShell execution policies, module logging, script execution settings, and security configurations" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell" - - "HKCU\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell" - - "HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell" - - "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine" - -details: - what: | - PowerShell execution policy settings control script execution permissions, - logging configuration, transcription settings, module loading policies, and - security restrictions for PowerShell script execution. Determines security - restrictions, audit capabilities, and execution environments for PowerShell - across different user contexts and security zones. - - forensic_value: | - Shows if PowerShell security was weakened to allow malicious script execution, - reveals logging configuration that may hide or expose malicious activity, - indicates PowerShell usage patterns, and can reveal attempts to bypass security - controls. Critical for analyzing script-based attacks, PowerShell Empire usage, - and advanced persistent threats using PowerShell for persistence and lateral movement. - - structure: | - ExecutionPolicy values control script execution (Restricted, AllSigned, RemoteSigned, - Unrestricted, Bypass), logging settings for ScriptBlock and Module logging, - transcription paths, constrained language mode settings, and AMSI bypass attempts - stored as REG_SZ and REG_DWORD values with policy inheritance hierarchies. 
- - examples: - - "ExecutionPolicy: Unrestricted (allows all scripts)" - - "EnableScriptBlockLogging: 1 (detailed script logging enabled)" - - "EnableTranscripting: 1 (session transcription enabled)" - - "OutputDirectory: C:\\Logs\\PowerShell_Transcripts" - - "EnableModuleLogging: 1 (module activity logging)" - - "ModuleNames: * (log all modules)" - - "ConstrainedLanguageMode: 0 (full language mode)" - - "ScriptBlockInvocationLogging: 1 (detailed invocation logging)" - - "EnableScriptBlockInvocationLogging: 1" - - "PSVersion: 5.1.19041.1682" - - tools: - - name: "Get-ExecutionPolicy PowerShell" - description: "Built-in PowerShell cmdlet for checking current execution policy" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for PowerShell policy analysis" - - name: "PowerShell ISE" - description: "Integrated Scripting Environment for PowerShell development and testing" - - name: "Event Viewer" - description: "Windows Event Viewer for PowerShell execution logs (Event IDs 4103, 4104)" - - name: "PowerShell Security Scanner" - description: "Tools for analyzing PowerShell security configuration and threats" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "PowerShell 1.0 (2006)" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "persistence-analysis" - - "incident-response" - - "behavioral-analysis" - - "lateral-movement" - - tags: - - "execution" - - "powershell" - - "script-execution" - - "security-policy" - - "logging" - - "malware-analysis" - - "execution-bypass" - - "amsi" - - "constrained-language" - - references: - - title: "PowerShell Execution Policies" - url: 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies" - type: "official" - - title: "PowerShell Security Best Practices" - url: "https://docs.microsoft.com/en-us/powershell/scripting/security/powershell-security-best-practices" - type: "official" - - title: "MITRE ATT&CK: PowerShell" - url: "https://attack.mitre.org/techniques/T1059/001/" - type: "research" - - title: "PowerShell Logging and Security" - url: "https://www.sans.org/blog/powershell-logging-and-security/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, NTUSER.DAT)" - persistence: "Survives reboots, persists until policy changes or system reconfiguration" - volatility: "Policy changes overwrite previous settings, audit logs retain execution history" - - related_artifacts: - - "registry_run_keys" - - "scheduled_tasks" - - "wmi_events" - - "event_log_config" - - "app_compat_flags" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/prefetch_settings.yml b/artifacts/execution/prefetch_settings.yml deleted file mode 100644 index b87f639..0000000 --- a/artifacts/execution/prefetch_settings.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -title: "Prefetch Service Configuration" -category: "execution" -description: "Prefetch service settings, SuperFetch/SysMain behavior, and execution optimization configuration" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\PrefetchParameters" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SysMain" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\ReadyBoot" - -details: - what: | - Windows Prefetch service configuration that controls prefetch file creation, - SuperFetch/SysMain service behavior, ReadyBoot optimization, and application - launch optimization. Determines what execution evidence is preserved in prefetch - files and how the system optimizes application startup performance through - predictive loading and caching mechanisms. - - forensic_value: | - Shows if prefetch was disabled to hide execution evidence, reveals prefetch - configuration that affects forensic artifact availability, and indicates - system optimization settings that impact investigation capabilities. Critical - for understanding why prefetch evidence may be missing and assessing the - completeness of execution artifact preservation on the system. - - structure: | - EnablePrefetcher controls prefetch functionality (0=disabled, 1=application, - 2=boot, 3=both). EnableSuperfetch controls intelligent memory management. - SysMain service settings control advanced prefetch and memory optimization. - MaxPrefetchFiles limits the number of prefetch files retained on the system. 
- - examples: - - "EnablePrefetcher: 3 (Applications and boot prefetch enabled)" - - "EnableSuperfetch: 1 (SuperFetch enabled)" - - "SysMain\\Start: 2 (Automatic startup)" - - "SysMain\\Type: 32 (Win32 service, share process)" - - "MaxPrefetchFiles: 128 (maximum prefetch file retention)" - - "EnableBootTrace: 1 (boot tracing enabled)" - - "TracingPath: %SystemRoot%\\Prefetch" - - "BootTracingPolicy: 3 (comprehensive boot tracing)" - - "Disabled: EnablePrefetcher: 0 (forensic evidence disabled)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for prefetch configuration analysis" - - name: "PECmd" - url: "https://github.com/EricZimmerman/PECmd" - description: "Eric Zimmerman's Prefetch analysis tool" - - name: "Services.msc" - description: "Windows Services management console for SysMain configuration" - - name: "WinPrefetchView" - url: "https://www.nirsoft.net/utils/win_prefetch_view.html" - description: "NirSoft tool for prefetch file analysis and configuration" - - name: "Prefetch Analyzer" - description: "Specialized tools for prefetch configuration and forensic analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "timeline-analysis" - - "incident-response" - - "malware-analysis" - - tags: - - "execution" - - "prefetch" - - "superfetch" - - "sysmain" - - "execution-evidence" - - "forensic-artifacts" - - "performance-optimization" - - "evidence-preservation" - - references: - - title: "Windows Prefetch" - url: "https://docs.microsoft.com/en-us/windows/win32/memory/prefetching" - type: "official" - - title: "SuperFetch and SysMain" - 
url: "https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights" - type: "official" - - title: "Prefetch Analysis in Digital Forensics" - url: "https://www.sans.org/blog/prefetch-analysis-digital-forensics/" - type: "research" - - title: "Windows Performance Optimization Forensics" - url: "https://www.forensicfocus.com/articles/prefetch-forensics/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Survives reboots, persists until configuration changes" - volatility: "Configuration settings preserved across system updates" - - related_artifacts: - - "appcompat_cache" - - "amcache" - - "userassist" - - "performance_monitoring" - - "startup_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/execution/services.yml b/artifacts/execution/services.yml deleted file mode 100644 index 756ba60..0000000 --- a/artifacts/execution/services.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -title: "Windows Services Configuration and Execution" -category: "execution" -description: "Windows service definitions, startup configurations, dependencies, and service-based persistence mechanisms" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ServiceGroupOrder" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\GroupOrderList" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" - -details: - what: | - Windows Services registry contains comprehensive service configuration including executable - paths, startup types, dependencies, security descriptors, service accounts, group memberships, - and failure recovery actions. Controls system service behavior, automatic startup sequences, - service isolation, and inter-service dependencies for complete Windows service management - and execution control across system and user contexts. - - forensic_value: | - Critical for identifying malicious service installation, service hijacking attacks, and - unauthorized service modifications used for persistence. Shows evidence of malware services, - suspicious service configurations, privilege escalation through service accounts, and - service-based backdoors. Essential for detecting advanced persistent threats that abuse - legitimate service infrastructure for stealth and persistence. - - structure: | - Individual service subkeys contain ImagePath (executable), Start (startup type), Type - (service type), ObjectName (service account), DependOnService (dependencies), and - ServiceSidType (security identifier type). Svchost configuration manages service - hosting for shared processes with isolation and security boundaries. 
- - examples: - - "Services\\MaliciousService\\ImagePath: C:\\malware\\backdoor.exe" - - "Services\\Spooler\\Start: 2 (Automatic startup)" - - "Services\\BITS\\Type: 32 (Win32 service, share process)" - - "Services\\TrustedInstaller\\ObjectName: NT SERVICE\\TrustedInstaller" - - "Services\\Themes\\DependOnService: RpcSs (RPC dependency)" - - "Svchost\\netsvcs: BITS,Themes,Schedule,ProfSvc (Service group)" - - "Services\\BackdoorSvc\\FailureActions: [Binary recovery settings]" - - "Services\\SuspiciousSvc\\ServiceSidType: 1 (Unrestricted service SID)" - - tools: - - name: "Services Management Console (services.msc)" - description: "Built-in Windows service management and configuration interface" - - name: "sc.exe" - description: "Service Control command-line utility for service management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals comprehensive service enumeration tool" - - name: "Service Security Analyzer" - description: "Tools for analyzing service security configurations and permissions" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "persistence-analysis" - - "privilege-escalation" - - "incident-response" - - "behavioral-analysis" - - tags: - - "execution" - - "windows-services" - - "persistence" - - "privilege-escalation" - - "service-hijacking" - - "malware-services" - - "system-services" - - 
"service-accounts" - - references: - - title: "Microsoft Documentation: Windows Services" - url: "https://docs.microsoft.com/en-us/windows/win32/services/services" - type: "official" - - title: "MITRE ATT&CK: Windows Service" - url: "https://attack.mitre.org/techniques/T1543/003/" - type: "research" - - title: "Windows Service Security Analysis" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Service configuration persists until service removal or modification" - volatility: "Service settings control ongoing system behavior and security posture" - - related_artifacts: - - "registry_run_keys" - - "scheduled_tasks" - - "winlogon_userinit" - - "startup_programs" - - "lsa_packages" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/execution/userassist.yml b/artifacts/execution/userassist.yml deleted file mode 100644 index a0c8fde..0000000 --- a/artifacts/execution/userassist.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -title: "UserAssist Execution Statistics" -category: "execution" -description: "ROT13-encoded execution statistics including run count and last execution time" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist" - -details: - what: | - Windows UserAssist tracks program execution statistics for GUI applications - accessed through Windows Explorer, desktop, and Start menu. Stores execution - count, last run time, session data, and focus time encoded with ROT13 obfuscation. - Different GUIDs track different application categories and usage patterns. - - forensic_value: | - Provides detailed execution statistics showing how many times programs were run - and when they were last executed. Critical for establishing user behavior patterns, - program usage frequency, and timeline analysis of application execution. Can prove - user interaction with specific applications and reveal usage of portable/malicious tools. - - structure: | - ROT13-encoded executable paths as value names with binary data containing - execution count, last run time (FILETIME), session ID, and focus time. - Multiple subkeys for different program categories and Windows versions. - Data structure varies between Windows versions with consistent core elements. 
- - examples: - - "Encoded: HRZR_PGYFRFFVAT\\{CEBTENF}\\Count" - - "Decoded: UEME_CTLSESSION\\{PROGRAMS}\\Count" - - "Program: notepad.exe" - - "Run Count: 15" - - "Last Executed: 2024-01-15 14:30:25" - - "Focus Time: 120000ms" - - "Session ID: 2" - - "ROT13 Example: abgrCnq.rkr -> notepad.exe" - - tools: - - name: "UserAssistView" - url: "https://www.nirsoft.net/utils/userassist_view.html" - description: "NirSoft tool for viewing and decoding UserAssist data" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with UserAssist parsing" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with userassist.pl plugin" - - name: "UserAssist Parser" - description: "Custom Python/PowerShell scripts for bulk analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "timeline-analysis" - - "behavioral-analysis" - - "incident-response" - - "malware-analysis" - - tags: - - "execution" - - "statistics" - - "program-usage" - - "timeline" - - "user-behavior" - - "rot13-encoding" - - "gui-applications" - - "execution-count" - - references: - - title: "UserAssist Registry Key" - url: "https://www.aldeid.com/wiki/Windows-userassist-keys" - type: "research" - - title: "Decoding UserAssist" - url: "https://blog.didierstevens.com/2009/10/13/userassist/" - type: "blog" - - title: "SANS UserAssist Analysis" - url: "https://www.sans.org/blog/windows-registry-analysis/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives reboots, persists per user profile" - volatility: "Can be cleared but often persists through normal system usage" - - related_artifacts: - - "amcache" - - "appcompat_cache" - - "muicache" - - "recent_docs" - - 
"jump_lists" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/execution/visual_stuido_code.yml b/artifacts/execution/visual_stuido_code.yml deleted file mode 100644 index 411470b..0000000 --- a/artifacts/execution/visual_stuido_code.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -title: "Visual Studio Code Editor Configuration" -category: "execution" -description: "VS Code editor settings, extensions, workspace history, and development environment configuration" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{771FD6B0-FA20-440A-A002-3B3BAC16DC50}_is1" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{EA457B21-F73E-494C-ACAB-524FDE069978}_is1" - - "HKCU\\Software\\Classes\\vscode" - - "HKLM\\SOFTWARE\\Classes\\vscode" - -details: - what: | - Visual Studio Code stores development environment configuration including workspace - settings, installed extensions, recent projects, debugging configurations, and - integrated terminal preferences. Registry manages file associations, protocol - handlers, installation data, and integration settings for comprehensive code - editing and development activity analysis in modern programming environments. - - forensic_value: | - Essential for investigating software development activities, code editing patterns, - project access, and programming-related evidence. Shows evidence of code development, - extension usage, workspace access, and can reveal unauthorized code modifications, - software project involvement, development tool usage, and programming activities - relevant to intellectual property investigations and insider threat analysis. - - structure: | - VS Code configuration includes installation directories, file associations, - protocol handlers, and workspace preferences. Extension data tracks installed - development tools, language support, and productivity enhancements for - comprehensive development environment analysis and programming activity tracking. 
- - examples: - - "InstallLocation: C:\\Users\\user\\AppData\\Local\\Programs\\Microsoft VS Code" - - "FileAssociation: .py -> Visual Studio Code" - - "FileAssociation: .js -> Visual Studio Code" - - "ProtocolHandler: vscode:// (VS Code URL protocol)" - - "RecentWorkspace: C:\\Development\\ProjectName" - - "RecentWorkspace: \\\\server\\shared\\source-code" - - "Extension: ms-python.python (Python development support)" - - tools: - - name: "Visual Studio Code" - description: "Microsoft's popular source code editor" - - name: "code --list-extensions" - description: "Command to list installed VS Code extensions" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "VS Code Settings Sync" - description: "Microsoft's settings synchronization for VS Code" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Visual Studio Code (2015)" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "vscode" - - "code-editor" - - "development" - - "programming" - - "extensions" - - "workspace" - - "microsoft" - - references: - - title: "Visual Studio Code Documentation" - url: "https://code.visualstudio.com/docs" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Development settings and workspace history persist across sessions" - volatility: "Recent projects and development activity provide ongoing programming evidence" - - related_artifacts: - - "git_configuration" - - "development_tools" - - "recent_documents" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/execution/windows_terminal.yml b/artifacts/execution/windows_terminal.yml deleted file mode 100644 index 6700b5f..0000000 --- a/artifacts/execution/windows_terminal.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -title: "Windows Terminal Configuration" -category: "execution" -description: "Windows Terminal settings, profiles, and modern command-line interface configuration" - -paths: - - "HKCU\\Software\\Microsoft\\Windows Terminal" - - "HKLM\\SOFTWARE\\Microsoft\\WindowsTerminal" - - "HKCU\\Software\\Classes\\Directory\\Background\\shell\\wt" - - "HKLM\\SOFTWARE\\Classes\\Directory\\Background\\shell\\wt" - -details: - what: | - Windows Terminal manages modern command-line interface including shell profiles, - appearance settings, key bindings, and terminal emulation preferences. Registry - stores configuration profiles, color schemes, font preferences, and integration - settings for comprehensive command-line activity analysis and system - administration behavior tracking in modern Windows environments. - - forensic_value: | - Important for investigating command-line activities, system administration tasks, - scripting behavior, and advanced user interactions. Shows evidence of terminal - usage patterns, shell preferences, custom configurations, and can reveal - system administration activities, scripting development, and command-line based - attack techniques or administrative access patterns. - - structure: | - Windows Terminal configuration includes profile definitions, appearance settings, - key binding mappings, and startup preferences. Shell integration data tracks - context menu additions, protocol handlers, and command-line interface - customizations for comprehensive terminal usage analysis and administrative activity tracking. 
- - examples: - - "DefaultProfile: {PowerShell GUID}" - - "DefaultProfile: {Command Prompt GUID}" - - "Profile: PowerShell 7 (Custom PowerShell Core profile)" - - "Profile: WSL Ubuntu (Windows Subsystem for Linux)" - - "StartupActions: new-tab --profile PowerShell" - - "ColorScheme: Campbell (Terminal color theme)" - - "ContextMenuIntegration: 1 (Right-click context menu enabled)" - - tools: - - name: "Windows Terminal" - description: "Microsoft's modern terminal application" - - name: "wt.exe" - description: "Windows Terminal command-line launcher" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Windows Terminal (2019)" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "windows-terminal" - - "command-line" - - "terminal" - - "powershell" - - "wsl" - - "system-administration" - - "scripting" - - references: - - title: "Windows Terminal Documentation" - url: "https://docs.microsoft.com/en-us/windows/terminal/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Terminal configuration and profiles persist across sessions" - volatility: "Command-line usage patterns provide ongoing administrative activity evidence" - - related_artifacts: - - "powershell_configuration" - - "command_line_history" - - "wsl_configuration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/execution/wsh_settings.yml b/artifacts/execution/wsh_settings.yml deleted file mode 100644 index 457ed2e..0000000 --- a/artifacts/execution/wsh_settings.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -title: "Windows Script Host Settings and Configuration" -category: "execution" -description: "Windows Script Host execution policies, script engine settings, and VBScript/JScript security configuration" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" - - "HKCU\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings" - - "HKLM\\SOFTWARE\\Classes\\VBSFile\\Shell\\Open\\Command" - - "HKLM\\SOFTWARE\\Classes\\JSFile\\Shell\\Open\\Command" - -details: - what: | - Windows Script Host (WSH) provides native scripting capabilities for VBScript and JScript execution - with comprehensive security and execution policy configuration. Controls script execution permissions, - timeout settings, security zones, debugging capabilities, and engine-specific behaviors. Manages - both system-wide and user-specific script execution policies for enterprise security and - administrative automation while preventing unauthorized script-based attacks. - - forensic_value: | - Critical for detecting script-based malware attacks, policy bypass attempts, and unauthorized - script execution. Shows if WSH was disabled to prevent malicious script execution or enabled - to facilitate attacks. Configuration changes may indicate attempts to execute malicious VBScript - or JScript files, bypass security restrictions, or establish script-based persistence mechanisms. - Essential for analyzing script-based attacks, macro malware, and fileless attack vectors. - - structure: | - WSH configuration includes Enabled (global WSH enablement), Timeout (script execution timeout), - DisplayLogo (banner display), TrustPolicy (script trust level), and UseWINSAFER (Windows SAFER - integration). Settings control script engine behavior, security restrictions, execution timeouts, - and debugging capabilities stored as REG_DWORD values with policy inheritance mechanisms. 
- - examples: - - "Enabled: 0 (Windows Script Host completely disabled)" - - "Enabled: 1 (WSH enabled for script execution)" - - "Timeout: 0 (No timeout limit for script execution)" - - "DisplayLogo: 0 (Suppress WSH banner when scripts run)" - - "TrustPolicy: 0 (Allow all scripts to run)" - - "TrustPolicy: 2 (Disallow all scripts - high security)" - - "UseWINSAFER: 1 (Integrate with Software Restriction Policies)" - - "Remote: 0 (Disable remote WSH execution)" - - tools: - - name: "cscript.exe / wscript.exe" - description: "Built-in Windows Script Host command-line and Windows-based script engines" - - name: "Group Policy Editor (gpedit.msc)" - description: "Configure WSH policies through Administrative Templates" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Script Security Scanner" - description: "Third-party tools for analyzing WSH security configuration" - - name: "Windows Script Host Analysis Tools" - description: "Specialized utilities for WSH configuration assessment" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 98" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "persistence-analysis" - - tags: - - "script-execution" - - "vbscript" - - "jscript" - - "wsh" - - "script-security" - - "execution-policy" - - "malware-delivery" - - "fileless-attacks" - - references: - - title: "Microsoft Documentation: Windows Script Host" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738350(v=ws.10)" 
- type: "official" - - title: "Windows Script Host Security" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc976135(v=technet.10)" - type: "official" - - title: "MITRE ATT&CK: Windows Script Host" - url: "https://attack.mitre.org/techniques/T1059/005/" - type: "research" - - title: "Script-Based Attack Detection and Analysis" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Script execution settings persist until manually changed or policy override" - volatility: "Configuration changes affect immediate script execution capabilities and security posture" - - related_artifacts: - - "powershell_policy" - - "file_associations" - - "software_restriction" - - "applocker_policies" - - "security_policy" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/malware/quarantine.yml b/artifacts/malware/quarantine.yml deleted file mode 100644 index 0f62596..0000000 --- a/artifacts/malware/quarantine.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -title: "Malware Quarantine and Detection History" -category: "malware" -description: "Anti-malware quarantine locations, detection history, threat signatures, and security incident tracking" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Quarantine" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Quarantine" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Threats\\ThreatIDDefaultAction" - - "HKLM\\SOFTWARE\\Microsoft\\RemovalTools\\MpSigStub" - -details: - what: | - Windows anti-malware quarantine system maintains comprehensive records of detected threats, - quarantined files, malware signatures, threat classifications, detection timestamps, and - security incident tracking. Manages isolated malicious files, threat analysis results, - automatic response actions, and malware family identification for comprehensive endpoint - protection and forensic analysis capabilities. - - forensic_value: | - Essential for malware incident analysis, threat timeline reconstruction, and understanding - attack vectors used against the system. Shows evidence of malware detection, quarantine - actions, threat persistence attempts, and security software effectiveness. Critical for - identifying attack campaigns, malware families, and establishing infection timelines. - Provides direct evidence of malicious activity and security response effectiveness. - - structure: | - Quarantine entries contain threat identifiers, file locations, detection timestamps, threat - categories, and quarantine actions. ThreatIDDefaultAction maps threat identifiers to - automatic response behaviors. RemovalTools contains malware removal utility execution - history and specialized cleaning tool deployment information with binary threat data. 
- - examples: - - "Quarantine\\{12345678-1234-5678-9abc-123456789abc}: Quarantined malware file" - - "ThreatName: Trojan:Win32/Emotet.A (Threat classification)" - - "DetectionTime: 2024-01-15T14:30:25Z (Malware detection timestamp)" - - "QuarantinePath: C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" - - "ThreatIDDefaultAction\\2147735503: 2 (Automatic quarantine action)" - - "OriginalPath: C:\\Users\\user\\Downloads\\malware.exe (Original file location)" - - "ThreatSeverity: 4 (High severity threat level)" - - "CleaningAction: 3 (File quarantined successfully)" - - tools: - - name: "Windows Security (ms-settings:windowsdefender)" - description: "Built-in Windows Defender threat history and quarantine management" - - name: "MpCmdRun.exe" - description: "Windows Defender command-line scanner and threat management utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Quarantine File Analyzer" - description: "Specialized tools for analyzing quarantined malware samples" - - name: "Threat Intelligence Platform" - description: "Enterprise threat analysis and malware family identification tools" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista (Windows Defender)" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "timeline-analysis" - - "behavioral-analysis" - - tags: - - "malware" - - "quarantine" - - "threat-detection" - - "antivirus" - - "security-incidents" - - "threat-analysis" - - "malware-families" - - "endpoint-protection" - - references: - - title: "Microsoft Documentation: Windows Defender Antivirus" - url: 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/" - type: "official" - - title: "Malware Analysis and Quarantine Forensics" - url: "https://www.sans.org/white-papers/37657/" - type: "research" - - title: "Windows Defender Threat Intelligence" - url: "https://www.microsoft.com/en-us/security/business/threat-protection/intelligence" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE), quarantine storage" - persistence: "Quarantine records persist until manual cleanup or retention policy expiry" - volatility: "Threat detection data provides ongoing security incident intelligence" - - related_artifacts: - - "windows_defender" - - "security_center" - - "appcompat_cache" - - "amcache" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/mobile/device_sync.yml b/artifacts/mobile/device_sync.yml deleted file mode 100644 index 4158a24..0000000 --- a/artifacts/mobile/device_sync.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -title: "Mobile Device Synchronization and Integration" -category: "mobile" -description: "Mobile device pairing, synchronization settings, Your Phone app configuration, and cross-device integration" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CDP" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-DeviceSync" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess" - - "HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Connectivity" - -details: - what: | - Windows mobile device integration encompasses Cross-Device Platform (CDP) configuration, - device synchronization settings, Your Phone app connections, Bluetooth device pairing, - notification mirroring, and cross-platform continuity features. Manages smartphone - integration, tablet connectivity, and multi-device user experience through Windows - ecosystem integration and third-party mobile device management. - - forensic_value: | - Critical for investigating cross-device data synchronization, mobile device access to - corporate resources, and potential data exfiltration through mobile integration features. - Shows evidence of paired mobile devices, synchronization activities, notification sharing, - and cross-platform file access. Essential for understanding mobile attack vectors, - BYOD policy violations, and multi-device security incidents. - - structure: | - CDP configuration includes device discovery settings, paired device information, sync - preferences, and cross-device communication protocols. DeviceAccess controls mobile - device permissions, notification access, and feature sharing. WINEVT channels track - device synchronization events and connection history with mobile devices. 
- - examples: - - "CDP\\UserActivities\\EnableCdpUserService: 1 (Cross-device platform enabled)" - - "DeviceAccess\\Global\\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}: Allow (Location access)" - - "Bluetooth\\PairedDevices\\iPhone_User: Mobile device pairing information" - - "YourPhone\\ConnectedDevices\\Samsung Galaxy S21: Smartphone integration" - - "NotificationMirroring: 1 (Mobile notification sync enabled)" - - "Connectivity\\AllowPhonePC: 1 (Phone-PC linking permitted)" - - "CrossDeviceClipboard: 1 (Clipboard sharing between devices)" - - tools: - - name: "Your Phone App" - description: "Built-in Windows mobile device integration and management interface" - - name: "Settings - Phone (ms-settings:mobile-devices)" - description: "Windows mobile device configuration and connection settings" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Bluetooth Device Manager" - description: "Windows Bluetooth device pairing and management utilities" - - name: "Mobile Device Management Tools" - description: "Enterprise MDM solutions for mobile device policy and monitoring" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 10 (Cross-Device Platform)" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - "incident-response" - - tags: - - "mobile" - - "device-sync" - - "cross-device" - - "smartphone-integration" - - "byod" - - "mobile-security" - - "device-pairing" - - "your-phone" - - references: - - title: "Microsoft Documentation: Your Phone App" - url: "https://support.microsoft.com/en-us/topic/getting-started-with-your-phone-app-2d0fe4c3-36dd-43aa-9d1e-6b8a745c7e43" - type: "official" - - title: "Windows Cross-Device Platform" - url: 
"https://docs.microsoft.com/en-us/windows/uwp/launch-resume/connected-apps-and-devices" - type: "official" - - title: "Mobile Device Security in Enterprise Environments" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Mobile device configuration persists until device unpairing or policy changes" - volatility: "Device sync status provides real-time mobile integration intelligence" - - related_artifacts: - - "bluetooth_devices" - - "network_interfaces" - - "user_profiles" - - "device_permissions" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/mobile/itunes.yml b/artifacts/mobile/itunes.yml deleted file mode 100644 index c4eb23d..0000000 --- a/artifacts/mobile/itunes.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -title: "iTunes for Windows Mobile Device Sync" -category: "mobile" -description: "iTunes configuration, device synchronization, backup locations, and Apple device management" - -paths: - - "HKCU\\Software\\Apple Computer, Inc.\\iTunes" - - "HKLM\\SOFTWARE\\Apple Inc.\\Apple Mobile Device Support" - - "HKCU\\Software\\Apple Inc.\\iTunes" - - "HKLM\\SOFTWARE\\Apple Computer, Inc.\\iTunes" - -details: - what: | - iTunes for Windows manages Apple device synchronization including iPhone, iPad, - and iPod connections, backup locations, media library sync, and device management. - Registry stores device identifiers, backup paths, sync preferences, and media - library configurations for comprehensive Apple ecosystem integration and - cross-platform data synchronization between Windows and Apple devices. - - forensic_value: | - Critical for investigating mobile device connections, data synchronization - between Windows and Apple devices, backup locations containing mobile device - data, and evidence of Apple device usage patterns. Shows evidence of mobile - device ownership, sync activity, backup creation, and can reveal access to - mobile device data through iTunes backups and synchronization. - - structure: | - iTunes configuration includes device registration data, backup storage paths, - sync preferences, media library locations, and Apple ID authentication. - Mobile Device Support entries track connected devices, device capabilities, - and synchronization history for comprehensive Apple device interaction analysis. 
- - examples: - - "StoreAccountName: user@icloud.com (Associated Apple ID)" - - "LastBackupPath: C:\\Users\\user\\AppData\\Roaming\\Apple Computer\\MobileSync\\Backup" - - "DeviceID: 1234567890abcdef (Connected device identifier)" - - "DeviceName: John's iPhone (User device name)" - - "BackupDirectory: {device-guid} (Device-specific backup folder)" - - "SyncLibrary: 1 (Music library synchronization enabled)" - - "AutoSync: 0 (Automatic sync disabled)" - - tools: - - name: "iTunes Application" - description: "Apple iTunes media management and device sync application" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "iTunes Backup Analysis Tools" - description: "Specialized tools for iTunes backup examination and mobile forensics" - - name: "Apple Mobile Device Support Tools" - description: "Apple's device management and synchronization utilities" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "iTunes for Windows" - - criticality: "low" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "itunes" - - "apple-devices" - - "mobile-sync" - - "device-backups" - - "iphone" - - "ipad" - - "cross-platform" - - references: - - title: "iTunes Support" - url: "https://support.apple.com/itunes/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Device sync and backup settings persist until application removal" - volatility: "Device connection history provides mobile device usage patterns" - - related_artifacts: - - "mobile_device_sync" - - "apple_ecosystem" - - "device_backups" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - 
version: "1.0" diff --git a/artifacts/network/anydesk.yml b/artifacts/network/anydesk.yml deleted file mode 100644 index e3160b7..0000000 --- a/artifacts/network/anydesk.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -title: "AnyDesk Remote Desktop Configuration" -category: "network" -description: "AnyDesk remote access settings, connection management, and security configuration" - -paths: - - "HKCU\\Software\\AnyDesk" - - "HKLM\\SOFTWARE\\AnyDesk" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk" - - "HKCU\\Software\\Classes\\anydesk" - -details: - what: | - AnyDesk manages lightweight remote desktop access including connection settings, - security configurations, address book management, and session preferences. - Registry stores installation data, access permissions, connection history, - and authentication settings for comprehensive remote access analysis and - system administration behavior tracking in modern remote work environments. - - forensic_value: | - Important for investigating remote access activities, potential unauthorized - system control, technical support sessions, and remote collaboration evidence. - Shows evidence of remote desktop usage, connection patterns, security settings, - and can indicate legitimate remote work, unauthorized access attempts, technical - support activities, or potential command and control communications. - - structure: | - AnyDesk configuration includes connection preferences, security settings, - address book entries, access permissions, and session management options. - Connection data tracks remote session history, partner devices, and access - control configurations for comprehensive remote access behavior analysis. 
- - examples: - - "InstallPath: C:\\Program Files (x86)\\AnyDesk" - - "AnyDeskID: 123456789 (Unique device identifier)" - - "AddressBook: Work-Computer-987654321" - - "UnattendedAccess: 1 (Permanent access enabled)" - - "Password: (Encrypted connection password)" - - "FileTransfer: 1 (File transfer capability enabled)" - - "AudioTransmission: 1 (Audio streaming enabled)" - - "ClipboardSync: 1 (Clipboard synchronization active)" - - tools: - - name: "AnyDesk Application" - description: "AnyDesk remote desktop software" - - name: "AnyDesk Address Book" - description: "Contact management for remote connections" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "AnyDesk" - - criticality: "high" - - investigation_types: - - "incident-response" - - "behavioral-analysis" - - "insider-threat" - - tags: - - "anydesk" - - "remote-access" - - "remote-desktop" - - "technical-support" - - "remote-work" - - "unauthorized-access" - - "lightweight-rdp" - - references: - - title: "AnyDesk Documentation" - url: "https://support.anydesk.com/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT, SYSTEM)" - persistence: "Remote access configuration persists until software removal" - volatility: "Connection activity provides evidence of remote desktop usage patterns" - - related_artifacts: - - "teamviewer" - - "remote_desktop_connections" - - "network_connections" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/network/bits_service.yml b/artifacts/network/bits_service.yml deleted file mode 100644 index af71b0e..0000000 --- a/artifacts/network/bits_service.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -title: "BITS Background Transfer Service" -category: "network" -description: "Background Intelligent Transfer Service configuration, job history, and file transfer management" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\StateIndex" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BITS" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\Jobs" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS" - -details: - what: | - Background Intelligent Transfer Service (BITS) manages file transfers in the - background using spare network bandwidth, commonly used by Windows Update, - Microsoft applications, and third-party software. Registry contains service - configuration, transfer job metadata, bandwidth throttling settings, and - job state information for both system and user-initiated transfers. - - forensic_value: | - BITS is increasingly used by malware for stealthy file downloads, data exfiltration, - and command and control communication. Shows evidence of background file transfers, - download sources, upload destinations, and potential covert communication channels. - Can reveal malicious file distribution, data theft operations, or unauthorized - software installation through background transfer mechanisms. - - structure: | - Service configuration includes startup type, dependencies, parameters, and - bandwidth management settings. StateIndex contains job identifiers and transfer - metadata. Jobs subkey tracks active and completed transfers with source URLs, - destination paths, transfer states, and authentication information. 
- - examples: - - "BITS\\Start: 3 (Manual startup)" - - "BITS\\Type: 20 (Win32 service, share process)" - - "BITS\\ObjectName: LocalSystem" - - "MaxBandwidthPerJob: 2000000 (bytes per second)" - - "EnableBitsMaxBandwidth: 1" - - "Job State: Transfer in progress" - - "StateIndex\\{12345678-1234-5678-9abc-123456789abc}: Job identifier" - - "Source URL: http://malicious-server.com/payload.exe" - - "Destination: C:\\temp\\downloaded_malware.exe" - - tools: - - name: "bitsadmin.exe" - description: "Built-in Windows command-line tool for BITS job management and monitoring" - - name: "Get-BitsTransfer PowerShell" - description: "PowerShell cmdlet for comprehensive BITS transfer analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for BITS configuration analysis" - - name: "BITS Job Monitor" - description: "Real-time monitoring tools for BITS transfer activity" - - name: "BITSInspector" - description: "Specialized tools for BITS forensic analysis and job enumeration" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "data-exfiltration" - - "lateral-movement" - - "incident-response" - - "behavioral-analysis" - - tags: - - "network" - - "bits" - - "background-transfer" - - "malware-communication" - - "data-exfiltration" - - "stealth-downloads" - - "command-control" - - "file-transfers" - - "covert-channels" - - references: - - title: "Background Intelligent Transfer Service" - url: "https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal" - type: "official" - - title: "BITS Security 
Considerations" - url: "https://docs.microsoft.com/en-us/windows/win32/bits/security-considerations" - type: "official" - - title: "BITS Malware Analysis" - url: "https://www.sans.org/blog/bits-malware-analysis/" - type: "research" - - title: "Background Transfer Service Forensics" - url: "https://www.forensicfocus.com/articles/bits-forensics/" - type: "research" - - retention: - default_location: "Registry hives (SYSTEM, SOFTWARE)" - persistence: "Job information persists across reboots until job completion or removal" - volatility: "Transfer history may be limited by job retention policies" - - related_artifacts: - - "proxy_settings" - - "network_interfaces" - - "firewall_rules" - - "scheduled_tasks" - - "prefetch_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/network/bluetooth_devices.yml b/artifacts/network/bluetooth_devices.yml deleted file mode 100644 index 9fc1461..0000000 --- a/artifacts/network/bluetooth_devices.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -title: "Bluetooth Device History and Configuration" -category: "network" -description: "Bluetooth device pairing history, connection logs, device capabilities, and wireless communication tracking" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BTHPORT\\Parameters\\Devices" - - "HKCU\\Software\\Microsoft\\Bluetooth\\Device" - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\BTHENUM" - - "HKLM\\SOFTWARE\\Microsoft\\Bluetooth\\AudioGateway" - -details: - what: | - Windows Bluetooth subsystem maintains comprehensive device pairing history, connection logs, - device capabilities, authentication keys, and service discovery records. Tracks all Bluetooth - devices that have been paired, attempted connections, device profiles supported, and wireless - communication patterns for complete Bluetooth forensic analysis and device correlation. - - forensic_value: | - Critical for investigating wireless data exfiltration, unauthorized device connections, covert - communication channels, and device tracking. Shows evidence of Bluetooth keyboards, mice, phones, - headsets, and potential data transfer devices. Essential for insider threat investigations, - unauthorized device usage, and establishing device presence during incident timeframes. - - structure: | - Device entries organized by Bluetooth MAC addresses containing device names, pairing timestamps, - authentication keys, supported services, device types, and connection history. Each device - maintains profile information, capability flags, and last seen timestamps for comprehensive - tracking and forensic correlation with other system artifacts. 
- - examples: - - "Device: 00:11:22:33:44:55 (Samsung Galaxy S21 - Mobile phone)" - - "DeviceName: AirPods Pro (Apple wireless earbuds)" - - "LastConnected: 2024-01-20 15:30:25 UTC (Recent connection timestamp)" - - "PairingDate: 2024-01-15 09:00:00 UTC (Initial pairing time)" - - "DeviceType: 0x040418 (Audio/Video device - headphones)" - - "Services: A2DP, AVRCP, HFP (Audio streaming and control)" - - "LinkKey: [Binary authentication key data]" - - "TrustedDevice: 1 (Device marked as trusted)" - - tools: - - name: "Bluetooth Settings (ms-settings:bluetooth)" - description: "Built-in Windows Bluetooth device management interface" - - name: "Device Manager (devmgmt.msc)" - description: "Hardware device management including Bluetooth devices" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "BluetoothView" - url: "https://www.nirsoft.net/utils/bluetooth_viewer.html" - description: "NirSoft tool for monitoring Bluetooth devices and connections" - - name: "Bluetooth Device Analyzer" - description: "Specialized forensic tools for Bluetooth device analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows XP SP2" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "timeline-analysis" - - tags: - - "bluetooth" - - "wireless" - - "device-pairing" - - "data-exfiltration" - - "covert-communication" - - "device-tracking" - - "mobile-devices" - - references: - - title: "Microsoft Documentation: Bluetooth" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/bluetooth/" - type: "official" - - title: "Bluetooth Forensics and Investigation" - url: "https://www.sans.org/white-papers/33584/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, NTUSER.DAT)" - 
persistence: "Device pairing history persists until manually removed" - volatility: "Connection timestamps provide precise device usage correlation" - - related_artifacts: - - "device_sync" - - "hardware_devices" - - "network_interfaces" - - "usb_device_history" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/network/dns_cache.yml b/artifacts/network/dns_cache.yml deleted file mode 100644 index 935fb0d..0000000 --- a/artifacts/network/dns_cache.yml +++ /dev/null 
@@ -1,121 +0,0 @@
-title: "DNS Client Configuration and Cache Settings"
-category: "network"
-description: "DNS client settings, cache configuration, name resolution preferences, and DNS security policies"
-
-paths:
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
- - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\\DnsPolicy"
-
-details:
- what: |
- DNS client configuration encompasses comprehensive name resolution settings including cache
- behavior, DNS server preferences, DNS-over-HTTPS (DoH) configuration, cache size limits,
- negative caching policies, and DNS security settings. Controls system-wide name resolution
- behavior, cache management policies, and modern DNS security features including encrypted
- DNS protocols and DNS filtering for enhanced privacy and security.
-
- forensic_value: |
- Critical for investigating DNS hijacking attacks, malicious DNS server usage, DNS tunneling
- attempts, and command and control communication through DNS protocols. DNS configuration
- changes may indicate network-based attacks, DNS cache poisoning attempts, or DNS exfiltration
- techniques. Essential for analyzing advanced persistent threats that manipulate DNS infrastructure
- for stealth communication and detecting DNS-based data exfiltration methods.
-
- structure: |
- DNS configuration includes MaxCacheTtl (maximum cache time), NegativeCacheTime (failed lookup
- caching), CacheHashTableSize (cache table dimensions), EnableAutoDoh (automatic DNS-over-HTTPS),
- DohPolicy (DoH enforcement level), and PrimaryDnsServer (preferred DNS server). Policy settings
- control enterprise DNS behavior, security restrictions, and DNS filtering implementations.
-
- examples:
- - "MaxCacheTtl: 604800 (7 days maximum cache retention)"
- - "NegativeCacheTime: 300 (5 minutes for failed DNS lookups)"
- - "CacheHashTableSize: 211 (DNS cache hash table size)"
- - "EnableAutoDoh: 2 (Automatic secure DNS resolution enabled)"
- - "DohPolicy: 3 (DNS-over-HTTPS required for all queries)"
- - "PrimaryDnsServer: 8.8.8.8 (Google DNS - potential policy violation)"
- - "PrimaryDnsServer: 192.168.1.100 (Internal DNS server)"
- - "DnsPolicy\\\\malicious-domain.com: Block (DNS filtering policy)"
-
- tools:
- - name: "ipconfig /displaydns"
- description: "Built-in Windows DNS cache display and management utility"
- - name: "nslookup"
- description: "DNS lookup and troubleshooting command-line tool"
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry analysis and browsing tool"
- - name: "DNS Cache Monitor"
- description: "Third-party tools for DNS cache analysis and monitoring"
- - name: "DNS Security Analysis Tools"
- description: "Specialized utilities for DNS security assessment and threat detection"
-
-metadata:
- windows_versions:
- - "Windows 2000"
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2000"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows 2000"
-
- criticality: "high"
-
- investigation_types:
- - "persistence-analysis"
- - "incident-response"
- - "data-exfiltration"
-
- tags:
- - "network"
- - "dns"
- - "name-resolution"
- - "dns-cache"
- - "dns-hijacking"
- - "dns-tunneling"
- - "dns-security"
-
- references:
- - title: "Microsoft Documentation: DNS Client Service"
- url: "https://docs.microsoft.com/en-us/windows-server/networking/dns/"
- type: "official"
- - title: "DNS Security and Attack Techniques"
- url: "https://www.sans.org/white-papers/33896/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SYSTEM, SOFTWARE)"
- persistence: "DNS configuration persists until manually changed or policy update"
- volatility: "DNS settings affect ongoing name resolution and network communication security"
-
- related_artifacts:
- - "network_interfaces"
- - "proxy_settings"
- - "firewall_rules"
- - "teredo_ipv6"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/network/firewall_rules.yml b/artifacts/network/firewall_rules.yml
deleted file mode 100644
index 7c65a91..0000000
--- a/artifacts/network/firewall_rules.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-title: "Windows Firewall Rules and Configuration"
-category: "network"
-description: "Firewall rules, exceptions, security policy configurations, and network protection settings"
-
-paths:
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy"
- - "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpsSvc"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Epoch"
-
-details:
- what: |
- Windows stores comprehensive firewall configuration including enabled/disabled status,
- firewall rules, port exceptions, application exceptions, network profile settings
- for Domain, Private, and Public networks, and Windows Defender Firewall policies.
- Controls inbound and outbound traffic filtering, application permissions, and
- network security enforcement across different network location types.
-
- forensic_value: |
- Shows security posture changes, unauthorized firewall rule modifications, malware
- attempts to create network exceptions, and evidence of network policy tampering.
- Critical for understanding network security state, identifying firewall bypass
- attempts, and revealing unauthorized network access permissions that could
- facilitate data exfiltration, lateral movement, or command and control communication.
-
- structure: |
- Profile-based configuration with subkeys for DomainProfile, StandardProfile
- (Private), and PublicProfile containing EnableFirewall, DefaultInboundAction,
- DefaultOutboundAction, and detailed rule definitions. Binary data includes
- rule specifications, port ranges, application paths, and protocol configurations.
-
- examples:
- - "DomainProfile\\EnableFirewall: 1 (firewall enabled)"
- - "StandardProfile\\DefaultInboundAction: 1 (block inbound)"
- - "PublicProfile\\DefaultOutboundAction: 0 (allow outbound)"
- - "FirewallRules\\Rule: v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=80|App=C:\\inetpub\\wwwroot\\app.exe|"
- - "Exception: Allow TCP 3389 for Remote Desktop"
- - "Malicious: Allow TCP 4444 for C:\\malware\\backdoor.exe"
- - "GloballyOpenPorts: 445:TCP:*:Enabled:File and Printer Sharing"
- - "AuthorizedApplications: C:\\Windows\\System32\\svchost.exe:*:Enabled:Generic Host Process"
-
- tools:
- - name: "Windows Defender Firewall with Advanced Security"
- description: "Built-in Windows firewall management interface with advanced rule configuration"
- - name: "netsh advfirewall"
- description: "Command-line interface for Windows firewall configuration and analysis"
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry browser for firewall configuration analysis"
- - name: "FirewallAPI"
- description: "Windows Firewall API for programmatic rule management and analysis"
- - name: "Windows Firewall Control"
- url: "https://www.binisoft.org/wfc"
- description: "Third-party firewall management tool for detailed rule analysis"
-
-metadata:
- windows_versions:
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows XP SP2"
-
- criticality: "high"
-
- investigation_types:
- - "lateral-movement"
- - "data-exfiltration"
- - "malware-analysis"
- - "incident-response"
- - "behavioral-analysis"
-
- tags:
- - "network"
- - "firewall"
- - "security-policy"
- - "network-exceptions"
- - "malware-evasion"
- - "traffic-filtering"
- - "network-protection"
- - "rule-modification"
- - "security-bypass"
-
- references:
- - title: "Windows Defender Firewall"
- url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security"
- type: "official"
- - title: "Firewall Rules and Policies"
- url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring"
- type: "official"
- - title: "Firewall Security Analysis"
- url: "https://www.sans.org/blog/windows-firewall-analysis/"
- type: "research"
- - title: "Network Security Forensics"
- url: "https://www.forensicfocus.com/articles/firewall-configuration-forensics/"
- type: "research"
-
- retention:
- default_location: "SYSTEM registry hive"
- persistence: "Survives reboots, persists until policy or configuration changes"
- volatility: "Rule modifications overwrite previous firewall configurations"
-
- related_artifacts:
- - "network_interfaces"
- - "shared_folders"
- - "remote_assistance"
- - "proxy_settings"
- - "upnp_settings"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/network/mapped_drives.yml b/artifacts/network/mapped_drives.yml
deleted file mode 100644
index d1e4282..0000000
--- a/artifacts/network/mapped_drives.yml
+++ /dev/null
@@ -1,125 +0,0 @@
-title: "Network Mapped Drives and Shares"
-category: "network"
-description: "Mapped network drives, UNC paths, shared resource connections, and persistent drive mappings"
-
-paths:
- - "HKCU\\Network"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Shares"
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU"
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2"
-
-details:
- what: |
- Windows stores comprehensive information about mapped network drives, shared folder connections,
- UNC path access history, and persistent drive mappings. Maintains both active drive mappings
- and historical connection data including server names, share paths, authentication credentials,
- and connection persistence settings. Manages network resource access, automatic reconnection
- preferences, and Most Recently Used (MRU) lists for network location convenience.
-
- forensic_value: |
- Critical for investigating lateral movement, data exfiltration routes, unauthorized network
- access, and corporate espionage through network shares. Shows evidence of file server access,
- shared resource usage patterns, and potential data staging locations on network drives.
- Essential for analyzing advanced persistent threats that leverage legitimate network infrastructure
- for stealth operations and detecting insider threats accessing sensitive network resources.
-
- structure: |
- Network registry key contains drive letters as subkeys with RemotePath (UNC path), ProviderName
- (network provider), UserName (authentication context), and ConnectionType (persistent/temporary).
- Map Network Drive MRU stores recently accessed UNC paths in chronological order with connection
- frequency and access patterns for user convenience and investigation correlation.
-
- examples:
- - "Z:\\\\RemotePath: \\\\\\\\fileserver.domain.com\\\\shared (Corporate file server)"
- - "Y:\\\\RemotePath: \\\\\\\\192.168.1.100\\\\admin$ (Administrative share access)"
- - "X:\\\\RemotePath: \\\\\\\\suspicious-server\\\\confidential (Potential unauthorized access)"
- - "ProviderName: Microsoft Windows Network (Standard SMB/CIFS provider)"
- - "UserName: DOMAIN\\\\username (Authentication context for connection)"
- - "ConnectionType: 1 (Persistent connection - reconnects on logon)"
- - "MRU: \\\\\\\\server\\\\finance (Recently accessed financial share)"
-
- tools:
- - name: "net use"
- description: "Built-in Windows command for network drive management and enumeration"
- - name: "NetDriveView"
- url: "https://www.nirsoft.net/utils/netdrive_view.html"
- description: "View and analyze network drive mappings and connections"
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry analysis and browsing tool"
- - name: "RegRipper"
- url: "https://github.com/keydet89/RegRipper3.0"
- description: "Registry data extraction and analysis framework"
- - name: "Network Resource Monitor"
- description: "Tools for monitoring network share access and authentication patterns"
-
-metadata:
- windows_versions:
- - "Windows NT"
- - "Windows 2000"
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2000"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows NT 3.1"
-
- criticality: "high"
-
- investigation_types:
- - "lateral-movement"
- - "data-exfiltration"
- - "behavioral-analysis"
- - "timeline-analysis"
- - "incident-response"
-
- tags:
- - "network"
- - "mapped-drives"
- - "lateral-movement"
- - "file-shares"
- - "unc-paths"
- - "network-access"
- - "data-exfiltration"
-
- references:
- - title: "Microsoft Documentation: Network Drive Mapping"
- url: "https://docs.microsoft.com/en-us/windows-server/storage/file-server/"
- type: "official"
- - title: "Lateral Movement via Network Shares"
- url: "https://attack.mitre.org/techniques/T1021/002/"
- type: "research"
- - title: "Network Share Forensics Analysis"
- url: "https://www.sans.org/white-papers/33492/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (NTUSER.DAT, SYSTEM)"
- persistence: "Drive mappings persist until manually removed or network configuration change"
- volatility: "Network connections provide ongoing intelligence about file server access patterns"
-
- related_artifacts:
- - "shared_folders"
- - "network_interfaces"
- - "recent_docs"
- - "netbios_settings"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/network/netbios_settings.yml b/artifacts/network/netbios_settings.yml
deleted file mode 100644
index 3d919b1..0000000
--- a/artifacts/network/netbios_settings.yml
+++ /dev/null
@@ -1,119 +0,0 @@
-title: "NetBIOS and Network Naming Configuration"
-category: "network"
-description: "NetBIOS over TCP/IP settings, name resolution configuration, and legacy network browsing capabilities"
-
-paths:
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Browser\\Parameters"
-
-details:
- what: |
- NetBIOS over TCP/IP configuration controls legacy network naming services, Windows Internet
- Name Service (WINS) integration, network browsing capabilities, and backward compatibility
- for older Windows networking protocols. Manages NetBIOS name resolution, scope identification,
- node types, LMHOSTS file usage, and legacy network neighborhood functionality essential
- for mixed-environment network operations.
-
- forensic_value: |
- Critical for investigating lateral movement techniques that exploit NetBIOS vulnerabilities,
- analyzing legacy network reconnaissance activities, and detecting attacks that leverage
- NetBIOS name resolution for network discovery. Shows WINS server configurations that may
- indicate network infrastructure compromise, reveals network browsing capabilities that
- facilitate information gathering, and provides evidence of legacy protocol abuse in attacks.
-
- structure: |
- NetBT parameters include EnableLMHosts (LMHOSTS file usage), NodeType (NetBIOS resolution method),
- NameServer (WINS server addresses), ScopeId (NetBIOS scope identifier), and EnableNetbiosSmb
- (NetBIOS over SMB). LanmanServer controls network browsing, server announcements, and
- network neighborhood visibility with various REG_DWORD and REG_SZ configuration values.
-
- examples:
- - "EnableLMHosts: 1 (LMHOSTS file resolution enabled)"
- - "NodeType: 8 (Hybrid node - P-node then B-node)"
- - "NameServer: 192.168.1.10,192.168.1.11 (Primary and secondary WINS servers)"
- - "ScopeId: CORPORATE.LOCAL (NetBIOS scope identifier)"
- - "EnableNetbiosSmb: 1 (NetBIOS over SMB enabled)"
- - "BrowseAnnounce: 1 (Server announces presence to browsers)"
- - "MaintainServerList: 2 (Auto - maintain browser list)"
- - "IsDomainMaster: 0 (Not domain master browser)"
-
- tools:
- - name: "nbtstat.exe"
- description: "Built-in NetBIOS over TCP/IP statistics and name table utility"
- - name: "net view"
- description: "Command-line network browsing and share enumeration"
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry analysis and browsing tool"
- - name: "Network Configuration Tools"
- description: "Built-in Windows network adapter configuration interface"
- - name: "NetBIOS Name Scanner"
- description: "Third-party tools for NetBIOS network discovery and analysis"
-
-metadata:
- windows_versions:
- - "Windows NT"
- - "Windows 2000"
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2000"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows NT 3.1"
-
- criticality: "medium"
-
- investigation_types:
- - "lateral-movement"
- - "behavioral-analysis"
- - "incident-response"
-
- tags:
- - "netbios"
- - "name-resolution"
- - "wins"
- - "network-browsing"
- - "lateral-movement"
- - "legacy-protocols"
- - "smb"
-
- references:
- - title: "Microsoft Documentation: NetBIOS over TCP/IP"
- url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759150(v=ws.10)"
- type: "official"
- - title: "NetBIOS Attacks and Lateral Movement"
- url: "https://attack.mitre.org/techniques/T1021/002/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SYSTEM)"
- persistence: "Network configuration persists until manually changed"
- volatility: "Network settings affect ongoing network communication capabilities"
-
- related_artifacts:
- - "network_interfaces"
- - "shared_folders"
- - "computer_name"
- - "dns_cache"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/network/network_interfaces.yml b/artifacts/network/network_interfaces.yml
deleted file mode 100644
index 766796a..0000000
--- a/artifacts/network/network_interfaces.yml
+++ /dev/null
@@ -1,137 +0,0 @@
-title: "Network Interface Configuration"
-category: "network"
-description: "Network adapter configuration including IP addresses, DHCP settings, DNS servers, and routing information"
-
-paths:
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
-
-details:
- what: |
- Windows stores comprehensive network interface configuration data including IP addresses,
- subnet masks, default gateways, DNS servers, DHCP settings, and adapter-specific parameters.
- Each network interface has its own GUID-identified subkey containing current and historical
- network configuration. Includes both static and dynamic (DHCP) configuration data with
- timestamps and lease information.
-
- forensic_value: |
- Reveals network configuration history, static IP assignments, DNS server changes,
- and can show evidence of network pivoting, tunneling, or lateral movement preparation.
- Critical for understanding network connectivity, identifying rogue configurations,
- and correlating network-based attacks with system configuration. Can indicate
- VPN usage, proxy configurations, and network infrastructure reconnaissance.
-
- structure: |
- Interface GUIDs as subkeys containing REG_SZ and REG_MULTI_SZ values for network parameters.
- Key values include IPAddress, SubnetMask, DefaultGateway, NameServer, DHCPIPAddress,
- DHCPServer, Domain, EnableDHCP, and lease information. Binary data includes interface
- metrics, adapter settings, and network binding configurations.
-
- examples:
- - "DHCPIPAddress: 192.168.1.100"
- - "StaticAddress: 10.0.0.50"
- - "SubnetMask: 255.255.255.0"
- - "DefaultGateway: 192.168.1.1"
- - "NameServer: 8.8.8.8,1.1.1.1"
- - "DHCPServer: 192.168.1.1"
- - "Domain: company.local"
- - "DHCPLeaseObtainedTime: 1642291200 (Unix timestamp)"
- - "DHCPLeaseTerminatesTime: 1642377600 (Unix timestamp)"
- - "EnableDHCP: 1 (DHCP enabled)"
- - "MTU: 1500"
- - "Interface Metric: 20"
-
- tools:
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry browser for network configuration analysis"
- - name: "RegRipper"
- url: "https://github.com/keydet89/RegRipper3.0"
- description: "Registry analysis with network interface plugins"
- - name: "ipconfig /all"
- description: "Built-in Windows command for current network configuration"
- - name: "netsh interface show"
- description: "Advanced network shell for interface configuration details"
- - name: "NetworkInterfaceView"
- url: "https://www.nirsoft.net/utils/network_interface_view.html"
- description: "NirSoft tool for detailed network interface information"
-
-metadata:
- windows_versions:
- - "Windows NT 4.0"
- - "Windows 2000"
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2000"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows NT 4.0"
-
- criticality: "medium"
-
- investigation_types:
- - "lateral-movement"
- - "data-exfiltration"
- - "timeline-analysis"
- - "incident-response"
- - "behavioral-analysis"
-
- tags:
- - "network"
- - "ip-addresses"
- - "dhcp"
- - "dns"
- - "lateral-movement"
- - "network-configuration"
- - "interface-settings"
- - "routing"
- - "connectivity"
-
- references:
- - title: "TCP/IP Registry Parameters"
- url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739819(v=ws.10)"
- type: "official"
- - title: "Network Interface Identification"
- url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/network/network-interface-identification"
- type: "official"
- - title: "Windows Network Forensics"
- url: "https://www.sans.org/blog/digital-forensics-network-configuration/"
- type: "research"
- - title: "Registry Network Analysis"
- url: "https://www.forensicfocus.com/articles/windows-network-configuration-forensics/"
- type: "research"
-
- retention:
- default_location: "SYSTEM registry hive"
- persistence: "Survives reboots, persists until network reconfiguration"
- volatility: "Historical lease data may be overwritten but configuration persists"
-
- related_artifacts:
- - "wifi_profiles"
- - "mapped_drives"
- - "vpn_connections"
- - "proxy_settings"
- - "dns_cache"
- - "shared_folders"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
\ No newline at end of file
diff --git a/artifacts/network/proxy_settings.yml b/artifacts/network/proxy_settings.yml
deleted file mode 100644
index 64b99d6..0000000
--- a/artifacts/network/proxy_settings.yml
+++ /dev/null
@@ -1,135 +0,0 @@
-title: "Internet Proxy and Connection Settings"
-category: "network"
-description: "Proxy server configuration, PAC files, automatic proxy detection, and internet connection routing"
-
-paths:
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
- - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
- - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"
-
-details:
- what: |
- Internet proxy configuration including proxy server addresses, port numbers,
- Proxy Auto-Configuration (PAC) file locations, bypass lists, automatic proxy
- detection settings, and WinINet connection configurations. Controls how web
- browsers and system internet connections route through proxy servers, handle
- authentication, and manage traffic filtering and monitoring.
-
- forensic_value: |
- Shows proxy configurations that could indicate data exfiltration routes,
- malicious proxy servers used for traffic interception, command and control
- communication, or network evasion techniques. Critical for understanding
- network communication paths, identifying proxy-based attacks, and detecting
- unauthorized network routing that could facilitate data theft.
-
- structure: |
- Settings include ProxyEnable (proxy enabled/disabled), ProxyServer (address:port),
- ProxyOverride (bypass list), AutoConfigURL (PAC file location), AutoDetect
- (automatic proxy detection), and binary connection data in DefaultConnectionSettings
- containing detailed proxy configurations and authentication information.
-
- examples:
- - "ProxyEnable: 1 (proxy enabled)"
- - "ProxyServer: 192.168.1.100:8080"
- - "ProxyOverride: localhost;127.*;10.*;192.168.*;*.company.com"
- - "AutoConfigURL: http://proxy.company.com/proxy.pac"
- - "AutoDetect: 1 (automatic proxy detection enabled)"
- - "ProxyServer: socks=127.0.0.1:9050 (SOCKS proxy for Tor)"
- - "ProxyServer: http=proxy.evil.com:3128;https=proxy.evil.com:3128"
- - "MigrateProxy: 1"
- - "EnableHttp1_1: 1"
- - "EnableNegotiate: 1"
-
- tools:
- - name: "Internet Options"
- description: "Built-in Windows Internet Properties control panel for proxy configuration"
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry browser for proxy configuration analysis"
- - name: "ProxyCfg.exe"
- description: "Legacy Windows proxy configuration tool for WinHTTP settings"
- - name: "netsh winhttp"
- description: "Windows HTTP Services proxy configuration utility"
- - name: "ProxyLogView"
- url: "https://www.nirsoft.net/utils/proxy_log_view.html"
- description: "NirSoft tool for proxy server log analysis and monitoring"
-
-metadata:
- windows_versions:
- - "Windows 95"
- - "Windows 98"
- - "Windows NT 4.0"
- - "Windows 2000"
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2000"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows 95 (Internet Explorer 3.0)"
-
- criticality: "medium"
-
- investigation_types:
- - "data-exfiltration"
- - "lateral-movement"
- - "malware-analysis"
- - "incident-response"
- - "behavioral-analysis"
-
- tags:
- - "network"
- - "proxy"
- - "internet-settings"
- - "pac-files"
- - "traffic-interception"
- - "network-evasion"
- - "command-control"
- - "data-exfiltration"
- - "network-routing"
-
- references:
- - title: "WinINet Proxy Configuration"
- url: "https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-proxy-configuration"
- type: "official"
- - title: "Proxy Auto-Configuration (PAC) Files"
- url: "https://docs.microsoft.com/en-us/troubleshoot/browsers/proxy-auto-configuration-files"
- type: "official"
- - title: "Network Proxy Security Analysis"
- url: "https://www.sans.org/blog/proxy-configuration-analysis/"
- type: "research"
- - title: "Malware and Proxy Abuse"
- url: "https://www.crowdstrike.com/blog/proxy-based-attacks/"
- type: "research"
-
- retention:
- default_location: "Registry hives (SOFTWARE, NTUSER.DAT)"
- persistence: "Survives reboots, persists until proxy reconfiguration"
- volatility: "Configuration changes overwrite previous proxy settings"
-
- related_artifacts:
- - "dns_cache"
- - "network_interfaces"
- - "vpn_connections"
- - "wifi_profiles"
- - "firewall_rules"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
\ No newline at end of file
diff --git a/artifacts/network/remote_assistance.yml b/artifacts/network/remote_assistance.yml
deleted file mode 100644
index 312cbd3..0000000
--- a/artifacts/network/remote_assistance.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-title: "Remote Assistance and Remote Desktop Settings"
-category: "network"
-description: "RDP configuration, remote assistance settings, terminal services, and remote access security"
-
-paths:
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
- - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Remote Assistance"
- - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
-
-details:
- what: |
- Remote Desktop Protocol (RDP) and Remote Assistance configuration encompasses service enablement,
- port settings, authentication requirements, encryption levels, connection permissions, session
- management, and security policies for remote system access. Controls terminal services behavior,
- remote assistance capabilities, Network Level Authentication, and multi-session management
- for comprehensive remote access functionality.
-
- forensic_value: |
- Critical for investigating unauthorized remote access, lateral movement techniques, and
- persistent backdoor installations. Shows if remote access was enabled for malicious connections,
- reveals RDP configuration changes facilitating attacker persistence, and indicates remote
- assistance sessions that could be used for data theft or system reconnaissance. Essential
- for detecting advanced persistent threats using legitimate remote access tools for stealth.
-
- structure: |
- Terminal Server settings include fDenyTSConnections (RDP enable/disable), PortNumber (listening port),
- SecurityLayer (authentication method), UserAuthentication (Network Level Authentication requirement),
- and MaxInstanceCount (concurrent sessions). Remote Assistance contains AllowToGetHelp (service
- enablement), MaxTicketExpiry (session timeout), and CreateEncryptedOnlyTickets (security requirements).
-
- examples:
- - "fDenyTSConnections: 0 (Remote Desktop enabled - potential security risk)"
- - "PortNumber: 3389 (Standard RDP port - commonly targeted)"
- - "PortNumber: 443 (Non-standard RDP port - potential evasion technique)"
- - "SecurityLayer: 2 (TLS 1.0 authentication required)"
- - "UserAuthentication: 1 (Network Level Authentication enabled)"
- - "AllowToGetHelp: 1 (Remote Assistance enabled)"
- - "MaxTicketExpiry: 6 (6-hour session timeout)"
- - "CreateEncryptedOnlyTickets: 1 (Require encryption for assistance)"
-
- tools:
- - name: "Remote Desktop Configuration"
- description: "Windows built-in RDP settings and configuration interface"
- - name: "Terminal Services Configuration (tsconfig.msc)"
- description: "Advanced terminal services management console"
- - name: "Registry Explorer"
- url: "https://ericzimmerman.github.io/#!index.md"
- description: "Advanced registry analysis and browsing tool"
- - name: "Remote Desktop Connection Manager"
- description: "Microsoft tool for managing multiple RDP connections"
- - name: "RDP Security Scanner"
- description: "Third-party tools for assessing RDP security configuration"
-
-metadata:
- windows_versions:
- - "Windows XP"
- - "Windows Vista"
- - "Windows 7"
- - "Windows 8"
- - "Windows 8.1"
- - "Windows 10"
- - "Windows 11"
- - "Windows Server 2003"
- - "Windows Server 2008"
- - "Windows Server 2012"
- - "Windows Server 2016"
- - "Windows Server 2019"
- - "Windows Server 2022"
-
- introduced: "Windows XP"
-
- criticality: "high"
-
- investigation_types:
- - "behavioral-analysis"
- - "lateral-movement"
- - "incident-response"
- - "persistence-analysis"
- - "privilege-escalation"
-
- tags:
- - "rdp"
- - "remote-assistance"
- - "remote-access"
- - "lateral-movement"
- - "unauthorized-access"
- - "terminal-services"
- - "network-security"
-
- references:
- - title: "Microsoft Documentation: Remote Desktop Services"
- url: "https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/"
- type: "official"
- - title: "RDP Attacks and Lateral Movement"
- url: "https://attack.mitre.org/techniques/T1021/001/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SYSTEM, SOFTWARE)"
- persistence: "Remote access configuration persists until manually changed"
- volatility: "Critical security settings affecting remote access capabilities"
-
- related_artifacts:
- - "network_interfaces"
- - "firewall_rules"
- - "user_accounts"
- - "security_policy"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/network/shared_folders.yml b/artifacts/network/shared_folders.yml
deleted file mode 100644
index 17e4b31..0000000
--- a/artifacts/network/shared_folders.yml
+++ /dev/null
@@ -1,125 +0,0 @@ -title: "Windows File Shares and SMB Configuration" -category: "network" -description: "Shared folders, SMB settings, network file sharing configuration, and access control policies" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Shares" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Parameters" - -details: - what: | - Windows Server Message Block (SMB/CIFS) file sharing configuration encompasses shared folder - definitions, access permissions, security descriptors, server parameters, workstation settings, - and network file sharing policies. Manages both administrative shares (C$, ADMIN$) and - user-defined shares with comprehensive access control, authentication requirements, and - network security settings for enterprise file sharing infrastructure. - - forensic_value: | - Critical for investigating lateral movement techniques, data exfiltration through network shares, - and unauthorized file access in enterprise environments. Shows evidence of shared folders used - for data staging, reveals SMB configuration vulnerabilities exploited by attackers, and indicates - network shares accessible for unauthorized data access. Essential for analyzing advanced - persistent threats that leverage legitimate file sharing for stealth operations. - - structure: | - Shares registry subkey contains individual share configurations with UNC paths, security - descriptors, access permissions, and share properties. Server parameters control SMB behavior, - authentication requirements, security signing, and session management. Workstation parameters - manage client-side SMB configuration and security settings for network resource access. 
- - examples: - - "Shares\\\\ADMIN$: C:\\\\ (Hidden administrative share - full system access)" - - "Shares\\\\C$: C:\\\\ (Hidden drive share - root filesystem access)" - - "Shares\\\\SharedDocs: C:\\\\Users\\\\Public\\\\Documents (Public document share)" - - "Shares\\\\Confidential: C:\\\\Sensitive\\\\Data (Custom sensitive data share)" - - "RequireSecuritySignature: 1 (SMB signing required for security)" - - "EnableSecuritySignature: 1 (SMB signing enabled)" - - "NullSessionShares: COMCFG,DFS$ (Shares accessible without authentication)" - - "RestrictNullSessAccess: 0 (Allow null session access - security risk)" - - tools: - - name: "Computer Management (compmgmt.msc)" - description: "Built-in Windows shared folder management interface" - - name: "net share" - description: "Command-line utility for share enumeration and management" - - name: "ShareEnum" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/shareenum" - description: "Microsoft Sysinternals tool for network share discovery" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "SMB Security Scanner" - description: "Third-party tools for SMB security assessment and vulnerability analysis" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "lateral-movement" - - "data-exfiltration" - - "incident-response" - - "behavioral-analysis" - - "malware-analysis" - - tags: - - "network" - - "file-shares" - - "smb" - - "lateral-movement" - - "data-exfiltration" - - "network-exposure" - - "cifs" - - 
references: - - title: "Microsoft Documentation: SMB File Sharing" - url: "https://docs.microsoft.com/en-us/windows-server/storage/file-server/" - type: "official" - - title: "SMB Security and Lateral Movement" - url: "https://attack.mitre.org/techniques/T1021/002/" - type: "research" - - title: "Windows File Share Security Analysis" - url: "https://www.sans.org/white-papers/33492/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM)" - persistence: "Share configuration persists until manually removed or server reconfiguration" - volatility: "Network share settings affect ongoing file access and lateral movement capabilities" - - related_artifacts: - - "mapped_drives" - - "netbios_settings" - - "network_interfaces" - - "security_policy" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/network/teamviewer.yml b/artifacts/network/teamviewer.yml deleted file mode 100644 index b81b2af..0000000 --- a/artifacts/network/teamviewer.yml +++ /dev/null 
@@ -1,102 +0,0 @@ -title: "TeamViewer Remote Access Configuration" -category: "network" -description: "TeamViewer remote desktop settings, connection history, and access control preferences" - -paths: - - "HKCU\\Software\\TeamViewer" - - "HKLM\\SOFTWARE\\TeamViewer" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer" - - "HKCU\\Software\\Classes\\teamviewer" - -details: - what: | - TeamViewer manages remote desktop access including connection preferences, - security settings, account integration, and access control policies. Registry - stores configuration data, connection history, authentication methods, and - collaboration settings for comprehensive remote access analysis and system - administration behavior tracking in support and business environments. - - forensic_value: | - Critical for investigating remote access activities, unauthorized system access, - insider threats through remote connections, and evidence of external control. - Shows evidence of remote desktop usage, connection patterns, access permissions, - and can indicate unauthorized remote access, insider collaboration, external - technical support, or potential command and control activities. - - structure: | - TeamViewer configuration includes account credentials, connection settings, - security policies, access permissions, and collaboration preferences. Connection - data tracks remote session history, partner information, and access control - settings for comprehensive remote access behavior analysis and security assessment. 
- - examples: - - "InstallPath: C:\\Program Files\\TeamViewer" - - "TeamViewerID: 123456789 (Unique system identifier)" - - "AccountEmail: user@company.com (TeamViewer account)" - - "SecurityPassword: (Encrypted access password)" - - "AllowRemoteControl: 1 (Remote control permitted)" - - "FileTransfer: 1 (File transfer enabled)" - - "ConnectionHistory: Partner-987654321 (Recent connections)" - - "UnattendedAccess: 1 (Permanent access configured)" - - tools: - - name: "TeamViewer Application" - description: "TeamViewer remote desktop and collaboration software" - - name: "TeamViewer Management Console" - description: "Enterprise TeamViewer administration interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "TeamViewer" - - criticality: "high" - - investigation_types: - - "incident-response" - - "behavioral-analysis" - - "insider-threat" - - tags: - - "teamviewer" - - "remote-access" - - "remote-desktop" - - "collaboration" - - "technical-support" - - "unauthorized-access" - - "insider-threat" - - references: - - title: "TeamViewer Documentation" - url: "https://community.teamviewer.com/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT, SYSTEM)" - persistence: "Remote access settings persist until manual reconfiguration" - volatility: "Connection history provides evidence of remote access activities" - - related_artifacts: - - "remote_desktop_connections" - - "network_connections" - - "remote_assistance" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/network/teredo_ipv6.yml b/artifacts/network/teredo_ipv6.yml deleted file mode 100644 index 753f97c..0000000 --- a/artifacts/network/teredo_ipv6.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -title: "Teredo and IPv6 Transition Configuration" -category: "network" -description: "IPv6 transition technologies, Teredo tunneling, dual-stack configuration, and covert communication channels" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Teredo\\Parameters" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\IPHTTPS\\Parameters" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\iphlpsvc\\Parameters\\Isatap" - -details: - what: | - IPv6 transition technology configuration manages Teredo tunneling, 6to4 automatic tunneling, - ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), and IP-HTTPS settings that enable - IPv6 connectivity over IPv4 networks. Controls tunnel server addresses, interface parameters, - transition mechanism enablement, and dual-stack network configuration for seamless IPv4/IPv6 - interoperability in mixed network environments. - - forensic_value: | - Critical for detecting covert communication channels that exploit IPv6 transition technologies - to bypass firewall restrictions and network monitoring. Teredo and other tunneling protocols - can be abused for command and control communication, data exfiltration, and firewall evasion. - Configuration changes may indicate sophisticated attack techniques using IPv6 tunnels for - stealth communication or attempts to establish persistent backdoor channels. - - structure: | - Teredo configuration includes Type (client/server mode), ServerName (tunnel server address), - ClientPort (client communication port), and EnabledState (service status). IPv6 parameters - control DisabledComponents (IPv6 feature disabling), transition technology enablement, and - interface configurations. IP-HTTPS and ISATAP contain tunnel-specific settings and server configurations. 
- - examples: - - "Teredo\\Type: 4 (Teredo client mode)" - - "Teredo\\ServerName: teredo.ipv6.microsoft.com (Default Microsoft server)" - - "Teredo\\ClientPort: 0 (Dynamic port allocation)" - - "DisabledComponents: 0xFF (IPv6 completely disabled)" - - "6to4\\Enabled: 1 (6to4 automatic tunneling enabled)" - - "ISATAP\\Enabled: 1 (ISATAP tunneling enabled)" - - "IPHTTPS\\State: 3 (IP-HTTPS enabled and active)" - - "Teredo\\ServerName: malicious-tunnel.evil.com (Suspicious server)" - - tools: - - name: "netsh interface teredo" - description: "Built-in Teredo configuration and status commands" - - name: "netsh interface ipv6" - description: "IPv6 interface configuration and troubleshooting utilities" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "IPv6 Network Configuration" - description: "Windows built-in IPv6 configuration interface" - - name: "IPv6 Tunnel Analysis Tools" - description: "Specialized network analysis tools for IPv6 transition technologies" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "lateral-movement" - - "data-exfiltration" - - "behavioral-analysis" - - "incident-response" - - tags: - - "ipv6" - - "teredo" - - "tunneling" - - "covert-communication" - - "firewall-bypass" - - "transition-technologies" - - "dual-stack" - - references: - - title: "Microsoft Documentation: IPv6 Transition Technologies" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379548(v=ws.10)" - type: "official" - - title: "IPv6 Tunnel Abuse for Covert Channels" - url: "https://www.sans.org/white-papers/33649/" - 
type: "research" - - retention: - default_location: "Registry hive files (SYSTEM)" - persistence: "Network tunnel configuration persists across reboots" - volatility: "Tunnel settings enable ongoing covert communication capabilities" - - related_artifacts: - - "network_interfaces" - - "firewall_rules" - - "proxy_settings" - - "dns_cache" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/network/terminal_services.yml b/artifacts/network/terminal_services.yml deleted file mode 100644 index c59c081..0000000 --- a/artifacts/network/terminal_services.yml +++ /dev/null 
@@ -1,130 +0,0 @@ -title: "Terminal Services and Remote Desktop Configuration" -category: "network" -description: "Terminal Services session management, RDP settings, and remote execution configuration" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install" - - "HKCU\\Software\\Microsoft\\Terminal Server Client" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" - -details: - what: | - Terminal Services configuration for remote desktop sessions, console sessions, - and multi-user environments. Controls session behavior, timeouts, security - settings, application execution in terminal sessions, RDP connection parameters, - and remote access policies. Manages both incoming remote connections and - outgoing Terminal Services client configurations. - - forensic_value: | - Shows remote session configuration that could facilitate unauthorized access, - reveals session policies that might hide user activity, indicates terminal - services usage for remote command execution, persistence, or lateral movement. - Critical for identifying unauthorized remote access, RDP-based attacks, and - evidence of remote administration activities that could indicate compromise. - - structure: | - WinStations configuration includes session settings, security descriptors, - connection parameters, and RDP-specific settings. Install settings control - application compatibility in multi-user environments. Client settings track - connection preferences, recently connected servers, and authentication methods. 
- - examples: - - "RDP-Tcp\\PortNumber: 3389 (default RDP port)" - - "RDP-Tcp\\SecurityLayer: 1 (RDP security layer)" - - "RDP-Tcp\\UserAuthentication: 1 (Network Level Authentication)" - - "Console\\LogonId: 0 (console session identifier)" - - "fDenyTSConnections: 0 (RDP connections allowed)" - - "Software\\Install Mode: Install (application install mode)" - - "Client\\LocalResourceMap: 7 (clipboard, drives, printers)" - - "MaxConnectionTime: 0 (unlimited connection time)" - - "MaxDisconnectionTime: 600000 (10 minutes)" - - "EnableTimeZoneRedirection: 1" - - tools: - - name: "Terminal Services Configuration" - description: "Windows Terminal Services Configuration Manager" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for Terminal Services analysis" - - name: "qwinsta.exe" - description: "Windows query session utility for active session enumeration" - - name: "Remote Desktop Connection Manager" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/rdcman" - description: "Microsoft RDCMan for remote desktop connection management" - - name: "TSAdmin" - description: "Terminal Services administration and monitoring tools" - -metadata: - windows_versions: - - "Windows NT 4.0 Terminal Server Edition" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 4.0 Terminal Server Edition" - - criticality: "medium" - - investigation_types: - - "lateral-movement" - - "incident-response" - - "behavioral-analysis" - - "privilege-escalation" - - tags: - - "execution" - - "terminal-services" - - "remote-sessions" - - "rdp" - - "session-management" - - "remote-execution" - - "lateral-movement" - - "remote-access" - - "multi-user" - - references: - - 
title: "Remote Desktop Services" - url: "https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds" - type: "official" - - title: "Terminal Services Security" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754344(v=ws.11)" - type: "official" - - title: "RDP Security Analysis" - url: "https://www.sans.org/blog/rdp-security-analysis/" - type: "research" - - title: "Terminal Services Forensics" - url: "https://www.forensicfocus.com/articles/terminal-services-forensics/" - type: "research" - - retention: - default_location: "Registry hives (SYSTEM, NTUSER.DAT)" - persistence: "Survives reboots, persists until configuration changes" - volatility: "Session configuration preserved across reboots and reconnections" - - related_artifacts: - - "remote_assistance" - - "network_interfaces" - - "user_profiles" - - "sam_security" - - "event_log_config" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/network/upnp_settings.yml b/artifacts/network/upnp_settings.yml deleted file mode 100644 index 2c63775..0000000 --- a/artifacts/network/upnp_settings.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -title: "UPnP and Network Discovery Settings" -category: "network" -description: "Universal Plug and Play configuration, network discovery settings, and device enumeration security" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\upnphost\\Parameters" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Network" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnections" - -details: - what: | - Universal Plug and Play (UPnP) and network discovery configuration controls automatic device - discovery, network browsing capabilities, network location awareness, and seamless device - connectivity. Manages device enumeration services, network neighborhood visibility, automatic - port mapping, and network topology discovery for simplified network device interaction and - resource sharing in home and enterprise environments. - - forensic_value: | - Critical for investigating network-based attacks that exploit UPnP vulnerabilities for unauthorized - access, port manipulation, and lateral movement. UPnP can be abused for network reconnaissance, - automatic firewall rule creation, and device compromise. Configuration changes may indicate - attackers enabling network discovery for infrastructure mapping or disabling security features - that restrict network access and device enumeration capabilities. - - structure: | - UPnP service configuration includes device discovery settings, network location awareness - parameters, and browsing capabilities. Network discovery controls visibility of network - devices and shared resources with settings for public, private, and domain networks. - FolderDescriptions contains network location definitions and access policies for - different network profile types. 
- - examples: - - "UPnPHost\\Start: 3 (Manual startup - typical configuration)" - - "NetworkDiscovery: 1 (Network discovery enabled)" - - "ShowNetworkComputers: 1 (Show network computers in Explorer)" - - "EnableDeviceAssociation: 1 (Allow automatic device pairing)" - - "NetworkLocationAwareness: 1 (NLA service active)" - - "PublicNetworkDiscovery: 0 (Discovery disabled on public networks)" - - "NC_AllowNetBridge_NLA: 0 (Network bridging restricted)" - - "UPnP_Enabled: 1 (UPnP framework enabled for applications)" - - tools: - - name: "Network and Sharing Center" - description: "Built-in Windows network discovery and sharing management" - - name: "UPnP Test Tools" - description: "Network utilities for testing UPnP device discovery and functionality" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Network Discovery Settings" - description: "Windows Control Panel network discovery configuration interface" - - name: "UPnP Security Scanner" - description: "Third-party tools for assessing UPnP security vulnerabilities" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "lateral-movement" - - "behavioral-analysis" - - "incident-response" - - "timeline-analysis" - - tags: - - "upnp" - - "network-discovery" - - "device-discovery" - - "network-browsing" - - "lateral-movement" - - "network-enumeration" - - "automatic-configuration" - - references: - - title: "Microsoft Documentation: UPnP APIs" - url: "https://docs.microsoft.com/en-us/windows/win32/upnp/universal-plug-and-play-start-page" - type: "official" - - title: "UPnP Security Vulnerabilities and Exploitation" - url: "https://www.sans.org/white-papers/33832/" - type: "research" - - retention: - default_location: "Registry hive 
files (SOFTWARE, SYSTEM)" - persistence: "Network configuration persists until manually changed" - volatility: "Network settings affect ongoing device discovery and network security" - - related_artifacts: - - "network_interfaces" - - "firewall_rules" - - "shared_folders" - - "netbios_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/network/vpn_connections.yml b/artifacts/network/vpn_connections.yml deleted file mode 100644 index 8535958..0000000 --- a/artifacts/network/vpn_connections.yml +++ /dev/null 
@@ -1,134 +0,0 @@ -title: "VPN and Remote Access Connections" -category: "network" -description: "VPN connection profiles, remote access settings, dial-up configurations, and encrypted tunnel history" - -paths: - - "HKCU\\Software\\Microsoft\\RAS Phonebook" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RasMan\\PPP" - - "HKCU\\Software\\Microsoft\\Connection Manager" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections" - -details: - what: | - Windows stores comprehensive VPN connection profiles, dial-up settings, remote - access service configurations, and connection history. Includes server addresses, - authentication methods, encryption protocols, connection parameters for various - VPN protocols (PPTP, L2TP/IPSec, SSTP, IKEv2), and Point-to-Point Protocol - configuration for both corporate and personal VPN usage. - - forensic_value: | - Shows remote network access attempts, VPN usage for potential data exfiltration, - unauthorized remote access to corporate networks, and can reveal connections to - suspicious networks, command and control infrastructure, or anonymization services. - Critical for identifying covert communication channels, unauthorized network access, - and potential insider threat activities involving external network connections. - - structure: | - Connection profiles with server addresses, authentication settings, VPN protocols, - encryption configurations, auto-connect preferences, and credential storage options. - Phonebook entries contain detailed connection parameters, server endpoints, - authentication types, and protocol-specific settings stored in binary format. 
- - examples: - - "Connection: Corporate VPN" - - "Server: vpn.company.com" - - "Protocol: L2TP/IPSec" - - "Authentication: MS-CHAPv2" - - "PreSharedKey: [encrypted]" - - "Tunnel: 192.168.100.1" - - "Suspicious: Connection: TorVPN-Exit" - - "Anonymization: Server: vpn.privacy-service.onion" - - "AutoConnect: 1 (automatic connection)" - - "SaveCredentials: 1 (credentials stored)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for VPN configuration analysis" - - name: "VPN Connection Manager" - description: "Windows built-in VPN and dial-up connection management" - - name: "RAS Connection Monitor" - description: "Remote Access Service monitoring and analysis tools" - - name: "Network Connection Analyzer" - description: "Tools for analyzing network connection profiles and history" - - name: "RasPhone" - description: "Windows Remote Access phonebook editor and connection utility" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95 (Dial-Up Networking)" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "lateral-movement" - - "insider-threat" - - "behavioral-analysis" - - "incident-response" - - tags: - - "network" - - "vpn" - - "remote-access" - - "data-exfiltration" - - "command-control" - - "suspicious-networks" - - "encrypted-tunnels" - - "anonymization" - - "covert-channels" - - references: - - title: "Windows VPN Connections" - url: "https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-top" - type: "official" - - title: "Remote Access Service 
(RAS)" - url: "https://docs.microsoft.com/en-us/windows/win32/rras/remote-access-service-ras-" - type: "official" - - title: "VPN Security Analysis" - url: "https://www.sans.org/blog/vpn-security-analysis/" - type: "research" - - title: "Remote Access Forensics" - url: "https://www.forensicfocus.com/articles/vpn-connection-forensics/" - type: "research" - - retention: - default_location: "Registry hives (NTUSER.DAT, SYSTEM)" - persistence: "Survives reboots, persists until connection profiles are deleted" - volatility: "Connection profiles and credentials preserved across system updates" - - related_artifacts: - - "network_interfaces" - - "proxy_settings" - - "dns_cache" - - "firewall_rules" - - "wifi_profiles" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/network/wifi_profiles.yml b/artifacts/network/wifi_profiles.yml deleted file mode 100644 index 5369360..0000000 --- a/artifacts/network/wifi_profiles.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -title: "WiFi Network Profiles and Credentials" -category: "network" -description: "Stored WiFi profiles, SSIDs, security settings, connection history, and network location tracking" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Signatures\\Unmanaged" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Signatures\\Managed" - -details: - what: | - Windows stores comprehensive WiFi network profile information including SSID names, security - configurations, connection properties, network categories, and encrypted credentials for - automatic reconnection. Network signatures track connection history, first/last connection - times, and network identification data. Maintains both managed (domain) and unmanaged - (personal) network profiles with detailed connection metadata and location tracking. - - forensic_value: | - Critical for establishing user location patterns, travel history, and potential access points - visited by suspects. WiFi profiles reveal geographic movement, lifestyle patterns, and - association with specific locations or organizations. Can indicate compromise through rogue - access points, unauthorized network access, or reveal investigative leads about suspect - activities and whereabouts during relevant time periods. - - structure: | - Network profiles stored with GUIDs as registry keys containing ProfileName (SSID), Description - (network details), Managed status (domain vs. personal), Category (public/private/domain), - DateCreated and DateLastConnected as FILETIME values. Signatures maintain network identification - data and connection correlation information for comprehensive network tracking. 
- - examples: - - "ProfileName: CoffeeShop_WiFi (Public WiFi access point)" - - "ProfileName: HOME-NETWORK-5G (Personal residence network)" - - "Description: Starbucks Guest Network (Business establishment WiFi)" - - "Category: 0 (Public network), 1 (Private network), 2 (Domain network)" - - "DateCreated: 0x01DA2E8F5C6A0000 (FILETIME: 2024-01-15 14:30:25)" - - "DateLastConnected: 0x01DA2F1A2B8C0000 (Recent connection timestamp)" - - "FirstNetwork: Corporate_Guest (First connected network profile)" - - "Managed: 1 (Enterprise-managed network profile)" - - tools: - - name: "WirelessKeyView" - url: "https://www.nirsoft.net/utils/wireless_key.html" - description: "Recover stored WiFi passwords and network information" - - name: "WiFi Password Revealer" - description: "Third-party tools for WiFi credential recovery and analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "netsh wlan show profiles" - description: "Built-in Windows command for WiFi profile enumeration" - - name: "Network Location Analysis Tools" - description: "Specialized tools for geographic and location analysis from WiFi data" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows Vista" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "timeline-analysis" - - "behavioral-analysis" - - tags: - - "network" - - "wifi" - - "credentials" - - "location-tracking" - - "travel-patterns" - - "network-profiles" - - "geographic-analysis" - - references: - - title: "Microsoft Documentation: Network Location Awareness" - url: "https://docs.microsoft.com/en-us/windows/win32/nla/network-location-awareness-portal" - type: "official" - - title: "WiFi Forensics and Location Analysis" - url: "https://www.sans.org/white-papers/33894/" - type: "research" - - title: "Wireless Network 
Forensics Investigation Techniques" - url: "https://www.forensicfocus.com/articles/wireless-network-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE)" - persistence: "WiFi profiles persist until manually removed or network forgotten" - volatility: "Connection timestamps provide ongoing location and travel intelligence" - - related_artifacts: - - "network_interfaces" - - "network_connections" - - "location_services" - - "proxy_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/persistence/appcertdlls_injection.yml b/artifacts/persistence/appcertdlls_injection.yml deleted file mode 100644 index f384e55..0000000 --- a/artifacts/persistence/appcertdlls_injection.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -title: "AppCertDLLs DLL Injection Persistence" -category: "persistence" -description: "Application Certification DLL injection mechanism for persistent code execution in all processes" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs" - -details: - what: | - AppCertDLLs registry key enables system-wide DLL injection by specifying Dynamic Link Libraries - that Windows automatically loads into every process that calls CreateProcess, CreateProcessAsUser, - CreateProcessWithLogonW, CreateProcessWithTokenW, and WinExec APIs. Originally designed for - application certification and compatibility testing, this mechanism provides powerful process - injection capabilities for both legitimate and malicious purposes. - - forensic_value: | - Critical persistence mechanism used by advanced malware and sophisticated attackers for system-wide - code injection. Shows evidence of persistent DLL injection affecting all processes, rootkit-like - behavior, and advanced evasion techniques. Extremely dangerous when abused as it provides - unrestricted access to all process memory spaces and can be used for credential theft, process - manipulation, and comprehensive system compromise. Essential for detecting advanced persistent threats. - - structure: | - Registry key contains value names as arbitrary identifiers with REG_SZ data specifying full - paths to DLL files. Each DLL listed will be automatically injected into every new process - created on the system. Multiple DLLs can be specified with different value names. Empty - or non-existent key is normal; any entries should be investigated as potential malware. 
- - examples: - - "CertificationDLL1: C:\\Windows\\System32\\legitimate_cert.dll (Legitimate certification DLL)" - - "MaliciousDLL: C:\\malware\\backdoor.dll (Suspicious DLL injection)" - - "RootkitDLL: C:\\Windows\\System32\\evil_rootkit.dll (Rootkit persistence)" - - "SpywareDLL: C:\\temp\\keylogger.dll (Keylogging DLL injection)" - - "Empty Key: (Normal state - no DLL injection configured)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis for AppCertDLLs detection" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with AppCertDLLs enumeration" - - name: "Process Monitor" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" - description: "Real-time monitoring of DLL injection activities" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with persistence mechanism detection" - - name: "DLL Injection Detectors" - description: "Specialized security tools for detecting DLL injection techniques" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "persistence-analysis" - - "privilege-escalation" - - "incident-response" - - "behavioral-analysis" - - tags: - - "persistence" - - "dll-injection" - - "process-injection" - - "system-wide-injection" - - "advanced-malware" - - "rootkits" - - "appcertdlls" - - "code-injection" - - "sophisticated-attacks" - - references: - - title: "Microsoft Documentation: 
Application Certification" - url: "https://docs.microsoft.com/en-us/windows/win32/win7appqual/application-certification" - type: "official" - - title: "MITRE ATT&CK: Process Injection" - url: "https://attack.mitre.org/techniques/T1055/" - type: "research" - - title: "AppCertDLLs Persistence Technique Analysis" - url: "https://www.sans.org/blog/appcertdlls-persistence-technique/" - type: "research" - - title: "DLL Injection Techniques and Detection" - url: "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Survives reboots, affects all future process creation until removed" - volatility: "Extremely persistent mechanism affecting entire system until explicit removal" - - related_artifacts: - - "lsa_packages" - - "winlogon_userinit" - - "image_hijack" - - "com_objects" - - "services" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "1.0" \ No newline at end of file diff --git a/artifacts/persistence/com_objects.yml b/artifacts/persistence/com_objects.yml deleted file mode 100644 index f3351cc..0000000 --- a/artifacts/persistence/com_objects.yml +++ /dev/null 
@@ -1,137 +0,0 @@ -title: "COM Objects and Class Registration" -category: "persistence" -description: "Component Object Model registration database for DLL hijacking and sophisticated persistence mechanisms" - -paths: - - "HKCR\\CLSID" - - "HKLM\\SOFTWARE\\Classes\\CLSID" - - "HKCU\\SOFTWARE\\Classes\\CLSID" - - "HKCR\\Interface" - - "HKCR\\TypeLib" - -details: - what: | - Component Object Model (COM) registration database containing Class IDs (CLSIDs), - Interface IDs (IIDs), Type Library information, and associated DLL/executable paths. - Controls how applications instantiate and interact with COM objects, services, and - components. Includes InProcess and OutProcess server registrations, interface - definitions, and security descriptors for COM object access control. - - forensic_value: | - COM hijacking is a sophisticated persistence technique where malware replaces - legitimate COM object paths with malicious DLLs. Shows unauthorized COM object - registration, DLL path modifications, potential hijacking attempts, and advanced - persistence mechanisms. Can indicate rootkit activity, advanced persistent threats, - and sophisticated malware families using COM for stealth and persistence. - - structure: | - CLSID entries contain InprocServer32 (DLL path), LocalServer32 (EXE path), - ProgID associations, threading models, and interface definitions. Each CLSID - represents a unique COM class with specific functionality, implementation, - security attributes, and activation contexts. Binary data includes type - libraries, interface marshaling information, and security descriptors. 
- - examples: - - "CLSID\\{00021401-0000-0000-C000-000000000046}\\InprocServer32: C:\\malware\\evil.dll" - - "CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\LocalServer32: C:\\Windows\\System32\\mmcndmgr.dll" - - "ProgID: Shell.Application" - - "ThreadingModel: Apartment" - - "Version: 1.0" - - "InprocServer32\\(Default): %SystemRoot%\\system32\\shell32.dll" - - "AppID: {GUID} (Application ID for DCOM configuration)" - - "TypeLib: {GUID} (Type Library reference)" - - "Hijacked CLSID: {GUID}\\InprocServer32: C:\\temp\\backdoor.dll" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for COM object analysis and CLSID enumeration" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with comprehensive COM object enumeration" - - name: "RegDllView" - url: "https://www.nirsoft.net/utils/registered_dll_view.html" - description: "NirSoft tool for viewing registered DLLs and COM components" - - name: "OLE/COM Object Viewer" - description: "Microsoft OLE/COM Object Viewer for detailed COM analysis" - - name: "COM Hijack Toolkit" - description: "Specialized tools for COM hijacking detection and analysis" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT 3.5" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95 / Windows NT 3.5" - - criticality: "high" - - investigation_types: - - "persistence-analysis" - - "malware-analysis" - - "privilege-escalation" - - "incident-response" - - "behavioral-analysis" - - tags: - - "persistence" - - "com-objects" - - "dll-hijacking" - - "clsid" - - 
"advanced-persistence" - - "object-registration" - - "rootkits" - - "sophisticated-malware" - - "process-injection" - - references: - - title: "Component Object Model (COM)" - url: "https://docs.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal" - type: "official" - - title: "COM Security and Authentication" - url: "https://docs.microsoft.com/en-us/windows/win32/com/security-in-com" - type: "official" - - title: "MITRE ATT&CK: Component Object Model Hijacking" - url: "https://attack.mitre.org/techniques/T1546/015/" - type: "research" - - title: "COM Hijacking Techniques" - url: "https://www.sans.org/blog/com-hijacking-techniques/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, CLASSES)" - persistence: "Survives reboots and application uninstallation, highly persistent" - volatility: "COM registrations persist until explicitly removed or system corruption" - - related_artifacts: - - "shell_extensions" - - "image_hijack" - - "registry_run_keys" - - "lsa_packages" - - "print_processors" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/image_hijack.yml b/artifacts/persistence/image_hijack.yml deleted file mode 100644 index fee3d5b..0000000 --- a/artifacts/persistence/image_hijack.yml +++ /dev/null 
@@ -1,134 +0,0 @@ -title: "Image File Execution Options Hijacking" -category: "persistence" -description: "Process hijacking through Image File Execution Options debugger attachment and execution redirection" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" - - "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" - - "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" - -details: - what: | - Image File Execution Options (IFEO) allows attaching debuggers to processes, - modifying executable behavior, and controlling process execution parameters. - Originally designed for debugging and compatibility, malware abuses this mechanism - to hijack legitimate processes by setting malicious debuggers that run instead - of the target application. Includes GlobalFlag settings for debugging features. - - forensic_value: | - Advanced persistence technique that hijacks legitimate processes through debugger - attachment. Shows unauthorized debugger attachments, process redirection, and - sophisticated evasion techniques. Critical for detecting advanced malware persistence, - accessibility tool hijacking (sticky keys attacks), and process replacement attacks. - Can indicate privilege escalation attempts and system compromise. - - structure: | - Executable names as subkeys containing Debugger value pointing to malicious - executables, GlobalFlag for debugging options, VerifierDlls for application - verifier, and various debugging parameters. When the hijacked process starts, - the debugger runs instead with the original process as a parameter. 
- - examples: - - "sethc.exe\\Debugger: C:\\Windows\\System32\\cmd.exe (Sticky Keys hijack)" - - "taskmgr.exe\\Debugger: C:\\malware\\backdoor.exe" - - "regedit.exe\\Debugger: powershell.exe -enc " - - "utilman.exe\\Debugger: C:\\temp\\shell.exe (Utility Manager hijack)" - - "osk.exe\\Debugger: cmd.exe (On-Screen Keyboard hijack)" - - "GlobalFlag: 0x200 (Enable heap validation)" - - "VerifierDlls: malicious_verifier.dll" - - "DisableHeapLookaside: 1" - - "PageHeapFlags: 0x03" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for IFEO analysis and debugger detection" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with IFEO enumeration and analysis" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with Image File Execution Options plugins" - - name: "Process Monitor" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" - description: "Real-time process monitoring for IFEO hijacking detection" - - name: "IFEO Manager" - description: "Tools for managing and analyzing Image File Execution Options" - -metadata: - windows_versions: - - "Windows NT 3.5" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.5" - - criticality: "high" - - investigation_types: - - "persistence-analysis" - - "malware-analysis" - - "privilege-escalation" - - "incident-response" - - "behavioral-analysis" - - tags: - - "persistence" - - "process-hijacking" - - "debugger-abuse" - - "advanced-malware" - - "evasion" - - "ifeo" - - 
"sticky-keys" - - "accessibility-hijack" - - "process-replacement" - - references: - - title: "Image File Execution Options" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786263(v=ws.10)" - type: "official" - - title: "Application Verifier" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier" - type: "official" - - title: "MITRE ATT&CK: Image File Execution Options Injection" - url: "https://attack.mitre.org/techniques/T1546/012/" - type: "research" - - title: "Sticky Keys Attack and IFEO" - url: "https://www.sans.org/blog/malware-persistence-image-file-execution-options/" - type: "research" - - retention: - default_location: "SOFTWARE registry hive" - persistence: "Survives reboots, highly persistent until explicitly removed" - volatility: "IFEO settings persist across system updates and application reinstallation" - - related_artifacts: - - "winlogon_userinit" - - "com_objects" - - "registry_run_keys" - - "shell_extensions" - - "app_compat_flags" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/lsa_packages.yml b/artifacts/persistence/lsa_packages.yml deleted file mode 100644 index 73bc59f..0000000 --- a/artifacts/persistence/lsa_packages.yml +++ /dev/null 
@@ -1,130 +0,0 @@ -title: "LSA Security Packages and Authentication" -category: "persistence" -description: "Local Security Authority packages, authentication providers, and credential interception mechanisms" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" - -details: - what: | - Local Security Authority (LSA) configuration including security packages, - authentication providers, notification packages, and security support providers - that handle authentication, credential management, and security functions. - Controls authentication protocols, password filtering, and security event - notifications throughout the Windows authentication subsystem. - - forensic_value: | - Advanced persistence technique where malware registers malicious DLLs as LSA - security packages, providing persistent access with SYSTEM privileges and the - ability to intercept authentication credentials, passwords, and security tokens. - Can indicate sophisticated attacks targeting authentication infrastructure, - credential harvesting operations, and advanced persistent threats. - - structure: | - LSA settings include Security Packages (authentication DLLs), Authentication - Packages (logon process DLLs), Notification Packages (password change notifications), - SecurityProviders (SSP/AP DLLs), and Bounds checking configuration stored as - REG_MULTI_SZ values with system security implications. 
- - examples: - - "Security Packages: kerberos, msv1_0, schannel, wdigest, tspkg, pku2u" - - "Authentication Packages: msv1_0, malicious_auth_package" - - "Notification Packages: scecli, rassfm, malicious_notify" - - "SecurityProviders: schannel.dll, digest.dll, msnsspc.dll, backdoor.dll" - - "LsaDbBackupPath: C:\\Windows\\System32\\config" - - "Bounds: 0x30 (bounds checking configuration)" - - "NoLMHash: 1 (disable LM hash storage)" - - "LmCompatibilityLevel: 5 (NTLMv2 only)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for LSA configuration analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with LSA provider enumeration" - - name: "LSA Secrets Dumper" - description: "Tools for extracting and analyzing LSA secrets and configuration" - - name: "Security Policy Editor" - description: "Windows security policy management for LSA configuration" - - name: "Mimikatz" - url: "https://github.com/gentilkiwi/mimikatz" - description: "Credential extraction tool that can identify LSA modifications" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "persistence-analysis" - - "privilege-escalation" - - "malware-analysis" - - "incident-response" - - tags: - - "persistence" - - "lsa" - - "authentication" - - "credential-theft" - - "system-privileges" - - "advanced-persistence" - - "security-packages" - - "password-interception" - - "sophisticated-malware" - - references: - - title: "Local Security 
Authority (LSA)" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/local-security-authority" - type: "official" - - title: "Authentication Packages" - url: "https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-packages" - type: "official" - - title: "MITRE ATT&CK: LSA Secrets" - url: "https://attack.mitre.org/techniques/T1003/004/" - type: "research" - - title: "LSA Security Package Analysis" - url: "https://www.sans.org/blog/lsa-security-packages-analysis/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Survives reboots, highly persistent with system-level privileges" - volatility: "LSA configuration persists until explicit modification or system corruption" - - related_artifacts: - - "sam_security" - - "security_policy" - - "winlogon_userinit" - - "com_objects" - - "scheduled_tasks" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/persistence/print_processors.yml b/artifacts/persistence/print_processors.yml deleted file mode 100644 index 4f90db2..0000000 --- a/artifacts/persistence/print_processors.yml +++ /dev/null 
@@ -1,132 +0,0 @@ -title: "Print Processors and Print Monitor DLLs" -category: "persistence" -description: "Print system DLL persistence through processors, monitors, and print providers" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Processors" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers" - -details: - what: | - Windows print system configuration including print processors, print monitors, - print providers, and printer-specific settings. These DLLs are loaded by the - spooler service (spoolsv.exe) and provide opportunities for persistent code - execution with SYSTEM privileges. Controls print job processing, printer - communication, and network printing functionality through registered DLL components. - - forensic_value: | - Advanced persistence technique where malware registers malicious DLLs as print - processors, monitors, or providers. Shows unauthorized print system modifications - that can provide persistent access with high privileges. Can indicate sophisticated - attacks targeting the print spooler service for privilege escalation, lateral - movement, or persistent access to critical systems. - - structure: | - Print processors and monitors registered with DLL paths, entry points, and - configuration data. Each entry specifies the DLL location, functionality provided, - environment (Windows/NT x86/x64), and load order. Print providers handle network - printing, authentication, and print queue management with specific capabilities. 
- - examples: - - "Processors\\winprint\\Driver: C:\\Windows\\System32\\winprint.dll" - - "Processors\\malicious\\Driver: C:\\malware\\evil_processor.dll" - - "Monitors\\Standard TCP/IP Port\\Driver: tcpmon.dll" - - "Monitors\\Backdoor Monitor\\Driver: C:\\temp\\backdoor.dll" - - "Providers\\LanMan Print Services\\Name: win32spl.dll" - - "Providers\\Malicious Provider\\Name: C:\\malware\\provider.dll" - - "PrinterDriverDir: C:\\Windows\\System32\\spool\\drivers" - - "Environment: Windows NT x86" - - tools: - - name: "Print Management Console" - description: "Windows Print Management MMC snap-in for print system administration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for print system configuration analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with print processor enumeration" - - name: "Process Monitor" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" - description: "Real-time monitoring of print spooler service DLL loading" - - name: "Print Spooler Analysis Tools" - description: "Specialized tools for print system security and configuration analysis" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "medium" - - investigation_types: - - "persistence-analysis" - - "privilege-escalation" - - "malware-analysis" - - "incident-response" - - "lateral-movement" - - tags: - - "persistence" - - "print-processors" - - "dll-hijacking" - - "system-privileges" - - "spooler-service" - - 
"advanced-persistence" - - "print-monitors" - - "print-providers" - - "privilege-escalation" - - references: - - title: "Print Spooler Architecture" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/print/" - type: "official" - - title: "Print Processors" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/print/print-processors" - type: "official" - - title: "Print Spooler Vulnerabilities" - url: "https://www.sans.org/blog/print-spooler-security/" - type: "research" - - title: "Print System Persistence Techniques" - url: "https://attack.mitre.org/techniques/T1547/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Survives reboots, highly persistent with system service integration" - volatility: "Print system configuration persists until explicit modification" - - related_artifacts: - - "lsa_packages" - - "com_objects" - - "registry_run_keys" - - "winlogon_userinit" - - "scheduled_tasks" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/registry_run_keys.yml b/artifacts/persistence/registry_run_keys.yml deleted file mode 100644 index 4a18c65..0000000 --- a/artifacts/persistence/registry_run_keys.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -title: "Registry Run Keys Persistence" -category: "persistence" -description: "Autostart programs via Run and RunOnce registry keys - primary malware persistence method" - -paths: - - "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" - - "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" - - "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices" - - "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" - -details: - what: | - Registry locations where Windows automatically executes programs during user logon - or system startup. HKLM keys run for all users with SYSTEM privileges, HKCU keys - run for specific users with user privileges. RunOnce keys execute once then delete - themselves. RunServices keys exist on older Windows versions for service startup. - - forensic_value: | - Primary persistence mechanism used by malware, backdoors, and legitimate software. - Shows what programs automatically start with Windows. Critical for identifying - unauthorized persistence and malware installation. Can reveal privilege escalation - attempts and system compromise indicators. Essential for incident response triage. - - structure: | - Value names are arbitrary (often program names), value data contains executable - paths with optional command line arguments. REG_SZ or REG_EXPAND_SZ format. - Can include quotes around paths, environment variables, and various command line switches. - Entries beginning with asterisk (*) are hidden from System Configuration Utility. 
- - examples: - - "SecurityHealthSystray: C:\\Windows\\System32\\SecurityHealthSystray.exe" - - "Malware: C:\\Users\\user\\AppData\\Roaming\\malware.exe -silent" - - "UpdateCheck: \"C:\\Program Files\\App\\updater.exe\" /background" - - "*Persistence: powershell.exe -enc [base64]" - - "Adobe ARM: %ProgramFiles(x86)%\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" - - "Backdoor: cmd.exe /c start /min C:\\temp\\payload.bat" - - tools: - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals comprehensive autostart enumeration tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction with run keys plugins" - - name: "AutorunsToWinEventLog" - url: "https://github.com/palantir/windows-event-forwarding" - description: "Convert Autoruns output to Windows Event Log format" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "persistence-analysis" - - "incident-response" - - "timeline-analysis" - - "behavioral-analysis" - - tags: - - "persistence" - - "autostart" - - "malware" - - "startup-programs" - - "privilege-escalation" - - "system-compromise" - - "registry-persistence" - - "boot-execution" - - references: - - title: "Microsoft Documentation: Run and RunOnce Registry Keys" - url: "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys" - 
type: "official" - - title: "MITRE ATT&CK: Boot or Logon Autostart Execution" - url: "https://attack.mitre.org/techniques/T1547/001/" - type: "research" - - title: "SANS Registry Analysis" - url: "https://www.sans.org/blog/malware-persistence-windows-registry/" - type: "research" - - title: "Malware Persistence via Registry" - url: "https://attack.mitre.org/techniques/T1547/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE, NTUSER.DAT)" - persistence: "Survives reboots, system cleaning, and basic malware removal attempts" - volatility: "Persistent until explicitly deleted or registry corruption occurs" - - related_artifacts: - - "shell_folders" - - "winlogon_userinit" - - "scheduled_tasks" - - "shell_extensions" - - "wmi_events" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/scheduled_tasks.yml b/artifacts/persistence/scheduled_tasks.yml deleted file mode 100644 index 00979cb..0000000 --- a/artifacts/persistence/scheduled_tasks.yml +++ /dev/null 
@@ -1,132 +0,0 @@ -title: "Scheduled Tasks Registry Entries" -category: "persistence" -description: "Registry traces of scheduled tasks used for persistence, automation, and system maintenance" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Boot" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Logon" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Maintenance" - -details: - what: | - Windows Task Scheduler maintains registry entries for all scheduled tasks, - including task metadata, execution history, hierarchical organization, and - trigger information. Tracks both system tasks and user-created automation - with detailed execution statistics, security contexts, and scheduling patterns. - Registry data complements XML task definitions stored in the file system. - - forensic_value: | - Scheduled tasks are a common persistence mechanism for malware and legitimate - automation. Shows task creation times, execution patterns, authors, and can reveal - malicious automation, unauthorized access schedules, or privilege escalation attempts. - Critical for identifying advanced persistent threats (APTs) that use legitimate - Windows scheduling for persistence and lateral movement. - - structure: | - Tasks subkey contains binary task metadata including Author, Date, Path, URI, - Actions, and execution history. Tree subkey maintains hierarchical task organization - with folder structures. Binary data includes GUID identifiers, security descriptors, - trigger definitions, and execution statistics in proprietary Microsoft format. 
- - examples: - - "Author: Microsoft Corporation" - - "Path: \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan" - - "URI: \\MaliciousTask" - - "Date: 2024-01-15T14:30:00Z" - - "Actions: C:\\Windows\\System32\\cmd.exe /c malicious_script.bat" - - "Triggers: Daily at 3:00 AM" - - "Security Context: SYSTEM" - - "Last Run: 2024-01-20 03:00:15" - - "Next Run: 2024-01-21 03:00:00" - - "Run Count: 47" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with task scheduler analysis" - - name: "Task Scheduler" - description: "Built-in Windows Task Scheduler management interface" - - name: "schtasks.exe" - description: "Command-line interface for task scheduling operations" - - name: "TaskSchedulerView" - url: "https://www.nirsoft.net/utils/task_scheduler_view.html" - description: "NirSoft tool for viewing scheduled tasks with detailed information" - - name: "Get-ScheduledTask PowerShell" - description: "PowerShell cmdlet for comprehensive task analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool including scheduled task enumeration" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista (Task Scheduler 2.0)" - - criticality: "high" - - investigation_types: - - "persistence-analysis" - - "malware-analysis" - - "timeline-analysis" - - "incident-response" - - "privilege-escalation" - - tags: - - "persistence" - - "scheduled-tasks" - - "automation" - - "malware" - - "timeline" - - "privilege-escalation" - - "task-scheduler" - - "system-maintenance" - - "lateral-movement" - - references: - - title: "Task Scheduler for Windows Vista" - url: 
"https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page" - type: "official" - - title: "MITRE ATT&CK: Scheduled Task/Job" - url: "https://attack.mitre.org/techniques/T1053/005/" - type: "research" - - title: "Windows Task Scheduler Forensics" - url: "https://www.sans.org/blog/digital-forensics-scheduled-tasks/" - type: "research" - - title: "Malware Persistence via Scheduled Tasks" - url: "https://www.crowdstrike.com/blog/how-to-hunt-for-persistence-with-scheduled-tasks/" - type: "research" - - retention: - default_location: "SOFTWARE registry hive and %SystemRoot%\\System32\\Tasks" - persistence: "Survives reboots, persists until tasks are explicitly deleted" - volatility: "Historical execution data may be overwritten but task definitions persist" - - related_artifacts: - - "registry_run_keys" - - "winlogon_userinit" - - "wmi_events" - - "shell_extensions" - - "com_objects" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/persistence/screensaver.yml b/artifacts/persistence/screensaver.yml deleted file mode 100644 index e2db1b3..0000000 --- a/artifacts/persistence/screensaver.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -title: "Screensaver Persistence and Configuration" -category: "persistence" -description: "Screensaver hijacking for persistence, execution triggers, and idle-time activation" - -paths: - - "HKCU\\Control Panel\\Desktop" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Control.ini" - - "HKCU\\Control Panel\\Screen Saver.*" - -details: - what: | - Windows screensaver configuration including screensaver executable path, - timeout settings, password protection, and screensaver-related security - settings. Screensavers run with user privileges when activated and provide - an execution mechanism triggered by system idle time. Configuration also - includes screensaver selection, display properties, and activation policies. - - forensic_value: | - Malware can replace legitimate screensavers with malicious executables for - persistence that triggers during idle periods. Shows unauthorized screensaver - modifications that provide execution opportunities when systems are unattended. - Can indicate sophisticated persistence mechanisms that activate during low-activity - periods to avoid detection and maintain covert access to compromised systems. - - structure: | - Desktop settings include SCRNSAVE.EXE (screensaver path), ScreenSaveTimeOut - (activation time in seconds), ScreenSaverIsSecure (password protection), - ScreenSaveActive (enabled/disabled), and various screensaver-specific - configuration parameters stored as REG_SZ values in Control Panel\\Desktop. 
- - examples: - - "SCRNSAVE.EXE: C:\\Windows\\System32\\Mystify.scr" - - "ScreenSaveTimeOut: 900 (15 minutes)" - - "ScreenSaverIsSecure: 1 (password required to unlock)" - - "ScreenSaveActive: 1 (screensaver enabled)" - - "Malicious: SCRNSAVE.EXE: C:\\malware\\backdoor.scr" - - "Persistence: SCRNSAVE.EXE: powershell.exe -WindowStyle Hidden -File C:\\temp\\payload.ps1" - - "Hijacked: SCRNSAVE.EXE: C:\\Users\\user\\AppData\\Local\\evil.exe" - - "ScreenSaveUsePassword: 0 (no password protection)" - - tools: - - name: "Display Properties" - description: "Windows Display Properties control panel for screensaver configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for screensaver configuration analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with screensaver enumeration" - - name: "Screen Saver Settings" - description: "Windows screensaver configuration and management utilities" - - name: "ScreenSaverView" - description: "Tools for analyzing and monitoring screensaver configurations" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 95" - - criticality: "low" - - investigation_types: - - "persistence-analysis" - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "persistence" - - "screensaver" - - "execution" - - "desktop-hijacking" - - "idle-execution" - - "user-privileges" - - "unattended-execution" - - "display-properties" - - references: - - title: "Screensaver Configuration" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dd162397(v=vs.85)" - type: "official" - - title: "Desktop Window Manager" - url: 
"https://docs.microsoft.com/en-us/windows/win32/dwm/dwm-overview" - type: "official" - - title: "Screensaver Malware Persistence" - url: "https://www.sans.org/blog/screensaver-persistence/" - type: "research" - - title: "Alternative Persistence Mechanisms" - url: "https://attack.mitre.org/techniques/T1547/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives reboots, persists per user profile until configuration changes" - volatility: "Screensaver settings preserved across system updates and power cycles" - - related_artifacts: - - "registry_run_keys" - - "shell_extensions" - - "scheduled_tasks" - - "winlogon_userinit" - - "user_profiles" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/shell_extensions.yml b/artifacts/persistence/shell_extensions.yml deleted file mode 100644 index 2953068..0000000 --- a/artifacts/persistence/shell_extensions.yml +++ /dev/null 
@@ -1,135 +0,0 @@ -title: "Shell Extensions and Context Menu Handlers" -category: "persistence" -description: "Shell extensions, context menu handlers, and Explorer integration points for persistence" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved" - - "HKCR\\*\\shellex\\ContextMenuHandlers" - - "HKCR\\Directory\\shellex\\ContextMenuHandlers" - - "HKLM\\SOFTWARE\\Classes\\*\\shellex" - - "HKCR\\Folder\\shellex\\ContextMenuHandlers" - -details: - what: | - Windows shell extensions provide integration points for third-party applications - to extend Explorer functionality through context menu handlers, property sheet - handlers, icon overlay handlers, drag-and-drop handlers, and shell namespace - extensions. These COM-based extensions execute within Explorer.exe process - and provide rich integration with Windows shell operations and user interactions. - - forensic_value: | - Malware often uses shell extensions for persistence and to intercept file operations, - monitor user activity, or provide covert access points. Shows unauthorized context - menu additions, suspicious file handlers, and potential execution points triggered - by normal user file interactions. Can indicate sophisticated malware that integrates - deeply with Windows shell for stealth persistence and user activity monitoring. - - structure: | - CLSID identifiers as values pointing to registered shell extension components - with specific handler types. Context menu handlers organized by file types, - locations (files, directories, drives), and shell objects. Approved extensions - list shows which extensions are permitted to load in Explorer process. 
- - examples: - - "Approved\\{00021500-0000-0000-C000-000000000046}: WinRAR Shell Extension" - - "*\\shellex\\ContextMenuHandlers\\Malware: {malicious-clsid}" - - "Directory\\shellex\\ContextMenuHandlers\\Backdoor: {suspicious-clsid}" - - "Folder\\shellex\\ContextMenuHandlers\\7-Zip: {23170F69-40C1-278A-1000-000100020000}" - - "IconHandler: {overlay-clsid}" - - "PropertySheetHandlers\\Security: {auth-clsid}" - - "DragDropHandlers\\MaliciousDrop: {evil-clsid}" - - "CopyHookHandlers\\Monitor: {surveillance-clsid}" - - tools: - - name: "ShellExView" - url: "https://www.nirsoft.net/utils/shexview.html" - description: "NirSoft comprehensive shell extensions viewer and manager" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for shell extension analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with shell extension enumeration" - - name: "RegDllView" - url: "https://www.nirsoft.net/utils/registered_dll_view.html" - description: "NirSoft tool for viewing registered DLLs including shell extensions" - - name: "Shell Extension Manager" - description: "Tools for managing and analyzing Windows shell extensions" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "medium" - - investigation_types: - - "persistence-analysis" - - "malware-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "persistence" - - "shell-extensions" - - "context-menu" - - "explorer-integration" - - 
"malware-persistence" - - "file-handlers" - - "com-objects" - - "user-interaction" - - "shell-namespace" - - references: - - title: "Shell Extensions" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/shell-exts" - type: "official" - - title: "Context Menu Handlers" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/context-menu-handlers" - type: "official" - - title: "Shell Extension Security" - url: "https://www.sans.org/blog/shell-extension-persistence/" - type: "research" - - title: "Windows Shell Forensics" - url: "https://www.forensicfocus.com/articles/shell-extension-analysis/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, CLASSES)" - persistence: "Survives reboots and application updates, loads with Explorer process" - volatility: "Shell extension registrations persist until explicit removal" - - related_artifacts: - - "com_objects" - - "file_associations" - - "registry_run_keys" - - "image_hijack" - - "lsa_packages" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/shell_folders.yml b/artifacts/persistence/shell_folders.yml deleted file mode 100644 index 04143ef..0000000 --- a/artifacts/persistence/shell_folders.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -title: "Shell Folders and Startup Locations" -category: "persistence" -description: "Special folder paths including Startup folder locations, user directories, and system folder redirection" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" - -details: - what: | - Windows defines special folder locations including Desktop, Documents, Startup, - system directories, and user profile paths. The Startup folder automatically - executes programs placed in it during user logon, making it a critical persistence - location. User Shell Folders contain environment variables and can be redirected - to alternative locations including network shares for roaming profiles. - - forensic_value: | - Shows persistence through Startup folder modification, reveals customized system - folder locations, indicates folder redirection for data hiding or collection, - and can reveal attempts to redirect critical folders to attacker-controlled - locations. Critical for identifying file-based persistence mechanisms and - understanding user environment modifications that could facilitate data theft. - - structure: | - Named values containing folder paths as REG_SZ or REG_EXPAND_SZ data with - environment variable expansion. Common values include Startup folders (user - and system-wide), Desktop, Personal (Documents), and system directories. - Paths can be redirected to unusual locations including network shares. 
- - examples: - - "Startup: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" - - "Common Startup: C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" - - "Desktop: C:\\Users\\user\\Desktop" - - "Personal: C:\\Users\\user\\Documents" - - "My Pictures: C:\\Users\\user\\Pictures" - - "Redirected: \\\\server\\share\\startup (network redirection)" - - "Modified: Startup: C:\\temp\\malicious_startup" - - "Cache: %USERPROFILE%\\AppData\\Local\\Microsoft\\Windows\\INetCache" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for shell folder configuration analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with startup folder enumeration" - - name: "Folder Options" - description: "Windows Folder Options control panel for folder behavior configuration" - - name: "Special Folders View" - description: "Tools for analyzing Windows special folder configurations" - - name: "Group Policy Management" - description: "Group Policy tools for folder redirection analysis" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "medium" - - investigation_types: - - "persistence-analysis" - - "data-exfiltration" - - "behavioral-analysis" - - "incident-response" - - "insider-threat" - - tags: - - "persistence" - - "startup-folder" - - "shell-folders" - - "folder-redirection" - - "file-persistence" - - "user-directories" - - "system-folders" - - "roaming-profiles" - - 
"network-redirection" - - references: - - title: "Shell Folders" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/csidl" - type: "official" - - title: "Folder Redirection" - url: "https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-overview" - type: "official" - - title: "Startup Folder Persistence" - url: "https://www.sans.org/blog/startup-folder-persistence/" - type: "research" - - title: "Shell Folder Security Analysis" - url: "https://www.forensicfocus.com/articles/shell-folder-forensics/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, NTUSER.DAT)" - persistence: "Survives reboots, persists until folder reconfiguration" - volatility: "Folder paths preserved across system updates and profile changes" - - related_artifacts: - - "registry_run_keys" - - "user_profiles" - - "shellbags" - - "recent_docs" - - "file_associations" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/winlogon_userinit.yml b/artifacts/persistence/winlogon_userinit.yml deleted file mode 100644 index 8e37ef4..0000000 --- a/artifacts/persistence/winlogon_userinit.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -title: "Winlogon and UserInit Persistence" -category: "persistence" -description: "Windows logon process hijacking through Userinit, Shell, and notification package modifications" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" - - "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" - -details: - what: | - Winlogon registry keys control the Windows logon process including which - programs run during user logon, desktop shell initialization, and system - notification handlers. Userinit and Shell values specify programs that execute - automatically when users log in. Notify subkeys register DLLs for logon/logoff - event notifications. These mechanisms are fundamental to Windows startup process. - - forensic_value: | - Critical persistence mechanism used by advanced malware and sophisticated attackers. - Shows unauthorized modifications to the logon process that ensure malware execution - on every user login. Difficult to detect and highly effective for maintaining access. - Can indicate system compromise, privilege escalation, and advanced persistent threats. - Essential for identifying rootkits and advanced malware families. - - structure: | - Key values include Userinit (programs run during logon initialization), - Shell (desktop shell program), Notify DLL registrations, and system policies. - Values contain comma-separated executable paths with parameters. Binary data - may include security descriptors and policy enforcement mechanisms. 
- - examples: - - "Userinit: C:\\Windows\\system32\\userinit.exe,C:\\malware\\backdoor.exe" - - "Shell: explorer.exe,C:\\temp\\malicious.exe" - - "Notify\\malware_notify\\DllName: evil_notify.dll" - - "AutoAdminLogon: 1 (automatic login enabled)" - - "DefaultUserName: administrator" - - "LegalNoticeCaption: System Security Notice" - - "LegalNoticeText: Authorized use only" - - "VmApplet: rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl" - - tools: - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals comprehensive autostart enumeration tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis for Winlogon configuration review" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with winlogon.pl and userinit.pl plugins" - - name: "Process Monitor" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" - description: "Real-time process and file system monitoring during logon" - - name: "LogonExpert" - description: "Specialized tools for Windows logon process analysis" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows NT 3.5" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "persistence-analysis" - - "incident-response" - - "privilege-escalation" - - "behavioral-analysis" - - tags: - - "persistence" - - "winlogon" - - "userinit" - - "logon-hijacking" - - "advanced-malware" - - "process-hijacking" - - "system-startup" - - "rootkits" - - "notification-packages" 
- - references: - - title: "Windows Logon Process" - url: "https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-credential-providers" - type: "official" - - title: "MITRE ATT&CK: Winlogon Helper DLL" - url: "https://attack.mitre.org/techniques/T1547/004/" - type: "research" - - title: "Windows Logon Forensics" - url: "https://www.sans.org/blog/digital-forensics-winlogon-analysis/" - type: "research" - - title: "Malware Persistence via Winlogon" - url: "https://attack.mitre.org/techniques/T1547/" - type: "research" - - retention: - default_location: "SYSTEM and SOFTWARE registry hives" - persistence: "Survives reboots, system updates, and most malware removal attempts" - volatility: "Persistent until explicitly modified or system corruption occurs" - - related_artifacts: - - "registry_run_keys" - - "scheduled_tasks" - - "shell_extensions" - - "lsa_packages" - - "image_hijack" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/persistence/wmi_events.yml b/artifacts/persistence/wmi_events.yml deleted file mode 100644 index e837d23..0000000 --- a/artifacts/persistence/wmi_events.yml +++ /dev/null 
@@ -1,130 +0,0 @@ -title: "WMI Event Subscriptions" -category: "persistence" -description: "Windows Management Instrumentation event-based persistence through filters, consumers, and bindings" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\//./root/subscription" - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\//./root/cimv2" - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\//./root/default" - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM" - -details: - what: | - WMI Event Subscriptions create persistent event-driven triggers that execute - code when specific system events occur. Consists of Event Filters (WQL queries - defining trigger conditions), Event Consumers (actions to execute), and - Filter-to-Consumer Bindings (links between filters and consumers). Provides - sophisticated, legitimate-seeming persistence that survives reboots and security software. - - forensic_value: | - Advanced persistence technique used by sophisticated malware, APT groups, and - advanced persistent threats. Difficult to detect and remove through traditional - means. Shows evidence of advanced persistence mechanisms that survive system - reboots, security software removal, and system cleaning. Critical for identifying - advanced threat actors and sophisticated malware families. - - structure: | - Registry entries for WMI repository objects including __EventFilter (trigger - conditions), __EventConsumer (execution actions), and __FilterToConsumerBinding - (relationships) classes. Binary data contains serialized WMI objects with - WQL queries, PowerShell payloads, executable paths, and scheduling information. 
- - examples: - - "__EventFilter Name: MaliciousProcessMonitor" - - "Query: SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'" - - "__EventConsumer Type: CommandLineEventConsumer" - - "CommandLineTemplate: powershell.exe -enc " - - "__FilterToConsumerBinding: Links filter to consumer" - - "ActiveScriptEventConsumer: VBScript or JScript execution" - - "ScriptText: CreateObject(\"WScript.Shell\").Run \"malicious_command\"" - - "LogFileEventConsumer: Write to log file for persistence verification" - - "SMTPEventConsumer: Email-based command and control" - - tools: - - name: "WMI Explorer" - description: "GUI tool for browsing and analyzing WMI namespaces and objects" - - name: "Get-WMIObject PowerShell" - description: "PowerShell cmdlet for WMI object enumeration and analysis" - - name: "WMI-Persistence Toolkit" - description: "Specialized tools for WMI persistence detection and analysis" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with WMI event subscription enumeration" - - name: "WMI Event Monitor" - description: "Real-time WMI event monitoring and subscription analysis tools" - -metadata: - windows_versions: - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 2000" - - criticality: "high" - - investigation_types: - - "persistence-analysis" - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "lateral-movement" - - tags: - - "persistence" - - "wmi" - - "advanced-threats" - - "apt" - - "event-driven" - - "sophisticated-malware" - - "stealth-persistence" - - "powershell" - - "lateral-movement" - - references: - - title: "Windows Management 
Instrumentation" - url: "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page" - type: "official" - - title: "WMI Event Subscriptions" - url: "https://docs.microsoft.com/en-us/windows/win32/wmisdk/receiving-event-notifications-through-wmi" - type: "official" - - title: "MITRE ATT&CK: Windows Management Instrumentation Event Subscription" - url: "https://attack.mitre.org/techniques/T1546/003/" - type: "research" - - title: "WMI Persistence and Detection" - url: "https://www.sans.org/blog/wmi-persistence-advanced-threat-detection/" - type: "research" - - retention: - default_location: "WMI Repository (%SystemRoot%\\System32\\wbem\\Repository)" - persistence: "Survives reboots, system cleaning, and most security software removal" - volatility: "Highly persistent until WMI repository corruption or explicit removal" - - related_artifacts: - - "scheduled_tasks" - - "powershell_policy" - - "registry_run_keys" - - "com_objects" - - "winlogon_userinit" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/security/bitlocker_config.yml b/artifacts/security/bitlocker_config.yml deleted file mode 100644 index d4c1073..0000000 --- a/artifacts/security/bitlocker_config.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "BitLocker Drive Encryption Settings" -category: "security" -description: "BitLocker encryption configuration, drive protection status, recovery policies, and TPM integration" - -paths: - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\BitLocker" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BitLocker" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BDESVC" - -details: - what: | - BitLocker Full Volume Encryption manages drive-level encryption configuration including - encryption algorithms, authentication methods, TPM (Trusted Platform Module) integration, - recovery key policies, and administrative settings. Controls system drive encryption, - removable media protection, network unlock capabilities, and enterprise key management - for comprehensive data protection and compliance requirements. - - forensic_value: | - Critical for understanding data protection mechanisms that may prevent forensic access, - reveals encryption bypass attempts, shows evidence of encryption policy violations, and - indicates security-conscious behavior or attempts to hide data through encryption. - Configuration changes may reveal insider threats attempting to protect stolen data or - attackers trying to disable encryption for persistent access. - - structure: | - BitLocker configuration includes encryption method settings (AES-128/256), authentication - requirements (TPM, PIN, USB key), recovery options, startup authentication policies, - and enterprise management settings. Service configuration controls BitLocker Drive - Encryption Service behavior, automatic encryption, and policy enforcement mechanisms. 
- - examples: - - "EncryptionMethod: 3 (AES 128-bit with Diffuser)" - - "EncryptionMethod: 4 (AES 256-bit with Diffuser)" - - "UseTPM: 2 (TPM required for system drive)" - - "UseTPMPIN: 1 (TPM + PIN authentication required)" - - "UseTPMKey: 0 (USB key not required)" - - "EnableBDEWithNoTPM: 0 (BitLocker requires TPM)" - - "RecoveryKeyMessageSource: IT Department Contact: helpdesk@company.com" - - "BDESVC\\Start: 3 (BitLocker service manual startup)" - - tools: - - name: "BitLocker Drive Encryption (Control Panel)" - description: "Built-in Windows BitLocker management interface" - - name: "manage-bde.exe" - description: "Command-line BitLocker administration and status utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "BitLocker policy configuration and enterprise management" - - name: "TPM Management Console" - description: "Trusted Platform Module configuration and monitoring" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "incident-response" - - "insider-threat" - - tags: - - "security" - - "bitlocker" - - "encryption" - - "data-protection" - - "tpm" - - "drive-encryption" - - "recovery-keys" - - "authentication" - - references: - - title: "Microsoft Documentation: BitLocker" - url: "https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/" - type: "official" - - title: "BitLocker Security and Forensic Considerations" - url: "https://www.sans.org/white-papers/33649/" - type: "research" - - title: "Enterprise BitLocker Management" - url: 
"https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM)" - persistence: "Encryption settings persist until administratively changed" - volatility: "Critical security configuration affecting data access and forensic investigations" - - related_artifacts: - - "security_policy" - - "tpm_configuration" - - "recovery_keys" - - "authentication_methods" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/security/camera_microphone_access_control.yml b/artifacts/security/camera_microphone_access_control.yml deleted file mode 100644 index cd4fbc5..0000000 --- a/artifacts/security/camera_microphone_access_control.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -title: "Camera and Microphone Access Control" -category: "security" -description: "Privacy consent settings for camera and microphone access by applications and system components" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam" - -details: - what: | - Windows manages application permissions for camera and microphone access through the - Capability Access Manager. Registry stores consent decisions, application-specific - permissions, system-wide privacy settings, and usage tracking for audio/video - recording capabilities. Controls which applications can access sensitive hardware - devices and maintains audit trails of permission grants and denials. - - forensic_value: | - Critical for investigating privacy violations, unauthorized surveillance, and potential - malware with recording capabilities. Shows evidence of applications attempting to - access camera/microphone, reveals privacy setting modifications that could indicate - malicious activity, and provides timeline of when sensitive permissions were granted - or denied. Essential for detecting spyware, unauthorized recording, and privacy breaches. - - structure: | - ConsentStore entries include Value (Allow/Deny), LastUsedTimeStart/LastUsedTimeStop - timestamps as FILETIME, and application-specific permission entries with package - family names for UWP apps and executable paths for desktop applications. Global - settings control system-wide camera/microphone access policies. 
- - examples: - - "microphone\\Value: Allow (System-wide microphone access enabled)" - - "webcam\\Value: Deny (System-wide camera access disabled)" - - "microphone\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Value: Allow (Skype microphone permission)" - - "webcam\\C:\\Program Files\\Zoom\\bin\\Zoom.exe\\Value: Allow (Zoom camera permission)" - - "LastUsedTimeStart: 0x01DA2E8F5C6A0000 (FILETIME: Last camera access)" - - "LastUsedTimeStop: 0x01DA2E8F5C6A0000 (FILETIME: Camera access ended)" - - tools: - - name: "Windows Settings (Privacy & Security)" - description: "Built-in Windows privacy control for camera and microphone permissions" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "PrivacyView" - description: "Third-party tools for Windows privacy setting analysis" - - name: "Process Monitor" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" - description: "Monitor real-time camera/microphone access attempts" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Windows 10" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - tags: - - "privacy" - - "camera" - - "microphone" - - "surveillance" - - "spyware" - - "recording" - - "consent" - - "permissions" - - references: - - title: "Windows Privacy Controls" - url: "https://docs.microsoft.com/en-us/windows/privacy/" - type: "official" - - title: "CapabilityAccessManager Documentation" - url: "https://docs.microsoft.com/en-us/uwp/api/windows.security.authorization.appcapabilityaccess" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Permission settings persist until manually changed" - volatility: "Usage timestamps provide ongoing surveillance detection capability" - - related_artifacts: - - "device_permissions" - - "privacy_settings" - - 
"application_permissions" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/security/device_permissions.yml b/artifacts/security/device_permissions.yml deleted file mode 100644 index 705ec66..0000000 --- a/artifacts/security/device_permissions.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -title: "Device Permissions and Privacy Settings" -category: "security" -description: "App permissions for camera, microphone, location, contacts, and other device capabilities with privacy controls" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess\\Global" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Privacy" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy" - -details: - what: | - Windows capability access manager controls application permissions for sensitive device - resources including camera, microphone, location services, contacts, calendar, messaging, - and other privacy-sensitive capabilities. Manages both global permission settings and - per-application granular access controls for comprehensive privacy protection and - security enforcement across Modern Windows applications. - - forensic_value: | - Critical for investigating privacy violations, unauthorized surveillance, data exfiltration - through device sensors, and malicious application behavior. Shows which applications - have access to sensitive resources like cameras and microphones, reveals potential - surveillance capabilities, and indicates privacy-conscious user behavior or attempts - to hide malicious access to device capabilities through permission manipulation. - - structure: | - ConsentStore organizes permissions by capability type (camera, microphone, location, etc.) - with global and per-application settings. DeviceAccess controls system-wide capability - enablement, Privacy settings manage user-level privacy preferences, and AppPrivacy - policies enforce enterprise privacy controls and application access restrictions. 
- - examples: - - "ConsentStore\\\\webcam\\\\Value: Allow (Global camera access enabled)" - - "ConsentStore\\\\microphone\\\\Value: Deny (Global microphone access disabled)" - - "Microsoft.Camera_8wekyb3d8bbwe\\\\Value: Allow (Camera app access granted)" - - "Skype_kzf8qxf38zg5c\\\\Value: Allow (Skype microphone and camera access)" - - "ConsentStore\\\\location\\\\Value: Deny (Location services disabled globally)" - - "ConsentStore\\\\contacts\\\\Value: Allow (Contact access permitted)" - - "Global\\\\{E5323777-F976-4f5b-9B55-B94699C46E44}\\\\Value: Deny (Location disabled)" - - "AppPrivacy\\\\LetAppsAccessCamera: 2 (Force deny camera access policy)" - - tools: - - name: "Privacy Settings (ms-settings:privacy)" - description: "Windows built-in privacy and device permission configuration" - - name: "App Permissions (ms-settings:appsfeatures-app)" - description: "Per-application permission management interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "Enterprise privacy policy configuration and enforcement" - - name: "Privacy Dashboard" - description: "Microsoft account privacy settings and data management" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Windows 10" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "malware-analysis" - - "insider-threat" - - tags: - - "security" - - "privacy" - - "device-permissions" - - "app-permissions" - - "camera-access" - - "microphone-access" - - "location-privacy" - - "surveillance" - - references: - - title: "Microsoft Documentation: App Permissions" - url: "https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services" - type: "official" - - title: "Windows Privacy Controls" - url: "https://docs.microsoft.com/en-us/windows/privacy/" - 
type: "official"
- - title: "Digital Privacy and Device Permissions Forensics"
- url: "https://www.sans.org/white-papers/39855/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)"
- persistence: "Permission settings persist until manually changed or policy override"
- volatility: "Privacy controls affect ongoing data collection and surveillance capabilities"
-
- related_artifacts:
- - "location_services"
- - "windows_hello"
- - "microsoft_store"
- - "security_policy"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-06-07"
- last_updated: "2025-06-07"
- version: "1.0"
diff --git a/artifacts/security/explorer_policies.yml b/artifacts/security/explorer_policies.yml
deleted file mode 100644
index a886cef..0000000
--- a/artifacts/security/explorer_policies.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -title: "Windows Explorer Policies and Restrictions" -category: "security" -description: "Explorer restrictions, folder access policies, user interface limitations, and administrative controls" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer" - -details: - what: | - Windows Explorer policy framework controls user interface restrictions, folder access permissions, - desktop limitations, shell behavior modifications, and administrative security controls. Manages - Group Policy enforcement for Explorer functionality, file system access restrictions, and - user interface element visibility. Provides comprehensive control over user interaction - capabilities with the Windows shell and file system navigation. - - forensic_value: | - Critical for investigating administrative security bypass attempts, policy modifications that - facilitate unauthorized access, and evidence of system restrictions being circumvented. Shows - if attackers disabled security controls to hide malicious activity, modified user interface - restrictions to access administrative tools, or bypassed folder access limitations to reach - sensitive data. Essential for understanding security posture during incidents. - - structure: | - Policy values stored as REG_DWORD entries controlling specific Explorer restrictions and - behaviors. Common policies include NoRun (disable Run dialog), NoControlPanel (hide Control Panel), - NoDesktop (disable desktop), NoFileMenu (disable File menu), and folder access restrictions. - Advanced settings control file system behavior, hidden file visibility, and extension display. 
- - examples: - - "NoRun: 1 (Run dialog disabled - restricts command execution)" - - "NoControlPanel: 1 (Control Panel access hidden - limits system configuration)" - - "NoDesktop: 1 (Desktop functionality disabled - severe restriction)" - - "NoFileMenu: 1 (File menu disabled in Explorer - limits file operations)" - - "Hidden: 2 (Show hidden files and folders - security setting modified)" - - "HideFileExt: 0 (Show file extensions - security enhancement)" - - "NoFolderOptions: 1 (Folder Options access disabled)" - - "RestrictRun: 1 (Restrict specific executable execution)" - - tools: - - name: "Group Policy Editor (gpedit.msc)" - description: "Built-in Windows Group Policy management interface" - - name: "Local Security Policy (secpol.msc)" - description: "Security policy configuration and analysis tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Folder Options (Control Panel)" - description: "Windows built-in folder and file display configuration" - - name: "PolicyAnalyzer" - description: "Third-party tools for comprehensive Group Policy analysis" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "lateral-movement" - - "behavioral-analysis" - - tags: - - "security" - - "policies" - - "restrictions" - - "explorer" - - "group-policy" - - "user-interface" - - "access-control" - - references: - - title: "Microsoft Documentation: Group Policy Settings Reference" - url: 
"https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider"
- type: "official"
- - title: "Windows Explorer Security Policies"
- url: "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn789189(v=ws.11)"
- type: "official"
- - title: "Group Policy Security Analysis"
- url: "https://www.sans.org/white-papers/33492/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)"
- persistence: "Policy restrictions persist until Group Policy update or manual modification"
- volatility: "Security policies affect immediate user interface and system access capabilities"
-
- related_artifacts:
- - "security_policy"
- - "user_profiles"
- - "file_associations"
- - "software_restriction"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/security/local_security_policy.yml b/artifacts/security/local_security_policy.yml
deleted file mode 100644
index dfcb2da..0000000
--- a/artifacts/security/local_security_policy.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -title: "Local Security Policy Settings" -category: "security" -description: "Security policies, audit settings, user rights assignments, and Local Security Authority configuration" - -paths: - - "HKLM\\SECURITY\\Policy" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" - - "HKLM\\SECURITY\\Policy\\Accounts" - -details: - what: | - Local Security Policy encompasses comprehensive security configuration including audit policies, - user rights assignments, security options, account policies, Local Security Authority (LSA) - settings, and system security behavior controls. Manages authentication requirements, password - policies, account lockout settings, privilege assignments, and security event logging - configuration for complete system security governance. - - forensic_value: | - Critical for detecting security policy modifications that facilitate attacks, privilege - escalation attempts, and evidence tampering through disabled auditing. Shows if attackers - weakened security settings to maintain persistence, disabled logging to hide activities, - or modified authentication requirements to bypass security controls. Essential for understanding - the security posture during incidents and identifying policy-based attack vectors. - - structure: | - Security policy data stored in binary format within the SECURITY registry hive. LSA - settings control authentication behavior, audit policies, and security options. Policies - registry contains user-level security restrictions and Group Policy enforcement settings. - Account policies include password requirements, lockout thresholds, and Kerberos settings. 
- - examples: - - "AuditLogonEvents: 0 (Logon auditing disabled - potential evidence hiding)" - - "AuditObjectAccess: 3 (Success and failure auditing enabled)" - - "LSA\\\\LimitBlankPasswordUse: 0 (Blank passwords allowed - security weakness)" - - "LSA\\\\NoLMHash: 1 (LM hash storage disabled for security)" - - "CrashOnAuditFail: 0 (System continues if audit log full)" - - "MinimumPasswordLength: 0 (No minimum password length required)" - - "MaximumPasswordAge: 4294967295 (Passwords never expire)" - - "EnableGuestAccount: 1 (Guest account enabled - security risk)" - - tools: - - name: "Local Security Policy (secpol.msc)" - description: "Built-in Windows security policy management interface" - - name: "secedit.exe" - description: "Command-line security configuration and analysis tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "Local Group Policy editing for security settings" - - name: "Security Configuration Wizard" - description: "Windows tool for security policy analysis and configuration" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "privilege-escalation" - - "incident-response" - - "lateral-movement" - - "malware-analysis" - - tags: - - "security-policy" - - "audit-settings" - - "lsa" - - "access-control" - - "privilege-escalation" - - "authentication" - - "security-configuration" - - references: - - title: "Microsoft Documentation: Local Security Policy" - url: 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/"
- type: "official"
- - title: "Windows Security Policy Forensics"
- url: "https://www.sans.org/white-papers/33492/"
- type: "research"
- - title: "LSA Security and Authentication"
- url: "https://docs.microsoft.com/en-us/windows/win32/secauth/lsa-authentication"
- type: "official"
-
- retention:
- default_location: "Registry hive files (SECURITY, SOFTWARE, SYSTEM)"
- persistence: "Security policy settings persist until administratively changed"
- volatility: "Critical security settings affecting all system operations and evidence collection"
-
- related_artifacts:
- - "user_profiles"
- - "sam_security"
- - "event_log_config"
- - "windows_defender"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/security/sam_security.yml b/artifacts/security/sam_security.yml
deleted file mode 100644
index ac35f92..0000000
--- a/artifacts/security/sam_security.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -title: "SAM Database User Account Information" -category: "security" -description: "Local user account data including password hashes, logon statistics, and account security metadata" - -paths: - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Aliases" - -details: - what: | - Security Account Manager (SAM) database stores comprehensive local user account information - including usernames, NTLM password hashes, account policies, logon counts, last logon times, - password change dates, account lockout information, group memberships, and security metadata. - Manages local authentication credentials, account restrictions, and user privilege assignments - for complete local user account security and authentication management. - - forensic_value: | - Critical for identifying unauthorized accounts, password attack evidence, account creation - timelines, and authentication patterns during security incidents. Password hashes enable - offline password cracking for credential recovery, privilege escalation analysis, and - unauthorized access investigations. Essential for insider threat investigations, privilege - escalation analysis, and determining account compromise through authentication anomalies. - - structure: | - User accounts organized by Relative Identifier (RID) starting from 500 for built-in accounts. - Binary data structures contain NTLM password hashes, account creation timestamps, last logon - times, logon counts, bad password attempts, account flags, and security descriptors. - Names subkey provides RID-to-username mappings for account identification and correlation. 
- - examples: - - "RID 500: Built-in Administrator account (Default system administrator)" - - "RID 1001: Local user account (First user-created account)" - - "Username: administrator (Account name in Names subkey)" - - "NTLM Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0" - - "Last Logon: 2024-01-15 14:30:25 UTC (Most recent authentication)" - - "Password Last Set: 2024-01-01 08:00:00 UTC (Password change timestamp)" - - "Logon Count: 157 (Total successful authentications)" - - "Bad Password Count: 3 (Failed authentication attempts)" - - tools: - - name: "SAMInside" - description: "Professional SAM database analysis and password recovery tool" - - name: "pwdump" - description: "Command-line tool for extracting password hashes from SAM database" - - name: "John the Ripper" - url: "https://www.openwall.com/john/" - description: "Advanced password cracking tool for hash analysis" - - name: "Ophcrack" - url: "https://ophcrack.sourceforge.io/" - description: "Rainbow table-based password cracking utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "lateral-movement" - - "incident-response" - - "timeline-analysis" - - "privilege-escalation" - - tags: - - "security" - - "user-accounts" - - "password-hashes" - - "authentication" - - "account-creation" - - "sam-database" - - "credential-analysis" - - references: - - title: "Microsoft Documentation: Security Account Manager" - url: 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/"
- type: "official"
- - title: "SAM Database Forensics and Analysis"
- url: "https://www.sans.org/white-papers/36427/"
- type: "research"
- - title: "Windows Authentication and Credential Analysis"
- url: "https://attack.mitre.org/techniques/T1003/002/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SAM)"
- persistence: "Account data persists until account deletion or system reinstallation"
- volatility: "Authentication data provides immediate evidence of credential compromise"
-
- related_artifacts:
- - "security_policy"
- - "user_profiles"
- - "event_log_config"
- - "lsa_packages"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-01-15"
- last_updated: "2025-01-15"
- version: "2.0"
diff --git a/artifacts/security/uac.yml b/artifacts/security/uac.yml
deleted file mode 100644
index 394b6a1..0000000
--- a/artifacts/security/uac.yml
+++ /dev/null
@@ -1,98 +0,0 @@ -title: "User Account Control (UAC) Configuration" -category: "security" -description: "UAC elevation policies, prompt behavior, and administrative approval mode settings" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer" - -details: - what: | - User Account Control (UAC) manages privilege elevation requests and administrative - approval mode for standard users and administrators. Registry controls prompt - behavior, elevation policies, secure desktop usage, and administrative token - filtering to prevent unauthorized privilege escalation and enhance system - security through controlled administrative access and user consent requirements. - - forensic_value: | - Critical for investigating privilege escalation attempts, UAC bypass techniques, - and unauthorized administrative access. Shows evidence of UAC policy modifications - that could weaken security, reveals attempts to disable security prompts, and - indicates sophisticated attacks targeting Windows privilege control mechanisms. - Essential for detecting UAC bypass malware and administrative rights abuse. - - structure: | - UAC configuration includes EnableLUA (UAC enabled/disabled), ConsentPromptBehaviorAdmin - (admin prompt behavior), ConsentPromptBehaviorUser (standard user prompts), - PromptOnSecureDesktop (secure desktop usage), and EnableInstallerDetection - (installer privilege detection) for comprehensive privilege control analysis. 
- - examples: - - "EnableLUA: 1 (UAC enabled)" - - "EnableLUA: 0 (UAC disabled - security risk)" - - "ConsentPromptBehaviorAdmin: 2 (Prompt for consent on secure desktop)" - - "ConsentPromptBehaviorAdmin: 0 (Elevate without prompting - dangerous)" - - "ConsentPromptBehaviorUser: 3 (Prompt for credentials)" - - "PromptOnSecureDesktop: 1 (Use secure desktop for prompts)" - - "EnableInstallerDetection: 1 (Detect installation programs)" - - tools: - - name: "UAC Settings (Control Panel)" - description: "Built-in Windows UAC configuration interface" - - name: "Group Policy Editor (secpol.msc)" - description: "Local security policy UAC configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "uac" - - "privilege-escalation" - - "security-bypass" - - "administrative-access" - - "elevation" - - "malware-evasion" - - references: - - title: "UAC Documentation" - url: "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM)" - persistence: "UAC settings persist until administratively changed" - volatility: "Critical security configuration affecting system privilege model" - - related_artifacts: - - "security_policies" - - "administrative_access" - - "privilege_escalation" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/security/vpn_client.yml b/artifacts/security/vpn_client.yml
deleted file mode 100644
index 3e6ead3..0000000
--- a/artifacts/security/vpn_client.yml
+++ /dev/null
@@ -1,100 +0,0 @@ -title: "VPN Client Application Configurations" -category: "security" -description: "Commercial VPN client settings, server configurations, and privacy service integrations" - -paths: - - "HKCU\\Software\\NordVPN" - - "HKCU\\Software\\ExpressVPN" - - "HKCU\\Software\\CyberGhost" - - "HKCU\\Software\\Surfshark" - - "HKLM\\SOFTWARE\\OpenVPN" - -details: - what: | - Commercial VPN clients store configuration including server lists, connection - preferences, authentication credentials, and privacy settings. Registry tracks - installation data, subscription information, auto-connect preferences, and - kill switch configurations for comprehensive VPN usage analysis and privacy - service behavior tracking in security-conscious networking environments. - - forensic_value: | - Important for investigating privacy-seeking behavior, geographic location - obfuscation, potential evasion techniques, and privacy service usage. Shows - evidence of VPN connectivity, server preferences, privacy tool adoption, - and can indicate attempts to hide network traffic, evade geographic restrictions, - or maintain anonymity in network communications and online activities. - - structure: | - VPN client configuration includes server endpoints, authentication methods, - connection protocols, kill switch settings, and privacy preferences. Subscription - data tracks account information, service features, and usage patterns for - comprehensive VPN service behavior analysis and privacy-focused networking assessment. 
- - examples: - - "NordVPN\\ServerList: us-chicago-123.nordvpn.com" - - "ExpressVPN\\Protocol: OpenVPN UDP" - - "CyberGhost\\KillSwitch: 1 (Network kill switch enabled)" - - "Surfshark\\AutoConnect: 1 (Automatic VPN connection)" - - "OpenVPN\\ConfigPath: C:\\OpenVPN\\config\\client.ovpn" - - "Subscription: Premium (Paid VPN service subscription)" - - "DNSSettings: Private DNS (VPN-provided DNS servers)" - - tools: - - name: "VPN Client Applications" - description: "Commercial VPN service desktop applications" - - name: "OpenVPN GUI" - description: "Open-source VPN client configuration interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "VPN Client Applications" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "incident-response" - - "timeline-analysis" - - tags: - - "vpn" - - "nordvpn" - - "expressvpn" - - "privacy" - - "networking" - - "encryption" - - "geolocation-bypass" - - references: - - title: "OpenVPN Documentation" - url: "https://openvpn.net/community-resources/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "VPN configurations persist until service reconfiguration" - volatility: "VPN usage patterns provide evidence of privacy-seeking network behavior" - - related_artifacts: - - "network_connections" - - "privacy_tools" - - "vpn_connections" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/security/windows_defender_app_guard.yml b/artifacts/security/windows_defender_app_guard.yml deleted file mode 100644 index 572bb5c..0000000 
--- a/artifacts/security/windows_defender_app_guard.yml
+++ /dev/null
@@ -1,100 +0,0 @@ -title: "Windows Defender Application Guard" -category: "security" -description: "Application Guard isolation, virtualization settings, and enterprise security configuration" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsApplicationGuard" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\HvHost" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\msedge.exe" - -details: - what: | - Windows Defender Application Guard (WDAG) provides hardware-based isolation for - Microsoft Edge and Office applications using Hyper-V virtualization technology. - Registry manages isolation policies, virtualization settings, data persistence - rules, and enterprise configuration for protecting against advanced threats - through application-level containerization and secure browsing environments. - - forensic_value: | - Critical for investigating attempts to bypass enterprise security controls, - reveals configuration changes that could weaken isolation protections, shows - evidence of sophisticated attacks targeting virtualized environments, and - indicates potential security policy violations. Can reveal attempts to disable - security features or evidence of advanced persistent threats targeting - enterprise browser security mechanisms. - - structure: | - WindowsApplicationGuard contains feature enablement settings, isolation policies, - and data persistence configuration. AppHVSI policy entries control enterprise - settings for clipboard access, file downloads, printing, and camera/microphone - usage within isolated environments. Service configuration manages virtualization components. 
- - examples: - - "Enabled: 1 (Application Guard enabled)" - - "AllowPersistence: 0 (Non-persistent mode - data deleted on restart)" - - "AllowClipboard: 1 (Clipboard access between host and container allowed)" - - "BlockNonEnterpriseContent: 1 (Block non-enterprise websites)" - - "CertificateThumbprints: Enterprise certificate validation" - - "SaveFilesToHost: 0 (File downloads to container only)" - - tools: - - name: "Windows Features (Turn Windows features on or off)" - description: "Built-in Windows Application Guard enablement interface" - - name: "Group Policy Editor" - description: "Enterprise Application Guard policy configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Hyper-V Manager" - description: "Virtualization platform management for Application Guard" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Windows 10 Anniversary Update (1607)" - - criticality: "high" - - investigation_types: - - "incident-response" - - "insider-threat" - - tags: - - "application-guard" - - "isolation" - - "virtualization" - - "edge-security" - - "enterprise-protection" - - "hyper-v" - - "containerization" - - references: - - title: "Windows Defender Application Guard Documentation" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/" - type: "official" - - title: "Application Guard Enterprise Configuration" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM)" - persistence: "Configuration persists until administratively changed" - volatility: "Critical enterprise security configuration affecting threat protection" - - related_artifacts: - - "windows_defender" - - "virtualization_settings" 
- - "enterprise_security"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-06-08"
- last_updated: "2025-06-08"
- version: "1.0"
diff --git a/artifacts/security/windows_defender_security.yml b/artifacts/security/windows_defender_security.yml
deleted file mode 100644
index 1485481..0000000
--- a/artifacts/security/windows_defender_security.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -title: "Windows Defender and Security Configuration" -category: "security" -description: "Windows Defender settings, exclusions, security policies, and threat protection configuration" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" - - "HKCU\\SOFTWARE\\Microsoft\\Windows Defender" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Security Health\\State" - -details: - what: | - Windows Defender (Windows Security) configuration including real-time protection - settings, scan exclusions, threat detection policies, User Account Control (UAC) - settings, and security feature states. Controls system security posture, malware - detection capabilities, and security policy enforcement mechanisms. - - forensic_value: | - Shows if security features were disabled to facilitate malware execution, - reveals exclusion paths that attackers may have added, and indicates - security policy modifications. Critical for understanding security bypass techniques, - identifying potential compromise indicators, and assessing security posture during incidents. - - structure: | - Defender settings include DisableAntiSpyware, DisableRealtimeMonitoring, - scan exclusions, update configurations, and threat response settings. UAC settings - control elevation prompts and administrator approval mode. Binary policy data - controls feature enablement and security enforcement levels. 
- - examples: - - "DisableAntiSpyware: 1 (Windows Defender disabled)" - - "DisableRealtimeMonitoring: 1 (Real-time protection off)" - - "ExclusionPath: C:\\Malware\\staging" - - "ExclusionProcess: suspicious.exe" - - "EnableLUA: 0 (UAC completely disabled)" - - "ConsentPromptBehaviorAdmin: 0 (No UAC prompts)" - - "ThreatSeverityDefaultAction: 6 (Allow all threats)" - - "SubmitSamplesConsent: 2 (Never send samples)" - - tools: - - name: "Windows Security" - description: "Built-in Windows security management interface" - - name: "Get-MpPreference PowerShell" - description: "PowerShell cmdlet for Windows Defender configuration analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis for security configuration review" - - name: "Group Policy Editor" - description: "Windows Group Policy management for security policy analysis" - - name: "Windows Defender Configuration Analyzer" - description: "Custom tools for security configuration assessment" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista (as Windows Defender)" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "persistence-analysis" - - tags: - - "security" - - "windows-defender" - - "antivirus" - - "security-policy" - - "uac" - - "malware-evasion" - - "exclusions" - - "threat-protection" - - "security-bypass" - - references: - - title: "Windows Defender Antivirus Management" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/" - type: "official" - - title: "User Account Control Security" - url: 
"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/" - type: "official" - - title: "MITRE ATT&CK: Disable or Modify Tools" - url: "https://attack.mitre.org/techniques/T1562/001/" - type: "research" - - title: "Windows Security Configuration Analysis" - url: "https://www.sans.org/blog/windows-security-configuration-analysis/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, SYSTEM)" - persistence: "Survives reboots, persists until policy changes or reinstallation" - volatility: "Configuration changes overwrite previous settings, audit logs may retain history" - - related_artifacts: - - "security_policy" - - "applocker_policies" - - "software_restriction" - - "event_log_config" - - "security_center" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/security/windows_firewall.yml b/artifacts/security/windows_firewall.yml deleted file mode 100644 index db029d5..0000000 --- a/artifacts/security/windows_firewall.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -title: "Windows Firewall Advanced Rules and Exceptions" -category: "security" -description: "Detailed firewall rules, port exceptions, application permissions, and network security policies" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile" - -details: - what: | - Windows Firewall Advanced Rules manage granular network traffic control including - application-specific permissions, port exceptions, protocol filtering, and profile-based - security policies. Registry stores detailed rule configurations, inbound/outbound - traffic permissions, network location-based profiles, and exception lists for - comprehensive network security management and threat protection. - - forensic_value: | - Critical for investigating network-based attacks, unauthorized network access, - and malware communication attempts. Shows evidence of firewall rule modifications - that could enable data exfiltration, reveals custom exceptions that bypass security, - and indicates sophisticated attacks that modify network security policies. - Essential for analyzing network security bypasses and unauthorized communications. - - structure: | - FirewallRules contain pipe-delimited rule definitions including direction (In/Out), - action (Allow/Block), protocol, local/remote ports, application paths, and profiles. - Profile-specific configurations control firewall behavior for domain, private, - and public networks with different security postures and rule enforcement levels. 
- - examples: - - "Rule: v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=80|App=C:\\Program Files\\App\\app.exe" - - "Rule: v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=17|RPort=53|RA=8.8.8.8" - - "DomainProfile\\EnableFirewall: 1 (Domain firewall enabled)" - - "PublicProfile\\EnableFirewall: 0 (Public firewall disabled - risk)" - - "StandardProfile\\DefaultInboundAction: 1 (Block inbound by default)" - - "FirewallRules\\{GUID}: Malware exception rule (Suspicious custom rule)" - - tools: - - name: "Windows Defender Firewall (wf.msc)" - description: "Built-in Windows firewall configuration and rule management" - - name: "netsh advfirewall" - description: "Command-line firewall configuration and rule export/import" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Windows Firewall Analysis Tools" - description: "Third-party tools for firewall rule analysis and audit" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows Vista (Advanced Firewall)" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "firewall" - - "network-security" - - "port-exceptions" - - "network-rules" - - "malware-communication" - - "security-bypass" - - references: - - title: "Windows Firewall with Advanced Security" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/" - type: "official" - - retention: - default_location: "Registry hive files (SYSTEM)" - persistence: "Firewall rules persist until manually removed or policy changes" - volatility: "Network security configuration affecting ongoing threat protection" - - related_artifacts: - - "network_connections" - - "security_policies" - - "malware_communication" - -author: - name: "Tonmoy Jitu" - 
github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/security/windows_hello.yml b/artifacts/security/windows_hello.yml deleted file mode 100644 index 9699a50..0000000 --- a/artifacts/security/windows_hello.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "Windows Hello Biometric Authentication" -category: "security" -description: "Windows Hello configuration, biometric enrollment, PIN settings, and passwordless authentication policies" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WinBio" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WinBio\\Credentials" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WinBio" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\WinBio\\Settings" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\PassportForWork" - - "HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\DeviceLock" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\PassportForWork" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WbioSrvc" - - -details: - what: | - Windows Hello biometric authentication system encompasses fingerprint reader configuration, - facial recognition settings, iris scanning support, PIN complexity requirements, and - enterprise policy enforcement. Controls biometric enrollment processes, authentication - methods, device trust requirements, and passwordless authentication capabilities - for enhanced security and user convenience in modern Windows environments. - - forensic_value: | - Critical for understanding authentication mechanisms that may affect system access, - reveals biometric enrollment indicating user presence and device usage patterns, - shows enterprise authentication policies, and indicates sophisticated security - configurations. May reveal attempts to bypass biometric authentication or - unauthorized enrollment attempts that could indicate unauthorized physical access. - - structure: | - WinBio configuration includes biometric service settings, enrolled user information, - sensor configuration, and policy enforcement. PassportForWork contains PIN policies, - biometric requirements, and enterprise authentication settings. DeviceLock manages - screen lock behavior, authentication timeouts, and security requirements. 
- - examples: - - "WinBio\\DatabaseConnections: Biometric database configuration" - - "EnrolledUsers: S-1-5-21-xxx-1001 (User SID with biometric enrollment)" - - "RequireBiometrics: 1 (Biometric authentication required)" - - "PIN\\MinimumLength: 6 (Minimum PIN length requirement)" - - "PIN\\MaximumLength: 127 (Maximum PIN length allowed)" - - "PIN\\RequireDigits: 1 (PIN must contain numbers)" - - "FacialRecognition: 1 (Windows Hello face authentication enabled)" - - "FingerprintReader: Microsoft Fingerprint Reader (Biometric device)" - - tools: - - name: "Windows Hello Setup" - description: "Built-in Windows Hello configuration and enrollment interface" - - name: "Sign-in Options (ms-settings:signinoptions)" - description: "Windows Settings authentication and Hello configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "Windows Hello policy configuration and management" - - name: "Biometric Device Manager" - description: "Hardware management for biometric sensors and readers" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 10" - - criticality: "medium" - - investigation_types: - - "incident-response" - - "behavioral-analysis" - - "insider-threat" - - tags: - - "security" - - "windows-hello" - - "biometric" - - "authentication" - - "fingerprint" - - "facial-recognition" - - "pin-policy" - - "passwordless" - - references: - - title: "Microsoft Documentation: Windows Hello" - url: "https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/" - type: "official" - - title: "Windows Hello for Business Deployment" - url: "https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide" - type: "official" - - title: 
"Biometric Authentication Security Analysis" - url: "https://www.sans.org/white-papers/36427/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT, SYSTEM)" - persistence: "Biometric configuration persists until manually changed or device modification" - volatility: "Authentication settings critical for ongoing system access and security" - - related_artifacts: - - "security_policy" - - "user_profiles" - - "sam_security" - - "tpm_configuration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/applocker_policies.yml b/artifacts/system/applocker_policies.yml deleted file mode 100644 index 9b67c47..0000000 --- a/artifacts/system/applocker_policies.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -title: "AppLocker Application Control Policies" -category: "system" -description: "Advanced application whitelisting rules, execution control policies, and security bypass detection" - -paths: - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers" - -details: - what: | - AppLocker provides advanced application control policies that replace Software Restriction Policies - in modern Windows environments. Creates sophisticated whitelisting rules based on publisher signatures, - file paths, file hashes, and application packages. Controls execution of executables, scripts, - Windows Installer files, DLLs, and packaged applications with granular policy enforcement. - - forensic_value: | - Critical for identifying security policy bypass attempts, unauthorized application execution, - and sophisticated attack techniques that circumvent application controls. Shows evidence of - policy modifications that enable malware execution, reveals authorized application lists that - may indicate system purpose, and provides insight into administrative security posture. - Essential for detecting advanced persistent threats that modify security policies for persistence. - - structure: | - SrpV2 registry contains rule collections organized by file type (Exe, Msi, Script, Dll, Appx) - with XML policy data defining allow/deny rules. Each rule collection includes enforcement mode, - rule conditions (publisher, path, hash), and exception handling. Policy data stored as - REG_SZ XML format with digital signatures for integrity verification. 
- - examples: - - "Exe\\Policy: " - - "Script\\Policy: " - - "Dll\\Policy: " - - "EnforcementMode: Enabled (Block unapproved applications)" - - "RuleCollection Type=\"Exe\" EnforcementMode=\"AuditOnly\"" - - "Exception: " - - tools: - - name: "Local Security Policy (secpol.msc)" - description: "Built-in AppLocker policy management interface" - - name: "Get-AppLockerPolicy PowerShell" - description: "PowerShell cmdlets for AppLocker policy analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Management Console" - description: "Enterprise AppLocker policy deployment and management" - - name: "AppLocker Policy Analyzer" - description: "Third-party tools for AppLocker policy assessment" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 7" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "privilege-escalation" - - "incident-response" - - tags: - - "applocker" - - "application-control" - - "whitelisting" - - "execution-prevention" - - "security-bypass" - - "policy-enforcement" - - "code-integrity" - - references: - - title: "Microsoft Documentation: AppLocker" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/" - type: "official" - - title: "AppLocker Bypass Techniques" - url: "https://github.com/api0cradle/UltimateAppLockerByPassList" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, Group Policy files)" - persistence: "Policy settings persist until administratively changed" - volatility: "Critical security settings affecting all application execution" - - related_artifacts: - - 
"software_restriction" - - "security_policy" - - "file_associations" - - "execution_tracking" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/boot_configuration.yml b/artifacts/system/boot_configuration.yml deleted file mode 100644 index 0ce2729..0000000 --- a/artifacts/system/boot_configuration.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -title: "Boot Configuration and Startup Settings" -category: "system" -description: "System boot configuration, safe mode settings, BCD entries, and startup recovery options" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" - - "HKLM\\BCD00000000" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl" - -details: - what: | - Windows boot configuration encompasses safe mode settings, Boot Configuration Data (BCD) registry - entries, session manager configuration, crash control settings, and startup options that control - system initialization behavior. Manages boot menu options, recovery settings, safe mode driver - loading, and system startup troubleshooting capabilities for comprehensive boot process control. - - forensic_value: | - Reveals if system was booted in safe mode to evade security software, shows boot configuration - changes indicating system tampering or recovery attempts, provides evidence of system modifications - that affect startup behavior, and indicates attempts to disable security features through boot - parameter manipulation. Critical for understanding system state during incidents and detecting - boot-level persistence mechanisms or evasion techniques. - - structure: | - SafeBoot contains Minimal and Network subkeys with drivers and services that load in safe mode. - Session Manager includes BootExecute (boot-time programs), GlobalFlag (debugging options), and - CriticalDeviceTimeout settings. BCD entries control boot menu options, recovery settings, and - boot parameters stored as binary data with specific formatting requirements. 
- - examples: - - "SafeBoot\\Minimal\\{36FC9E60-C465-11CF-8056-444553540000}: Universal Plug and Play" - - "SafeBoot\\Network\\Tcpip: TCP/IP Protocol Driver" - - "BootExecute: autocheck autochk * (automatic disk check)" - - "GlobalFlag: 0x00000010 (Enable heap validation)" - - "CriticalDeviceTimeout: 10 (10-second device timeout)" - - "BCD\\Objects\\{bootmgr}: Windows Boot Manager configuration" - - "CrashDumpEnabled: 7 (Automatic memory dump)" - - "SafeModeWithNetworking: 1 (Network safe mode available)" - - tools: - - name: "bcdedit.exe" - description: "Built-in Boot Configuration Data editor and viewer" - - name: "msconfig.exe" - description: "System Configuration utility for startup options" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Boot Configuration Editor" - description: "Third-party BCD editing and analysis tools" - - name: "Advanced Boot Options" - description: "Windows built-in boot menu for troubleshooting" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista (BCD system)" - - criticality: "medium" - - investigation_types: - - "incident-response" - - "malware-analysis" - - "lateral-movement" - - "privilege-escalation" - - tags: - - "boot-configuration" - - "safe-mode" - - "startup" - - "system-tampering" - - "recovery" - - "bcd" - - "crash-control" - - references: - - title: "Microsoft Documentation: Boot Configuration Data" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-configuration-data" - type: "official" - - title: "Windows Boot Process Forensics" - url: "https://www.forensicfocus.com/articles/windows-boot-process-forensics/" - type: "research" - - retention: - 
default_location: "Registry hive files (SYSTEM, BCD)" - persistence: "Boot settings persist until manually modified" - volatility: "Critical system settings affecting startup behavior" - - related_artifacts: - - "startup_programs" - - "security_policy" - - "error_reporting" - - "performance_monitoring" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/certificate_stores.yml b/artifacts/system/certificate_stores.yml deleted file mode 100644 index 89fb1c3..0000000 --- a/artifacts/system/certificate_stores.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -title: "Certificate Stores and Cryptographic Configuration" -category: "system" -description: "PKI certificate stores, trusted root authorities, cryptographic settings, and SSL/TLS trust relationships" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" - - "HKCU\\SOFTWARE\\Microsoft\\SystemCertificates" - - "HKLM\\SOFTWARE\\Microsoft\\Cryptography" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates" - -details: - what: | - Windows certificate stores manage Public Key Infrastructure (PKI) components including trusted - root certificate authorities, intermediate certificates, personal certificates, revoked certificates, - and cryptographic service provider configurations. Controls SSL/TLS trust relationships, code - signing verification, email encryption, and overall system cryptographic security posture. - - forensic_value: | - Critical for detecting man-in-the-middle attacks through unauthorized certificate installation, - identifying certificate-based persistence mechanisms, analyzing SSL/TLS interception attempts, - and investigating cryptographic configuration changes that weaken security. Reveals malicious - certificate authorities installed by attackers, shows evidence of corporate monitoring software, - and indicates advanced persistent threat techniques using certificate manipulation. - - structure: | - Certificate stores organized by purpose including ROOT (trusted authorities), CA (intermediate), - MY (personal), TrustedPeople (trusted users), and Disallowed (revoked). Each certificate stored - with binary data including public key, issuer information, validity dates, thumbprint hash, - and usage restrictions. Cryptography settings control providers, algorithms, and security policies. 
- - examples: - - "ROOT\\Certificates\\{SHA1-Thumbprint}: VeriSign Class 3 Public Primary CA" - - "CA\\Certificates\\{Thumbprint}: Microsoft IT TLS CA 1 (Intermediate)" - - "MY\\Certificates\\{Thumbprint}: Personal Authentication Certificate" - - "Disallowed\\Certificates\\{Thumbprint}: Revoked DigiNotar Certificate" - - "TrustedPeople\\{Thumbprint}: Corporate Code Signing Certificate" - - "Cryptography\\Defaults\\Provider: Microsoft Enhanced Cryptographic Provider v1.0" - - "CertificateTransparency\\Logs: Certificate Transparency log configurations" - - tools: - - name: "Certificate Manager (certmgr.msc)" - description: "Built-in Windows certificate store management interface" - - name: "Certificate Console (certlm.msc)" - description: "Local machine certificate store management" - - name: "certutil.exe" - description: "Command-line certificate services utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Certificate Authority Analyzer" - description: "Third-party tools for certificate trust analysis" - - name: "SSL Certificate Checker" - description: "Tools for validating certificate chains and trust" - -metadata: - windows_versions: - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 2000" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "timeline-analysis" - - "persistence-analysis" - - "lateral-movement" - - tags: - - "certificates" - - "pki" - - "cryptography" - - "ssl-tls" - - "mitm-attacks" - - "trust-relationships" - - "certificate-authorities" - - references: - - title: "Microsoft Documentation: Certificate 
Stores" - url: "https://docs.microsoft.com/en-us/windows/win32/seccrypto/certificate-stores" - type: "official" - - title: "Certificate-Based Attacks and Defense" - url: "https://attack.mitre.org/techniques/T1553/004/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Certificates persist until expiration or manual removal" - volatility: "Trust relationships critical for ongoing security verification" - - related_artifacts: - - "security_policy" - - "network_security" - - "browser_certificates" - - "cryptographic_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/computer_name.yml b/artifacts/system/computer_name.yml deleted file mode 100644 index 82ea06d..0000000 --- a/artifacts/system/computer_name.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -title: "Computer Name and Domain Information" -category: "system" -description: "System hostname, domain membership, workgroup settings, and network identification parameters" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName" - -details: - what: | - Windows computer identification information encompasses hostname configuration, NetBIOS name - settings, domain membership status, workgroup assignments, DNS hostname configuration, and - network identification parameters essential for network communication, authentication, and - resource access. Manages both current and pending computer name changes with proper - reboot handling for seamless network identity management. - - forensic_value: | - Essential for system identification in network environments, correlating with Active Directory - logs, network traffic analysis, and establishing system role in enterprise infrastructure. - Computer naming patterns may reveal organizational structure, system purpose, geographic - location, or administrative conventions. Critical for linking registry artifacts to specific - systems in multi-computer investigations and network forensic analysis. - - structure: | - ComputerName registry key contains current and active computer names, domain membership - information, and pending name changes. Tcpip Parameters include DNS hostname, domain - suffix, and network identification settings. Winlogon contains domain authentication - and default domain information stored as REG_SZ values with Unicode string formatting. 
- - examples: - - "ComputerName: DESKTOP-ABC123 (Default Windows 10 naming pattern)" - - "ActiveComputerName: WORKSTATION01 (Currently active system name)" - - "Domain: CORPORATE (Domain membership)" - - "Hostname: ws01.corporate.local (Fully qualified domain name)" - - "DnsNameServer: 192.168.1.10,192.168.1.11 (DNS server configuration)" - - "DefaultDomainName: CORPORATE.LOCAL (Default authentication domain)" - - "NV Domain: WORKGROUP (NetBIOS workgroup for non-domain systems)" - - tools: - - name: "System Properties (sysdm.cpl)" - description: "Built-in Windows computer name and domain management interface" - - name: "hostname.exe" - description: "Command-line utility for displaying current computer name" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "systeminfo.exe" - description: "Comprehensive system information including computer name and domain" - - name: "Computer Management Console" - description: "Windows administrative tool for system identification and management" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "low" - - investigation_types: - - "incident-response" - - "timeline-analysis" - - "lateral-movement" - - tags: - - "computer-name" - - "domain" - - "network-identification" - - "hostname" - - "system-identity" - - "infrastructure" - - "workgroup" - - references: - - title: "Microsoft Documentation: Computer Names" - url: "https://docs.microsoft.com/en-us/windows/win32/sysinfo/computer-names" - type: "official" - - title: "Windows Network Identity and Domain Membership" - 
url: "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/" - type: "official" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE)" - persistence: "Computer identity information persists until manually changed" - volatility: "Stable system identification data, changes require administrator privileges" - - related_artifacts: - - "user_profiles" - - "version_info" - - "network_interfaces" - - "netbios_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/device_install_policies.yml b/artifacts/system/device_install_policies.yml deleted file mode 100644 index 903086c..0000000 --- a/artifacts/system/device_install_policies.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -title: "Device Installation Policies and Hardware Restrictions" -category: "system" -description: "Group Policy device installation controls, hardware restriction policies, and USB/removable media security settings" - -paths: - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Settings" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceInstall\\Parameters" - -details: - what: | - Device Installation Policies provide enterprise-level control over hardware device installation, - removable storage access, and peripheral connectivity through Group Policy enforcement. - Manages device class restrictions, vendor/product ID filtering, installation privileges, - removable media access controls, and hardware security policies for comprehensive endpoint - device management and data loss prevention. - - forensic_value: | - Critical for investigating data exfiltration attempts through unauthorized devices, policy - bypass techniques, and insider threat activities involving removable storage. Shows if - device restrictions were disabled to enable unauthorized hardware usage, reveals attempts - to circumvent security policies, and indicates administrative changes that facilitate - data theft. Essential for understanding device access capabilities during security incidents. - - structure: | - Device installation restrictions include AllowDeviceClasses (permitted device types), - DenyDeviceClasses (blocked device categories), AllowDeviceIDs (specific device permissions), - DenyDeviceIDs (blocked device identifiers), and RemovableStorageDevices policies controlling - USB drives, optical media, and external storage access with granular read/write permissions. 
- - examples: - - "DenyDeviceClasses\\\\{f2f1b1b1-b1b1-b1b1-b1b1-b1b1b1b1b1b1}: Block USB Mass Storage" - - "AllowDeviceIDs\\\\USB\\\\VID_0951&PID_1666: Allow specific Kingston USB drive" - - "DenyDeviceIDs\\\\USB\\\\VID_*&PID_*: Block all USB devices" - - "RemovableStorageDevices\\\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\\Deny_Write: 1 (Read-only USB)" - - "PolicyChangedTime: 2024-01-15 10:30:00 (Policy modification timestamp)" - - "DeviceInstallPolicy: 0 (Allow installation of any device)" - - "DeviceInstallPolicy: 1 (Prevent installation of devices not described by other policies)" - - tools: - - name: "Group Policy Editor (gpedit.msc)" - description: "Configure device installation and removable storage policies" - - name: "Device Manager (devmgmt.msc)" - description: "View device installation status and policy enforcement results" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "USBDeview" - url: "https://www.nirsoft.net/utils/usb_devices_view.html" - description: "Analyze USB device history and installation status" - - name: "Device Installation Policy Analyzer" - description: "Third-party tools for analyzing device restriction configurations" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "incident-response" - - "behavioral-analysis" - - tags: - - "device-installation" - - "usb-restrictions" - - "removable-storage" - - "data-loss-prevention" - - "hardware-security" - - "policy-enforcement" - - "device-control" - - "peripheral-security" - - references: - - title: "Microsoft Documentation: Control Device 
Installation with Group Policy" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/device-control/control-usb-devices-using-intune" - type: "official" - - title: "Device Installation Restriction Policies" - url: "https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)" - type: "official" - - title: "USB Device Control for Data Loss Prevention" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - title: "Enterprise Device Management Security" - url: "https://www.nist.gov/publications/guide-enterprise-patch-management-technologies" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM)" - persistence: "Policy settings persist until Group Policy update or manual modification" - volatility: "Device restrictions affect immediate hardware installation and access capabilities" - - related_artifacts: - - "usb_device_history" - - "hardware_devices" - - "security_policy" - - "group_policy_settings" - - "removable_storage" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/system/error_reporting.yml b/artifacts/system/error_reporting.yml deleted file mode 100644 index 26f5464..0000000 --- a/artifacts/system/error_reporting.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -title: "Windows Error Reporting Configuration" -category: "system" -description: "Error reporting settings, crash dump configuration, debugging options, and failure analysis" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl" - - "HKLM\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting" - -details: - what: | - Windows Error Reporting (WER) service collects and manages crash data, system errors, - application failures, and debugging information for analysis and troubleshooting. Configuration - includes crash dump settings, report destinations, disabled applications, automatic restart - behavior, and debugging options. Manages integration with Microsoft crash analysis services - and local crash dump storage for comprehensive failure analysis and system stability monitoring. - - forensic_value: | - Critical for forensic investigations as attackers often disable error reporting to hide - evidence of crashes caused by malicious software exploitation attempts. Shows if crash - dumps were disabled to prevent memory analysis, reveals crash dump locations containing - potential forensic evidence, and indicates system stability issues that may result from - malware activity. Essential for identifying exploitation attempts and recovering crash artifacts. - - structure: | - WER configuration includes Disabled (global enable/disable), LocalDumps registry containing - application-specific dump settings, CrashDumpEnabled controlling kernel dump creation, - and DumpFolder specifying crash dump storage locations. Policy settings override user - configurations with enterprise-level crash reporting controls and privacy settings. 
- - examples: - - "Disabled: 1 (Windows Error Reporting completely disabled)" - - "CrashDumpEnabled: 1 (Small memory dump - 256KB)" - - "CrashDumpEnabled: 2 (Kernel memory dump)" - - "CrashDumpEnabled: 7 (Automatic memory dump)" - - "DumpFolder: %SystemRoot%\\\\Minidump (Default crash dump location)" - - "LocalDumps\\\\malware.exe\\\\DumpFolder: C:\\\\CrashDumps (Application-specific dumps)" - - "AutoReboot: 0 (Don't automatically restart after crash)" - - "LogEvent: 1 (Log crash events in System Event Log)" - - tools: - - name: "System Properties - Advanced" - description: "Built-in Windows crash dump and error reporting configuration" - - name: "Event Viewer" - description: "Windows event log viewer for crash and error analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "WinDbg" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/" - description: "Windows debugging toolkit for crash dump analysis" - - name: "BlueScreenView" - url: "https://www.nirsoft.net/utils/blue_screen_view.html" - description: "Blue screen crash dump analyzer and viewer" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "incident-response" - - "malware-analysis" - - tags: - - "error-reporting" - - "crash-dumps" - - "debugging" - - "system-stability" - - "forensic-data" - - "memory-analysis" - - "failure-analysis" - - references: - - title: "Microsoft Documentation: Windows Error Reporting" - url: "https://docs.microsoft.com/en-us/windows/win32/wer/windows-error-reporting" - type: "official" - - title: "Crash Dump Analysis 
for Digital Forensics" - url: "https://www.sans.org/white-papers/33927/" - type: "research" - - title: "Windows Memory Forensics and Crash Analysis" - url: "https://www.volatilityfoundation.org/" - type: "tool" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM), crash dump files" - persistence: "Error reporting configuration persists until manually changed" - volatility: "Crash dumps may contain sensitive memory contents and exploitation evidence" - - related_artifacts: - - "page_file" - - "performance_monitoring" - - "volume_shadow_copy" - - "event_log_config" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/event_log_config.yml b/artifacts/system/event_log_config.yml deleted file mode 100644 index 7b51367..0000000 --- a/artifacts/system/event_log_config.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -title: "Event Log Configuration and Settings" -category: "system" -description: "Windows Event Log size limits, retention policies, enabled/disabled logging channels, and audit configuration" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Audit" - -details: - what: | - Windows stores comprehensive event log configuration including maximum log sizes, retention policies, - enabled/disabled channels, log file locations, access permissions, and audit policy settings. - Controls logging behavior for Security, Application, System, Setup, and custom event logs including - modern Windows Event Log (EVTX) channels and legacy event log format settings. - - forensic_value: | - Critical for forensic investigations as it reveals if attackers disabled logging to hide malicious - activity, modified log retention to prevent evidence preservation, or altered audit policies to - avoid detection. Shows evidence tampering attempts, insufficient logging configurations that may - result in missing evidence, and indicates security-conscious modifications that affect investigation - capabilities and timeline reconstruction. - - structure: | - EventLog service configuration includes log names as subkeys containing MaxSize (maximum bytes), - Retention (retention days), File (log file path), RestrictGuestAccess (access permissions), - and Sources (event sources). WINEVT Channels contain modern event log configuration with - Enabled status, Isolation levels, Access permissions, and MaxSize settings stored as various data types. 
- - examples: - - "Security\\MaxSize: 0x6400000 (100MB maximum log size)" - - "Security\\Retention: 0 (overwrite events as needed)" - - "Application\\File: %SystemRoot%\\System32\\Winevt\\Logs\\Application.evtx" - - "Microsoft-Windows-PowerShell/Operational\\Enabled: 0 (PowerShell logging disabled)" - - "Security\\RestrictGuestAccess: 1 (guest access restricted)" - - "Microsoft-Windows-Sysmon/Operational\\MaxSize: 0x40000000 (1GB Sysmon log)" - - "System\\AutoBackupLogFiles: 1 (automatic log backup enabled)" - - "AuditLogonEvents: 0 (logon auditing disabled)" - - tools: - - name: "Event Viewer (eventvwr.msc)" - description: "Built-in Windows event log viewer and configuration interface" - - name: "wevtutil.exe" - description: "Command-line event log configuration and management utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "LogParser" - url: "https://www.microsoft.com/en-us/download/details.aspx?id=24659" - description: "Powerful log analysis and query tool" - - name: "Get-WinEvent PowerShell" - description: "PowerShell cmdlets for event log analysis and configuration" - - name: "Event Log Explorer" - url: "https://eventlogxp.com/" - description: "Advanced event log analysis and management tool" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "incident-response" - - "malware-analysis" - - "timeline-analysis" - - tags: - - "event-logs" - - "logging-config" - - "audit-policy" - - "evidence-tampering" - - "log-retention" - - "security-logging" - - 
"winevt" - - "sysmon" - - references: - - title: "Microsoft Documentation: Windows Event Logging" - url: "https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging" - type: "official" - - title: "Windows Event Log Analysis for Incident Response" - url: "https://www.sans.org/white-papers/32949/" - type: "research" - - title: "Advanced Windows Event Log Forensics" - url: "https://www.forensicfocus.com/articles/advanced-windows-event-log-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE), event log files" - persistence: "Configuration settings persist until manually changed" - volatility: "Critical settings that affect all future evidence collection and analysis" - - related_artifacts: - - "security_policy" - - "audit_settings" - - "windows_defender" - - "performance_monitoring" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/file_associations.yml b/artifacts/system/file_associations.yml deleted file mode 100644 index fb4a29a..0000000 --- a/artifacts/system/file_associations.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -title: "File Type Associations and Default Programs" -category: "system" -description: "File extension mappings to applications, default program settings, and shell action configurations" - -paths: - - "HKCR\\*" - - "HKLM\\SOFTWARE\\Classes" - - "HKCU\\SOFTWARE\\Classes" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap" - -details: - what: | - Windows maintains comprehensive file type associations that determine which applications handle - specific file extensions, define shell actions (Open, Edit, Print), specify icon locations, - set command line parameters for execution, and control file handling behavior. Includes both - system-wide associations and user-specific overrides for customized file handling preferences. - - forensic_value: | - Critical for understanding file execution methods and potential malware persistence mechanisms. - Shows how files are launched, can reveal hijacked file associations used by malware for persistence, - indicates unauthorized changes to default programs, and provides evidence of attempts to disguise - malicious files through association manipulation. Essential for analyzing execution paths and - identifying security compromises through file handling modifications. - - structure: | - File extensions stored as registry keys (.exe, .txt, .pdf) pointing to ProgID class identifiers. - ProgID classes contain shell command definitions, icon paths, application details, and supported - actions. Default values specify handling applications, with shell\\open\\command containing - execution strings with command line parameters and file placeholders (%1, %* for arguments). 
- - examples: - - ".exe\\(Default): exefile (Executable file type identifier)" - - "exefile\\shell\\open\\command: \"%1\" %* (Direct execution)" - - ".txt\\(Default): txtfile (Text file identifier)" - - "txtfile\\shell\\open\\command: %SystemRoot%\\system32\\NOTEPAD.EXE %1" - - ".pdf\\(Default): AcroExch.Document (Adobe Acrobat association)" - - "Hijacked Association: .txt\\shell\\open\\command: C:\\malware\\backdoor.exe %1" - - ".lnk\\(Default): lnkfile (Shortcut file handler)" - - "Unknown\\shell\\open\\command: %SystemRoot%\\system32\\rundll32.exe" - - tools: - - name: "FileTypesMan" - url: "https://www.nirsoft.net/utils/file_types_manager.html" - description: "Comprehensive file type association manager and analyzer" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Default Programs Editor" - url: "https://defaultprogramseditor.com/" - description: "Advanced default program and file association editor" - - name: "AssocMan" - description: "Command-line file association management utility" - - name: "Windows Settings - Default Apps" - description: "Built-in Windows interface for managing file associations" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Shows file association abuse for persistence" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "persistence-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "file-associations" - - "default-programs" - - "execution-paths" - - 
"malware-persistence" - - "hijacking" - - "shell-commands" - - "progid" - - "file-handlers" - - references: - - title: "Microsoft Documentation: File Type and URI Associations" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/fa-file-types" - type: "official" - - title: "Malware Persistence via File Association Hijacking" - url: "https://attack.mitre.org/techniques/T1546/001/" - type: "research" - - title: "Windows File Association Forensics" - url: "https://www.forensicfocus.com/articles/windows-file-association-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT, CLASSES_ROOT)" - persistence: "Associations persist until manually changed or overridden" - volatility: "Changes affect immediate file execution behavior, critical for security" - - related_artifacts: - - "run_keys" - - "shell_extensions" - - "com_objects" - - "installed_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/file_history_backup.yml b/artifacts/system/file_history_backup.yml deleted file mode 100644 index ec1368e..0000000 --- a/artifacts/system/file_history_backup.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -title: "File History and Backup System Configuration" -category: "system" -description: "File History backup settings, backup destinations, excluded folders, and automated backup policies" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\FileHistory" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\BackupRestore" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\FileHistory" - -details: - what: | - Windows File History service provides automated backup and versioning for user files, - documents, pictures, music, and desktop contents. Configuration includes backup destinations, - inclusion/exclusion rules, backup frequency, retention policies, and network backup - locations for comprehensive data protection and file recovery capabilities. - - forensic_value: | - Critical for data recovery investigations, timeline reconstruction using historical file - versions, and detecting attempts to hide evidence through file deletion. File History - configuration reveals backup locations that may contain deleted evidence, shows user - data protection awareness, and indicates potential evidence preservation or destruction - attempts. Essential for recovering deleted files and establishing file modification timelines. - - structure: | - File History configuration includes TargetUrl (backup destination), LocalUserConfigPath - (configuration location), ProtectedFolders (included directories), ExcludedFolders (excluded - directories), and backup frequency settings. Policy configurations control enterprise - backup enforcement, retention periods, and administrative backup management restrictions. 
- - examples: - - "TargetUrl: D:\\FileHistory (Local drive backup destination)" - - "TargetUrl: \\\\\\\\server\\\\backups\\\\user (Network backup location)" - - "ConfigStatus: 0 (File History not configured)" - - "ConfigStatus: 2 (File History enabled and running)" - - "FrequencyInHours: 1 (Hourly backup frequency)" - - "RetainedVersions: 720 (Retain versions for 720 hours/30 days)" - - "ExcludedFolders: AppData, .git, node_modules (Excluded folder patterns)" - - "LastBackupTime: 2024-01-20 15:30:25 UTC (Most recent backup)" - - tools: - - name: "File History Settings (ms-settings:backup)" - description: "Built-in Windows File History configuration interface" - - name: "Control Panel File History" - description: "Legacy File History management and configuration panel" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "File History Restore" - description: "Built-in file recovery and version history browsing interface" - - name: "Backup and Restore Analysis Tools" - description: "Third-party utilities for backup configuration analysis" - -metadata: - windows_versions: - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 8" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "timeline-analysis" - - "incident-response" - - tags: - - "system" - - "file-history" - - "backup" - - "data-recovery" - - "version-control" - - "evidence-preservation" - - "timeline-reconstruction" - - "file-versioning" - - references: - - title: "Microsoft Documentation: File History" - url: "https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-filehistory" - type: "official" - - title: "Windows Backup and Recovery Forensics" - url: "https://www.forensicfocus.com/articles/windows-backup-forensics/" - type: "research" - - title: "File Recovery and Timeline Analysis" - url: 
"https://www.sans.org/white-papers/33649/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT), File History storage" - persistence: "Backup configuration persists until manually changed, historical versions until retention expiry" - volatility: "File versions provide historical evidence crucial for timeline reconstruction" - - related_artifacts: - - "volume_shadow_copy" - - "recent_docs" - - "opensavemru" - - "shellbags" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/hardware_devices.yml b/artifacts/system/hardware_devices.yml deleted file mode 100644 index c484685..0000000 --- a/artifacts/system/hardware_devices.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -title: "Hardware Devices and Driver Information" -category: "system" -description: "Complete hardware device enumeration, driver information, and device configuration data" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses" - -details: - what: | - Windows maintains comprehensive hardware device information including complete device enumeration - data, installed device drivers, hardware capabilities, device properties, configuration settings, - and system hardware inventory. Tracks all system components including CPUs, storage devices, - network adapters, USB devices, audio equipment, and specialized hardware for complete system profiling. - - forensic_value: | - Provides essential hardware inventory for system identification, baseline establishment, and - investigation correlation. Shows connected external devices that may have been used for data - transfer or evidence destruction, reveals specialized hardware that could indicate system purpose - or user activities, and identifies hardware changes that might indicate tampering or unauthorized - modifications. Critical for USB device tracking, network adapter analysis, and system capability assessment. - - structure: | - Device enumeration organized hierarchically by bus type (PCI, USB, IDE, ACPI, etc.) with unique - device instance identifiers. Each device contains DeviceDesc (description), HardwareID (vendor/product), - Service (driver), LocationInformation (physical location), Capabilities (device features), and - ConfigFlags (configuration status). Class GUIDs organize devices by functionality with driver information. 
- - examples: - - "ENUM\\PCI\\VEN_8086&DEV_1234&SUBSYS_56781234&REV_01: Intel Network Adapter" - - "ENUM\\USB\\VID_0951&PID_1666: Kingston DataTraveler USB Drive" - - "ENUM\\IDE\\DiskST31000528AS: Seagate 1TB Hard Drive" - - "ENUM\\ACPI\\GenuineIntel_-_Intel64_Family_6_Model_158: Intel Core i7 CPU" - - "Class\\{4D36E967-E325-11CE-BFC1-08002BE10318}: Disk Drives Class" - - "Services\\nvlddmkm: NVIDIA Display Driver Service" - - "DeviceDesc: High Definition Audio Controller" - - "HardwareID: PCI\\VEN_10DE&DEV_1B83 (NVIDIA Graphics Card)" - - tools: - - name: "Device Manager (devmgmt.msc)" - description: "Built-in Windows hardware device management interface" - - name: "DevManView" - url: "https://www.nirsoft.net/utils/device_manager_view.html" - description: "Alternative device manager with export capabilities" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "DriverView" - url: "https://www.nirsoft.net/utils/driverview.html" - description: "List all device drivers currently loaded on system" - - name: "HWiNFO" - url: "https://www.hwinfo.com/" - description: "Comprehensive hardware information and analysis tool" - - name: "USB Device Tree Viewer" - url: "https://www.uwe-sieber.de/usbtreeview_e.html" - description: "Detailed USB device hierarchy and information viewer" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "medium" - - investigation_types: - - "incident-response" - - "data-exfiltration" - - tags: - - "hardware" - - "device-drivers" - - "device-enumeration" - - "hardware-inventory" - - 
"system-profiling" - - "usb-devices" - - "network-adapters" - - "storage-devices" - - references: - - title: "Microsoft Documentation: Device Installation" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/" - type: "official" - - title: "Windows Hardware Forensics Guide" - url: "https://www.forensicfocus.com/articles/windows-hardware-forensics/" - type: "research" - - title: "USB Device Forensics in Windows" - url: "https://www.sans.org/white-papers/33584/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM)" - persistence: "Device information persists until device removal or driver uninstallation" - volatility: "Real-time updates with hardware changes, provides current system state" - - related_artifacts: - - "usb_device_history" - - "drive_letter_mapping" - - "device_capabilities" - - "installed_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/installed_programs.yml b/artifacts/system/installed_programs.yml deleted file mode 100644 index 7e94d0a..0000000 --- a/artifacts/system/installed_programs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -title: "Installed Programs and Software Inventory" -category: "system" -description: "Comprehensive software inventory with installation dates, versions, publishers, and uninstall information" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" - - "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData" - -details: - what: | - Windows maintains a comprehensive registry-based database of all installed programs - including application names, versions, publishers, install dates, uninstall strings, - installation paths, size information, and Windows Installer (MSI) package data. - Includes both system-wide and per-user installations with detailed metadata for - software management, updates, and removal operations. - - forensic_value: | - Provides complete software inventory for baseline comparison, identifies malicious - or unauthorized software installations, shows installation timeline for correlation - with security incidents, reveals software versions for vulnerability assessment, - and indicates potential attack tools or suspicious applications. Critical for - incident response, compliance auditing, and security assessment. - - structure: | - Each installed program has a subkey (usually GUID or product name) containing - REG_SZ values for DisplayName, DisplayVersion, Publisher, InstallDate (YYYYMMDD), - UninstallString, InstallLocation, EstimatedSize, and additional metadata. - MSI installations include additional transform and feature information. - - examples: - - "DisplayName: Adobe Acrobat Reader DC" - - "DisplayVersion: 2023.008.20470" - - "Publisher: Adobe Inc." 
- - "InstallDate: 20240115" - - "InstallLocation: C:\\Program Files\\Adobe\\Acrobat DC" - - "EstimatedSize: 2097152 (KB)" - - "UninstallString: C:\\Program Files\\Adobe\\Uninstall.exe" - - "URLInfoAbout: https://www.adobe.com/products/acrobat.html" - - "Suspicious: DisplayName: System Update Manager" - - "Malware indicators: Publisher: Unknown, InstallDate: Recent" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser for software inventory analysis" - - name: "UninstallView" - url: "https://www.nirsoft.net/utils/uninstall_view.html" - description: "NirSoft comprehensive installed software viewer and analyzer" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with software installation plugins" - - name: "wmic product get" - description: "Windows Management Instrumentation for software inventory" - - name: "Get-WmiObject Win32_Product" - description: "PowerShell cmdlet for comprehensive software enumeration" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95 (Add/Remove Programs)" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "timeline-analysis" - - "behavioral-analysis" - - "insider-threat" - - tags: - - "system" - - "software-inventory" - - "installation" - - "baseline" - - "vulnerability-assessment" - - "malware-detection" - - "unauthorized-software" - - "compliance" - - "software-management" - - references: - - title: "Windows Installer Registry Entries" - url: 
"https://docs.microsoft.com/en-us/windows/win32/msi/registry" - type: "official" - - title: "Add or Remove Programs Registry Keys" - url: "https://docs.microsoft.com/en-us/troubleshoot/windows-server/application-management/remove-programs-not-listed" - type: "official" - - title: "Software Inventory for Security" - url: "https://www.sans.org/blog/software-inventory-security-analysis/" - type: "research" - - title: "Registry-Based Software Analysis" - url: "https://www.forensicfocus.com/articles/software-installation-forensics/" - type: "research" - - retention: - default_location: "Registry hives (SOFTWARE, NTUSER.DAT)" - persistence: "Survives reboots, persists until software uninstallation" - volatility: "Installation data preserved across system updates and reboots" - - related_artifacts: - - "version_info" - - "user_profiles" - - "amcache" - - "appcompat_cache" - - "registry_run_keys" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/system/location_services.yml b/artifacts/system/location_services.yml deleted file mode 100644 index a5dec34..0000000 --- a/artifacts/system/location_services.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -title: "Location Services and Geolocation Tracking" -category: "system" -description: "GPS location services, geolocation tracking, location history, privacy settings, and device positioning data" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\location" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess\\Global\\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Sensor\\Overrides" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Privacy" - -details: - what: | - Windows location services encompass GPS positioning, Wi-Fi location tracking, cellular - triangulation, geofencing capabilities, location history storage, and privacy controls - for location-aware applications. Manages system-wide location permissions, app-specific - location access, location data retention policies, and geolocation service configuration - for enhanced user experience and privacy protection. - - forensic_value: | - Critical for investigating location-based evidence, tracking device movement patterns, - establishing suspect presence at specific locations, and analyzing location-aware malware. - Shows geolocation access by applications, reveals location tracking that could establish - alibis or criminal activity, and provides evidence of device presence during incident - timeframes. Essential for timeline reconstruction and geographic correlation analysis. - - structure: | - Location consent store contains application permissions for location access organized - by package family names. Device access controls global location services enablement, - sensor overrides manage GPS and positioning hardware, and privacy settings control - location data collection, retention, and sharing policies across applications and services. 
- - examples: - - "ConsentStore\\location\\Value: Allow (Global location services enabled)" - - "Microsoft.Maps_8wekyb3d8bbwe\\Value: Allow (Maps app location access)" - - "Microsoft.BingWeather_8wekyb3d8bbwe\\Value: Deny (Weather app location denied)" - - "Global\\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}\\Value: Allow (System location access)" - - "LocationHistory: 1 (Location history tracking enabled)" - - "SensorPermissionState: 1 (Location sensors enabled)" - - "DefaultLocation: Redmond, WA (Default/cached location)" - - "GeoFencing: 1 (Geofencing capabilities enabled)" - - tools: - - name: "Privacy Settings (ms-settings:privacy-location)" - description: "Windows built-in location privacy configuration interface" - - name: "Location Settings (ms-settings:privacy-location)" - description: "System location services and app permissions management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Location History Analyzer" - description: "Forensic tools for analyzing Windows location data and tracking" - - name: "GPS Data Recovery Tools" - description: "Specialized utilities for recovering and analyzing location information" - -metadata: - windows_versions: - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 8" - - criticality: "high" - - investigation_types: - - "timeline-analysis" - - "behavioral-analysis" - - "incident-response" - - tags: - - "location" - - "gps" - - "geolocation" - - "privacy" - - "tracking" - - "movement-analysis" - - "geographic-evidence" - - "device-positioning" - - references: - - title: "Microsoft Documentation: Windows Location Service" - url: "https://docs.microsoft.com/en-us/windows/win32/locationapi/windows-location-api-portal" - type: "official" - - title: "Digital Forensics: Location Data Analysis" - url: "https://www.sans.org/white-papers/39855/" - type: "research" - - title: "Mobile Device 
Location Forensics" - url: "https://www.forensicfocus.com/articles/location-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT), location data files" - persistence: "Location settings persist until manually changed, history data may be retained" - volatility: "Location permissions affect ongoing privacy and evidence collection capabilities" - - related_artifacts: - - "privacy_settings" - - "device_permissions" - - "mobile_sync" - - "wifi_profiles" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/page_file.yml b/artifacts/system/page_file.yml deleted file mode 100644 index f6ed996..0000000 --- a/artifacts/system/page_file.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "Virtual Memory and Page File Configuration" -category: "system" -description: "Page file settings, virtual memory configuration, swap file management, and memory forensics" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug" - -details: - what: | - Virtual memory and page file configuration controls how Windows manages memory when physical - RAM is insufficient. Settings include page file locations, size limits, memory management - parameters, virtual address space configuration, and swap file behavior. Manages memory - allocation policies, paging algorithms, and virtual memory security settings for optimal - system performance and memory utilization across different workload scenarios. - - forensic_value: | - Critical for memory forensics as page files contain sensitive data including passwords, - encryption keys, process memory, and document contents that persist after process termination. - Page file security settings reveal if sensitive data clearing was disabled, enabling forensic - memory recovery. Configuration changes may indicate attempts to hide memory artifacts or - optimize system performance for malicious activities requiring intensive memory usage. - - structure: | - Memory Management contains PagingFiles (page file configuration string), ClearPageFileAtShutdown - (security setting for data erasure), ExistingPageFiles (current active page files), - SessionPoolSize (session memory allocation), SystemPages (system memory configuration), - and DisablePagingExecutive (kernel memory paging control) stored as REG_SZ and REG_DWORD values. 
- - examples: - - "PagingFiles: C:\\\\pagefile.sys 2048 4096 (2GB initial, 4GB maximum)" - - "ClearPageFileAtShutdown: 0 (Pagefile not cleared - potential data recovery)" - - "ExistingPageFiles: \\\\??\\\\C:\\\\pagefile.sys (Active page file location)" - - "SessionPoolSize: 192 (Session pool memory allocation in MB)" - - "SystemPages: 0 (System uses default page table size)" - - "DisablePagingExecutive: 1 (Kernel memory not paged - security enhancement)" - - "PagingFiles: D:\\\\swap.sys 8192 16384 (Custom location with larger size)" - - tools: - - name: "System Properties - Performance" - description: "Windows built-in virtual memory configuration interface" - - name: "Memory Analysis Toolkit" - description: "Forensic tools for analyzing page file contents and memory artifacts" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Virtual Memory Manager Tools" - description: "System administration utilities for memory management" - - name: "Page File Forensics Tools" - description: "Specialized tools for extracting data from Windows page files" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "data-exfiltration" - - "incident-response" - - "lateral-movement" - - tags: - - "virtual-memory" - - "page-file" - - "memory-management" - - "forensic-memory" - - "data-recovery" - - "swap-file" - - references: - - title: "Microsoft Documentation: Virtual Memory" - url: "https://docs.microsoft.com/en-us/windows/win32/memory/virtual-memory" - type: 
"official" - - title: "Windows Page File Forensics" - url: "https://www.sans.org/white-papers/33649/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM), page file on disk" - persistence: "Page files may contain sensitive data until overwritten" - volatility: "Memory contents reflect recent system activity and sensitive information" - - related_artifacts: - - "performance_monitoring" - - "error_reporting" - - "volume_shadow_copy" - - "startup_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/performance_monitoring.yml b/artifacts/system/performance_monitoring.yml deleted file mode 100644 index 35d2202..0000000 --- a/artifacts/system/performance_monitoring.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -title: "Performance Monitoring and System Health" -category: "system" -description: "Performance counters, system monitoring, reliability tracking, and health assessment configuration" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PerfProc\\Performance" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Reliability" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PerfOS\\Performance" - -details: - what: | - Windows Performance Toolkit configuration encompasses performance counter definitions, - system health monitoring, reliability tracking, performance data collection settings, - and monitoring service configurations. Controls system optimization metrics, performance - baseline establishment, and health tracking capabilities essential for system analysis - and troubleshooting in enterprise and forensic environments. - - forensic_value: | - Performance monitoring can be disabled to hide malicious activity that would cause - system performance degradation, shows system health indicators that may reveal compromise, - and provides baseline information for detecting anomalous system behavior. Reliability - data tracks application crashes and system failures that could indicate malware activity, - while disabled performance counters may suggest attempts to hide resource-intensive - malicious processes or cryptocurrency mining activities. - - structure: | - Performance library configuration includes counter definitions with Last Counter and - Last Help values, provider registration for performance data sources, collection intervals, - and monitoring service settings. Reliability tracking maintains system stability metrics, - application crash data, and performance degradation indicators stored as various registry - data types including binary performance data structures. 
- - examples: - - "Perflib\\Last Counter: 1846 (Latest performance counter identifier)" - - "Perflib\\Last Help: 1847 (Latest help text identifier)" - - "PerfProc\\Collect Timeout: 10000 (Process data collection timeout)" - - "Reliability\\TimeStampInterval: 1 (Reliability data collection frequency)" - - "Performance\\Library: C:\\Windows\\System32\\perfproc.dll (Performance DLL)" - - "DisablePerformanceCounters: 1 (Performance monitoring disabled)" - - "PerfOS\\Open Timeout: 15000 (OS performance data timeout)" - - "Collect: PerfProcCollect (Performance collection function)" - - tools: - - name: "Performance Monitor (perfmon.exe)" - description: "Built-in Windows performance monitoring and analysis tool" - - name: "Reliability Monitor (perfmon /rel)" - description: "System reliability and stability tracking interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Resource Monitor (resmon.exe)" - description: "Real-time system resource monitoring and analysis tool" - - name: "Performance Toolkit (WPT)" - url: "https://docs.microsoft.com/en-us/windows-hardware/test/wpt/" - description: "Windows Performance Toolkit for advanced system analysis" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "low" - - investigation_types: - - "malware-analysis" - - "incident-response" - - tags: - - "performance-monitoring" - - "system-health" - - "reliability" - - "performance-counters" - - "baseline-analysis" - - "system-optimization" - - "monitoring-evasion" - - references: - - title: "Microsoft 
Documentation: Performance Counters" - url: "https://docs.microsoft.com/en-us/windows/win32/perfctrs/performance-counters-portal" - type: "official" - - title: "Windows Performance Analysis for Security" - url: "https://www.sans.org/white-papers/33855/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM), performance log files" - persistence: "Configuration settings persist until manually changed" - volatility: "Performance data reflects real-time system state and historical trends" - - related_artifacts: - - "error_reporting" - - "security_center" - - "page_file" - - "startup_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/power_management.yml b/artifacts/system/power_management.yml deleted file mode 100644 index 7a07bf1..0000000 --- a/artifacts/system/power_management.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -title: "Power Management Configuration and Sleep Settings" -category: "system" -description: "Power schemes, sleep timers, hibernation settings, wake events, and power policy configuration for forensic timeline analysis" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FlyoutMenuSettings" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power" - -details: - what: | - Windows power management encompasses power schemes, sleep/hibernate timers, wake event - configuration, fast startup settings, power button behavior, and energy-saving policies. - Controls system sleep behavior, automatic wake events, power state transitions, and - power management policies that affect system availability and forensic artifact preservation. - - forensic_value: | - Critical for understanding system availability during incident timeframes, detecting - anti-forensic techniques that use sleep/hibernate to hide activity, and analyzing power - events that affect timeline reconstruction. Power settings reveal attempts to prevent - system sleep during malicious activities, or conversely, using power management to - evade detection by forcing system hibernation after unauthorized access. - - structure: | - Power configuration includes power scheme GUIDs, sleep timeout values, hibernation - enablement, fast startup settings, wake timer permissions, and power button actions. - Advanced settings control display timeout, hard disk sleep, processor power management, - and system wake events that can interrupt sleep states for various system activities. 
- - examples: - - "ActivePowerScheme: {381b4222-f694-41f0-9685-ff5bb260df2e} (Balanced power plan)" - - "HibernateEnabled: 1 (Hibernation feature enabled)" - - "HibernateSize: 16777216 (Hibernation file size in bytes)" - - "FastStartup: 1 (Fast startup enabled)" - - "ACSettingIndex: 1800 (30 minutes until sleep on AC power)" - - "DCSettingIndex: 900 (15 minutes until sleep on battery)" - - "AllowWakeTimers: 1 (Wake timers permitted)" - - "PowerButtonAction: 1 (Power button triggers sleep)" - - tools: - - name: "Power Options (powercfg.cpl)" - description: "Built-in Windows power management configuration interface" - - name: "powercfg.exe" - description: "Command-line power configuration and analysis utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Power Efficiency Diagnostics" - description: "Windows built-in power troubleshooting and analysis tools" - - name: "Event Viewer" - description: "System event logs for power state changes and wake events" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "timeline-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "power-management" - - "sleep-settings" - - "hibernation" - - "wake-events" - - "timeline-analysis" - - "system-availability" - - "anti-forensics" - - "power-schemes" - - references: - - title: "Microsoft Documentation: Power Management" - url: "https://docs.microsoft.com/en-us/windows/win32/power/power-management-portal" - type: "official" - - title: "Windows Power Settings and Forensic Analysis" - url: 
"https://www.forensicfocus.com/articles/power-management-forensics/" - type: "research" - - title: "System Timeline Reconstruction with Power Events" - url: "https://www.sans.org/white-papers/33927/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, NTUSER.DAT), hibernation files" - persistence: "Power settings persist until manually changed or policy override" - volatility: "Power events logged in system event logs, hibernation files may contain memory data" - - related_artifacts: - - "boot_configuration" - - "error_reporting" - - "event_log_config" - - "performance_monitoring" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/sam_authentication.yml b/artifacts/system/sam_authentication.yml deleted file mode 100644 index e7463eb..0000000 --- a/artifacts/system/sam_authentication.yml +++ /dev/null 
@@ -1,139 +0,0 @@ -title: "SAM Database User Account Information" -category: "system" -description: "Local user account data including password hashes, logon counts, account policies, and authentication history" - -paths: - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Aliases" - - "HKLM\\SAM\\SAM\\Domains\\Builtin\\Aliases" - -details: - what: | - Security Account Manager (SAM) database stores comprehensive local user account information - including usernames, password hashes (NTLM), account policies, logon counts, last logon times, - password change dates, account lockout information, and group memberships. Contains both - active and disabled accounts with detailed authentication history and security settings. - Critical component of Windows local authentication infrastructure. - - forensic_value: | - Critical for identifying unauthorized accounts, password attacks, account creation timelines, - and user authentication patterns. Password hashes can be cracked or used for pass-the-hash - attacks. Shows evidence of account compromise, privilege escalation, lateral movement, and - unauthorized access attempts. Essential for user timeline analysis and security assessment. - - structure: | - User accounts stored by Relative Identifier (RID) starting from 500 (Administrator). - Contains binary data structures with NTLM password hashes, FILETIME timestamps for - account creation/last logon/password changes, logon count, bad password count, account - flags, and group membership information. Names subkey provides RID to username mapping. 
- - examples: - - "RID 500: Built-in Administrator account" - - "RID 1001: Local user account (first created user)" - - "Username: administrator" - - "NTLM Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0" - - "Last Logon: 2024-01-15 14:30:25 UTC" - - "Password Last Set: 2024-01-01 08:00:00 UTC" - - "Account Created: 2023-12-15 10:00:00 UTC" - - "Logon Count: 157" - - "Bad Password Count: 3" - - "Account Flags: 0x0210 (Normal user, password never expires)" - - tools: - - name: "SAMInside" - url: "https://www.insidepro.com/saminside.php" - description: "Professional SAM database analysis and password recovery tool" - - name: "pwdump7" - url: "https://www.tarasco.org/security/pwdump_7/" - description: "Tool for extracting password hashes from SAM database" - - name: "Ophcrack" - url: "https://ophcrack.sourceforge.io/" - description: "Rainbow table-based password cracking tool for Windows" - - name: "John the Ripper" - url: "https://www.openwall.com/john/" - description: "Advanced password cracking tool with Windows hash support" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with SAM analysis capabilities" - - name: "SAM Parser" - description: "Specialized tools for SAM database structure analysis" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows NT 3.5" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "privilege-escalation" - - "lateral-movement" - - "incident-response" - - "timeline-analysis" - - "malware-analysis" - - tags: - - "system" - - "user-accounts" - - "password-hashes" - - "authentication" - 
- "account-creation" - - "security" - - "privilege-escalation" - - "ntlm-hashes" - - "logon-history" - - "account-policy" - - references: - - title: "Security Account Manager (SAM)" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management" - type: "official" - - title: "Windows Authentication Architecture" - url: "https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-architecture" - type: "official" - - title: "MITRE ATT&CK: Account Discovery" - url: "https://attack.mitre.org/techniques/T1087/001/" - type: "research" - - title: "Windows SAM Database Analysis" - url: "https://www.sans.org/blog/digital-forensics-sam-analysis/" - type: "research" - - retention: - default_location: "SAM registry hive (%SystemRoot%\\System32\\config\\SAM)" - persistence: "Survives reboots, persists until account deletion or system reinstallation" - volatility: "Account data persistent but logon history may be limited by policy settings" - - related_artifacts: - - "user_profiles" - - "security_policy" - - "event_log_config" - - "winlogon_userinit" - - "lsa_packages" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/system/security_center.yml b/artifacts/system/security_center.yml deleted file mode 100644 index 6812db9..0000000 --- a/artifacts/system/security_center.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -title: "Windows Security Center Configuration" -category: "system" -description: "Security Center monitoring, security provider registration, and notification management" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Security Center" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Security Health" - - "HKLM\\SOFTWARE\\Microsoft\\Security Center\\Monitoring" - -details: - what: | - Windows Security Center provides centralized monitoring and reporting of security status - including firewall, antivirus, anti-spyware, and update status. Manages security provider - registration, user notification settings, security status aggregation, and health monitoring - for comprehensive system security oversight. Controls security warning displays and - provider integration for enterprise and standalone systems. - - forensic_value: | - Critical for identifying attempts to hide security status from users, reveals disabled - security notifications that may indicate compromise, shows registered security providers - that could be malicious software, and indicates security policy modifications designed - to suppress security warnings. Attackers often disable Security Center notifications - to prevent users from discovering security software disabling or malware presence. - - structure: | - Security Center configuration includes monitoring settings for individual security - categories, provider registration data with capabilities and status information, - notification policies, and user interface control settings. Provider information - stored with GUIDs, product names, and security service capabilities including - antivirus, firewall, and anti-spyware functionality definitions. 
- - examples: - - "SecurityCenter\\DisableNotifications: 1 (All notifications suppressed)" - - "AntiVirusDisableNotify: 1 (Antivirus warnings disabled)" - - "FirewallDisableNotify: 1 (Firewall notifications disabled)" - - "UpdatesDisableNotify: 1 (Update notifications suppressed)" - - "AntiVirusOverride: 1 (Security Center antivirus monitoring overridden)" - - "HealthService\\HealthCheckSettings: [Binary configuration data]" - - "Monitoring\\{GUID}: Security provider registration entry" - - "UacDisableNotify: 1 (UAC notifications disabled)" - - tools: - - name: "Windows Security (ms-settings:windowsdefender)" - description: "Built-in Windows Security Center interface" - - name: "Action Center (wscui.cpl)" - description: "Legacy Security and Maintenance control panel" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Security Center API Tools" - description: "Third-party utilities for querying Security Center status" - - name: "Group Policy Editor (gpedit.msc)" - description: "Policy management for Security Center configuration" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "persistence-analysis" - - "lateral-movement" - - "malware-analysis" - - "incident-response" - - tags: - - "security-center" - - "security-monitoring" - - "security-providers" - - "notification-suppression" - - "security-status" - - "defensive-evasion" - - "security-warnings" - - references: - - title: "Microsoft Documentation: Windows Security Center" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-center/" 
- type: "official" - - title: "Security Center Manipulation by Malware" - url: "https://attack.mitre.org/techniques/T1562/001/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE)" - persistence: "Security Center settings persist until manually changed" - volatility: "Security status reflects real-time system protection state" - - related_artifacts: - - "windows_defender" - - "security_policy" - - "firewall_rules" - - "installed_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/security_policy.yml b/artifacts/system/security_policy.yml deleted file mode 100644 index 7cbdd44..0000000 --- a/artifacts/system/security_policy.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -title: "Local Security Policy Settings" -category: "system" -description: "Security policies, audit settings, access control configuration, and Local Security Authority settings" - -paths: - - "HKLM\\SECURITY\\Policy" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows" - -details: - what: | - Local Security Policy configuration encompasses comprehensive audit policies, user rights - assignments, security options, Local Security Authority (LSA) settings, and system-wide - security controls. Manages authentication policies, privilege assignments, audit logging - configuration, password policies, and security restrictions that govern system access - control and security behavior across Windows environments. - - forensic_value: | - Critical for detecting security policy modifications that weaken system defenses, shows - disabled audit logging designed to hide malicious activity, reveals privilege escalation - attempts through policy changes, and indicates sophisticated attacks that modify security - controls. Security policy analysis reveals attacker knowledge of Windows security mechanisms - and attempts to establish persistence or evade detection through policy manipulation. - - structure: | - Security policy data stored in binary format within SECURITY registry hive containing - audit policy settings, user rights assignments, and security options. LSA settings - control authentication mechanisms, credential caching, and security package configurations. - Policies registry contains user-level security restrictions and Group Policy settings - that affect security behavior and system restrictions. 
- - examples: - - "AuditLogonEvents: 0 (Logon event auditing disabled)" - - "AuditObjectAccess: 3 (File/folder access auditing enabled for success and failure)" - - "AuditPrivilegeUse: 2 (Privilege use auditing for failures only)" - - "LSA\\LimitBlankPasswordUse: 0 (Allow blank passwords for network logon)" - - "LSA\\NoLMHash: 1 (Disable LM hash storage)" - - "CrashOnAuditFail: 0 (System continues if audit log full)" - - "ShutdownWithoutLogon: 1 (Allow shutdown without logon)" - - "EnableGuestAccount: 0 (Guest account disabled)" - - tools: - - name: "Local Security Policy (secpol.msc)" - description: "Built-in Windows security policy management interface" - - name: "secedit.exe" - description: "Command-line security configuration and analysis tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Policy Analyzer" - description: "Third-party tools for security policy assessment and comparison" - - name: "Group Policy Editor (gpedit.msc)" - description: "Advanced policy configuration and management interface" - - name: "auditpol.exe" - description: "Command-line audit policy configuration utility" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "privilege-escalation" - - "behavioral-analysis" - - "lateral-movement" - - "incident-response" - - "lateral-movement" - - tags: - - "security-policy" - - "audit-settings" - - "lsa" - - "access-control" - - "privilege-escalation" - - "policy-modification" - - "security-evasion" - - references: - - title: "Microsoft 
Documentation: Local Security Policy" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/" - type: "official" - - title: "Windows Security Policy Manipulation" - url: "https://attack.mitre.org/techniques/T1562/" - type: "research" - - retention: - default_location: "Registry hive files (SECURITY, SOFTWARE, SYSTEM)" - persistence: "Security policies persist until administratively changed" - volatility: "Critical settings affecting ongoing system security and access control" - - related_artifacts: - - "sam_security" - - "audit_settings" - - "user_profiles" - - "security_center" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/software_restriction.yml b/artifacts/system/software_restriction.yml deleted file mode 100644 index 68e7928..0000000 --- a/artifacts/system/software_restriction.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "Software Restriction Policies" -category: "system" -description: "Legacy application whitelisting, execution control policies, and software restriction configuration" - -paths: - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers" - - "HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" - -details: - what: | - Software Restriction Policies (SRP) provide legacy application control mechanisms that - preceded AppLocker in Windows environments. Controls software execution based on path rules, - hash rules, certificate rules, and network zone rules with configurable security levels. - Provides basic application whitelisting capabilities, execution restrictions, and software - control policies for older Windows systems and backward compatibility scenarios. - - forensic_value: | - Critical for detecting legacy security policy bypass attempts, identifying software - restrictions that may have been circumvented by attackers, and analyzing application - control failures that enabled malware execution. Shows evidence of policy modifications - designed to allow unauthorized software execution, reveals legitimate software lists - that indicate system purpose, and provides insight into security posture weaknesses - that attackers may have exploited. - - structure: | - CodeIdentifiers configuration includes DefaultLevel (default security restriction level), - ExecutableTypes (file extensions subject to restrictions), TransparentEnabled (policy - enforcement mode), and rule collections for specific paths, hashes, certificates, and - network zones. Security levels range from Disallowed (blocked) to Unrestricted (allowed) - with intermediate Basic User and Constrained levels for granular control. 
- - examples: - - "DefaultLevel: 0x00040000 (Unrestricted - allow all software execution)" - - "DefaultLevel: 0x00000000 (Disallowed - block all software by default)" - - "ExecutableTypes: ADE;ADP;BAS;BAT;CHM;CMD;COM;CPL;CRT;EXE;HLP;HTA;INF;INS;ISP;LNK;MDB;MDE;MSC;MSI;MSP;MST;OCX;PCD;PIF;REG;SCR;SHS;URL;VB;WSC;WSF;WSH" - - "TransparentEnabled: 1 (Enforce policies for all users)" - - "PolicyScope: 0 (Apply to all software)" - - "PathRules\\0\\Description: Unrestricted access for Windows directory" - - "HashRules\\0\\SaferFlags: 0 (Standard hash rule enforcement)" - - tools: - - name: "Local Security Policy (secpol.msc)" - description: "Built-in Windows software restriction policy management" - - name: "Group Policy Editor (gpedit.msc)" - description: "Advanced software restriction policy configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Software Restriction Policy Analyzer" - description: "Third-party tools for SRP configuration assessment" - - name: "Policy Management Tools" - description: "Enterprise tools for centralized policy deployment and management" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - deprecated: "Replaced by AppLocker in Windows 7+" - - criticality: "medium" - - investigation_types: - - "timeline-analysis" - - "lateral-movement" - - "behavioral-analysis" - - tags: - - "software-restriction" - - "application-whitelisting" - - "execution-control" - - "security-policy" - - "malware-prevention" - - "legacy-security" - - "srp" - - references: - - title: "Microsoft Documentation: Software Restriction Policies" - url: 
"https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies" - type: "official" - - title: "Software Restriction Policy Bypass Techniques" - url: "https://attack.mitre.org/techniques/T1218/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE)" - persistence: "Policy settings persist until administratively changed" - volatility: "Execution control settings affect ongoing application security" - - related_artifacts: - - "applocker_policies" - - "security_policy" - - "file_associations" - - "execution_tracking" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/startup_programs.yml b/artifacts/system/startup_programs.yml deleted file mode 100644 index ff6ba24..0000000 --- a/artifacts/system/startup_programs.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: "Startup Programs and Load Order" -category: "system" -description: "System startup configuration, boot order, service group dependencies, and early loading programs" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ServiceGroupOrder" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems" - -details: - what: | - Windows startup sequence configuration encompasses boot execution programs, service group - load order, session manager settings, subsystem initialization, and early program loading - that occurs during system startup before user logon. Controls critical system component - initialization, driver loading sequences, and system service dependencies for proper - system startup and operation in multi-user and enterprise environments. - - forensic_value: | - Critical for identifying system-level persistence mechanisms that load before security - software and user-level defenses. Shows boot-time malware installation, startup sequence - modifications indicating system compromise, and early-loading persistence techniques used - by advanced threats. Essential for detecting rootkits, boot sector malware, and sophisticated - persistence mechanisms that establish control during system initialization phases. - - structure: | - Session Manager contains BootExecute (programs run during boot), SubSystems (core system - components), ExcludeFromKnownDlls (DLL exclusions), and CriticalDeviceTimeout (hardware - initialization timeouts). ServiceGroupOrder defines service loading sequence priorities - for proper dependency management and system stability during startup operations. 
- - examples: - - "BootExecute: autocheck autochk *, C:\\\\malware\\\\startup.exe (Malicious boot program)" - - "ServiceGroupOrder: System Bus Extender, Base, Network Provider (Loading sequence)" - - "SubSystems: Windows, Posix (Core subsystem definitions)" - - "ExcludeFromKnownDlls: malicious.dll (DLL exclusion for hijacking)" - - "CriticalDeviceTimeout: 10 (10-second hardware initialization timeout)" - - "KnownDLLs: kernel32, ntdll, user32 (Protected system DLLs)" - - "Execute: wininit (Windows initialization program)" - - tools: - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals comprehensive autostart program analyzer" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "MSConfig (System Configuration)" - description: "Built-in Windows startup program management utility" - - name: "System Configuration Utility" - description: "Windows tool for managing startup programs and services" - - name: "Service Control Manager" - description: "Windows service management and dependency analysis tools" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "privilege-escalation" - - "lateral-movement" - - "persistence-analysis" - - "behavioral-analysis" - - tags: - - "startup" - - "boot-execution" - - "service-order" - - "early-persistence" - - "system-initialization" - - "session-manager" - - "subsystems" - - references: - - title: "Microsoft 
Documentation: Session Manager" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/session-manager" - type: "official" - - title: "Windows Boot Process and Startup Analysis" - url: "https://www.sans.org/white-papers/33927/" - type: "research" - - title: "Advanced Persistent Threat Startup Techniques" - url: "https://attack.mitre.org/techniques/T1547/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE)" - persistence: "Startup configuration persists until manually modified" - volatility: "Critical system settings affecting boot process and early system security" - - related_artifacts: - - "boot_configuration" - - "run_keys" - - "scheduled_tasks" - - "winlogon_userinit" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/timezone_settings.yml b/artifacts/system/timezone_settings.yml deleted file mode 100644 index b1a24f0..0000000 --- a/artifacts/system/timezone_settings.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -title: "Time Zone and Clock Configuration" -category: "system" -description: "System time zone settings, NTP configuration, daylight saving time policies, and time synchronization" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\Servers" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Time Service" - -details: - what: | - Windows time and date configuration encompasses time zone settings, Network Time Protocol (NTP) - server configuration, daylight saving time policies, automatic time synchronization settings, - and time service behavior. Controls system clock accuracy, timezone conversions, automatic - daylight saving adjustments, and network time synchronization for accurate timeline - reconstruction and system correlation across different geographic locations. - - forensic_value: | - Critical for forensic timeline analysis, correlation with other systems, and understanding - actual event timing. Time zone modifications may indicate attempts to obscure activity - timing, manipulate log timestamps, or hide temporal correlations. Essential for accurate - timeline reconstruction, cross-system correlation, and detecting time-based anti-forensic - techniques used to confuse investigators about actual event timing. - - structure: | - TimeZoneInformation contains StandardName (timezone), DaylightName (DST name), Bias (UTC offset), - StandardBias and DaylightBias (offset adjustments), and transition dates. W32Time service - controls NTP client/server behavior, synchronization intervals, and time source hierarchy. - DateTime\\Servers maintains time server lists and synchronization preferences. 
- - examples: - - "StandardName: Pacific Standard Time (West Coast US timezone)" - - "DaylightName: Pacific Daylight Time (DST designation)" - - "Bias: 480 (UTC-8, 480 minutes behind UTC)" - - "StandardBias: 0 (No additional offset for standard time)" - - "DaylightBias: -60 (1 hour ahead during daylight saving)" - - "NtpServer: time.windows.com,0x9 (Microsoft time server)" - - "UpdateInterval: 604800 (Weekly synchronization)" - - "W32Time\\Type: NTP (Network Time Protocol client)" - - tools: - - name: "Date and Time Settings (timedate.cpl)" - description: "Built-in Windows time and timezone configuration interface" - - name: "w32tm.exe" - description: "Windows Time service command-line configuration utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Time Zone Analyzer" - description: "Forensic tools for analyzing time zone changes and timeline correlation" - - name: "NTP Configuration Tools" - description: "Network time protocol configuration and monitoring utilities" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "medium" - - investigation_types: - - "timeline-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "system" - - "timezone" - - "time-synchronization" - - "ntp" - - "timeline-analysis" - - "clock-settings" - - "daylight-saving" - - "temporal-correlation" - - references: - - title: "Microsoft Documentation: Windows Time Service" - url: "https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/" - type: "official" - - title: "Time 
Zone Forensics and Timeline Analysis" - url: "https://www.sans.org/white-papers/33927/" - type: "research" - - title: "Digital Forensics: Time and Date Analysis" - url: "https://www.forensicfocus.com/articles/time-date-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE)" - persistence: "Time zone settings persist until manually changed" - volatility: "Critical for accurate timestamp interpretation and timeline reconstruction" - - related_artifacts: - - "version_info" - - "computer_name" - - "event_log_config" - - "regional_settings" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/user_profiles.yml b/artifacts/system/user_profiles.yml deleted file mode 100644 index 89b5f28..0000000 --- a/artifacts/system/user_profiles.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -title: "User Accounts and Profile Information" -category: "system" -description: "Complete user account registry data including SIDs, profile paths, account creation timestamps, and user metadata" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileGuid" - -details: - what: | - Windows stores comprehensive user account information including Security Identifiers (SIDs), - profile directory paths, account creation timestamps, last logon times, account properties, - profile states, and user metadata for all local and domain users who have logged onto the system. - Maintains both active and historical account data for complete user access tracking. - - forensic_value: | - Essential for multi-user system analysis, identifying all accounts that accessed the system, - establishing user access timelines, detecting unauthorized account creation, and correlating - user activities with specific accounts. Critical for insider threat investigations, privilege - escalation analysis, and determining user presence during incident timeframes. Provides - foundational data for linking forensic artifacts to specific user accounts. - - structure: | - ProfileList contains user SIDs as subkeys with ProfileImagePath (profile location), State - (profile status), RefCount (usage count), and Flags (profile properties). SAM database - stores account data including creation times, last logon times, login counts, password - change dates, and account flags. Names subkey provides SID-to-username mappings for - account identification and correlation. 
- - examples: - - "S-1-5-21-1234567890-1234567890-1234567890-1001\\ProfileImagePath: C:\\Users\\Administrator" - - "S-1-5-21-1234567890-1234567890-1234567890-1002\\ProfileImagePath: C:\\Users\\jdoe" - - "State: 0 (Active profile loaded successfully)" - - "RefCount: 1 (Profile currently in use)" - - "Flags: 0 (Standard user profile)" - - "Account Created: 2024-01-15 08:00:00 UTC" - - "Last Logon: 2024-01-20 14:30:25 UTC" - - "Login Count: 157 (total successful logons)" - - "Names\\Administrator: S-1-5-21-xxx-500 (Built-in Administrator SID)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "User Account Control Panel" - description: "Built-in Windows user account management interface" - - name: "SAM Parser" - description: "Specialized tools for analyzing Security Account Manager database" - - name: "ProfileList Parser" - description: "Tools for analyzing user profile registry data" - - name: "PsGetSid" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid" - description: "Utility for translating between account names and SIDs" - - name: "whoami /all" - description: "Built-in command for current user account information" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "insider-threat" - - "privilege-escalation" - - "timeline-analysis" - - "lateral-movement" - - "persistence-analysis" - - tags: - - "user-accounts" - - "profiles" - - "sids" - - "account-creation" - - "unauthorized-access" - - "user-correlation" - - "sam-database" - - 
"profile-paths" - - references: - - title: "Microsoft Documentation: User Profiles" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/user-profiles" - type: "official" - - title: "Windows User Account Forensics" - url: "https://www.forensicfocus.com/articles/windows-user-account-forensics/" - type: "research" - - title: "SAM Database Analysis for Digital Forensics" - url: "https://www.sans.org/white-papers/36427/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SAM)" - persistence: "Account data persists until account deletion or system reinstallation" - volatility: "Profile states update with user sessions, account data generally stable" - - related_artifacts: - - "sam_security" - - "version_info" - - "computer_name" - - "security_policy" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/version_info.yml b/artifacts/system/version_info.yml deleted file mode 100644 index 4f463f8..0000000 --- a/artifacts/system/version_info.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: "Windows Version and Build Information" -category: "system" -description: "Complete Windows version identification, build numbers, edition details, and installation metadata" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Update" - -details: - what: | - Windows stores comprehensive version identification information including build numbers, - edition details, installation timestamps, product keys, registered owner information, - update history, and licensing data. Provides complete system identification for baseline - establishment, vulnerability assessment, and forensic system profiling across different - Windows versions and editions with detailed metadata for investigation correlation. - - forensic_value: | - Essential for establishing system baseline information, determining available Windows - features and security capabilities, validating system timeline accuracy, and identifying - Windows editions for capability analysis during investigations. Version information - enables vulnerability assessment, helps correlate with known exploits, and provides - context for available security features, installed updates, and system configuration - options relevant to investigation scenarios. - - structure: | - Version information stored as REG_SZ strings and REG_DWORD values including ProductName - (Windows edition), CurrentBuild (build number), ReleaseId (version identifier), InstallDate - (Unix timestamp), RegisteredOwner (system owner), DigitalProductId (license data), and - update information with installation tracking and feature update history for comprehensive - system identification and timeline establishment. 
- - examples: - - "ProductName: Windows 11 Pro (Operating system edition)" - - "ProductName: Windows 10 Enterprise LTSC (Long-term servicing channel)" - - "CurrentBuild: 22621 (Windows 11 22H2 build number)" - - "CurrentBuild: 19044 (Windows 10 21H2 build number)" - - "ReleaseId: 22H2 (Feature update identifier)" - - "InstallDate: 0x63A1B2C0 (Unix timestamp: 1671450304 = December 19, 2022)" - - "RegisteredOwner: CORPORATE\\ITDepartment (System registration information)" - - "RegisteredOrganization: Acme Corporation (Organization registration)" - - "DigitalProductId: [Binary license and product key data]" - - tools: - - name: "winver.exe" - description: "Built-in Windows version information dialog" - - name: "systeminfo.exe" - description: "Command-line system information utility with comprehensive details" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "Windows System Information (msinfo32.exe)" - description: "Comprehensive system information and configuration viewer" - - name: "PowerShell Get-ComputerInfo" - description: "PowerShell cmdlet for detailed system information retrieval" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows 95" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "low" - - investigation_types: - - "incident-response" - - "lateral-movement" - - "timeline-analysis" - - tags: - - "version-info" - - "baseline" - - "installation" - - "vulnerability-assessment" - - 
"system-identification" - - "build-numbers" - - "edition-analysis" - - references: - - title: "Microsoft Documentation: Windows Version Information" - url: "https://docs.microsoft.com/en-us/windows/win32/sysinfo/getting-the-system-version" - type: "official" - - title: "Windows Version History and Security Features" - url: "https://docs.microsoft.com/en-us/windows/release-health/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE)" - persistence: "Version information static until system upgrade or reinstallation" - volatility: "Fundamental system identification data, stable across system operations" - - related_artifacts: - - "installed_programs" - - "computer_name" - - "user_profiles" - - "system_configuration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/volume_shadow_copy.yml b/artifacts/system/volume_shadow_copy.yml deleted file mode 100644 index dcb4cd3..0000000 --- a/artifacts/system/volume_shadow_copy.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -title: "Volume Shadow Copy Service Configuration" -category: "system" -description: "VSS settings, restore points, shadow copy storage, and backup service configuration" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VSS" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\BackupRestore\\FilesNotToBackup" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsBackup" - -details: - what: | - Volume Shadow Copy Service (VSS) creates point-in-time copies of files and volumes - for backup, restore operations, and data recovery. Configuration controls VSS behavior, - restore point creation policies, storage allocation limits, file exclusions, and - shadow copy retention settings. Manages automated backup scheduling, system restore - capabilities, and data protection mechanisms essential for forensic data recovery. - - forensic_value: | - Critical for forensic investigations as VSS can be disabled by attackers to prevent - data recovery and hide malicious activity. Shadow copies contain historical file - versions that may preserve evidence of deleted or modified files, providing crucial - data recovery opportunities. Configuration changes reveal attempts to disable backup - capabilities, while shadow copy analysis can recover deleted evidence and establish - file modification timelines essential for investigation reconstruction. - - structure: | - VSS service configuration includes startup type, dependencies, and operational parameters. - SystemRestore contains policies for restore point creation, disk usage limits (DiskPercent), - retention intervals (RPLifeInterval), and monitoring settings. FilesNotToBackup specifies - file types and locations excluded from shadow copy operations with detailed exclusion - rules and patterns for comprehensive backup management. 
- - examples: - - "VSS\\Start: 3 (Manual startup - VSS available on demand)" - - "VSS\\Start: 4 (Disabled - VSS completely unavailable)" - - "SystemRestore\\DisableSR: 1 (System Restore disabled)" - - "DiskPercent: 15 (15% maximum disk space allocation for restore points)" - - "RPLifeInterval: 7776000 (90 days restore point retention)" - - "FilesNotToBackup: *.tmp, pagefile.sys, hiberfil.sys (Excluded file patterns)" - - "CreateRestorePoint: 0 (Automatic restore point creation disabled)" - - "WindowsBackup\\LastSuccessfulBackupTime: [FILETIME] (Last backup timestamp)" - - tools: - - name: "vssadmin.exe" - description: "Built-in Volume Shadow Copy administrative command-line tool" - - name: "System Restore (rstrui.exe)" - description: "Built-in Windows system restore and recovery interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "ShadowExplorer" - url: "https://www.shadowexplorer.com" - description: "Third-party tool for browsing and extracting shadow copy data" - - name: "VSS Data Recovery Tools" - description: "Specialized forensic tools for shadow copy analysis and data extraction" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "timeline-analysis" - - "data-exfiltration" - - "incident-response" - - "behavioral-analysis" - - tags: - - "vss" - - "shadow-copies" - - "restore-points" - - "data-recovery" - - "evidence-preservation" - - "backup-service" - - "file-history" - - references: - - title: "Microsoft Documentation: Volume Shadow Copy Service" - url: 
"https://docs.microsoft.com/en-us/windows/win32/vss/volume-shadow-copy-service-overview" - type: "official" - - title: "Shadow Copy Forensics and Data Recovery" - url: "https://www.sans.org/white-papers/33649/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE), shadow copy storage" - persistence: "Configuration persists until manually changed, shadow copies until retention expiry" - volatility: "Shadow copies preserve historical data essential for forensic analysis" - - related_artifacts: - - "backup_configuration" - - "file_history" - - "system_restore" - - "data_recovery" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/windows_activation.yml b/artifacts/system/windows_activation.yml deleted file mode 100644 index 9e7d3a1..0000000 --- a/artifacts/system/windows_activation.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -title: "Windows Activation and License Management" -category: "system" -description: "Windows activation status, licensing information, KMS configuration, and digital entitlement settings" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\OOBE" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DefaultProductKey" - - "HKLM\\SYSTEM\\WPA" - -details: - what: | - Windows activation and licensing infrastructure encompasses activation status verification, - product key management, Key Management Service (KMS) configuration, digital entitlement - validation, and Software Protection Platform settings. Controls license enforcement, - activation methods, grace periods, and compliance with Microsoft licensing terms - for genuine Windows installation validation. - - forensic_value: | - Important for system identification, compliance verification, and detecting unauthorized - or pirated Windows installations that may indicate security risks. Shows activation - bypass attempts, KMS server redirection for unauthorized activation, and license - tampering that could correlate with other security violations. Helps establish - system legitimacy and organizational compliance during investigations. - - structure: | - Software Protection Platform contains activation tokens, license status, KMS client - configuration, and digital rights management data. OOBE (Out-of-Box Experience) settings - control initial setup behavior and activation flow. WPA (Windows Product Activation) - maintains activation state and hardware fingerprinting for license enforcement. 
- - examples: - - "SoftwareProtectionPlatform\\ActivationStatus: 1 (Windows activated)" - - "KMSServerName: kms.company.com (Corporate KMS server)" - - "GracePeriodRemaining: 30 (Days remaining before activation required)" - - "LicenseStatus: Licensed (Valid license detected)" - - "DigitalEntitlement: 1 (Digital license linked to Microsoft account)" - - "ProductKeyChannel: Volume:GVLK (Volume license activation)" - - "OOBE\\MediaBootInstall: 1 (Installed from media)" - - "ActivationMethod: KMS (Key Management Service activation)" - - tools: - - name: "slmgr.vbs" - description: "Windows Software Licensing Management Tool" - - name: "Windows Activation Technologies" - description: "Built-in activation status and troubleshooting utilities" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "License Status Checker" - description: "Third-party tools for Windows license verification" - - name: "KMS Configuration Manager" - description: "Enterprise KMS server management and monitoring tools" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "low" - - investigation_types: - - "incident-response" - - tags: - - "system" - - "activation" - - "licensing" - - "compliance" - - "kms" - - "digital-entitlement" - - "product-key" - - "genuine-validation" - - references: - - title: "Microsoft Documentation: Windows Activation" - url: "https://docs.microsoft.com/en-us/windows/deployment/volume-activation/" - type: "official" - - title: "Volume Activation Management Tool" - url: "https://docs.microsoft.com/en-us/windows/deployment/volume-activation/volume-activation-management-tool" - 
type: "official" - - title: "Windows Licensing and Compliance" - url: "https://www.microsoft.com/en-us/licensing/learn-more/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM)" - persistence: "Activation status persists until system changes or reactivation" - volatility: "License information stable but may change with hardware modifications" - - related_artifacts: - - "version_info" - - "computer_name" - - "hardware_devices" - - "installed_programs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/windows_defender.yml b/artifacts/system/windows_defender.yml deleted file mode 100644 index 2138306..0000000 --- a/artifacts/system/windows_defender.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -title: "Windows Defender and Security Settings" -category: "system" -description: "Windows Defender configuration, exclusions, security policies, and User Account Control settings" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions" - -details: - what: | - Windows Defender (Windows Security) comprehensive configuration including real-time protection - settings, scan exclusions, threat detection policies, automatic sample submission, cloud - protection settings, and User Account Control (UAC) configuration. Controls system security - posture, malware detection capabilities, security notifications, and administrative privilege - elevation policies essential for endpoint protection and security management. - - forensic_value: | - Critical for detecting sophisticated evasion techniques where attackers disable security - features to facilitate malware execution, reveals exclusion paths added by malware to - avoid detection, and indicates security policy modifications that weaken system defenses. - Disabled Windows Defender or modified exclusions often indicate compromise, while UAC - modifications may enable privilege escalation attacks or administrative access bypass - attempts essential for forensic security assessment. - - structure: | - Defender configuration includes DisableAntiSpyware (complete disabling), DisableRealtimeMonitoring - (real-time protection), exclusion lists for paths/processes/extensions, update configurations, - and cloud protection settings. UAC settings control elevation prompts through ConsentPromptBehaviorAdmin, - EnableLUA (UAC enablement), and PromptOnSecureDesktop (secure prompt display) with various - security level configurations for comprehensive protection management. 
- - examples: - - "DisableAntiSpyware: 1 (Windows Defender completely disabled)" - - "DisableRealtimeMonitoring: 1 (Real-time protection disabled)" - - "Exclusions\\Paths: C:\\Malware, C:\\Tools\\Hacking (Suspicious exclusion paths)" - - "Exclusions\\Processes: malware.exe, cryptominer.exe (Excluded malicious processes)" - - "ExclusionExtension: .exe, .dll, .scr (Dangerous extension exclusions)" - - "EnableLUA: 0 (User Account Control completely disabled)" - - "ConsentPromptBehaviorAdmin: 0 (No UAC prompts for administrators)" - - "PromptOnSecureDesktop: 0 (UAC prompts not on secure desktop)" - - tools: - - name: "Windows Security (ms-settings:windowsdefender)" - description: "Built-in Windows Security management interface" - - name: "Get-MpPreference PowerShell" - description: "PowerShell cmdlets for Windows Defender configuration analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "Advanced Windows Defender and UAC policy configuration" - - name: "Windows Defender Security Center" - description: "Centralized security status and configuration management" - - name: "Defender Configuration Analyzer" - description: "Third-party tools for comprehensive Defender settings assessment" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista (Windows Defender), Windows Vista (UAC)" - - criticality: "high" - - investigation_types: - - "incident-response" - - "malware-analysis" - - "privilege-escalation" - - tags: - - "windows-defender" - - "security-policy" - - "uac" - - "malware-evasion" - - "exclusions" - - "real-time-protection" - - "endpoint-security" - - references: - - 
title: "Microsoft Documentation: Windows Security" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/" - type: "official" - - title: "Windows Defender Evasion Techniques" - url: "https://attack.mitre.org/techniques/T1562/001/" - type: "research" - - title: "UAC Bypass Methods and Detection" - url: "https://attack.mitre.org/techniques/T1548/002/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE)" - persistence: "Security settings persist until manually changed or policy overridden" - volatility: "Critical security configuration affecting ongoing threat protection" - - related_artifacts: - - "security_center" - - "security_policy" - - "malware_exclusions" - - "privilege_escalation" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/windows_features.yml b/artifacts/system/windows_features.yml deleted file mode 100644 index 4c832d8..0000000 --- a/artifacts/system/windows_features.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "Windows Features and Optional Components" -category: "system" -description: "Enabled/disabled Windows features, optional components, role installations, and capability management" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OptionalFeatures" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FeatureManagement" - -details: - what: | - Windows Features configuration encompasses optional component management, server role - installations, capability packages, feature enablement status, and component-based - servicing. Controls which Windows features are installed and active, including - development tools, administrative utilities, networking components, and security - features that affect system functionality and attack surface. - - forensic_value: | - Critical for understanding system capabilities, enabled attack vectors, and administrative - tool availability. Shows evidence of features enabled for malicious purposes (such as - Telnet, IIS, or developer tools), reveals system hardening through feature disabling, - and indicates specialized functionality that might be abused. Essential for assessing - system configuration and potential attack methods available to threat actors. - - structure: | - Component Based Servicing maintains feature installation status, dependency tracking, - and feature metadata. OptionalFeatures contains user-accessible feature toggles, - server role configurations, and capability package status. Feature management controls - enterprise feature policies and administrative restrictions on feature modifications. 
- - examples: - - "TelnetClient: 4 (Telnet client enabled - potential security risk)" - - "IIS-WebServerRole: 2 (Internet Information Services installed)" - - "Microsoft-Windows-Subsystem-Linux: 2 (WSL feature enabled)" - - "HypervisorPlatform: 2 (Windows Hypervisor Platform enabled)" - - "Containers: 2 (Windows containers feature enabled)" - - "TFTP: 4 (TFTP client enabled)" - - "SimpleTCP: 4 (Simple TCP/IP services enabled)" - - "WindowsMediaPlayer: 3 (Windows Media Player disabled)" - - tools: - - name: "Windows Features (optionalfeatures.exe)" - description: "Built-in Windows features management interface" - - name: "DISM (dism.exe)" - description: "Deployment Image Servicing and Management command-line tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Server Manager" - description: "Windows Server role and feature management console" - - name: "PowerShell Get-WindowsFeature" - description: "PowerShell cmdlets for Windows feature management and analysis" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "medium" - - investigation_types: - - "incident-response" - - "malware-analysis" - - tags: - - "system" - - "windows-features" - - "optional-components" - - "attack-surface" - - "system-capabilities" - - "server-roles" - - "security-configuration" - - "feature-management" - - references: - - title: "Microsoft Documentation: Windows Features" - url: "https://docs.microsoft.com/en-us/windows/application-management/manage-optional-features" - type: "official" - - title: "Windows Server Roles and Features" - url: 
"https://docs.microsoft.com/en-us/windows-server/get-started/server-role-upgradeability-table" - type: "official" - - title: "Windows Attack Surface Analysis" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM), component store" - persistence: "Feature settings persist until manually changed or system reconfiguration" - volatility: "Feature enablement affects ongoing system capabilities and security posture" - - related_artifacts: - - "installed_programs" - - "services" - - "security_policy" - - "windows_activation" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/system/windows_update.yml b/artifacts/system/windows_update.yml deleted file mode 100644 index 1720c81..0000000 --- a/artifacts/system/windows_update.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -title: "Windows Update Configuration and History" -category: "system" -description: "Windows Update service settings, WSUS configuration, automatic update policies, and patch management" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Services" - -details: - what: | - Windows Update service comprehensive configuration including automatic update settings, - Windows Server Update Services (WSUS) server configuration, update sources, installation - schedules, update approval policies, and patch management settings. Controls security - update delivery, feature update policies, driver updates, and enterprise update management - for maintaining system security and functionality across Windows environments. - - forensic_value: | - Critical for detecting security policy modifications where attackers disable updates - to maintain vulnerable systems, reveals WSUS server redirection for malicious update - delivery, and indicates update tampering that could facilitate persistent access through - compromised updates. Disabled updates often indicate long-term compromise strategies, - while modified update sources may suggest sophisticated supply chain attacks or - infrastructure compromise designed to deliver malicious updates. - - structure: | - Update configuration includes AUOptions (automatic update behavior), WUServer (WSUS server), - UseWUServer (WSUS enablement), ScheduledInstallDay/Time (installation scheduling), update - source configuration, and service registration. Update policies control approval requirements, - installation restrictions, and enterprise deployment settings stored as REG_DWORD and - REG_SZ values with complex policy inheritance and override mechanisms. 
- - examples: - - "AUOptions: 1 (Notify before downloading any updates)" - - "AUOptions: 4 (Automatically download and install updates)" - - "WUServer: http://wsus.company.com:8530 (Corporate WSUS server)" - - "WUServer: http://malicious-wsus.evil.com (Suspicious update server)" - - "UseWUServer: 1 (Use specified WSUS server instead of Microsoft)" - - "ScheduledInstallDay: 0 (Install updates every day)" - - "ScheduledInstallTime: 3 (Install updates at 3:00 AM)" - - "NoAutoUpdate: 1 (Automatic updates completely disabled)" - - "DisableWindowsUpdateAccess: 1 (Block access to Windows Update)" - - tools: - - name: "Windows Update Settings (ms-settings:windowsupdate)" - description: "Built-in Windows Update configuration and status interface" - - name: "wuauclt.exe" - description: "Windows Update client command-line utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Update Orchestrator Service" - description: "Modern Windows Update service management and scheduling" - - name: "WSUS Administration Tools" - description: "Enterprise Windows Server Update Services management utilities" - - name: "PowerShell Update Management" - description: "PowerShell modules for Windows Update automation and analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "timeline-analysis" - - "privilege-escalation" - - "lateral-movement" - - "persistence-analysis" - - tags: - - "windows-update" - - "wsus" - - "patch-management" - - "vulnerability" - - "update-tampering" - - "security-updates" - - "automatic-updates" - - 
references: - - title: "Microsoft Documentation: Windows Update" - url: "https://docs.microsoft.com/en-us/windows/deployment/update/" - type: "official" - - title: "Windows Update Security and Attack Vectors" - url: "https://www.sans.org/white-papers/36427/" - type: "research" - - title: "WSUS Infrastructure Security" - url: "https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE), Windows Update logs" - persistence: "Update configuration persists until manually changed or policy overridden" - volatility: "Update settings critical for ongoing security patch delivery and vulnerability management" - - related_artifacts: - - "security_policy" - - "installed_programs" - - "version_info" - - "network_configuration" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/usb/device_capabilities.yml b/artifacts/usb/device_capabilities.yml deleted file mode 100644 index 1425a2a..0000000 --- a/artifacts/usb/device_capabilities.yml +++ /dev/null 
@@ -1,134 +0,0 @@ -title: "USB Device Capabilities and Properties" -category: "usb" -description: "USB device characteristics, capabilities, hardware properties, and identification data" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_*&PID_*" - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\*" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{a5dcbf10-6530-11d2-901f-00c04fb951ed}" - -details: - what: | - Windows stores comprehensive USB device information including vendor/product IDs (VID/PID), - device capabilities, hardware characteristics, power requirements, supported features, - and device enumeration data. Tracks both storage and non-storage USB devices with - detailed technical specifications, driver associations, and compatibility information - for proper device enumeration and driver selection. - - forensic_value: | - Provides detailed device identification beyond basic vendor/product information. - Shows device capabilities that could indicate specialized hardware, covert devices, - modified USB devices, or devices specifically designed for data exfiltration or attacks. - Can identify USB weaponization attempts, reveal device modification, and track - sophisticated attack tools or surveillance equipment. - - structure: | - Device instance subkeys identified by VID (Vendor ID) and PID (Product ID) containing - Capabilities, DeviceDesc, HardwareID, CompatibleIDs, Service values, and configuration data. - Binary capability flags indicate supported features, power characteristics, and device classes. - ContainerID links related device interfaces and functions. 
- - examples: - - "VID_0951&PID_1666: Kingston DataTraveler USB drive" - - "DeviceDesc: USB Mass Storage Device" - - "HardwareID: USBSTOR\\DiskSanDisk_Cruzer_Blade____1.00" - - "Capabilities: 0x00000084 (Removable | UniqueID)" - - "Service: USBSTOR (USB storage driver)" - - "ContainerID: {12345678-1234-5678-9abc-123456789abc}" - - "Problem: 0 (Device working properly)" - - "ClassGUID: {36fc9e60-c465-11cf-8056-444553540000} (USB device class)" - - "PowerData: Bus-powered device, 500mA maximum" - - "DeviceClass: Mass Storage" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with USB device enumeration analysis" - - name: "USBView" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/usbview" - description: "Microsoft USB device viewer showing device tree and capabilities" - - name: "USBDeview" - url: "https://www.nirsoft.net/utils/usb_devices_view.html" - description: "NirSoft comprehensive USB device information and history viewer" - - name: "Device Manager" - description: "Built-in Windows device management interface for hardware analysis" - - name: "USB Detective" - description: "Specialized USB forensics tools for device identification and analysis" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 98 (USB support)" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "malware-analysis" - - "incident-response" - - "timeline-analysis" - - "behavioral-analysis" - - tags: - - "usb" - - "device-capabilities" - - "hardware-properties" - - "device-identification" - - "covert-devices" - - 
"usb-forensics" - - "device-enumeration" - - "hardware-analysis" - - "device-weaponization" - - references: - - title: "USB Device Registry Entries" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers" - type: "official" - - title: "USB Device Capabilities" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_device_capabilities" - type: "official" - - title: "USB Forensics and Analysis" - url: "https://www.sans.org/blog/digital-forensics-usb-device-analysis/" - type: "research" - - title: "Windows USB Device Identification" - url: "https://www.forensicfocus.com/articles/usb-device-forensics/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Survives device disconnection, persists until manual removal or corruption" - volatility: "Device enumeration data preserved across reboots and reconnections" - - related_artifacts: - - "drive_letter_mapping" - - "last_write_times" - - "shellbags" - - "recent_docs" - - "hardware_devices" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/usb/device_history.yml b/artifacts/usb/device_history.yml deleted file mode 100644 index aeface2..0000000 --- a/artifacts/usb/device_history.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -title: "USB Device Connection History" -category: "usb" -description: "Complete USB device connection tracking with vendor information, connection timestamps, and device enumeration history" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR" - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EMDMgmt" - -details: - what: | - Windows maintains comprehensive USB device connection history including all connected USB - storage devices, their vendor/product identifiers, serial numbers, connection timestamps, - device properties, and enumeration data. Tracks both current and historical USB device - connections with detailed hardware identification, driver associations, and device capabilities - for complete USB forensic analysis and device tracking. - - forensic_value: | - Essential for USB-based investigations including data exfiltration, malware delivery, - and unauthorized device usage. Provides complete history of USB devices connected to - the system, enabling identification of specific devices used for data theft, malware - introduction, or unauthorized access. Critical for establishing device usage timelines, - correlating USB activity with security incidents, and identifying recurring suspicious devices. - - structure: | - USBSTOR contains storage device entries with vendor, product, version, and unique serial - numbers. USB enumeration tracks all USB devices including non-storage items. Portable - Devices manages device-specific settings and capabilities. EMDMgmt contains external - device management policies and ReadyBoost configuration for USB optimization and security. 
- - examples: - - "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\001CC0EC336BD480&0" - - "DeviceDesc: Kingston DataTraveler 3.0 USB Device" - - "VendorID: 0951 (Kingston Technology)" - - "ProductID: 1666 (DataTraveler series identifier)" - - "SerialNumber: 001CC0EC336BD480 (Unique device identifier)" - - "FirstInstallDate: 2024-01-15 09:30:25 UTC" - - "LastArrivalDate: 2024-01-20 14:45:12 UTC" - - "DeviceCapabilities: 0x00000084 (Removable | UniqueID)" - - "FriendlyName: Kingston DataTraveler 3.0 (E:)" - - tools: - - name: "USBDeview" - url: "https://www.nirsoft.net/utils/usb_devices_view.html" - description: "Comprehensive USB device history viewer and analyzer" - - name: "USB Detective" - description: "Specialized USB forensics tool for device identification and timeline analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis with USB device enumeration support" - - name: "USBLogView" - url: "https://www.nirsoft.net/utils/usb_log_view.html" - description: "USB device connection log analysis and timeline reconstruction" - - name: "Device Manager (devmgmt.msc)" - description: "Built-in Windows device management and USB device information" - -metadata: - windows_versions: - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 2000" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "malware-analysis" - - "insider-threat" - - "timeline-analysis" - - "incident-response" - - tags: - - "usb" - - "device-history" - - "connection-tracking" - - "data-exfiltration" - - "device-identification" - - "forensic-timeline" - - "external-storage" - - "device-enumeration" - - references: - - title: 
"Microsoft Documentation: USB Device Installation" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/" - type: "official" - - title: "USB Forensics: Device Identification and Timeline Analysis" - url: "https://www.sans.org/white-papers/33584/" - type: "research" - - title: "Windows USB Device Registry Analysis" - url: "https://www.forensicfocus.com/articles/usb-device-forensics/" - type: "research" - - retention: - default_location: "SYSTEM registry hive" - persistence: "Device history persists until manual cleanup or registry corruption" - volatility: "Connection timestamps provide precise device usage correlation data" - - related_artifacts: - - "usb_device_capabilities" - - "drive_letter_mapping" - - "last_write_times" - - "shellbags" - - "recent_docs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/usb/drive_letter_mapping.yml b/artifacts/usb/drive_letter_mapping.yml deleted file mode 100644 index fa8be61..0000000 --- a/artifacts/usb/drive_letter_mapping.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -title: "USB Drive Letter Assignments" -category: "usb" -description: "Drive letter mappings for USB storage devices with volume serial numbers and device correlation" - -paths: - - "HKLM\\SYSTEM\\MountedDevices" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" - - "HKLM\\SYSTEM\\MountManager\\MountedDevices" - -details: - what: | - Windows maintains persistent drive letter assignments for storage devices including USB drives, - external hard drives, and removable media. Correlates drive letters with device identifiers, - volume serial numbers, and hardware signatures to ensure consistent drive letter assignment - across multiple connection sessions. Manages mount point relationships and device recognition - for seamless user experience with removable storage devices. - - forensic_value: | - Critical for correlating USB device connections with file system artifacts, establishing - which specific USB device was assigned particular drive letters during file operations. - Essential for data exfiltration investigations, linking file access artifacts to specific - hardware devices, and establishing timeline correlations between device connections and - file transfer activities. Provides definitive evidence of which USB device accessed specific files. - - structure: | - Binary data structures linking drive letters (\\\\DosDevices\\\\C:) to device identifiers - and volume information. USB storage devices identified by unique signatures including - vendor ID, product ID, and serial numbers embedded in binary format. Mount Manager - maintains additional metadata for device mounting and unmounting operations. 
- - examples: - - "\\\\DosDevices\\\\E:: USB#VID_0951&PID_1666#50E549C6E258F571&0 (Kingston DataTraveler)" - - "\\\\DosDevices\\\\F:: USB#VID_090C&PID_1000#12345678&0 (SanDisk Cruzer)" - - "Volume{GUID}: Device instance path linkage" - - "Serial: 001CC0EC336BD480&0 (Unique device serial identifier)" - - "Signature: _??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP" - - "MountPoint: \\\\??\\\\Volume{12345678-1234-5678-9abc-123456789012}\\\\" - - tools: - - name: "DriveLetterView" - url: "https://www.nirsoft.net/utils/drive_letter_view.html" - description: "View and analyze drive letter assignments and device mappings" - - name: "USB Detective" - description: "Specialized tool for USB device forensics and drive letter correlation" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "Disk Management (diskmgmt.msc)" - description: "Windows built-in drive and volume management interface" - -metadata: - windows_versions: - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 2000" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "timeline-analysis" - - tags: - - "usb" - - "drive-letters" - - "device-mapping" - - "volume-tracking" - - "file-system-correlation" - - "mounted-devices" - - "storage-forensics" - - references: - - title: "Microsoft Documentation: Mount Manager" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/mount-manager" - type: "official" - - title: "USB Device Drive Letter 
Forensics" - url: "https://www.sans.org/white-papers/33584/" - type: "research" - - title: "Windows Storage Device Analysis" - url: "https://www.forensicfocus.com/articles/usb-device-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM)" - persistence: "Drive letter mappings persist until device record cleanup or manual removal" - volatility: "Device mappings provide ongoing correlation data for USB device usage" - - related_artifacts: - - "usb_device_history" - - "device_capabilities" - - "last_write_times" - - "mounted_volumes" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/usb/last_write_times.yml b/artifacts/usb/last_write_times.yml deleted file mode 100644 index 1e20b85..0000000 --- a/artifacts/usb/last_write_times.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -title: "USB Device Last Write Times" -category: "usb" -description: "USB device connection timestamps from registry key last write times and device enumeration data" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB" - -details: - what: | - Registry key last write times provide precise timestamps indicating when USB storage devices - were last connected, enumerated, or had their configuration updated by the Windows Plug and Play - subsystem. These timestamps correlate directly with device connection events, driver installations, - and hardware configuration changes, offering forensic investigators exact timing information - for USB device interactions with the system. - - forensic_value: | - Critical for establishing precise USB device connection timelines in data exfiltration investigations, - insider threat cases, and malware delivery scenarios. Provides exact timestamps for when specific - USB devices were connected, enabling correlation with file access logs, user activity, and security - events. Essential for proving temporal relationships between device connections and suspicious - file operations, establishing evidence chains, and timeline reconstruction in digital forensics. - - structure: | - Registry key timestamps stored in NTFS metadata as FILETIME structures (64-bit values representing - 100-nanosecond intervals since January 1, 1601 UTC). Each USB device subkey's last write time - indicates most recent connection or configuration change. Device enumeration hierarchy preserves - connection chronology with vendor ID, product ID, and serial number correlation. 
- - examples: - - "Device Key: USBSTOR\\\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP" - - "Last Write Time: 2024-01-15 09:45:23.123 UTC (Precise connection timestamp)" - - "Serial Number: 50E549C6E258F571&0 (Unique device identifier)" - - "Device Instance: 001CC0EC336BD480&0 (Hardware instance ID)" - - "Parent Key: USB\\\\VID_0951&PID_1666 (Vendor/Product identification)" - - "Connection Event: Registry key modification indicates device enumeration" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis with timestamp preservation and analysis" - - name: "USBLogView" - url: "https://www.nirsoft.net/utils/usb_log_view.html" - description: "USB device connection log viewer and timeline analyzer" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction framework with timestamp analysis" - - name: "USB Detective" - description: "Specialized USB forensics tool for device timeline reconstruction" - - name: "Windows Event Log Correlation Tools" - description: "Correlate registry timestamps with Windows Event Log entries" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "timeline-analysis" - - "data-exfiltration" - - "insider-threat" - - tags: - - "usb" - - "timestamps" - - "device-connection" - - "timeline-analysis" - - "registry-timestamps" - - "device-enumeration" - - "forensic-timeline" - - references: - - title: "Microsoft Documentation: USB Device Installation" - url: "https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/" - type: "official" - - title: "USB Device Timeline 
Reconstruction" - url: "https://www.sans.org/white-papers/33584/" - type: "research" - - title: "Registry Timestamp Analysis for USB Forensics" - url: "https://www.forensicfocus.com/articles/registry-timestamp-analysis/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM), NTFS metadata" - persistence: "Timestamps persist until device record removal or registry cleanup" - volatility: "Provides precise temporal correlation for USB device usage patterns" - - related_artifacts: - - "usb_device_history" - - "drive_letter_mapping" - - "device_capabilities" - - "hardware_devices" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/usb/wpdbusenum_connections.yml b/artifacts/usb/wpdbusenum_connections.yml deleted file mode 100644 index e2b6ab8..0000000 --- a/artifacts/usb/wpdbusenum_connections.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -title: "WPDBUSENUM Portable Device Connections" -category: "usb" -description: "Windows Portable Device Bus Enumerator tracking for mobile phones, cameras, media players, and other portable devices" - -paths: - - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices" - -details: - what: | - Windows Portable Device Bus Enumerator (WPDBUSENUM) tracks connections of portable devices including - smartphones, digital cameras, media players, tablets, and other MTP/PTP devices that don't appear - as traditional storage devices. Manages device enumeration, driver associations, and connection - metadata for portable devices that use Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) - for advanced device interaction and media synchronization. - - forensic_value: | - Critical for mobile device forensics and investigations involving smartphones, tablets, and digital - cameras. Shows evidence of mobile device connections that could indicate data transfer, photo/video - extraction, or mobile device exploitation. Essential for cases involving mobile-based evidence, - BYOD policy violations, unauthorized device connections, and mobile-to-PC data transfer activities. - Can reveal connections even when devices don't mount as traditional drives. - - structure: | - Device entries organized under WPDBUSENUM with unique device identifiers containing DeviceDesc - (device description), HardwareID (vendor/product identification), Service (driver association), - ContainerID (device grouping), and connection metadata. Each device maintains enumeration data, - capabilities information, and driver binding details for comprehensive portable device tracking. 
- - examples: - - "WPDBUSENUM\\\\{12345678-1234-5678-9abc-123456789abc}\\\\0000: iPhone connection" - - "DeviceDesc: Apple iPhone (Device description)" - - "HardwareID: WPDBUSENUM\\\\Apple_iPhone (Hardware identification)" - - "Service: WUDFRd (Windows User-Mode Driver Framework)" - - "ContainerID: {abcdef12-3456-789a-bcde-f123456789ab} (Device container)" - - "FriendlyName: John's iPhone (User-assigned device name)" - - "Manufacturer: Apple Inc. (Device manufacturer)" - - "DeviceInterfaceGUIDs: Media Transfer Protocol interfaces" - - tools: - - name: "Device Manager (devmgmt.msc)" - description: "Built-in Windows device management for portable device enumeration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "USBDeview" - url: "https://www.nirsoft.net/utils/usb_devices_view.html" - description: "USB and portable device history viewer" - - name: "Portable Device Inspector" - description: "Third-party tools for analyzing Windows portable device connections" - - name: "Mobile Device Forensics Tools" - description: "Specialized forensic utilities for mobile device connection analysis" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "timeline-analysis" - - "incident-response" - - tags: - - "usb" - - "portable-devices" - - "mobile-phones" - - "cameras" - - "media-players" - - "mtp" - - "ptp" - - "device-connections" - - "mobile-forensics" - - references: - - title: "Microsoft Documentation: Windows Portable Devices" - url: "https://docs.microsoft.com/en-us/windows/win32/windows-portable-devices" - type: "official" - - 
title: "Mobile Device Forensics and Windows Portable Devices" - url: "https://www.sans.org/white-papers/33584/" - type: "research" - - title: "Portable Device Connection Analysis" - url: "https://www.forensicfocus.com/articles/portable-device-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, SOFTWARE)" - persistence: "Device connection history persists until manual cleanup or registry corruption" - volatility: "Connection data provides evidence of mobile device interactions and data transfer" - - related_artifacts: - - "usb_device_history" - - "device_capabilities" - - "hardware_devices" - - "drive_letter_mapping" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "1.0" diff --git a/artifacts/user-activity/acmru.yml b/artifacts/user-activity/acmru.yml deleted file mode 100644 index e232b39..0000000 --- a/artifacts/user-activity/acmru.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -title: "Automatic Destinations and Recent Items (ACMRU)" -category: "user-activity" -description: "Application-specific MRU tracking, dialog preferences, and automated destination management" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\FirstFolder" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU" - -details: - what: | - Windows tracks application-specific Most Recently Used (MRU) items including file dialog - sizing preferences, default folder locations, stream operations, and automated destination - management. Provides granular tracking of user interaction patterns with file dialogs, - application preferences, and document access behaviors across different software applications - and file operation contexts. - - forensic_value: | - Provides detailed user interaction patterns with applications and file systems, reveals - preferred locations for file operations across different applications, shows evidence of - document manipulation activities, and indicates user workflow patterns. Critical for - understanding user behavior, establishing application usage timelines, and correlating - file access activities with specific applications and user intentions. - - structure: | - CIDSizeMRU stores dialog box sizing preferences organized by application executable names. - FirstFolder maintains default folder locations for file dialogs by file type context. - StreamMRU contains data stream access patterns with binary PIDL (Pointer to Item IDentifier List) - data representing folder locations and navigation history in specialized data formats. 
- - examples: - - "CIDSizeMRU\\notepad.exe: Dialog size 800x600 (Notepad file dialog preferences)" - - "CIDSizeMRU\\winword.exe: Word document dialog sizing information" - - "FirstFolder\\*.txt: C:\\Users\\user\\Documents (Default text file location)" - - "FirstFolder\\*.pdf: C:\\Downloads (Default PDF file location)" - - "StreamMRU\\0: Binary PIDL data for recent stream operations" - - "LastVisitedMRU\\exe files: C:\\Tools\\Utilities (Executable file access location)" - - "MRUListEx: 2,1,0 (Access order - most recent first)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "MRU Parser" - description: "Specialized tools for analyzing MRU registry data" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "PIDL Analyzer" - description: "Tools for decoding Windows Shell Item Lists and folder references" - - name: "Common Dialog Analysis Tools" - description: "Utilities for analyzing file dialog interaction patterns" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows XP" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "insider-threat" - - "timeline-analysis" - - tags: - - "mru" - - "file-dialogs" - - "document-access" - - "user-interaction" - - "application-usage" - - "dialog-preferences" - - "automated-destinations" - - references: - - title: "Microsoft Documentation: Common File Dialogs" - url: "https://docs.microsoft.com/en-us/windows/win32/dlgbox/common-dialog-box-library" - type: "official" - - title: "Windows MRU Forensics Analysis" - url: "https://www.forensicfocus.com/articles/windows-mru-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (NTUSER.DAT)" - 
persistence: "MRU data persists until overwritten by newer entries" - volatility: "Real-time updates with user file dialog interactions" - - related_artifacts: - - "opensavemru" - - "lastvisited_pidlmru" - - "comdlg32_settings" - - "recent_docs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/comdlg32_settings.yml b/artifacts/user-activity/comdlg32_settings.yml deleted file mode 100644 index 0bc5c6e..0000000 --- a/artifacts/user-activity/comdlg32_settings.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -title: "Common Dialog Settings and File Browser History" -category: "user-activity" -description: "File dialog preferences, view settings, browsing behavior configuration, and dialog customization" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\PlacesBar" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\FirstFolder" - -details: - what: | - Common file dialog configuration encompasses window sizing preferences, last visited folders, - custom places bar shortcuts, initial folder settings, and file browser behavior across - different applications and file operation contexts. Manages user interface customization, - navigation preferences, and application-specific dialog settings for consistent user - experience across Windows applications and improved workflow efficiency. - - forensic_value: | - Provides detailed insights into user interaction patterns with file dialogs across multiple - applications, reveals preferred locations for file operations, shows evidence of file access - behaviors and workflow patterns. Critical for understanding user navigation habits, establishing - application usage patterns, and correlating file access activities with specific user - intentions and operational contexts throughout various software applications. - - structure: | - CIDSizeMRU stores dialog sizing information organized by application executable names. - LastVisitedMRU maintains recent folder navigation history for file operations. PlacesBar - contains custom shortcuts displayed in file dialogs. FirstFolder tracks default starting - locations for different file types and applications with binary PIDL data structures. 
- - examples: - - "CIDSizeMRU\\\\notepad.exe: Dialog window size 800x600 (Notepad file dialog preferences)" - - "CIDSizeMRU\\\\winword.exe: Microsoft Word dialog sizing information" - - "LastVisitedMRU\\\\exe files: C:\\\\Tools\\\\Utilities (Executable file access location)" - - "PlacesBar\\\\Place0: Desktop (Custom shortcut in file dialog)" - - "PlacesBar\\\\Place1: C:\\\\Users\\\\user\\\\Documents (Quick access folder)" - - "PlacesBar\\\\Place2: \\\\\\\\server\\\\shared (Network location shortcut)" - - "FirstFolder\\\\*.pdf: C:\\\\Downloads (Default PDF file location)" - - tools: - - name: "File Dialog Customization Tools" - description: "Third-party utilities for analyzing and customizing file dialog behavior" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Common Dialog Parser" - description: "Specialized tools for analyzing Windows common dialog registry data" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "PIDL Analyzer" - description: "Tools for decoding Windows Shell Item Lists and folder references" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 95" - - criticality: "low" - - investigation_types: - - "behavioral-analysis" - - "insider-threat" - - "incident-response" - - "timeline-analysis" - - tags: - - "file-dialogs" - - "browsing-behavior" - - "dialog-preferences" - - "folder-navigation" - - "places-bar" - - "user-interface" - - "application-settings" - - references: - - title: "Microsoft Documentation: Common Dialog Box Library" - url: "https://docs.microsoft.com/en-us/windows/win32/dlgbox/common-dialog-box-library" - type: "official" - - title: "Windows File Dialog Forensics" - url: 
"https://www.forensicfocus.com/articles/windows-file-dialog-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (NTUSER.DAT)" - persistence: "Dialog preferences persist until manually changed or application reinstallation" - volatility: "Real-time updates with file dialog interactions and user customization" - - related_artifacts: - - "opensavemru" - - "lastvisited_pidlmru" - - "acmru" - - "shellbags" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/gaming_entertainment.yml b/artifacts/user-activity/gaming_entertainment.yml deleted file mode 100644 index 1fc251e..0000000 --- a/artifacts/user-activity/gaming_entertainment.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -title: "Gaming and Entertainment System Configuration" -category: "user-activity" -description: "Xbox services, Game Bar settings, gaming performance optimization, and entertainment application usage" - -paths: - - "HKCU\\Software\\Microsoft\\GameBar" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\GameDVR" - - "HKLM\\SOFTWARE\\Microsoft\\Xbox" - - "HKCU\\Software\\Microsoft\\Games" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\GraphicsDrivers" - -details: - what: | - Windows gaming and entertainment infrastructure encompasses Xbox Live integration, Game Bar - functionality, game recording capabilities, gaming performance optimization, graphics settings, - and entertainment application preferences. Controls game mode behavior, screen recording, - social gaming features, and hardware acceleration for enhanced gaming experience and - multimedia consumption. - - forensic_value: | - Important for behavioral analysis, user profiling, and timeline reconstruction. Gaming - activity patterns can establish user presence, reveal social connections through gaming - platforms, and indicate system usage during specific timeframes. Game recordings and - screenshots may contain inadvertent evidence, while gaming-related network activity - can reveal communication patterns and social engineering opportunities. - - structure: | - Game Bar configuration includes recording settings, hotkey assignments, overlay preferences, - and privacy controls. GameDVR manages game capture functionality, storage locations, and - recording quality settings. Xbox integration contains account information, social features, - and cloud gaming preferences. Graphics drivers control hardware acceleration and gaming optimizations. 
- - examples: - - "GameBar\\AppCaptureEnabled: 1 (Game recording enabled)" - - "GameBar\\AudioCaptureEnabled: 1 (Audio recording in game clips)" - - "GameDVR\\AudioEncodingBitrate: 128000 (Audio quality setting)" - - "GameDVR\\VideoEncodingBitrateMode: 2 (High quality video recording)" - - "Xbox\\SignedInUser: user@outlook.com (Xbox Live account)" - - "GameMode: 1 (Windows Game Mode enabled)" - - "RecordingFolder: C:\\Users\\user\\Videos\\Captures (Game clip storage)" - - "HistoricalCaptureEnabled: 1 (Background recording active)" - - tools: - - name: "Xbox Game Bar (Win+G)" - description: "Built-in Windows gaming overlay and recording interface" - - name: "Gaming Settings (ms-settings:gaming)" - description: "Windows gaming configuration and performance settings" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Graphics Settings" - description: "Windows graphics preferences and hardware acceleration settings" - - name: "Xbox Console Companion" - description: "Xbox Live integration and social gaming features" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Windows 10" - - criticality: "low" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - tags: - - "user-activity" - - "gaming" - - "entertainment" - - "xbox" - - "game-recording" - - "social-gaming" - - "behavioral-analysis" - - "screen-capture" - - references: - - title: "Microsoft Documentation: Xbox Game Bar" - url: "https://support.microsoft.com/en-us/windows/xbox-game-bar-and-game-mode-for-gaming-on-your-windows-device" - type: "official" - - title: "Windows Gaming Features" - url: "https://docs.microsoft.com/en-us/gaming/game-bar/" - type: "official" - - title: "Digital Evidence in Gaming Environments" - url: "https://www.forensicfocus.com/articles/gaming-forensics/" - type: "research" - - retention: - default_location: "Registry hive files 
(NTUSER.DAT, SOFTWARE), game capture files" - persistence: "Gaming settings persist until manually changed, recordings until deletion" - volatility: "Gaming activity and recordings may contain timeline and behavioral evidence" - - related_artifacts: - - "user_profiles" - - "opensavemru" - - "recent_docs" - - "microsoft_store" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/user-activity/jump_lists.yml b/artifacts/user-activity/jump_lists.yml deleted file mode 100644 index 0dbff52..0000000 --- a/artifacts/user-activity/jump_lists.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -title: "Jump Lists and Taskbar Recent Items" -category: "user-activity" -description: "Taskbar jump list configuration, recent items tracking, and privacy settings for application shortcuts" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" - - "HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData" - -details: - what: | - Windows Jump Lists display recently accessed files, frequent destinations, and custom tasks for - applications pinned to the taskbar and Start menu. Registry settings control jump list behavior, - recent items tracking, privacy configurations, and the maximum number of items displayed. - - forensic_value: | - Jump list registry settings reveal if users disabled activity tracking to hide their behavior, - shows privacy-conscious modifications, and indicates attempts to conceal file access patterns. - While actual jump list data is stored in files, registry settings show configuration changes - that affect evidence preservation and user privacy choices during investigations. - - structure: | - Advanced Explorer settings include Start_TrackDocs (document tracking), Start_TrackProgs - (program tracking), JumpListItems_Maximum (item limits), Start_ShowRecentDocs (recent docs), - and TaskbarGlomLevel (taskbar grouping). Values stored as REG_DWORD with 1=enabled, 0=disabled. 
- - examples: - - "Start_TrackDocs: 0 (Recent documents tracking disabled)" - - "Start_TrackProgs: 0 (Recent programs tracking disabled)" - - "JumpListItems_Maximum: 10 (Maximum 10 items per jump list)" - - "Start_ShowRecentDocs: 0 (Hide recent documents in Start menu)" - - "TaskbarGlomLevel: 1 (Group similar taskbar buttons)" - - "EnableAutoTray: 1 (Hide inactive notification icons)" - - tools: - - name: "JumpListsView" - url: "https://www.nirsoft.net/utils/jump_lists_view.html" - description: "View and analyze Windows jump list files" - - name: "JLECmd" - url: "https://github.com/EricZimmerman/JLECmd" - description: "Command-line jump list analysis tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis tool" - - name: "Taskbar and Start Menu Properties" - description: "Windows built-in privacy settings configuration" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 7" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - tags: - - "jump-lists" - - "recent-items" - - "privacy-settings" - - "activity-tracking" - - "taskbar" - - "start-menu" - - "user-behavior" - - references: - - title: "Microsoft Documentation: Taskbar Jump Lists" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/taskbar-extensions" - type: "official" - - title: "Windows 7 Jump Lists Forensics" - url: "https://www.forensicfocus.com/articles/windows-7-jump-lists/" - type: "research" - - retention: - default_location: "Registry hive files (NTUSER.DAT, SOFTWARE)" - persistence: "Settings persist until manually changed" - volatility: "Configuration changes immediate, affects future evidence collection" - - related_artifacts: - - "recent_docs" - - "shellbags" - - "userassist" - - "opensavemru" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - 
-contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/lastvisited_pidl_mru.yml b/artifacts/user-activity/lastvisited_pidl_mru.yml deleted file mode 100644 index ee2353f..0000000 --- a/artifacts/user-activity/lastvisited_pidl_mru.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -title: "Last Visited Folder MRU (PidlMRU)" -category: "user-activity" -description: "Last visited folders in file dialogs with executable name associations and application correlation" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU" - -details: - what: | - Windows tracks the last visited folders when applications use standard file - dialog boxes, along with the executable name that opened each folder location. - Shows detailed folder navigation patterns, application-specific file access, - and correlates specific programs with folder locations they accessed. Maintains - chronological order of folder visits with associated application context. - - forensic_value: | - Links specific applications to folder locations they accessed, shows user - navigation patterns, reveals attempts to access restricted areas, and can - indicate data staging, reconnaissance activities, or exfiltration preparation. - Critical for proving application-specific folder access and understanding - user behavior patterns across different software applications. - - structure: | - Sequential entries containing executable name followed by folder path data - in binary PIDL (Pointer to Item IDentifier List) format. MRUListEx shows - access order with most recent first. Each entry links a specific program - to the folder location it accessed, providing application context for - folder navigation activities. 
- - examples: - - "Entry 0: notepad.exe -> C:\\Users\\user\\Documents\\Sensitive" - - "Entry 1: winrar.exe -> \\\\server\\confidential\\archives" - - "Entry 2: cmd.exe -> C:\\Windows\\System32" - - "Entry 3: malware.exe -> C:\\Temp\\Staging" - - "Entry 4: excel.exe -> \\\\fileserver\\finance\\reports" - - "MRUListEx: 4,3,2,1,0 (most recent access order)" - - "Network access: powershell.exe -> \\\\192.168.1.100\\admin$" - - "USB access: explorer.exe -> E:\\USB_Drive\\confidential" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with PIDL MRU parsing and application correlation" - - name: "LastActivityView" - url: "https://www.nirsoft.net/utils/computer_activity_view.html" - description: "Comprehensive computer activity viewer including folder access patterns" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with lastvisitedmru.pl plugin for detailed parsing" - - name: "PIDL Analyzer" - description: "Specialized tools for analyzing PIDL data structures and folder paths" - - name: "MRU Analysis Toolkit" - description: "Comprehensive MRU analysis tools including LastVisited parsing" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "user-activity" - - "folder-access" - - "application-tracking" - - "navigation-patterns" - - "data-staging" - - "file-dialogs" - - "program-correlation" - - "reconnaissance" - - "folder-navigation" - - references: - - title: "Common 
Dialog Box Library" - url: "https://docs.microsoft.com/en-us/windows/win32/dlgbox/common-dialog-box-library" - type: "official" - - title: "PIDL (Pointer to Item IDentifier List)" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/objects" - type: "official" - - title: "Windows Dialog History Forensics" - url: "https://www.sans.org/blog/windows-dialog-history-analysis/" - type: "research" - - title: "MRU Analysis in Digital Forensics" - url: "https://www.forensicfocus.com/articles/mru-lists-analysis/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives file deletion and application uninstallation, persists per user profile" - volatility: "Limited cache size may cause older entries to be overwritten" - - related_artifacts: - - "opensavemru" - - "shellbags" - - "recent_docs" - - "comdlg32_settings" - - "office_files" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/user-activity/mail_client.yml b/artifacts/user-activity/mail_client.yml deleted file mode 100644 index f928f9e..0000000 --- a/artifacts/user-activity/mail_client.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -title: "Email Client Registry Configuration" -category: "user-activity" -description: "Email client settings, MAPI configuration, default mail applications, and messaging protocols" - -paths: - - "HKCU\\Software\\Microsoft\\Office\\Outlook" - - "HKCU\\Software\\Microsoft\\Windows Mail" - - "HKCU\\Software\\Clients\\Mail" - - "HKLM\\SOFTWARE\\Clients\\Mail" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Messaging Subsystem" - -details: - what: | - Email client configuration encompasses default mail client registration, MAPI (Messaging - Application Programming Interface) settings, account configuration remnants, mail client - preferences, protocol associations, and messaging subsystem configuration. Controls email - handling behavior, client integration, protocol support, and system-wide messaging - functionality for comprehensive email communication management. - - forensic_value: | - Critical for investigating email-based attacks, data exfiltration through email channels, - and communication pattern analysis. Shows email client usage indicating potential corporate - espionage, reveals mail client modifications that facilitate email interception, and provides - evidence of email-based command and control communication. Essential for understanding - email infrastructure used for malicious activities and insider threat investigations. - - structure: | - Mail client registration includes default client specification, protocol associations for - mailto: links, MAPI provider configuration, and client-specific settings. MAPI configuration - controls messaging API behavior, profile settings, and service provider integration. - Client preferences include server settings, security configurations, and user interface - customizations stored as various registry data types. 
- - examples: - - "Default Mail Client: Microsoft Outlook (Configured default email application)" - - "mailto\\shell\\open\\command: \"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE\" -c IPM.Note /m \"%1\"" - - "MAPI\\CMC: 1 (Common Messaging Calls interface enabled)" - - "MAPI\\CMCDLLNAME32: mapi32.dll (32-bit MAPI library)" - - "Outlook\\Profiles\\Outlook: Default mail profile configuration" - - "AutoConfigURL: https://autodiscover.company.com/autodiscover/autodiscover.xml" - - "SuspiciousClient: C:\\malware\\email-stealer.exe (Unauthorized mail client)" - - tools: - - name: "Default Programs Control Panel" - description: "Windows built-in default application configuration interface" - - name: "Mail Control Panel (32-bit)" - description: "MAPI profile and email account management utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "MAPI Configuration Analyzer" - description: "Third-party tools for analyzing MAPI and email client settings" - - name: "Email Client Forensics Tools" - description: "Specialized utilities for email client configuration analysis" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 95" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "malware-analysis" - - "incident-response" - - tags: - - "email" - - "mail-client" - - "mapi" - - "default-applications" - - "communication" - - "messaging" - - "protocols" - - references: - - title: "Microsoft Documentation: MAPI" - url: "https://docs.microsoft.com/en-us/office/client-developer/outlook/mapi/mapi-reference" - type: "official" - - title: "Email Client Forensics and Investigation" - url: "https://www.forensicfocus.com/articles/email-client-forensics/" - type: "research" - - 
retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Email configuration persists until manually changed" - volatility: "Client settings affect ongoing email communication capabilities" - - related_artifacts: - - "default_applications" - - "user_profiles" - - "network_connections" - - "certificate_stores" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/microsoft_store.yml b/artifacts/user-activity/microsoft_store.yml deleted file mode 100644 index 725ad67..0000000 --- a/artifacts/user-activity/microsoft_store.yml +++ /dev/null 
@@ -1,108 +0,0 @@
-title: "Microsoft Store and UWP Applications"
-category: "user-activity"
-description: "Universal Windows Platform app packages, Store configuration, and modern application management"
-
-paths:
- - "HKCU\\Software\\Classes\\ActivatableClasses\\Package"
- - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx"
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Store"
- - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\AppxAllUserStore"
-
-details:
- what: |
- Microsoft Store and Universal Windows Platform (UWP) application ecosystem including installed
- app packages, package registrations, Store configuration settings, app container security
- configurations, and sideloading permissions. Manages modern Windows application deployment,
- updates, licensing, and sandboxed execution environment for enhanced security and user experience.
-
- forensic_value: |
- Critical for analyzing modern app usage patterns, identifying sideloaded applications that
- bypass Store security mechanisms, detecting unauthorized app installations, and investigating
- app-based data exfiltration or malicious activities. Shows evidence of enterprise app deployments,
- developer mode enabling, and potential security bypasses through sideloading or app container
- escape techniques used by sophisticated attackers.
-
- structure: |
- Package registration data organized by package full names including publisher information,
- installation paths, security descriptors, and app capabilities. Store configuration includes
- installation policies, update settings, and purchase restrictions. AppX deployment information
- contains package metadata, installation locations, and app container security configurations.
- - examples: - - "Package\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe: Calculator app package" - - "Package\\Microsoft.Photos_2023.11090.26005.0_x64__8wekyb3d8bbwe: Photos application" - - "PackageRepositoryRoot: C:\\Program Files\\WindowsApps (Store app installation directory)" - - "Store\\InstallPromptPolicy: 1 (Prompt for app installations)" - - "AppxAllUserStore: C:\\Program Files\\WindowsApps (System-wide app store)" - - "PackageMoniker: CompanyName.SuspiciousApp_1.0.0.0_x64__1234567890abc (Sideloaded app)" - - "DeveloperModeEnabled: 1 (Developer mode active - allows sideloading)" - - tools: - - name: "Get-AppxPackage PowerShell" - description: "PowerShell cmdlets for UWP package management and analysis" - - name: "Microsoft Store (ms-windows-store:)" - description: "Built-in Store application for app management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "App Package Manager" - description: "Third-party tools for analyzing UWP app packages" - - name: "Windows Package Manager (winget)" - description: "Command-line package management tool" - -metadata: - windows_versions: - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 8" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "data-exfiltration" - - tags: - - "microsoft-store" - - "uwp" - - "modern-apps" - - "app-packages" - - "sideloading" - - "app-containers" - - "developer-mode" - - references: - - title: "Microsoft Documentation: UWP App Packages" - url: "https://docs.microsoft.com/en-us/windows/uwp/packaging/" - type: "official" - - title: "Windows Store App Forensics" - url: "https://www.forensicfocus.com/articles/windows-store-app-forensics/" - type: "research" - - retention: - default_location: "Registry 
hive files (SOFTWARE, NTUSER.DAT)" - persistence: "App registrations persist until uninstallation" - volatility: "Package data reflects current app installation state" - - related_artifacts: - - "installed_programs" - - "user_profiles" - - "app_execution" - - "security_policies" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/notepad_plus_plus.yml b/artifacts/user-activity/notepad_plus_plus.yml deleted file mode 100644 index fae1581..0000000 --- a/artifacts/user-activity/notepad_plus_plus.yml +++ /dev/null 
@@ -1,100 +0,0 @@
-title: "Notepad++ Text Editor Usage and File History"
-category: "user-activity"
-description: "Notepad++ configuration, recent files, session data, and plugin usage"
-
-paths:
- - "HKCU\\Software\\Notepad++"
- - "HKLM\\SOFTWARE\\Notepad++"
- - "HKCU\\Software\\Classes\\Notepad++_file"
-
-details:
- what: |
- Notepad++ text editor stores configuration including recent file lists, session
- data, plugin configurations, and editing preferences. Registry tracks document
- access patterns, programming language usage, find/replace history, and workspace
- settings for comprehensive text editing activity analysis and development
- work pattern tracking in programming and text manipulation activities.
-
- forensic_value: |
- Important for investigating source code access, configuration file modifications,
- script development, and text-based evidence manipulation. Shows evidence of
- programming activity, configuration file editing, document modification patterns,
- and can reveal development work, system administration activities, or evidence
- of script-based attacks and system configuration changes.
-
- structure: |
- Notepad++ configuration includes recent file paths, session restoration data,
- language syntax settings, plugin configurations, and find/replace history.
- File history shows accessed documents, editing sessions, and workspace
- configurations for comprehensive text editing behavior analysis.
- - examples: - - "RecentFiles: C:\\Scripts\\malware_payload.py" - - "RecentFiles: C:\\Windows\\System32\\drivers\\etc\\hosts" - - "RecentFiles: C:\\Users\\user\\Documents\\passwords.txt" - - "Session\\File0: C:\\Development\\source_code.cpp" - - "FindHistory: SELECT * FROM users WHERE admin=1" - - "ReplaceHistory: password123 -> ********" - - "Language: Python (Programming language syntax)" - - tools: - - name: "Notepad++ Settings" - description: "Built-in Notepad++ configuration and preference management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Text Editor Forensics Tools" - description: "Specialized tools for text editor history and session analysis" - -metadata: - windows_versions: - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Notepad++" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "malware-analysis" - - "incident-response" - - tags: - - "notepad-plus-plus" - - "text-editor" - - "programming" - - "source-code" - - "configuration-files" - - "development-activity" - - references: - - title: "Notepad++ Official Site" - url: "https://notepad-plus-plus.org/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "File history and session data persist until manually cleared" - volatility: "Recent files provide ongoing development and editing activity evidence" - - related_artifacts: - - "development_tools" - - "text_editing" - - "recent_documents" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/user-activity/office_files.yml b/artifacts/user-activity/office_files.yml deleted file mode 100644 index a9dbd0e..0000000 
--- a/artifacts/user-activity/office_files.yml
+++ /dev/null
@@ -1,132 +0,0 @@
-title: "Microsoft Office Recent Files"
-category: "user-activity"
-description: "Recently accessed Microsoft Office documents with access timestamps, locations, and usage patterns"
-
-paths:
- - "HKCU\\Software\\Microsoft\\Office\\*\\*\\File MRU"
- - "HKCU\\Software\\Microsoft\\Office\\*\\*\\Place MRU"
- - "HKCU\\Software\\Microsoft\\Office\\*\\User MRU"
- - "HKCU\\Software\\Microsoft\\Office\\*\\*\\Security\\Trusted Documents"
-
-details:
- what: |
- Microsoft Office applications track recently opened documents, file locations,
- access patterns, and trusted document settings for quick reopening and security.
- Stores file paths, network locations, SharePoint URLs, OneDrive sync paths,
- and document access history across Word, Excel, PowerPoint, Access, and other
- Office applications. Includes both local and cloud-based document access tracking.
-
- forensic_value: |
- Reveals what documents users have been working on, shows access to sensitive files,
- can indicate data theft, unauthorized document access, or intellectual property
- violations. Critical for investigations involving document tampering, data exfiltration,
- corporate espionage, and unauthorized access to confidential information. Shows
- collaboration patterns and document sharing activities.
-
- structure: |
- Version-specific subkeys (16.0 for Office 2016/2019/365, 15.0 for Office 2013, etc.)
- containing application-specific MRU lists. Item values contain full file paths,
- network locations, SharePoint URLs, and cloud storage paths. Binary data includes
- access timestamps, document metadata, and security trust settings.
- - examples: - - "Word Item 1: C:\\Users\\user\\Documents\\Financial_Report_Q4.docx" - - "Excel Item 2: \\\\server\\shared\\HR\\Salary_Data_2024.xlsx" - - "PowerPoint Item 3: https://company.sharepoint.com/sites/marketing/presentation.pptx" - - "OneDrive: https://d.docs.live.net/abc123/Documents/strategy.docx" - - "Place MRU: C:\\Users\\user\\Desktop\\Confidential" - - "Trusted Document: C:\\Downloads\\suspicious_macro.xlsm" - - "Access Time: [Binary FILETIME: 132876543210000000]" - - "Network Share: \\\\fileserver.company.com\\finance\\budget.xlsx" - - "USB Document: E:\\USB_Drive\\sensitive_data.docx" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with Office MRU parsing and analysis" - - name: "OfficeIns" - url: "https://www.nirsoft.net/utils/officeins.html" - description: "NirSoft tool for analyzing installed Office applications and settings" - - name: "RecentFilesView" - url: "https://www.nirsoft.net/utils/recent_files_view.html" - description: "Comprehensive recent files viewer including Office documents" - - name: "Office MRU Parser" - description: "Specialized tools for parsing Office MRU data and timestamps" - - name: "OfficeFileAnalyzer" - description: "Tools for correlating Office file access with document metadata" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Office 97 (basic MRU), enhanced in Office 2007+" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "user-activity" - - "office-documents" - - "recent-files" - - "data-exfiltration" - - 
"intellectual-property" - - "document-access" - - "sharepoint" - - "onedrive" - - "collaboration" - - "sensitive-documents" - - references: - - title: "Office File Formats and Extensions" - url: "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference" - type: "official" - - title: "Office Security and Trust Center" - url: "https://docs.microsoft.com/en-us/office/client-developer/shared/security-and-trust-center" - type: "official" - - title: "Digital Forensics: Office Document Analysis" - url: "https://www.sans.org/blog/digital-forensics-office-documents/" - type: "research" - - title: "Microsoft Office Registry Forensics" - url: "https://www.forensicfocus.com/articles/microsoft-office-registry-analysis/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives document deletion, persists across Office updates and reboots" - volatility: "Limited MRU list size may cause older entries to be overwritten" - - related_artifacts: - - "recent_docs" - - "opensavemru" - - "lastvisited_pidlmru" - - "shellbags" - - "thumbnail_cache" - - "jump_lists" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/opensavemru.yml b/artifacts/user-activity/opensavemru.yml deleted file mode 100644 index 62e8e52..0000000 --- a/artifacts/user-activity/opensavemru.yml +++ /dev/null 
@@ -1,133 +0,0 @@
-title: "Open and Save Dialog MRU History"
-category: "user-activity"
-description: "Recently opened and saved files through Windows common dialog boxes with file type organization"
-
-paths:
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU"
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU"
-
-details:
- what: |
- Windows tracks files and folders accessed through standard Open and Save dialog boxes
- used by most Windows applications. Maintains separate lists organized by file extension
- and includes folder navigation history within dialogs. Captures user file interaction
- patterns across applications, showing what files were opened, saved, or accessed through
- standard Windows file dialogs regardless of the specific application used.
-
- forensic_value: |
- Reveals comprehensive user file access patterns, document locations, network share usage,
- and specific files opened for editing, viewing, or saving. Shows evidence of data access,
- document tampering, unauthorized file operations, and can indicate data staging for
- exfiltration. Critical for proving user interaction with specific files and understanding
- work patterns across multiple applications.
-
- structure: |
- Organized by file extensions (*.*, txt, pdf, docx, etc.) with MRUListEx showing
- access order within each category. Binary data contains full file paths, folder locations,
- and shell item lists. OpenSavePidlMRU uses PIDL format for richer location data including
- network paths, special folders, and metadata. Each extension maintains separate access history.
- - examples: - - "Extension: *.*\\0: C:\\Users\\user\\Documents\\confidential.pdf" - - "Extension: txt\\1: C:\\Temp\\passwords.txt" - - "Extension: xlsx\\2: \\\\server\\finance\\budget2024.xlsx" - - "Extension: exe\\0: D:\\USB\\suspicious_tool.exe" - - "Extension: zip\\1: C:\\Downloads\\data_archive.zip" - - "MRUListEx: 2,1,0 (most recent order within extension)" - - "Network path: \\\\192.168.1.100\\shared\\sensitive_data.docx" - - "Special folder: Desktop\\document.pdf" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with OpenSaveMRU parsing and PIDL analysis" - - name: "OpenSaveMRU Parser" - description: "Specialized tools for parsing and analyzing Open/Save dialog history" - - name: "MRU-Blaster" - description: "Tool for clearing and analyzing various MRU lists including OpenSave" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with opensavemru.pl plugin for detailed parsing" - - name: "LastActivityView" - url: "https://www.nirsoft.net/utils/computer_activity_view.html" - description: "Comprehensive activity viewer including file dialog history" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 95" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "user-activity" - - "file-access" - - "document-history" - - "network-shares" - - "data-exfiltration" - - "dialog-boxes" - - "file-operations" - - "application-usage" 
- - "document-tampering" - - references: - - title: "Common Dialog Box Library" - url: "https://docs.microsoft.com/en-us/windows/win32/dlgbox/common-dialog-box-library" - type: "official" - - title: "Windows MRU Lists Forensics" - url: "https://www.sans.org/blog/digital-forensics-mru-analysis/" - type: "research" - - title: "Registry Forensics: OpenSaveMRU" - url: "https://www.forensicfocus.com/articles/opensavemru-analysis/" - type: "research" - - title: "Windows Dialog History Analysis" - url: "https://articles.forensicfocus.com/2009/08/17/windows-dialog-history/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives file deletion and application uninstallation, persists per user profile" - volatility: "Limited cache size may cause older entries to be overwritten within each extension" - - related_artifacts: - - "recent_docs" - - "lastvisited_pidlmru" - - "comdlg32_settings" - - "shellbags" - - "office_files" - - "thumbnail_cache" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/user-activity/print_history.yml b/artifacts/user-activity/print_history.yml deleted file mode 100644 index ac6c965..0000000 --- a/artifacts/user-activity/print_history.yml +++ /dev/null 
@@ -1,119 +0,0 @@
-title: "Print Spooler and Printer History"
-category: "user-activity"
-description: "Printer configuration, print job evidence, document printing history, and network printer access"
-
-paths:
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers"
- - "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices"
- - "HKCU\\Printers\\DevModePerUser"
- - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers"
-
-details:
- what: |
- Windows print subsystem maintains comprehensive printer configurations including installed
- printers, network printer connections, print settings, driver information, user-specific
- printer preferences, print processor configurations, and evidence of print job activity.
- Manages local and network printer access, document printing patterns, and print spooler
- service behavior for complete printing infrastructure management.
-
- forensic_value: |
- Critical for investigating data exfiltration through physical document printing, intellectual
- property theft, and unauthorized document access. Shows what documents were printed, which
- printers were accessed, network printer usage patterns, and potential evidence of sensitive
- information being transferred to hard copy format. Essential for insider threat investigations
- involving document theft and corporate espionage through print channels.
-
- structure: |
- Printer configurations stored as printer name subkeys containing driver information, port
- assignments, device settings, security descriptors, and print processor details. User
- settings include default printer selections, device modes for specific print configurations,
- and printer-specific preferences. Network printer connections show authentication and
- access patterns with connection timestamps and usage statistics.
- - examples: - - "Printers\\HP LaserJet Pro M404: Local printer configuration" - - "Printers\\\\\\\\printserver\\\\Legal_Printer: Network printer connection" - - "Port: \\\\\\\\192.168.1.100\\\\Finance_Printer (Network print server)" - - "Driver: HP Universal Printing PCL 6 (Printer driver information)" - - "DefaultPrinter: Microsoft Print to PDF (Default printer selection)" - - "PrintProcessor: winprint,RAW (Print data processor)" - - "DevModePerUser\\\\\\\\server\\\\Confidential_Printer: User-specific print settings" - - "Security: O:BAG:SYD: (DACL security descriptor for printer access)" - - tools: - - name: "Printers & Scanners Settings" - description: "Windows built-in printer management and configuration interface" - - name: "Print Management Console" - description: "Advanced printer administration and monitoring tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Print Job Monitor" - description: "Third-party tools for monitoring and analyzing print activity" - - name: "PrinterLogView" - description: "Utilities for analyzing Windows print spooler logs and history" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "data-exfiltration" - - tags: - - "printing" - - "document-access" - - "data-exfiltration" - - "network-printers" - - "physical-evidence" - - "print-spooler" - - "document-theft" - - references: - - title: "Microsoft Documentation: Print Spooler Architecture" - url: 
"https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-the-print-spooler" - type: "official" - - title: "Print Job Forensics and Investigation" - url: "https://www.forensicfocus.com/articles/print-job-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SYSTEM, NTUSER.DAT)" - persistence: "Printer configuration persists until manually removed" - volatility: "Print settings reflect recent printing activity and document access" - - related_artifacts: - - "user_activity" - - "network_connections" - - "document_access" - - "recent_docs" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/recent_docs.yml b/artifacts/user-activity/recent_docs.yml deleted file mode 100644 index 1238fca..0000000 --- a/artifacts/user-activity/recent_docs.yml +++ /dev/null 
@@ -1,132 +0,0 @@
-title: "Recent Documents Access History"
-category: "user-activity"
-description: "Recently accessed documents and files with access order tracking and metadata"
-
-paths:
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU"
-
-details:
- what: |
- Windows tracks recently accessed documents and files to populate recent items
- in applications, Start menu, and taskbar jump lists. Stores file paths, access order,
- file metadata, and shell link information for quick user access. Maintains separate
- tracking for different file types and includes both local and network file access.
- Data includes PIDL (Pointer to Item IDentifier List) information for comprehensive tracking.
-
- forensic_value: |
- Shows what files a user has recently opened, indicating work patterns, data access,
- and potential data exfiltration activities. Can reveal sensitive documents accessed,
- unauthorized file access, evidence of specific work activities, or attempts to access
- restricted information. Critical for intellectual property theft investigations and
- user behavior analysis.
-
- structure: |
- Binary data containing file paths, shell link information, and access metadata.
- MRUListEx value shows access order with most recent first (0-based indexing).
- File extensions get separate subkeys for organization. Data includes full file paths,
- network locations, and associated metadata stored in shell item format.
- - examples: - - "Extension: .pdf - C:\\Users\\user\\Documents\\financial_report.pdf" - - "Extension: .docx - \\\\server\\HR\\employee_records.docx" - - "Extension: .xlsx - D:\\USB\\confidential_data.xlsx" - - "Network file: \\\\fileserver.company.com\\shared\\strategy.pptx" - - "Local file: C:\\Temp\\downloaded_document.pdf" - - "MRUListEx: 0,3,1,2 (most recent access order)" - - "File metadata: Size, modification date, attributes" - - "Access timestamp: 2024-01-20 15:30:45" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with RecentDocs parsing and PIDL analysis" - - name: "RecentFileCacheParser" - url: "https://github.com/EricZimmerman/RecentFileCacheParser" - description: "Eric Zimmerman's tool for recent file cache analysis" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with recentdocs.pl plugin for comprehensive parsing" - - name: "JumpList Explorer" - description: "Tools for analyzing recent documents through jump list correlation" - - name: "RecentFilesView" - url: "https://www.nirsoft.net/utils/recent_files_view.html" - description: "NirSoft tool for viewing recently opened files from multiple sources" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 98" - - criticality: "high" - - investigation_types: - - "data-exfiltration" - - "insider-threat" - - "behavioral-analysis" - - "timeline-analysis" - - "incident-response" - - tags: - - "user-activity" - - "document-access" - - "file-history" - - "data-exfiltration" - - "intellectual-property" - - "sensitive-documents" - - 
"user-behavior" - - "file-tracking" - - "network-access" - - references: - - title: "Windows Shell Recent Documents" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/recent-documents" - type: "official" - - title: "Registry Forensics: Recent Documents" - url: "https://www.sans.org/blog/digital-forensics-recent-documents-analysis/" - type: "research" - - title: "Windows Recent Items Analysis" - url: "https://www.forensicfocus.com/articles/windows-recent-items-forensics/" - type: "research" - - title: "PIDL Analysis in Digital Forensics" - url: "https://articles.forensicfocus.com/2011/02/07/pidl-analysis/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives file deletion, persists across reboots per user profile" - volatility: "Limited cache size may cause older entries to be overwritten" - - related_artifacts: - - "opensavemru" - - "lastvisited_pidlmru" - - "jump_lists" - - "shellbags" - - "office_files" - - "thumbnail_cache" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/user-activity/run_dialog_history.yml b/artifacts/user-activity/run_dialog_history.yml deleted file mode 100644 index 0f000d1..0000000 --- a/artifacts/user-activity/run_dialog_history.yml +++ /dev/null 
@@ -1,117 +0,0 @@
-title: "Run Dialog Command History"
-category: "user-activity"
-description: "Windows Run dialog (Win+R) command history with executed commands and administrative tool access"
-
-paths:
- - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
-
-details:
- what: |
- Windows Run dialog maintains a Most Recently Used (MRU) list of commands executed through
- the Run interface (Win+R keyboard shortcut). Tracks command execution history including
- system utilities, administrative tools, file paths, network locations, and custom commands
- entered by users for quick access to Windows functionality and programs.
-
- forensic_value: |
- Extremely valuable for detecting administrative tool usage, malicious command execution,
- system reconnaissance activities, and attempts to access restricted utilities. Shows
- evidence of command-line tool usage, administrative access attempts, network resource
- enumeration, and potential privilege escalation activities. Critical for understanding
- user intent and technical knowledge level during investigations.
-
- structure: |
- Sequential lettered values (a, b, c, etc.) containing executed commands as REG_SZ data.
- MRUList value shows execution chronology with most recent commands listed first using
- letter indicators. Commands include full paths, parameters, network locations, and
- built-in Windows utilities with complete command syntax preservation.
- - examples: - - "a: cmd (Command Prompt execution)" - - "b: regedit (Registry Editor access)" - - "c: gpedit.msc (Group Policy Editor)" - - "d: services.msc (Services management console)" - - "e: \\\\192.168.1.100\\admin$ (Network administrative share)" - - "f: powershell -enc [base64] (PowerShell encoded command)" - - "g: C:\\temp\\malware.exe (Suspicious executable execution)" - - "MRUList: gfedcba (chronological order, newest first)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "RunMRU Parser" - description: "Specialized tools for Run dialog history analysis" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "LastActivityView" - url: "https://www.nirsoft.net/utils/computer_activity_view.html" - description: "Comprehensive computer activity viewer including Run commands" - - name: "Windows Run Dialog History Cleaner" - description: "Tools for clearing Run dialog history and privacy management" - -metadata: - windows_versions: - - "Windows 95" - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 95" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "privilege-escalation" - - "behavioral-analysis" - - "incident-response" - - "insider-threat" - - tags: - - "user-activity" - - "command-execution" - - "administrative-tools" - - "run-dialog" - - "system-utilities" - - "privilege-escalation" - - "reconnaissance" - - "malware-execution" - - references: - - title: "Microsoft Documentation: Run Dialog" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/launch" - type: "official" - - title: "Windows Run Dialog Forensics" - url: "https://www.forensicfocus.com/articles/windows-run-dialog-analysis/" 
- type: "research" - - title: "Command Execution Artifacts in Windows" - url: "https://www.sans.org/blog/command-execution-artifacts/" - type: "research" - - retention: - default_location: "Registry hive file (NTUSER.DAT)" - persistence: "Command history persists across reboots until manually cleared" - volatility: "Real-time updates with Run dialog usage, immediate evidence of user actions" - - related_artifacts: - - "wordwheel_query" - - "userassist" - - "powershell_policy" - - "registry_run_keys" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/user-activity/search_history.yml b/artifacts/user-activity/search_history.yml deleted file mode 100644 index fe91016..0000000 --- a/artifacts/user-activity/search_history.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -title: "Windows Search Index and Configuration" -category: "user-activity" -description: "Windows Search service configuration, indexed locations, search preferences, and indexing behavior" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows Search" - - "HKCU\\Software\\Microsoft\\Windows Search\\Preferences" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\CrawlScopeManager" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather" - - "HKCU\\Software\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex" - -details: - what: | - Windows Search service maintains comprehensive configuration for file indexing, search behavior, - crawl scope management, and search preferences. Controls which files and locations are searchable, - file type filters, search result preferences, privacy settings, and indexing service behavior - for both local and network resources. - - forensic_value: | - Critical for understanding user search patterns, data access intentions, and information-seeking - behavior. Shows what locations were indexed for search capabilities, reveals search preferences - that might indicate user intent to hide or find specific data types, and provides insights - into file access patterns through search functionality. Configuration changes may indicate - attempts to hide data from search or expand search capabilities for data discovery. - - structure: | - Search configuration includes indexed location rules (CrawlScopeManager), file type filters, - search preferences, service status, and privacy settings. CrawlScopeManager contains inclusion - and exclusion rules with scope definitions for local drives, network paths, and specific - folders. Preferences control search behavior, history, and result display options. 
- - examples: - - "IndexedLocations: C:\\Users\\user\\Documents" - - "ExcludedPaths: C:\\Windows\\Temp, C:\\Program Files" - - "EnableWebSearchInHistory: 1 (Web search enabled)" - - "SearchHistory: 1 (Search history tracking enabled)" - - "PrivacyMode: 0 (Privacy mode disabled)" - - "IndexerState: 2 (Indexing service running)" - - "CrawlIncludePatterns: *.pdf, *.docx, *.xlsx" - - "NetworkIndexing: 0 (Network locations excluded from indexing)" - - tools: - - name: "Windows Indexing Options" - description: "Built-in interface for search and indexing configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Search Index Troubleshooter" - description: "Windows built-in diagnostic tool for search issues" - - name: "PowerShell Get-WindowsSearchSetting" - description: "PowerShell cmdlets for search configuration analysis" - - name: "Windows Search Configuration Analyzer" - description: "Third-party tools for comprehensive search settings analysis" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "data-exfiltration" - - "incident-response" - - "timeline-analysis" - - "insider-threat" - - tags: - - "search" - - "indexing" - - "file-access" - - "search-history" - - "indexed-locations" - - "data-discovery" - - "user-intent" - - "privacy-settings" - - references: - - title: "Microsoft Documentation: Windows Search" - url: "https://docs.microsoft.com/en-us/windows/win32/search/" - type: "official" - - title: "Windows Search Index Forensics" - url: "https://www.forensicfocus.com/articles/windows-search-index-forensics/" - type: "research" - - 
title: "Configuring Windows Search for Forensic Investigations" - url: "https://www.sans.org/white-papers/39855/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT), search index files" - persistence: "Configuration settings persist until manually changed" - volatility: "Search index reflects real-time file system changes, settings affect evidence collection" - - related_artifacts: - - "wordwheel_query" - - "recent_docs" - - "opensavemru" - - "explorer_policies" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/seven_zip.yml b/artifacts/user-activity/seven_zip.yml deleted file mode 100644 index 1d17d51..0000000 --- a/artifacts/user-activity/seven_zip.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: "7-Zip Archive Tool Usage" -category: "user-activity" -description: "7-Zip configuration, archive history, compression settings, and file handling preferences" - -paths: - - "HKCU\\Software\\7-Zip" - - "HKLM\\SOFTWARE\\7-Zip" - - "HKCU\\Software\\Classes\\7-Zip.*" - - "HKLM\\SOFTWARE\\Classes\\7-Zip.*" - -details: - what: | - 7-Zip archive utility stores configuration including compression settings, file - associations, context menu integration, and archive handling preferences. - Registry tracks archive creation/extraction activity, compression algorithms, - password usage, and interface customizations for comprehensive archive tool - usage analysis and file compression behavior tracking. - - forensic_value: | - Critical for investigating data packaging for exfiltration, evidence destruction - through compression, password-protected archive creation, and file transfer - preparation. Shows evidence of archive manipulation, compression activities, - and can indicate data theft preparation, evidence concealment, or file - organization for unauthorized distribution through compressed archive usage. - - structure: | - 7-Zip configuration includes compression level preferences, archive format - settings, password protection usage, context menu integration, and file - association data. Archive history shows processed files, compression ratios, - and extraction activities for comprehensive archive tool behavior analysis. 
- - examples: - - "InstallPath: C:\\Program Files\\7-Zip" - - "CompressionLevel: 5 (Normal compression)" - - "ArchiveFormat: 7z (Default archive format)" - - "ContextMenu: 1 (Explorer context menu integration)" - - "FileAssociation: .7z -> 7-Zip File Manager" - - "FileAssociation: .rar -> 7-Zip File Manager" - - "SolidArchive: 1 (Solid compression enabled)" - - "EncryptionMethod: AES-256 (Archive encryption method)" - - tools: - - name: "7-Zip File Manager" - description: "7-Zip's built-in archive management interface" - - name: "7z.exe" - description: "7-Zip command-line archiving utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "7-Zip" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "behavioral-analysis" - - "incident-response" - - tags: - - "7-zip" - - "archive-tools" - - "compression" - - "data-packaging" - - "file-extraction" - - "password-protection" - - "free-software" - - references: - - title: "7-Zip Official Site" - url: "https://www.7-zip.org/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Archive settings and file associations persist until reconfiguration" - volatility: "Archive manipulation activity provides evidence of file compression and extraction" - - related_artifacts: - - "winrar_usage" - - "file_compression" - - "data_packaging" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/user-activity/shellbags.yml b/artifacts/user-activity/shellbags.yml deleted file mode 100644 index 4251488..0000000 --- a/artifacts/user-activity/shellbags.yml +++ /dev/null 
@@ -1,131 +0,0 @@ -title: "ShellBags Explorer Navigation History" -category: "user-activity" -description: "Windows Explorer folder navigation history and view preferences with deleted folder evidence" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\Shell\\Bags" - - "HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU" - - "HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags" - - "HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU" - - "HKCU\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags" - -details: - what: | - ShellBags track Windows Explorer navigation history, folder view preferences, - window positions, column sorting options, and folder access patterns. Records evidence - of folders accessed even if they no longer exist on the system. Stores metadata about - folder structures, view settings, and user interaction patterns with the file system. - - forensic_value: | - Proves user accessed specific folders, shows folder structure of deleted - directories, reveals navigation patterns, and provides evidence of external - storage device usage. Critical for proving folder access and user activity. - Can reveal access to sensitive directories, network shares, and removable media. - Essential for timeline reconstruction and user behavior analysis. - - structure: | - Hierarchical folder structure with numbered bag entries containing view - preferences, access timestamps, and folder properties. BagMRU maintains - most recently used folder list with PIDL (Pointer to Item IDentifier List) data. - Each bag contains window size, view mode, column widths, and sorting preferences. 
- - examples: - - "Bag 1: Desktop folder settings (Icon view, large icons)" - - "Bag 15: C:\\Users\\user\\Documents\\Sensitive (Details view)" - - "Bag 23: \\\\server\\confidential (network folder access)" - - "Bag 45: E:\\ (USB drive - Kingston DataTraveler)" - - "MRU Entry: USB drive folder structure" - - "View: Details mode, sorted by date modified" - - "Position: Window at 100,100 size 800x600" - - "Columns: Name, Date Modified, Type, Size" - - tools: - - name: "ShellBagsExplorer" - url: "https://github.com/EricZimmerman/ShellBagsExplorer" - description: "Eric Zimmerman's comprehensive ShellBags analysis tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with ShellBags parsing capabilities" - - name: "ShellBag Analyzer" - description: "Specialized tools for ShellBags timeline analysis" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry analysis with shellbags.pl plugin" - - name: "SBECmd" - url: "https://github.com/EricZimmerman/SBECmd" - description: "Command-line ShellBags extraction and analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows XP" - - criticality: "high" - - investigation_types: - - "timeline-analysis" - - "behavioral-analysis" - - "data-exfiltration" - - "incident-response" - - "insider-threat" - - tags: - - "user-activity" - - "folder-navigation" - - "explorer-history" - - "deleted-folders" - - "external-storage" - - "user-behavior" - - "file-system-access" - - "network-shares" - - "usb-tracking" - - references: - - title: "Windows ShellBags Forensics" - url: "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shellbags/" 
- type: "research" - - title: "ShellBags Analysis Techniques" - url: "https://www.forensicfocus.com/articles/windows-shellbags-forensics/" - type: "research" - - title: "Registry Forensics: ShellBags" - url: "https://www.champlain.edu/Documents/LCDI/archive/Shellbags-Analysis.pdf" - type: "research" - - title: "Digital Forensics: ShellBags Analysis" - url: "https://articles.forensicfocus.com/2010/04/12/shellbags-forensics/" - type: "research" - - retention: - default_location: "NTUSER.DAT registry hive" - persistence: "Survives folder deletion, persists across reboots and system updates" - volatility: "Historical access patterns preserved even after folder removal" - - related_artifacts: - - "recent_docs" - - "lastvisited_pidlmru" - - "opensavemru" - - "jump_lists" - - "usb_device_history" - - "mapped_drives" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/user-activity/thumbnail_cache.yml b/artifacts/user-activity/thumbnail_cache.yml deleted file mode 100644 index c72c010..0000000 --- a/artifacts/user-activity/thumbnail_cache.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -title: "Thumbnail Cache and Image Preview Configuration" -category: "user-activity" -description: "Thumbnail generation settings, image preview configuration, and cache management for file explorer" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" - - "HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" - -details: - what: | - Windows generates and caches thumbnail images for photos, videos, documents, and other files - to improve Explorer performance and user experience. Registry settings control thumbnail - generation behavior, cache size limits, quality settings, network file thumbnails, and - preview pane functionality for enhanced file browsing. - - forensic_value: | - Critical for investigations involving inappropriate content, intellectual property theft, or - data exfiltration. Even when original files are deleted, thumbnail images may persist in - cache files, providing visual evidence of viewed content. Registry settings reveal if - thumbnails were disabled to hide activity or if specialized thumbnail configurations - indicate specific user behaviors or security-conscious modifications. - - structure: | - Configuration settings include DisableThumbnailCache (thumbnail generation), DisableThumbsDBOnNetworkFolders - (network thumbnails), ThumbnailSize (image dimensions), ShowPreviewPane (preview visibility), - ThumbnailQuality (compression settings), and AlwaysShowIcons (disable thumbnails completely). - Values stored as REG_DWORD with various numerical settings. 
- - examples: - - "DisableThumbnailCache: 1 (Thumbnail generation disabled)" - - "DisableThumbsDBOnNetworkFolders: 1 (No network thumbnails)" - - "ThumbnailSize: 256 (Large thumbnail dimensions)" - - "ShowPreviewPane: 0 (Preview pane hidden)" - - "ThumbnailQuality: 90 (High quality compression)" - - "AlwaysShowIcons: 1 (Force generic icons instead of thumbnails)" - - "NoThumbnailCache: 1 (Prevent thumbnail cache creation)" - - tools: - - name: "ThumbCacheViewer" - url: "https://thumbcacheviewer.github.io" - description: "Extract and view images from Windows thumbnail cache files" - - name: "Thumbs Viewer" - url: "https://www.majorgeeks.com/files/details/thumbs_viewer.html" - description: "View thumbs.db and thumbnail cache contents" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Thumbnail Database Analyzer" - description: "Specialized forensic tools for thumbnail cache analysis" - - name: "Windows File Explorer Options" - description: "Built-in thumbnail and preview configuration interface" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "insider-threat" - - "data-exfiltration" - - "timeline-analysis" - - "behavioral-analysis" - - tags: - - "thumbnails" - - "image-viewing" - - "deleted-files" - - "visual-evidence" - - "inappropriate-content" - - "cache-files" - - "preview-pane" - - "file-explorer" - - references: - - title: "Microsoft Documentation: Thumbnail Cache" - url: "https://docs.microsoft.com/en-us/windows/win32/shell/thumbnail-cache" - type: "official" - - title: "Windows Thumbnail Cache Forensics" - url: 
"https://www.forensicfocus.com/articles/windows-thumbnail-cache-forensics/" - type: "research" - - title: "Digital Forensics: Recovering Deleted Images from Thumbnail Cache" - url: "https://www.sans.org/white-papers/33764/" - type: "research" - - retention: - default_location: "Registry hive files (NTUSER.DAT, SOFTWARE), thumbnail cache files" - persistence: "Settings persist until manually changed, cache files survive file deletion" - volatility: "Thumbnail images may persist after original file deletion, crucial for recovery" - - related_artifacts: - - "recent_docs" - - "shellbags" - - "opensavemru" - - "explorer_policies" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/voice_recorder.yml b/artifacts/user-activity/voice_recorder.yml deleted file mode 100644 index b30858f..0000000 --- a/artifacts/user-activity/voice_recorder.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -title: "Voice Recorder Application Activity" -category: "user-activity" -description: "Windows Voice Recorder usage, recording locations, and audio capture settings" - -paths: - - "HKCU\\Software\\Microsoft\\SoundRecorder" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.SoundRecorder_8wekyb3d8bbwe!App" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\AppxAllUserStore\\Applications\\Microsoft.SoundRecorder_8wekyb3d8bbwe" - -details: - what: | - Windows Voice Recorder application stores configuration data including recording - quality settings, file save locations, application preferences, and usage statistics. - Registry tracks app positioning, window states, recently used settings, and - integration preferences for audio recording functionality built into Windows - for voice memos, interviews, and audio capture purposes. - - forensic_value: | - Provides evidence of audio recording activity that could indicate surveillance, - interview recording, voice memo creation, or audio evidence capture. Shows - usage patterns, recording preferences, and potential evidence of covert recording - activities. Can reveal user behavior related to audio documentation, meeting - recording, or evidence preservation activities during investigations. - - structure: | - SoundRecorder entries include recording quality preferences, default save - locations, application window positioning, and recent file access patterns. - ApplicationFrame data tracks window positions and application state information. - UWP app registration contains installation and permission data. 
- - examples: - - "LastOpenedFile: C:\\Users\\user\\Documents\\Recording.m4a" - - "RecordingQuality: High (Audio quality preference)" - - "DefaultSaveLocation: Documents\\Recordings" - - "AutoSave: 1 (Automatic file saving enabled)" - - "AppPosition: {x:100, y:100, width:800, height:600}" - - tools: - - name: "Voice Recorder App" - description: "Built-in Windows audio recording application" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Audio Forensics Tools" - description: "Specialized tools for audio file analysis and metadata extraction" - -metadata: - windows_versions: - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows 8" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - tags: - - "voice-recorder" - - "audio-recording" - - "surveillance" - - "evidence" - - "microphone-usage" - - "recording-activity" - - references: - - title: "Windows Voice Recorder" - url: "https://support.microsoft.com/en-us/windows/record-sounds-with-voice-recorder-83b2d3b0-3b62-4b45-9c9b-9c50a4b82db4" - type: "official" - - retention: - default_location: "Registry hive files (NTUSER.DAT, SOFTWARE)" - persistence: "Usage data persists until application reset or removal" - volatility: "Recording activity provides evidence of audio capture usage" - - related_artifacts: - - "microphone_access" - - "file_access_history" - - "application_usage" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/user-activity/windows_spotlight.yml b/artifacts/user-activity/windows_spotlight.yml deleted file mode 100644 index d63a1af..0000000 --- a/artifacts/user-activity/windows_spotlight.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -title: "Windows Spotlight and Lock Screen Data" -category: "user-activity" -description: "Lock screen personalization, Windows Spotlight content, and user interaction tracking" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ContentDeliveryManager" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Lock Screen" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize" - -details: - what: | - Windows Spotlight manages lock screen background images, suggested content, tips and - tricks, app suggestions, and personalization features. Registry tracks user interactions - with spotlight content, downloaded image metadata, content preferences, and engagement - metrics. Controls automatic content updates, cloud-sourced backgrounds, and - personalized recommendations based on user behavior patterns. - - forensic_value: | - Reveals user behavior patterns, content interaction history, and system usage - characteristics. Shows evidence of user engagement with system features, potential - indicators of user presence and activity, and timeline information for system - access patterns. Can indicate user preferences, system interaction levels, and - provide context for user behavior analysis during investigations. - - structure: | - ContentDeliveryManager contains feature enablement flags, content subscription - settings, interaction counters, and download preferences. Lock Screen entries - include image sources, update frequencies, and user customization preferences. - Binary values track engagement metrics and content delivery statistics. 
- - examples: - - "RotatingLockScreenEnabled: 1 (Windows Spotlight enabled)" - - "RotatingLockScreenOverlayEnabled: 1 (Lock screen tips enabled)" - - "SoftLandingEnabled: 1 (App suggestions enabled)" - - "SystemPaneSuggestionsEnabled: 0 (Start menu suggestions disabled)" - - "SubscribedContent-338387Enabled: 1 (Tips and tricks enabled)" - - "SubscribedContent-353698Enabled: 0 (Timeline suggestions disabled)" - - tools: - - name: "Windows Settings (Personalization)" - description: "Built-in Windows lock screen and background configuration" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor" - description: "Enterprise control over Windows Spotlight and content delivery" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - introduced: "Windows 10" - - criticality: "low" - - investigation_types: - - "behavioral-analysis" - - "timeline-analysis" - - tags: - - "lock-screen" - - "spotlight" - - "personalization" - - "user-behavior" - - "content-delivery" - - "preferences" - - references: - - title: "Windows Spotlight Documentation" - url: "https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight" - type: "official" - - retention: - default_location: "Registry hive files (NTUSER.DAT)" - persistence: "Settings persist until user modifications or policy changes" - volatility: "Interaction data provides ongoing user behavior insights" - - related_artifacts: - - "user_preferences" - - "system_personalization" - - "content_consumption" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/user-activity/winrar.yml b/artifacts/user-activity/winrar.yml deleted file mode 100644 index 735093f..0000000 --- a/artifacts/user-activity/winrar.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -title: "WinRAR Archive Tool Usage and File History" -category: "user-activity" -description: "WinRAR configuration, archive history, extraction locations, and compression activity" - -paths: - - "HKCU\\Software\\WinRAR" - - "HKLM\\SOFTWARE\\WinRAR" - - "HKCU\\Software\\Classes\\WinRAR" - - "HKLM\\SOFTWARE\\Classes\\WinRAR" - -details: - what: | - WinRAR archive utility stores configuration including recent archive files, - extraction paths, compression settings, and file association preferences. - Registry tracks archive creation/extraction activity, password usage patterns, - temporary file locations, and compression preferences for comprehensive - archive tool usage analysis and file handling behavior tracking. - - forensic_value: | - Critical for investigating data packaging for exfiltration, evidence destruction - through compression, password-protected archive usage, and file transfer - preparation. Shows evidence of archive creation/extraction activity, reveals - potentially suspicious file packaging, and can indicate data theft preparation - or evidence concealment through compressed archives. - - structure: | - WinRAR configuration includes recent archive lists, default extraction paths, - compression levels, password settings, and file association data. Archive - history shows processed files, extraction locations, and access patterns - for comprehensive archive tool behavior analysis and data handling tracking. 
- - examples: - - "ArcHistory: C:\\Users\\user\\Documents\\sensitive_data.rar" - - "ArcHistory: C:\\Temp\\exfiltration_package.zip" - - "ExtrPath: C:\\Users\\user\\Desktop\\extracted\\" - - "Compression: 3 (Normal compression level)" - - "SavePaths: 1 (Save extraction paths)" - - "Password: (Encrypted password usage indicator)" - - "TempPath: C:\\Temp\\WinRAR\\ (Temporary extraction location)" - - tools: - - name: "WinRAR File Manager" - description: "Built-in WinRAR archive management interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Archive Forensics Tools" - description: "Specialized tools for archive analysis and password recovery" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "WinRAR" - - criticality: "low" - - investigation_types: - - "data-exfiltration" - - "behavioral-analysis" - - "incident-response" - - tags: - - "winrar" - - "archive-tools" - - "compression" - - "data-packaging" - - "file-extraction" - - "password-protection" - - references: - - title: "WinRAR Archiver" - url: "https://www.rarlab.com/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Archive history and settings persist until manually cleared" - volatility: "Archive activity provides evidence of file packaging and extraction" - - related_artifacts: - - "file_compression" - - "data_packaging" - - "recent_documents" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/user-activity/winzip.yml b/artifacts/user-activity/winzip.yml deleted file mode 100644 index 8b6f8cb..0000000 
--- a/artifacts/user-activity/winzip.yml +++ /dev/null 
@@ -1,102 +0,0 @@ -title: "WinZip Commercial Archive Tool" -category: "user-activity" -description: "WinZip configuration, archive management, cloud integration, and commercial compression features" - -paths: - - "HKCU\\Software\\WinZip Computing\\WinZip" - - "HKLM\\SOFTWARE\\WinZip Computing\\WinZip" - - "HKCU\\Software\\Classes\\WinZip" - - "HKLM\\SOFTWARE\\Classes\\WinZip" - -details: - what: | - WinZip commercial archive utility stores configuration including compression - preferences, cloud service integration, security settings, and enterprise - features. Registry tracks archive operations, cloud backup preferences, - encryption settings, and collaboration features for comprehensive commercial - archive tool usage analysis and professional file management behavior tracking. - - forensic_value: | - Important for investigating professional data packaging, commercial archive - tool usage, cloud integration activities, and enterprise file management. - Shows evidence of commercial software usage, cloud storage integration, - professional archive handling, and can reveal business-level data organization, - cloud-based file sharing, and commercial tool preferences in corporate environments. - - structure: | - WinZip configuration includes licensing information, cloud service connections, - compression algorithms, security preferences, and collaboration settings. - Enterprise features track policy compliance, backup configurations, and - professional archive management capabilities for comprehensive commercial tool analysis. 
- - examples: - - "InstallPath: C:\\Program Files\\WinZip" - - "LicenseKey: WZFM-XXXX-XXXX-XXXX (Commercial license)" - - "CloudServices: Dropbox, Google Drive, OneDrive" - - "EncryptionStrength: AES-256 (Enterprise encryption)" - - "BackupSchedule: Daily (Automated backup configuration)" - - "ZipShare: 1 (Cloud sharing service enabled)" - - "EnterpriseFeatures: 1 (Business features activated)" - - tools: - - name: "WinZip Interface" - description: "WinZip's commercial archive management application" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 95" - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "WinZip" - - criticality: "medium" - - investigation_types: - - "data-exfiltration" - - "behavioral-analysis" - - "incident-response" - - tags: - - "winzip" - - "commercial-archive" - - "compression" - - "cloud-integration" - - "enterprise-features" - - "backup" - - "collaboration" - - references: - - title: "WinZip Official Site" - url: "https://www.winzip.com/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Commercial license and configuration data persist until software removal" - volatility: "Professional archive usage provides evidence of business-level file management" - - related_artifacts: - - "archive_tools" - - "cloud_integration" - - "commercial_software" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/user-activity/wordwheel_query.yml b/artifacts/user-activity/wordwheel_query.yml deleted file mode 100644 index 54c630f..0000000 --- a/artifacts/user-activity/wordwheel_query.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -title: "Start Menu Search History (WordWheelQuery)" -category: "user-activity" -description: "Windows Start menu search queries, typed terms, and search autocomplete history" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery" - -details: - what: | - Windows records search terms typed in the Start menu search box to provide autocomplete - functionality and search suggestions. Maintains chronological history of user search - queries across system searches, application searches, settings searches, and file searches - initiated through the Start menu interface. - - forensic_value: | - Extremely valuable for understanding user intent, revealing what files, applications, or - system utilities users were searching for. Can show evidence of attempts to find specific - tools for malicious purposes, searches for confidential information, administrative utilities, - or attempts to locate and execute suspicious programs. Provides direct insight into user - behavior patterns and investigative leads for further analysis. - - structure: | - Sequential numbered values (0, 1, 2, etc.) containing search terms as REG_SZ data. - MRUListEx value shows search chronology with most recent searches listed first. - Search terms persist across user sessions and system reboots, maintaining complete - search history until manually cleared or overwritten by new searches. 
- - examples: - - "0: cmd (Command Prompt search)" - - "1: powershell (PowerShell search)" - - "2: regedit (Registry Editor search)" - - "3: confidential documents (File search)" - - "4: malware.exe (Suspicious executable search)" - - "5: administrative tools (System utilities search)" - - "6: control panel (Settings search)" - - "MRUListEx: 6,5,4,3,2,1,0 (chronological order, newest first)" - - tools: - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "SearchMyFiles" - url: "https://www.nirsoft.net/utils/search_my_files.html" - description: "File search utility with history tracking" - - name: "Windows Search History Parser" - description: "Specialized tools for analyzing Windows search artifacts" - - name: "LastActivityView" - url: "https://www.nirsoft.net/utils/computer_activity_view.html" - description: "Computer activity tracking including search history" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows Vista" - - criticality: "high" - - investigation_types: - - "behavioral-analysis" - - "malware-analysis" - - "insider-threat" - - "timeline-analysis" - - tags: - - "search-history" - - "start-menu" - - "user-intent" - - "behavior-analysis" - - "search-queries" - - "application-search" - - "system-search" - - "investigation-leads" - - references: - - title: "Microsoft Documentation: Start Menu Search" - url: "https://docs.microsoft.com/en-us/windows/configuration/start-menu-search/" - type: "official" - - title: "Windows Search Artifacts for Digital Forensics" - url: "https://www.forensicfocus.com/articles/windows-search-artifacts/" - type: "research" - - title: "User Activity Reconstruction through Windows Search 
History" - url: "https://www.dfrws.org/sites/default/files/session-files/paper-user_activity_reconstruction_through_windows_search_history.pdf" - type: "research" - - retention: - default_location: "Registry hive file (NTUSER.DAT)" - persistence: "Search terms persist across reboots until manually cleared or overwritten" - volatility: "Real-time updates with each search, provides immediate user intent evidence" - - related_artifacts: - - "search_history" - - "recent_docs" - - "userassist" - - "opensavemru" - - "run_keys" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/virtualization/hyperv.yml b/artifacts/virtualization/hyperv.yml deleted file mode 100644 index b379e54..0000000 --- a/artifacts/virtualization/hyperv.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -title: "Hyper-V and Virtualization Configuration" -category: "virtualization" -description: "Hyper-V hypervisor settings, virtual machine configuration, container support, and virtualization security" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\vmms" - - "HKLM\\SOFTWARE\\Microsoft\\Hyper-V" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" - -details: - what: | - Windows virtualization infrastructure encompasses Hyper-V hypervisor configuration, virtual - machine management service settings, container runtime support, hardware virtualization - capabilities, and security features including Virtualization-Based Security (VBS) and - Device Guard. Controls hypervisor operation, VM isolation, container orchestration, - and virtualization-enhanced security mechanisms for enterprise and development environments. - - forensic_value: | - Critical for investigating virtualization-based attacks, VM escape attempts, container - security incidents, and virtualization technology abuse for malware evasion. Shows - evidence of virtual machine usage that could hide malicious activity, reveals virtualization - configurations that may facilitate advanced persistent threats, and indicates attempts - to bypass security controls through virtualization technologies. - - structure: | - Virtualization configuration includes hypervisor enablement status, VM management service - settings, virtual switch configurations, security policy enforcement, and hardware - virtualization capabilities. DeviceGuard contains Virtualization-Based Security settings, - hypervisor-protected code integrity, and credential guard configurations for enhanced security. 
- - examples: - - "Virtualization\\HypervisorEnforced: 1 (Hypervisor-based security active)" - - "vmms\\Start: 3 (Virtual Machine Management Service - manual start)" - - "Hyper-V\\EnabledState: 1 (Hyper-V feature enabled)" - - "DeviceGuard\\EnableVirtualizationBasedSecurity: 1 (VBS enabled)" - - "DeviceGuard\\RequirePlatformSecurityFeatures: 1 (Secure boot required)" - - "HyperVGeneration: 2 (Generation 2 VM support)" - - "ContainerFeature: 1 (Windows container support enabled)" - - "VirtualizationExtensions: 1 (Hardware virtualization available)" - - tools: - - name: "Hyper-V Manager" - description: "Built-in Hyper-V virtual machine management interface" - - name: "Windows Features (optionalfeatures.exe)" - description: "Windows feature enablement including Hyper-V and containers" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "PowerShell Hyper-V Module" - description: "PowerShell cmdlets for Hyper-V management and analysis" - - name: "Virtual Machine Security Scanner" - description: "Tools for analyzing virtualization security configuration" - -metadata: - windows_versions: - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Windows Server 2008 (Hyper-V)" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "privilege-escalation" - - tags: - - "virtualization" - - "hyper-v" - - "containers" - - "vm-security" - - "hypervisor" - - "vbs" - - "device-guard" - - "vm-escape" - - references: - - title: "Microsoft Documentation: Hyper-V" - url: "https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/" - type: "official" - - title: "Virtualization-Based Security" - url: 
"https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs" - type: "official" - - title: "Virtual Machine Security Analysis" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM)" - persistence: "Virtualization configuration persists until feature modification" - volatility: "VM and container settings affect ongoing virtualization security posture" - - related_artifacts: - - "boot_configuration" - - "security_policy" - - "hardware_devices" - - "performance_monitoring" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/virtualization/oracle_virtual_box.yml b/artifacts/virtualization/oracle_virtual_box.yml deleted file mode 100644 index 4936532..0000000 --- a/artifacts/virtualization/oracle_virtual_box.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -title: "Oracle VirtualBox Configuration" -category: "virtualization" -description: "Oracle VirtualBox virtualization software configuration, VM management, and hypervisor settings" - -paths: - - "HKCU\\Software\\Oracle\\VirtualBox" - - "HKLM\\SOFTWARE\\Oracle\\VirtualBox" - - "HKCU\\Software\\Oracle\\VirtualBox Guest Additions" - - "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions" - -details: - what: | - Oracle VirtualBox manages free desktop virtualization including virtual machine - creation, hardware emulation, network configuration, and hypervisor management. - Registry stores VM definitions, guest operating system configurations, shared - folder settings, snapshot management, and virtualization preferences for - comprehensive open-source virtualization platform analysis and virtual environment tracking. - - forensic_value: | - Critical for investigating virtual machine usage in security research, malware - analysis, evidence isolation, and potential evasion techniques using free - virtualization software. Shows evidence of VM creation, guest OS installations, - network isolation setups, and can indicate attempts to conceal activities - through virtualized environments or use VMs for malicious testing and analysis. - - structure: | - VirtualBox configuration includes virtual machine registry data, guest additions - status, network adapter settings, shared folder configurations, and snapshot - information. VM entries track hardware allocations, ISO mounting history, and - virtual device assignments for comprehensive VirtualBox usage analysis and security assessment. 
- - examples: - - "InstallDir: C:\\Program Files\\Oracle\\VirtualBox" - - "Version: 7.0.12 (VirtualBox version)" - - "Default Machine Folder: C:\\Users\\user\\VirtualBox VMs" - - "RecentVMList: Windows_10_Test, Kali_Linux_Pen_Test" - - "HostOnlyNetworking: vboxnet0 (Host-only network interface)" - - "SharedFolders: Downloads -> C:\\Users\\user\\Downloads" - - "GuestAdditionsInstalled: 1 (Guest additions present)" - - "SnapshotFolder: C:\\VMs\\Snapshots (VM snapshot storage)" - - tools: - - name: "Oracle VirtualBox Manager" - description: "VirtualBox graphical management interface" - - name: "VBoxManage" - description: "VirtualBox command-line management utility" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "VirtualBox Guest Additions" - description: "Enhanced VM integration and shared folder management" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Oracle VirtualBox" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "virtualbox" - - "oracle" - - "virtualization" - - "virtual-machines" - - "free-hypervisor" - - "isolation" - - "security-research" - - references: - - title: "Oracle VirtualBox Documentation" - url: "https://www.virtualbox.org/wiki/Documentation" - type: "official" - - title: "VirtualBox User Manual" - url: "https://www.virtualbox.org/manual/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "VM configurations and settings persist until manual deletion or software removal" - volatility: "Virtual machine usage patterns provide evidence of virtualization activities and security research" - - related_artifacts: - - "virtualization_settings" - - "vmware_workstation" - - 
"isolation_environments" - - "malware_analysis_tools" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/virtualization/vmware.yml b/artifacts/virtualization/vmware.yml deleted file mode 100644 index e16ad52..0000000 --- a/artifacts/virtualization/vmware.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -title: "VMware Workstation and Player Configuration" -category: "virtualization" -description: "VMware virtualization software configuration, virtual machine management, and hypervisor settings" - -paths: - - "HKCU\\Software\\VMware, Inc.\\VMware Workstation" - - "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Workstation" - - "HKCU\\Software\\VMware, Inc.\\VMware Player" - - "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Player" - -details: - what: | - VMware Workstation and Player manage desktop virtualization including virtual - machine creation, hardware configuration, network settings, and hypervisor - management. Registry stores VM configurations, licensing information, performance - settings, and virtual hardware preferences for comprehensive virtualization - platform analysis and virtual environment management tracking. - - forensic_value: | - Critical for investigating virtual machine usage, potential evidence isolation, - malware analysis environments, and sophisticated attack techniques using - virtualization. Shows evidence of VM creation, configuration changes, virtual - network setups, and can indicate attempts to hide activities through virtualization - or use of isolated environments for malicious purposes. - - structure: | - VMware configuration includes virtual machine paths, hardware settings, network - configurations, licensing data, and performance preferences. VM registry entries - track virtual hardware assignments, snapshot locations, and isolation settings - for comprehensive virtualization behavior analysis and security assessment. 
- - examples: - - "InstallPath: C:\\Program Files (x86)\\VMware\\VMware Workstation" - - "VMInventory: C:\\Users\\user\\Documents\\Virtual Machines" - - "RecentVM0: C:\\VMs\\Windows_Analysis.vmx" - - "RecentVM1: C:\\VMs\\Malware_Sandbox.vmx" - - "Networking.Host-Only: vmnet1 (Host-only network adapter)" - - "VMware.Player.SharedFolders: 1 (Shared folders enabled)" - - "Hardware.MemSize: 4096 (4GB RAM allocation)" - - tools: - - name: "VMware Workstation/Player" - description: "VMware virtualization management interface" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "VMware Tools" - description: "VMware virtual machine management and analysis utilities" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "VMware Workstation" - - criticality: "medium" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - tags: - - "vmware" - - "virtualization" - - "virtual-machines" - - "hypervisor" - - "isolation" - - "malware-analysis" - - references: - - title: "VMware Workstation Documentation" - url: "https://docs.vmware.com/en/VMware-Workstation-Pro/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Virtualization settings persist until software removal or reconfiguration" - volatility: "VM configuration changes provide evidence of virtualization usage patterns" - - related_artifacts: - - "virtualization_settings" - - "isolation_environments" - - "malware_analysis_tools" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/virtualization/windows_containers.yml b/artifacts/virtualization/windows_containers.yml
deleted file mode 100644
index 7eb60ef..0000000
--- a/artifacts/virtualization/windows_containers.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -title: "Windows Containers and Container Runtime" -category: "virtualization" -description: "Docker Desktop configuration, Windows container settings, container runtime policies, and isolation modes" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Container Manager" - - "HKCU\\Software\\Docker Inc\\Docker Desktop" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\containerd" - - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers" - -details: - what: | - Windows container infrastructure encompasses Docker Desktop configuration, Windows container - runtime settings, container isolation policies, image management, networking configuration, - and security boundaries. Controls container execution environment, resource allocation, - network isolation, storage management, and container-to-host communication for modern - application deployment and microservices architecture. - - forensic_value: | - Critical for investigating containerized malware, container escape attempts, unauthorized - container deployments, and container-based data exfiltration. Shows evidence of container - usage that could hide malicious activity, reveals container configurations that may facilitate - advanced persistent threats, and indicates attempts to bypass security controls through - container isolation weaknesses or privilege escalation techniques. - - structure: | - Container configuration includes runtime policies, isolation modes (process vs. Hyper-V), - network settings, storage drivers, security contexts, and resource constraints. Docker - Desktop settings control daemon configuration, experimental features, resource allocation, - and development environment preferences. Service configuration manages container runtime - behavior and system integration. 
- - examples: - - "ContainerManager\\IsolationMode: 1 (Process isolation enabled)" - - "containerd\\Start: 3 (Container runtime service - manual startup)" - - "Docker Desktop\\Settings\\SharedDrives: C,D (Host drive mapping)" - - "Docker Desktop\\ExperimentalFeatures: true (Experimental features enabled)" - - "Containers\\Runtime: Docker (Container runtime provider)" - - "NetworkingMode: NAT (Network Address Translation mode)" - - "StorageDriver: windowsfilter (Windows container storage driver)" - - "SecurityOptions: privileged (Privileged container execution allowed)" - - tools: - - name: "Docker Desktop" - description: "Docker Desktop for Windows container management interface" - - name: "docker.exe" - description: "Docker command-line interface for container operations" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Container Security Scanner" - description: "Tools for analyzing container security configuration and vulnerabilities" - - name: "Windows Container Host Analyzer" - description: "Utilities for examining Windows container host configuration" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Server 2016" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "privilege-escalation" - - "behavioral-analysis" - - "lateral-movement" - - tags: - - "virtualization" - - "containers" - - "docker" - - "container-security" - - "isolation" - - "runtime-security" - - "container-escape" - - "microservices" - - references: - - title: "Microsoft Documentation: Windows Containers" - url: "https://docs.microsoft.com/en-us/virtualization/windowscontainers/" - type: "official" - - title: "Docker Desktop for Windows" - url: "https://docs.docker.com/desktop/windows/" - type: "official" - - title: 
"Container Security and Forensic Analysis" - url: "https://www.sans.org/white-papers/36240/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM, NTUSER.DAT)" - persistence: "Container configuration persists until service modification" - volatility: "Container settings affect ongoing application security and isolation" - - related_artifacts: - - "hyperv" - - "virtualization_security" - - "docker_runtime" - - "container_networking" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" diff --git a/artifacts/virtualization/windows_subsystem_linux.yml b/artifacts/virtualization/windows_subsystem_linux.yml deleted file mode 100644 index 112ac0d..0000000 --- a/artifacts/virtualization/windows_subsystem_linux.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -title: "Windows Subsystem for Linux (WSL) Configuration" -category: "virtualization" -description: "WSL installation settings, Linux distribution management, interoperability configuration, and development environment tracking" - -paths: - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Lxss" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss" - - "HKCU\\Software\\Microsoft\\WSL" - - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LxssManager" - -details: - what: | - Windows Subsystem for Linux enables running Linux distributions natively on Windows through - compatibility layer technology. Registry configuration includes installed distributions, - default distribution settings, user mappings, file system interoperability, network - configuration, and development environment preferences for Linux development on Windows. - - forensic_value: | - Critical for investigating Linux-based attack tools, cross-platform malware, development - environment abuse, and sophisticated attacks that leverage Linux capabilities within Windows. - Shows evidence of Linux tool usage, script execution, container operations, and potential - security bypasses through Linux environment. Essential for advanced persistent threat - investigations involving cross-platform attack techniques. - - structure: | - WSL configuration includes DefaultDistribution (default Linux distro), installed distribution - metadata, user ID mappings, interoperability settings, and file system mount configurations. - Distribution entries contain installation paths, kernel versions, default user settings, - and distribution-specific configuration for comprehensive Linux environment management. 
- - examples: - - "DefaultDistribution: Ubuntu-20.04 (Default Linux distribution)" - - "Distribution: {12345678-1234-5678-9abc-123456789abc} Ubuntu installation" - - "DefaultUid: 1000 (Default Linux user ID)" - - "DistributionName: kali-linux (Penetration testing distribution)" - - "BasePath: C:\\Users\\user\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu20.04onWindows" - - "PackageFamilyName: CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc" - - "State: 1 (Distribution installed and running)" - - "Version: 2 (WSL 2 with Linux kernel)" - - tools: - - name: "wsl.exe" - description: "Windows Subsystem for Linux command-line management tool" - - name: "Windows Features (optionalfeatures.exe)" - description: "Windows feature management including WSL enablement" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "WSL Configuration Manager" - description: "Third-party tools for WSL configuration analysis" - - name: "Linux Distribution Analyzer" - description: "Tools for analyzing installed Linux distributions and usage" - -metadata: - windows_versions: - - "Windows 10" - - "Windows 11" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows 10 Anniversary Update (2016)" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "lateral-movement" - - tags: - - "virtualization" - - "wsl" - - "linux" - - "cross-platform" - - "development" - - "attack-tools" - - "compatibility-layer" - - "linux-tools" - - references: - - title: "Microsoft Documentation: Windows Subsystem for Linux" - url: "https://docs.microsoft.com/en-us/windows/wsl/" - type: "official" - - title: "WSL Security Considerations" - url: "https://docs.microsoft.com/en-us/windows/wsl/wsl2-kernel" - type: "official" - - title: "Linux-Windows Hybrid Attack Techniques" - url: 
"https://www.sans.org/white-papers/39847/"
- type: "research"
-
- retention:
- default_location: "Registry hive files (SOFTWARE, NTUSER.DAT, SYSTEM)"
- persistence: "WSL configuration persists until distribution removal or feature disabling"
- volatility: "Linux environment settings affect cross-platform attack capabilities"
-
- related_artifacts:
- - "hyperv"
- - "windows_containers"
- - "virtualization_security"
- - "developer_tools"
-
-author:
- name: "Tonmoy Jitu"
- github: "tonmoy0010"
- x: "tonmoy0010"
-
-contribution:
- date_added: "2025-06-07"
- last_updated: "2025-06-07"
- version: "1.0"
diff --git a/scripts/validate.py b/scripts/validate.py
index 69643c8..27dd4db 100644
--- a/scripts/validate.py
+++ b/scripts/validate.py
@@ -1,242 +1,607 @@ #!/usr/bin/env python3 """ -Validate artifact YAML files against the enhanced RegSeek schema +RegSeek Validation System v2.0 +Comprehensive validation of artifact YAML files against RegSeek standards """ import yaml import sys +import re from pathlib import Path -from jsonschema import validate, ValidationError +from typing import Dict, List, Any, Tuple, Optional +from datetime import datetime -# Enhanced schema for artifact validation -ARTIFACT_SCHEMA = { - "type": "object", - "required": ["title", "category", "description", "paths", "details"], - "properties": { - "title": {"type": "string", "minLength": 5}, - "category": { - "type": "string", - "enum": [ - "execution", "network", "usb", "user-activity", "persistence", - "system", "security", "cloud", "browser", "malware", "mobile", - "virtualization", "communication" - ] - }, - "description": {"type": "string", "minLength": 10}, - "paths": { - "type": "array", - "items": {"type": "string", "pattern": "^HK(LM|CU|CR|U|CC)\\\\"}, - "minItems": 1 - }, - "details": { - "type": "object", - "required": ["what", "forensic_value", "structure", "examples", "tools"], - "properties": { - "what": {"type": "string", "minLength": 20}, - "forensic_value": {"type": "string", "minLength": 20}, - "structure": {"type": "string", "minLength": 10}, - "examples": { - "type": "array", - "items": {"type": "string"}, - "minItems": 1 - }, - "tools": { - "type": "array", - "items": { - "type": "object", - "required": ["name"], - "properties": { - "name": {"type": "string"}, - "url": {"type": "string", "format": "uri"}, - "description": {"type": "string"} - } - }, - "minItems": 1 - } - } - }, - "metadata": { - "type": "object", - "properties": { - "windows_versions": { - "type": "array", - "items": {"type": "string"} - }, - "introduced": {"type": "string"}, - "deprecated": {"type": "string"}, - "criticality": { - "type": "string", - "enum": ["high", "medium", "low"] - }, - "investigation_types": { - "type": "array", - 
"items": { - "type": "string", - "enum": [ - "malware-analysis", "data-exfiltration", "insider-threat", - "incident-response", "timeline-analysis", "privilege-escalation", - "lateral-movement", "persistence-analysis", "behavioral-analysis" - ] - } - }, - "tags": { - "type": "array", - "items": {"type": "string"} - }, - "references": { - "type": "array", - "items": { - "type": "object", - "required": ["title"], - "properties": { - "title": {"type": "string"}, - "url": {"type": "string", "format": "uri"}, - "type": { - "type": "string", - "enum": ["official", "research", "blog", "tool"] - } - } - } - }, - "retention": { - "type": "object", - "properties": { - "default_location": {"type": "string"}, - "persistence": {"type": "string"}, - "volatility": {"type": "string"} - } - }, - "related_artifacts": { - "type": "array", - "items": {"type": "string"} - } - } - }, - "author": { - "type": "object", - "properties": { - "name": {"type": "string"}, - "github": {"type": "string"}, - "x": {"type": "string"}, - "email": {"type": "string", "format": "email"}, - "organization": {"type": "string"} - } - }, - "contribution": { - "type": "object", - "properties": { - "date_added": {"type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}$"}, - "last_updated": {"type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}$"}, - "version": {"type": "string"}, - "reviewed_by": {"type": "string"} - } +# Configuration Constants +VALID_CATEGORIES = [ + "program-execution", "browser-activity", "file-operations", "user-behaviour", + "external-storage", "persistence-methods", "system-modifications", "network-infrastructure", + "remote-access", "security-monitoring", "communication-apps", "virtualization", "authentication" +] + +PRIORITY_CATEGORIES = [ + "program-execution", "browser-activity", "file-operations", "user-behaviour", + "persistence-methods", "system-modifications", "network-infrastructure", "security-monitoring" +] + +VALID_INVESTIGATION_TYPES = [ + # Investigation Phases + 
"incident-response", "malware-analysis", "timeline-analysis", "behavioral-analysis", "insider-threat", + # Attack Techniques + "initial-access", "program-execution", "persistence-analysis", "privilege-escalation", + "credential-theft", "lateral-movement", "remote-access", "data-exfiltration", "anti-forensics" +] + +VALID_CRITICALITY_LEVELS = ["high", "medium", "low"] + +VALID_REGISTRY_PREFIXES = ["HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\"] + +VALID_REFERENCE_TYPES = ["official", "research", "blog", "tool"] + +# Validation Rules +MIN_TITLE_LENGTH = 5 +MIN_DESCRIPTION_LENGTH = 10 +MIN_DETAILED_FIELD_LENGTH = 20 +DATE_PATTERN = re.compile(r'^\d{4}-\d{2}-\d{2}$') +EMAIL_PATTERN = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$') +URL_PATTERN = re.compile(r'^https?://[^\s<>"{}|\\^`\[\]]+$') + +class ValidationResult: + """Store validation results""" + def __init__(self, file_path: str): + self.file_path = file_path + self.is_valid = True + self.errors = [] + self.warnings = [] + self.recommendations = [] + + def add_error(self, message: str): + """Add validation error""" + self.errors.append(message) + self.is_valid = False + + def add_warning(self, message: str): + """Add validation warning""" + self.warnings.append(message) + + def add_recommendation(self, message: str): + """Add recommendation for improvement""" + self.recommendations.append(message) + +class ArtifactValidator: + """Comprehensive artifact validator""" + + def __init__(self): + self.results = [] + + def validate_required_fields(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate required top-level fields""" + required_fields = { + 'title': str, + 'category': str, + 'description': str, + 'paths': (list, str) # Can be list or string } - } -} + + for field, expected_type in required_fields.items(): + if field not in artifact: + result.add_error(f"Missing required field: '{field}'") + continue + + value = artifact[field] + if not isinstance(value, expected_type): + 
result.add_error(f"Field '{field}' must be {expected_type.__name__}, got {type(value).__name__}") + continue + + # String length validation + if isinstance(value, str): + if field == 'title' and len(value) < MIN_TITLE_LENGTH: + result.add_error(f"Title must be at least {MIN_TITLE_LENGTH} characters, got {len(value)}") + elif field == 'description' and len(value) < MIN_DESCRIPTION_LENGTH: + result.add_error(f"Description must be at least {MIN_DESCRIPTION_LENGTH} characters, got {len(value)}") + elif not value.strip(): + result.add_error(f"Field '{field}' cannot be empty") + + def validate_category(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate category field""" + category = artifact.get('category') + if not category: + return + + if category not in VALID_CATEGORIES: + result.add_error(f"Invalid category '{category}'. Must be one of: {', '.join(VALID_CATEGORIES)}") + return + + # Check if it's a priority category + if category in PRIORITY_CATEGORIES: + result.add_recommendation(f"Category '{category}' is a priority category (appears in quick filters)") + + def validate_paths(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate registry paths""" + paths = artifact.get('paths') + if not paths: + return + + # Convert single path to list + if isinstance(paths, str): + paths = [paths] + + if not isinstance(paths, list) or len(paths) == 0: + result.add_error("Paths must be a non-empty list or string") + return + + valid_hives = set() + for i, path in enumerate(paths): + if not isinstance(path, str): + result.add_error(f"Path {i+1} must be a string, got {type(path).__name__}") + continue + + if not path.strip(): + result.add_error(f"Path {i+1} cannot be empty") + continue + + # Check registry path format + path_valid = False + for prefix in VALID_REGISTRY_PREFIXES: + if path.startswith(prefix): + path_valid = True + valid_hives.add(prefix.rstrip('\\')) + break + + if not path_valid: + result.add_warning(f"Path may not be valid 
registry path: '{path}'") + result.add_recommendation(f"Registry paths should start with: {', '.join(VALID_REGISTRY_PREFIXES)}") + + # Add recommendation about hive diversity + if len(valid_hives) > 1: + result.add_recommendation(f"Artifact spans multiple registry hives: {', '.join(sorted(valid_hives))}") + + def validate_details_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate details section (recommended)""" + details = artifact.get('details', {}) + + if not details: + result.add_warning("Missing 'details' section (recommended)") + return + + # Check for detailed explanations + detail_fields = { + 'what': 'explanation of what Windows stores', + 'forensic_value': 'forensic significance explanation', + 'structure': 'data format and structure description' + } + + for field, description in detail_fields.items(): + value = details.get(field) + if not value: + result.add_warning(f"Missing details.{field} ({description})") + elif isinstance(value, str) and len(value.strip()) < MIN_DETAILED_FIELD_LENGTH: + result.add_warning(f"details.{field} should be more detailed (at least {MIN_DETAILED_FIELD_LENGTH} characters)") + + # Check examples + examples = details.get('examples') + if not examples: + result.add_warning("Missing details.examples (recommended)") + elif isinstance(examples, list) and len(examples) == 0: + result.add_warning("Examples list is empty") + elif not isinstance(examples, list): + result.add_warning("Examples should be a list of strings") + + # Check tools + tools = details.get('tools') + if not tools: + result.add_warning("Missing details.tools (recommended)") + elif isinstance(tools, list): + self.validate_tools(tools, result) + else: + result.add_warning("Tools should be a list") + + def validate_tools(self, tools: List[Any], result: ValidationResult): + """Validate tools list""" + if len(tools) == 0: + result.add_warning("Tools list is empty") + return + + for i, tool in enumerate(tools): + if not isinstance(tool, 
dict): + result.add_warning(f"Tool {i+1} should be an object with 'name' field") + continue + + if 'name' not in tool: + result.add_error(f"Tool {i+1} missing required 'name' field") + continue + + name = tool['name'] + if not isinstance(name, str) or not name.strip(): + result.add_error(f"Tool {i+1} name must be a non-empty string") + continue + + # Check for URL (recommended) + if 'url' not in tool: + result.add_recommendation(f"Tool '{name}' missing URL (recommended)") + else: + url = tool['url'] + if not isinstance(url, str) or not URL_PATTERN.match(url): + result.add_warning(f"Tool '{name}' has invalid URL format") + + def validate_metadata_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate metadata section""" + metadata = artifact.get('metadata', {}) + + if not metadata: + result.add_warning("Missing 'metadata' section (recommended)") + return + + # Criticality validation + criticality = metadata.get('criticality') + if not criticality: + result.add_recommendation("Missing metadata.criticality (recommended)") + elif criticality not in VALID_CRITICALITY_LEVELS: + result.add_error(f"Invalid criticality '{criticality}'. 
Must be one of: {', '.join(VALID_CRITICALITY_LEVELS)}") + + # Investigation types validation + inv_types = metadata.get('investigation_types', []) + if not inv_types: + result.add_recommendation("Missing metadata.investigation_types (recommended)") + elif isinstance(inv_types, list): + invalid_types = [t for t in inv_types if t not in VALID_INVESTIGATION_TYPES] + if invalid_types: + result.add_error(f"Invalid investigation types: {', '.join(invalid_types)}") + result.add_error(f"Valid types: {', '.join(VALID_INVESTIGATION_TYPES)}") + else: + result.add_error("investigation_types must be a list") + + # Windows versions + win_versions = metadata.get('windows_versions') + if not win_versions: + result.add_recommendation("Missing metadata.windows_versions (recommended)") + elif not isinstance(win_versions, list): + result.add_warning("windows_versions should be a list") + + # References validation + references = metadata.get('references', []) + if isinstance(references, list): + self.validate_references(references, result) + + # Date fields validation + date_fields = ['introduced', 'deprecated'] + for field in date_fields: + date_value = metadata.get(field) + if date_value and not DATE_PATTERN.match(str(date_value)): + result.add_warning(f"metadata.{field} should be in YYYY-MM-DD format") + + def validate_references(self, references: List[Any], result: ValidationResult): + """Validate references list""" + for i, ref in enumerate(references): + if not isinstance(ref, dict): + result.add_warning(f"Reference {i+1} should be an object") + continue + + if 'title' not in ref: + result.add_error(f"Reference {i+1} missing required 'title' field") + continue + + # Check URL format + if 'url' in ref: + url = ref['url'] + if not isinstance(url, str) or not URL_PATTERN.match(url): + result.add_warning(f"Reference {i+1} has invalid URL format") + + # Check reference type + ref_type = ref.get('type') + if ref_type and ref_type not in VALID_REFERENCE_TYPES: + 
result.add_warning(f"Reference {i+1} invalid type '{ref_type}'. Valid types: {', '.join(VALID_REFERENCE_TYPES)}") + + def validate_author_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate author section""" + author = artifact.get('author') + + if not author: + result.add_recommendation("Missing 'author' section (recommended for attribution)") + return + + if not isinstance(author, dict): + result.add_warning("Author should be an object with name, contact info") + return + + if 'name' not in author: + result.add_warning("Author missing 'name' field") + elif not isinstance(author['name'], str) or not author['name'].strip(): + result.add_warning("Author name should be a non-empty string") + + # Email validation + email = author.get('email') + if email and not EMAIL_PATTERN.match(email): + result.add_warning("Author email format appears invalid") + + def validate_contribution_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate contribution section""" + contribution = artifact.get('contribution') + + if not contribution: + result.add_recommendation("Missing 'contribution' section (recommended for tracking)") + return + + if not isinstance(contribution, dict): + result.add_warning("Contribution should be an object") + return + + # Date validation + date_fields = ['date_added', 'last_updated'] + for field in date_fields: + date_value = contribution.get(field) + if date_value and not DATE_PATTERN.match(str(date_value)): + result.add_warning(f"contribution.{field} should be in YYYY-MM-DD format") + + def validate_anti_checklist_methodology(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate anti-checklist methodology sections (CRITICAL)""" + # Limitations section + limitations = artifact.get('limitations') + if not limitations: + result.add_error("CRITICAL: Missing 'limitations' section (anti-checklist methodology)") + result.add_error("Must specify what this artifact CANNOT determine or 
prove") + elif isinstance(limitations, list): + if len(limitations) == 0: + result.add_warning("Limitations list is empty") + else: + result.add_recommendation(f"Good: {len(limitations)} limitation(s) specified") + else: + result.add_warning("Limitations should be a list of strings") + + # Correlation section + correlation = artifact.get('correlation') + if not correlation: + result.add_error("CRITICAL: Missing 'correlation' section (anti-checklist methodology)") + result.add_error("Must specify required evidence for definitive conclusions") + elif isinstance(correlation, dict): + required = correlation.get('required_for_definitive_conclusions') + strengthens = correlation.get('strengthens_evidence') + + if not required and not strengthens: + result.add_warning("Correlation section empty - should specify required evidence") + else: + result.add_recommendation("Good: Correlation requirements specified") + else: + result.add_warning("Correlation should be an object with required/strengthens fields") + + def validate_file(self, file_path: Path) -> ValidationResult: + """Validate a single artifact file""" + result = ValidationResult(str(file_path)) + + try: + # Load YAML + with open(file_path, 'r', encoding='utf-8') as f: + artifact = yaml.safe_load(f) + + if not artifact: + result.add_error("File is empty or contains invalid YAML") + return result + + if not isinstance(artifact, dict): + result.add_error("Root element must be a YAML object/dictionary") + return result + + # Run all validations + self.validate_required_fields(artifact, result) + self.validate_category(artifact, result) + self.validate_paths(artifact, result) + self.validate_details_section(artifact, result) + self.validate_metadata_section(artifact, result) + self.validate_author_section(artifact, result) + self.validate_contribution_section(artifact, result) + self.validate_anti_checklist_methodology(artifact, result) + + except yaml.YAMLError as e: + result.add_error(f"YAML parsing error: {e}") + 
except Exception as e: + result.add_error(f"Unexpected error: {e}") + + return result + + def validate_directory(self, artifacts_dir: Path = None) -> List[ValidationResult]: + """Validate all artifacts in directory""" + if artifacts_dir is None: + artifacts_dir = Path("artifacts") + + if not artifacts_dir.exists(): + result = ValidationResult(str(artifacts_dir)) + result.add_error("Artifacts directory not found") + return [result] + + results = [] + + for category_dir in artifacts_dir.iterdir(): + if not category_dir.is_dir() or category_dir.name.startswith('_'): + continue + + for artifact_file in category_dir.glob("*.yml"): + if artifact_file.name.startswith('_'): + continue + + result = self.validate_file(artifact_file) + results.append(result) + + return results -def validate_artifact(file_path): - """Validate a single artifact file""" - try: - with open(file_path, 'r', encoding='utf-8') as f: - artifact = yaml.safe_load(f) - - # Basic structure validation - validate(instance=artifact, schema=ARTIFACT_SCHEMA) - - # Additional custom validations - validation_warnings = [] - - # Check if paths look like valid registry paths - for path in artifact.get('paths', []): - if not any(path.startswith(hive) for hive in ['HKLM\\', 'HKCU\\', 'HKCR\\', 'HKU\\', 'HKCC\\']): - validation_warnings.append(f"Path may not be valid registry path: {path}") - - # Check if tools have URLs (recommended) - tools = artifact.get('details', {}).get('tools', []) - tools_without_urls = 0 - for tool in tools: - if isinstance(tool, dict) and 'name' in tool and 'url' not in tool: - tools_without_urls += 1 - - if tools_without_urls > 0: - validation_warnings.append(f"{tools_without_urls} tool(s) missing URL (recommended)") - - # Check for criticality level (recommended) - if 'metadata' in artifact and 'criticality' not in artifact['metadata']: - validation_warnings.append("Criticality level not specified (recommended)") - - # Check for investigation types - if 'metadata' in artifact and 
'investigation_types' not in artifact['metadata']: - validation_warnings.append("Investigation types not specified (recommended)") - - # Print results - if validation_warnings: - print(f"✓ {file_path} is valid but has recommendations:") - for warning in validation_warnings: - print(f" - {warning}") +def print_validation_summary(results: List[ValidationResult]): + """Print comprehensive validation summary""" + total_files = len(results) + valid_files = sum(1 for r in results if r.is_valid) + invalid_files = total_files - valid_files + total_errors = sum(len(r.errors) for r in results) + total_warnings = sum(len(r.warnings) for r in results) + total_recommendations = sum(len(r.recommendations) for r in results) + + print("\n" + "=" * 70) + print(" VALIDATION SUMMARY") + print("=" * 70) + + # Overall stats + print(f" STATISTICS:") + print(f" Files validated: {total_files}") + print(f" Valid: {valid_files}") + print(f" Invalid: {invalid_files}") + print(f" Total errors: {total_errors}") + print(f" Total warnings: {total_warnings}") + print(f" Total recommendations: {total_recommendations}") + + if total_files > 0: + success_rate = round((valid_files / total_files) * 100, 1) + print(f" Success rate: {success_rate}%") + + # Categories + categories = {} + for result in results: + if result.is_valid: + # Extract category from path + path_parts = Path(result.file_path).parts + if len(path_parts) >= 2: + category = path_parts[-2] # Parent directory name + categories[category] = categories.get(category, 0) + 1 + + if categories: + print(f"\n VALID ARTIFACTS BY CATEGORY:") + for category, count in sorted(categories.items()): + priority_marker = "⭐" if category in PRIORITY_CATEGORIES else " " + print(f" {priority_marker} {category}: {count}") + + # Critical issues (anti-checklist methodology) + critical_issues = [] + for result in results: + for error in result.errors: + if "CRITICAL" in error: + critical_issues.append(f"{Path(result.file_path).name}: {error}") + + if 
critical_issues: + print(f"\n CRITICAL ISSUES (Anti-Checklist Methodology):") + for issue in critical_issues[:10]: # Show first 10 + print(f" • {issue}") + if len(critical_issues) > 10: + print(f" ... and {len(critical_issues) - 10} more critical issues") + + # Most common warnings + warning_counts = {} + for result in results: + for warning in result.warnings: + # Extract warning type + warning_type = warning.split('(')[0].strip() + warning_counts[warning_type] = warning_counts.get(warning_type, 0) + 1 + + if warning_counts: + print(f"\n COMMON WARNINGS:") + sorted_warnings = sorted(warning_counts.items(), key=lambda x: x[1], reverse=True) + for warning_type, count in sorted_warnings[:5]: + print(f" • {warning_type}: {count} files") + +def print_file_results(results: List[ValidationResult], show_all: bool = False): + """Print individual file validation results""" + if not results: + return + + print("\n" + "=" * 70) + print(" FILE VALIDATION RESULTS") + print("=" * 70) + + # Group by status + valid_results = [r for r in results if r.is_valid] + invalid_results = [r for r in results if not r.is_valid] + + # Show invalid files first + if invalid_results: + print(f"\n INVALID FILES ({len(invalid_results)}):") + for result in invalid_results: + file_name = Path(result.file_path).name + print(f"\n {file_name}") + + for error in result.errors: + print(f" {error}") + + if result.warnings: + for warning in result.warnings[:3]: # Limit warnings for invalid files + print(f" {warning}") + if len(result.warnings) > 3: + print(f" ... 
and {len(result.warnings) - 3} more warnings") + + # Show valid files (summary or detailed) + if valid_results: + if show_all: + print(f"\n VALID FILES ({len(valid_results)}):") + for result in valid_results: + file_name = Path(result.file_path).name + issue_count = len(result.warnings) + len(result.recommendations) + + if issue_count == 0: + print(f" {file_name} - Perfect!") + else: + print(f" {file_name} - {len(result.warnings)} warnings, {len(result.recommendations)} recommendations") + + for warning in result.warnings: + print(f" {warning}") + + for rec in result.recommendations: + print(f" {rec}") else: - print(f"✓ {file_path} is valid and complete") - - return True - - except ValidationError as e: - print(f"✗ {file_path} validation failed:") - print(f" {e.message}") - if hasattr(e, 'absolute_path') and e.absolute_path: - print(f" Path: {' -> '.join(str(x) for x in e.absolute_path)}") - return False - except Exception as e: - print(f"✗ {file_path} error: {e}") - return False + print(f"\n VALID FILES: {len(valid_results)} files passed validation") + perfect_files = [r for r in valid_results if len(r.warnings) == 0 and len(r.recommendations) == 0] + if perfect_files: + print(f" {len(perfect_files)} files are perfect (no warnings or recommendations)") def main(): - print(" RegSeek Artifact Validator") - print("=" * 40) + """Main validation function""" + print(" RegSeek Validation System v2.0") + print("=" * 70) + + # Parse command line arguments + show_detailed = '--detailed' in sys.argv or '-d' in sys.argv + file_path = None + + # Check for specific file argument + for arg in sys.argv[1:]: + if not arg.startswith('-') and arg.endswith('.yml'): + file_path = Path(arg) + break - if len(sys.argv) > 1: - # Validate specific file - file_path = Path(sys.argv[1]) + # Initialize validator + validator = ArtifactValidator() + + if file_path: + # Validate single file if not file_path.exists(): print(f" File not found: {file_path}") - sys.exit(1) + return 1 - 
print(f"Validating: {file_path}") - if not validate_artifact(file_path): - sys.exit(1) + print(f" Validating: {file_path}") + result = validator.validate_file(file_path) + results = [result] + show_detailed = True # Always show details for single file else: - # Validate all artifacts - artifacts_dir = Path("artifacts") - if not artifacts_dir.exists(): - print(f" Artifacts directory not found: {artifacts_dir}") - sys.exit(1) - - failed = [] - validated = [] - - for artifact_file in artifacts_dir.rglob("*.yml"): - if artifact_file.name.startswith('_'): - print(f" Skipping template: {artifact_file}") - continue - - validated.append(artifact_file) - if not validate_artifact(artifact_file): - failed.append(artifact_file) - - # Summary - print("\n" + "=" * 40) - print(" Validation Summary:") - print("=" * 40) - print(f"Files validated: {len(validated)}") - print(f" Passed: {len(validated) - len(failed)}") - print(f" Failed: {len(failed)}") - - if failed: - print(f"\n {len(failed)} artifacts failed validation:") - for f in failed: - print(f" - {f}") - sys.exit(1) + # Validate all files + print(" Validating all artifacts...") + results = validator.validate_directory() + + # Print results + print_file_results(results, show_detailed) + print_validation_summary(results) + + # Final status + invalid_count = sum(1 for r in results if not r.is_valid) + critical_count = sum(1 for r in results for e in r.errors if "CRITICAL" in e) + + print("\n" + "=" * 70) + if invalid_count == 0: + if critical_count == 0: + print("🎉 All artifacts are valid and follow anti-checklist methodology!") + print(" Ready for build and deployment") + return 0 else: - print(f"\n🎉 All {len(validated)} artifacts are valid!") + print(f" {critical_count} critical methodology issues found") + print("🔧 Please address anti-checklist methodology requirements") + return 1 + else: + print(f" {invalid_count} artifacts failed validation") + if critical_count > 0: + print(f" Including {critical_count} critical 
methodology issues") + print(" Please fix errors before building") + return 1 if __name__ == "__main__": - main() + exit(main()) diff --git a/site/css/styles.css b/site/css/styles.css index 63837b6..d80e5ca 100644 --- a/site/css/styles.css +++ b/site/css/styles.css @@ -69,6 +69,54 @@ header { margin: 0 auto; } +/* Header Logo Link Styling */ +.logo-link { + text-decoration: none; + display: inline-block; + transition: transform 0.2s ease; +} + +.logo-link:hover { + transform: translateY(-2px); +} + +.logo-link .logo { + margin-bottom: 8px; + transition: all 0.2s ease; +} + +.logo-link:hover .logo { + background: linear-gradient(135deg, var(--accent-hover), #60a5fa); + -webkit-background-clip: text; + -webkit-text-fill-color: transparent; + background-clip: text; +} + +/* Project Info Styling */ +.project-info { + color: var(--text-muted); + font-size: 0.9rem; + font-weight: 400; + max-width: 900px; + margin: 16px auto 0 auto; + line-height: 1.5; + white-space: nowrap; + overflow: hidden; +} +.contribute-link { + color: var(--accent); + text-decoration: none; + font-weight: 500; + transition: all 0.2s ease; + border-bottom: 1px solid transparent; +} + +.contribute-link:hover { + color: var(--accent-hover); + border-bottom-color: var(--accent-hover); + text-decoration: none; +} + /* Search Container */ .search-container { margin: 48px 0 32px 0; @@ -123,7 +171,7 @@ header { /* Advanced Search Panel */ .advanced-search-panel { - max-width: 800px; + max-width: 1000px; /* Increased from 800px */ margin: 0 auto 32px auto; background: var(--bg-card); border: 1px solid var(--border); 
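Review bot: In validate_required_fields the entry `'paths': (list, str)` is a tuple, so the mismatch branch `result.add_error(f"Field '{field}' must be {expected_type.__name__}, got {type(value).__name__}")` raises AttributeError whenever `paths` is neither a list nor a string (a mapping, say); validate_file's `except Exception` then records "Unexpected error: 'tuple' object has no attribute '__name__'" and every later check for that file — category, paths, metadata and the CRITICAL anti-checklist ones — is skipped. Normalise the accepted types before formatting, e.g. `allowed = expected_type if isinstance(expected_type, tuple) else (expected_type,)` and `result.add_error(f"Field '{field}' must be {' or '.join(t.__name__ for t in allowed)}, got {type(value).__name__}")`. Separately, the removed jsonschema `pattern` made a path without an `HK*\` prefix a hard failure, whereas validate_paths now only calls add_warning, so an artifact with a malformed registry path now exits 0 and reaches the build; consider keeping that an error, or gating it behind a `--strict` flag. Lastly, `exit(main())` at the bottom depends on the site module's helper; `sys` is already imported, so `sys.exit(main())` is the portable form.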
@@ -153,15 +201,16 @@ header { .filter-grid { display: grid; - grid-template-columns: repeat(auto-fit, minmax(250px, 1fr)); - gap: 20px; + grid-template-columns: repeat(auto-fit, minmax(300px, 1fr)); /* Increased from 250px */ + gap: 24px; margin-bottom: 24px; } +/* More comfortable filter group spacing */ .filter-group { display: flex; flex-direction: column; - gap: 8px; + gap: 10px; } .filter-group label { @@ -172,14 +221,16 @@ header { letter-spacing: 0.05em; } +/* More spacious select boxes */ .filter-group select { - padding: 12px 16px; + padding: 14px 18px; /* Increased from 12px 16px */ background: var(--bg-secondary); border: 1px solid var(--border); border-radius: 8px; color: var(--text-primary); font-size: 0.9375rem; transition: all 0.2s; + min-height: 48px; /* Ensure consistent height */ } .filter-group select:focus { @@ -465,7 +516,7 @@ header { font-weight: bold; } -/* Modal */ +/* Enhanced Modal */ .modal { display: none; position: fixed; 
@@ -476,40 +527,145 @@ header { background: rgba(0, 0, 0, 0.8); backdrop-filter: blur(4px); z-index: 1000; - overflow-y: auto; + overflow: hidden; } -.modal-content { - max-width: 900px; - margin: 48px auto; +.enhanced-modal { + width: 95%; + max-width: 1200px; + height: 90vh; + margin: 5vh auto; background: var(--bg-card); border: 1px solid var(--border); border-radius: 16px; + overflow: hidden; + display: flex; + box-shadow: 0 20px 40px rgba(0, 0, 0, 0.5); position: relative; - max-height: 90vh; +} + +/* Close button */ +.close-modal { + position: absolute; + top: 24px; + right: 24px; + font-size: 1.5rem; + cursor: pointer; + color: var(--text-muted); + background: var(--bg-secondary); + width: 40px; + height: 40px; + border-radius: 8px; + display: flex; + align-items: center; + justify-content: center; + transition: all 0.2s; + z-index: 10; +} + +.close-modal:hover { + color: var(--text-primary); + background: var(--bg-hover); +} + +/* Sidebar Navigation */ +.modal-sidebar { + width: 280px; + background: var(--bg-secondary); + border-right: 1px solid var(--border); + padding: 24px 0; overflow-y: auto; + flex-shrink: 0; +} + +.sidebar-section { + margin-bottom: 24px; +} + +.sidebar-title { + font-size: 0.875rem; + font-weight: 600; + color: var(--text-muted); + text-transform: uppercase; + letter-spacing: 0.05em; + padding: 0 24px; + margin-bottom: 12px; +} + +.nav-item { + display: flex; + align-items: center; + padding: 10px 24px; + color: var(--text-secondary); + cursor: pointer; + transition: all 0.2s; + border-left: 3px solid transparent; + font-size: 0.9375rem; +} + +.nav-item:hover { + background: var(--bg-hover); + color: var(--text-primary); +} + +.nav-item.active { + background: rgba(59, 130, 246, 0.1); + color: var(--accent); + border-left-color: var(--accent); +} + +.nav-icon { + width: 16px; + height: 16px; + margin-right: 12px; + opacity: 0.7; +} + +.nav-badge { + margin-left: auto; + font-size: 0.75rem; + background: var(--error); + color: white; + 
padding: 2px 6px; + border-radius: 10px; + font-weight: 500; +} + +.nav-badge.warning { + background: var(--warning); +} + +/* Main Content Area */ +.modal-main { + flex: 1; + display: flex; + flex-direction: column; + overflow: hidden; } -.modal-header { - padding: 32px 32px 24px; +/* Header */ +.modal-header-enhanced { + padding: 32px 40px 32px 32px; border-bottom: 1px solid var(--border); + background: linear-gradient(135deg, var(--bg-secondary), #1a1a2e); } -.modal-title { +.artifact-title { font-size: 1.875rem; font-weight: 700; margin-bottom: 12px; line-height: 1.2; } -.modal-badges { +.artifact-badges { display: flex; gap: 8px; flex-wrap: wrap; + margin-bottom: 16px; } -.modal-category, .modal-criticality { - font-size: 0.875rem; +.badge { + font-size: 0.75rem; font-weight: 500; text-transform: uppercase; letter-spacing: 0.05em; 
@@ -517,153 +673,266 @@ header { border-radius: 6px; } -.modal-category { +.badge-category { color: var(--accent); background: rgba(59, 130, 246, 0.1); + border: 1px solid rgba(59, 130, 246, 0.3); } -.modal-body { - padding: 32px; +.badge-criticality { + color: var(--error); + background: rgba(239, 68, 68, 0.1); + border: 1px solid rgba(239, 68, 68, 0.3); } -.close-modal { - position: absolute; - top: 24px; - right: 24px; - font-size: 1.5rem; - cursor: pointer; - color: var(--text-muted); - background: var(--bg-secondary); - width: 40px; - height: 40px; +.artifact-paths { + font-family: 'SF Mono', Monaco, 'Cascadia Code', monospace; + font-size: 0.875rem; + color: var(--text-secondary); + background: var(--bg-primary); + padding: 16px; border-radius: 8px; + border: 1px solid var(--border); +} + +/* Content Area */ +.modal-content-area { + flex: 1; + overflow-y: auto; + padding: 32px; +} + +/* Content Sections */ +.content-section { + display: none; + animation: fadeIn 0.3s ease; +} + +.content-section.active { + display: block; +} + +@keyframes fadeIn { + from { opacity: 0; transform: translateY(10px); } + to { opacity: 1; transform: translateY(0); } +} + +.section-header { display: flex; align-items: center; - justify-content: center; - transition: all 0.2s; + margin-bottom: 24px; } -.close-modal:hover { +.section-icon { + width: 24px; + height: 24px; + margin-right: 12px; + font-size: 1.5rem; +} + +.section-title { + font-size: 1.5rem; + font-weight: 600; color: var(--text-primary); - background: var(--bg-hover); } -.detail-section { +/* Critical Warning Section */ +.limitations-section { + background: rgba(239, 68, 68, 0.1); + border: 1px solid rgba(239, 68, 68, 0.3); + border-radius: 12px; + padding: 24px; margin-bottom: 32px; } -.detail-section:last-child { +.limitations-header { + display: flex; + align-items: center; + margin-bottom: 16px; +} + +.warning-icon { + width: 20px; + height: 20px; + margin-right: 8px; + font-size: 1.25rem; +} + +.limitations-title 
{ + font-size: 1.125rem; + font-weight: 600; + color: var(--error); +} + +.limitations-list { + list-style: none; + margin: 0; + padding: 0; +} + +.limitations-list li { + padding: 8px 0; + padding-left: 24px; + position: relative; + color: var(--text-secondary); + line-height: 1.6; +} + +.limitations-list li::before { + content: "⚠"; + position: absolute; + left: 0; + color: var(--error); + font-weight: bold; +} + +/* Correlation Section */ +.correlation-section { + background: rgba(245, 158, 11, 0.1); + border: 1px solid rgba(245, 158, 11, 0.3); + border-radius: 12px; + padding: 24px; + margin-bottom: 32px; +} + +.correlation-header { + display: flex; + align-items: center; + margin-bottom: 16px; +} + +.correlation-title { + font-size: 1.125rem; + font-weight: 600; + color: var(--warning); +} + +.correlation-subsection { + margin-bottom: 20px; +} + +.correlation-subsection:last-child { margin-bottom: 0; } -.detail-section h3 { +.correlation-subtitle { + font-size: 1rem; + font-weight: 600; + color: var(--text-primary); + margin-bottom: 8px; +} + +.correlation-list { + list-style: none; + margin: 0; + padding: 0; +} + +.correlation-list li { + padding: 6px 0; + padding-left: 20px; + position: relative; + color: var(--text-secondary); +} + +.correlation-list li::before { + content: "→"; + position: absolute; + left: 0; + color: var(--warning); + font-weight: bold; +} + +/* Enhanced Info Cards */ +.info-card { + background: var(--bg-secondary); + border: 1px solid var(--border); + border-radius: 12px; + padding: 24px; + margin-bottom: 24px; +} + +.info-card h3 { font-size: 1.125rem; font-weight: 600; - margin-bottom: 12px; + margin-bottom: 16px; color: var(--text-primary); } -.detail-section p, .detail-section li { +.info-card p { color: var(--text-secondary); line-height: 1.7; + margin-bottom: 12px; } -.code-block { +.info-card p:last-child { + margin-bottom: 0; +} + +/* Tool Grid */ +.tools-grid { + display: grid; + grid-template-columns: repeat(auto-fit, 
minmax(300px, 1fr)); + gap: 16px; + margin-top: 16px; +} + +.tool-card { background: var(--bg-primary); border: 1px solid var(--border); - padding: 16px; border-radius: 8px; - font-family: 'SF Mono', Monaco, 'Cascadia Code', 'Roboto Mono', monospace; + padding: 16px; + transition: all 0.2s; +} + +.tool-card:hover { + border-color: var(--accent); + background: var(--bg-hover); +} + +.tool-name { + font-weight: 600; + color: var(--accent); + margin-bottom: 4px; +} + +.tool-description { font-size: 0.875rem; - margin: 12px 0; color: var(--text-secondary); } -.example-list { - list-style: none; - margin: 12px 0; +/* Examples */ +.examples-grid { + display: grid; + gap: 12px; + margin-top: 16px; } -.example-list li { - padding: 12px 16px; +.example-item { background: var(--bg-primary); border: 1px solid var(--border); border-radius: 8px; - margin-bottom: 8px; - font-family: 'SF Mono', Monaco, 'Cascadia Code', 'Roboto Mono', monospace; + padding: 16px; + font-family: 'SF Mono', Monaco, 'Cascadia Code', monospace; font-size: 0.875rem; color: var(--text-secondary); } -.example-list li:last-child { - margin-bottom: 0; -} - -.tool-links { +/* Tags */ +.tag-grid { display: flex; flex-wrap: wrap; gap: 8px; - margin-top: 8px; + margin-top: 16px; } -.tool-link { - display: inline-block; +.tag { + font-size: 0.75rem; + color: var(--text-muted); + background: rgba(255, 255, 255, 0.05); padding: 6px 12px; - background: var(--bg-secondary); - border: 1px solid var(--border); border-radius: 6px; - color: var(--accent); - text-decoration: none; - font-size: 0.875rem; - transition: all 0.2s; -} - -.tool-link:hover { - background: var(--bg-hover); - border-color: var(--accent); - transform: translateY(-1px); -} - -/* Responsive */ -@media (max-width: 768px) { - .container { - padding: 0 16px; - } - - .registry-grid { - grid-template-columns: 1fr; - } - - .search-wrapper { - flex-direction: column; - } - - .filter-grid { - grid-template-columns: 1fr; - } - - .quick-filter-buttons { - 
justify-content: center; - } - - .stats-bar { - grid-template-columns: repeat(2, 1fr); - } - - .sort-options { - justify-content: center; - } - - .modal-content { - margin: 0; - border-radius: 0; - height: 100vh; - max-height: 100vh; - } - - .advanced-search-actions { - flex-direction: column; - } + border: 1px solid var(--border-light); } /* Loading and Empty States */ 
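Review bot: The removed `@media (max-width: 768px)` block dropped the `.modal-content` mobile rules (no margin, full height) without an equivalent for `.enhanced-modal`, and nothing in this hunk or the following one collapses `.modal-sidebar`, whose fixed `width: 280px` with `flex-shrink: 0` will consume most of a narrow viewport and squeeze `.modal-main`; a replacement breakpoint that stacks the sidebar above the content restores what the deleted rules provided. The `fadeIn` animation on `.content-section` runs unconditionally; wrapping the `animation` declaration in `@media (prefers-reduced-motion: no-preference)` is the usual courtesy. `.tag` references `var(--border-light)`, which must be declared in `:root` outside these hunks. The `.limitations-list li::before { content: "⚠"; … }` rule added here is overridden later in the same file by the `@@ -701,3 +970,196 @@` hunk, so one of the two should go.
```css
/* … unchanged: .tag rule … */

@media (max-width: 768px) {
  .enhanced-modal {
    width: 100%;
    height: 100vh;
    margin: 0;
    border-radius: 0;
    flex-direction: column;
  }

  .modal-sidebar {
    width: 100%;
    border-right: 0;
    border-bottom: 1px solid var(--border);
  }
}
```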
@@ -701,3 +970,196 @@ header { .text-high { color: var(--high-priority); } .text-medium { color: var(--medium-priority); } .text-low { color: var(--low-priority); } + + +/* Tool Links Styling */ +.tool-name a { + color: var(--accent); + text-decoration: none; + transition: all 0.2s; +} + +.tool-name a:hover { + color: var(--accent-hover); + text-decoration: underline; +} + +/* Reference Links Styling */ +.info-card ul li a { + color: var(--accent); + text-decoration: none; + transition: all 0.2s; +} + +.info-card ul li a:hover { + color: var(--accent-hover); + text-decoration: underline; +} + +/* Enhanced Quick Filter Buttons for 13 Categories */ +.quick-filter-buttons { + display: flex; + flex-wrap: wrap; + gap: 8px; + justify-content: flex-start; + align-items: center; +} + +.filter-btn { + padding: 10px 20px; + background: transparent; + border: 1px solid var(--border); + border-radius: 8px; + color: var(--text-secondary); + cursor: pointer; + font-size: 0.875rem; + font-weight: 500; + transition: all 0.2s; + white-space: nowrap; + flex: 0 0 auto; + text-align: center; + /* Fixed size - no dynamic shrinking */ + min-width: 120px; +} +.filter-btn:hover { + border-color: var(--accent); + color: var(--accent); + background: rgba(59, 130, 246, 0.1); +} + +.filter-btn.active { + background: var(--accent); + color: white; + border-color: var(--accent); +} + +/* Responsive: Only change layout, not button size */ +@media (max-width: 768px) { + .quick-filter-buttons { + justify-content: center; + } +} + +@media (max-width: 480px) { + .quick-filter-buttons { + display: grid; + grid-template-columns: repeat(2, 1fr); + gap: 8px; + } + + .filter-btn { + min-width: 0; /* Allow grid to control width */ + } +} + +/* Enhanced dropdown styling for 14 investigation types */ +#filter-investigation { + max-height: 250px; + overflow-y: auto; +} + +/* Professional icon styling */ +.nav-icon { + width: 16px; + height: 16px; + margin-right: 12px; + opacity: 0.7; + stroke: currentColor; 
+ stroke-width: 2; + transition: all 0.2s; + flex-shrink: 0; /* Prevent icon shrinking */ +} + +.section-icon { + width: 20px; + height: 20px; + margin-right: 12px; + stroke: var(--accent); + stroke-width: 2; + flex-shrink: 0; /* Prevent icon shrinking */ +} + +/* Enhanced hover effects for nav items */ +.nav-item:hover .nav-icon { + opacity: 1; + stroke: var(--text-primary); +} + +.nav-item.active .nav-icon { + opacity: 1; + stroke: var(--accent); +} + +/* Warning icons in limitations sections */ +.warning-icon { + width: 20px; + height: 20px; + margin-right: 8px; + stroke: var(--error); + stroke-width: 2; + flex-shrink: 0; +} + +/* Update limitations list styling for better icon alignment */ +.limitations-list li::before { + content: ""; + position: absolute; + left: 0; + top: 14px; + width: 12px; + height: 12px; + background: var(--error); + mask: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='currentColor' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'/%3E%3Cline x1='15' y1='9' x2='9' y2='15'/%3E%3Cline x1='9' y1='9' x2='15' y2='15'/%3E%3C/svg%3E") no-repeat center; + mask-size: contain; +} + +/* Better responsive breakpoints for wider panel */ +@media (max-width: 1200px) { + .advanced-search-panel { + max-width: 95%; /* Use more screen space on smaller screens */ + } + + .filter-grid { + grid-template-columns: repeat(auto-fit, minmax(280px, 1fr)); + gap: 20px; + } +} + +@media (max-width: 900px) { + .filter-grid { + grid-template-columns: repeat(auto-fit, minmax(250px, 1fr)); + gap: 18px; + } +} + +@media (max-width: 768px) { + .advanced-search-panel { + max-width: 98%; + } + + .filter-grid { + grid-template-columns: 1fr 1fr; /* Two columns on tablet */ + gap: 16px; + } + + .filter-group select { + padding: 12px 16px; + font-size: 0.875rem; + } +} + +@media (max-width: 480px) { + .filter-grid { + grid-template-columns: 1fr; /* 
Single column on mobile */ + } +} + +/* Mobile responsiveness - allow wrapping on very small screens */ +@media (max-width: 640px) { + .project-info { + white-space: normal; /* Allow wrapping on small screens */ + font-size: 0.85rem; + padding: 0 16px; + margin-top: 12px; + } +} diff --git a/site/index.html b/site/index.html index b8f81bb..b0dc064 100644 --- a/site/index.html +++ b/site/index.html @@ -3,6 +3,47 @@ + + + RegSeek - Windows Registry Forensics Reference | 136+ Registry Artifacts Database + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - RegSeek - Windows Registry Forensics Reference - -
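Review bot: This hunk re-declares `.nav-icon`, `.section-icon`, `.warning-icon` and `.limitations-list li::before`, all of which the earlier hunks in this file already add with different values (`.section-icon` is 24px there and 20px here; `content: "⚠"` there versus `content: ""` plus a mask here), so the cascade silently discards the first definitions and leaves dead rules — merge each selector into a single declaration instead of appending overrides. The `mask: url("data:image/svg+xml,…")` is loaded as an image, so if site/index.html is served with a Content-Security-Policy its `img-src` directive must allow `data:` (or the SVG should be a file served from the site) — confirm against the page's headers, which are not in this diff. `.tool-name a:hover` and `.info-card ul li a:hover` use `var(--accent-hover)`, which must exist in `:root` outside these hunks. Comments such as `/* Enhanced Quick Filter Buttons for 13 Categories */` and `/* Enhanced dropdown styling for 14 investigation types */` bake in counts that will rot as artifacts are added; `/* Quick filter buttons: fixed-width, wrap on narrow screens */` says what the rule does without a number.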