diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 01803ea..8adbb6b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,15 @@ jobs:
 - run: make install generate-win fmt
 - run: git diff --exit-code
+ validate:
+ name: validate
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v5
+ with: { go-version: '1.23' }
+ - uses: actions/checkout@v4
+ - run: make validate
+
 lint:
 name: lint
 runs-on: ubuntu-latest
diff --git a/.gitignore b/.gitignore
index 268e36e..5bbd2b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,3 @@
-# config
-config/artifacts/
-
 # go
 vendor
diff --git a/Makefile b/Makefile
index a19dad1..80117d3 100644
--- a/Makefile
+++ b/Makefile
@@ -39,13 +39,17 @@ test-coverage:
 go tool cover -func=coverage.out
 go tool cover -html=coverage.out
+.PHONY: validate
+validate:
+ @echo "Validating..."
+ cd tools/artifactvalidator && go build -o ../../build/bin/artifactvalidator .
+ ./build/bin/artifactvalidator -entrypoints=DefaultCollection1 config/artifacts/*.yaml
+
 .PHONY: generate
 generate:
 @echo "Generating..."
 go install golang.org/x/tools/cmd/goimports@v0.1.7
 go install github.com/forensicanalysis/go-resources/cmd/resources@v0.4.0
-rm -rf config/artifacts
-git clone https://github.com/forensicanalysis/artifacts.git config/artifacts
 go run tools/yaml2go/main.go config/ac.yaml config/artifacts/*.yaml
 resources -package assets -output assets/bin.generated.go config/bin/*
diff --git a/config/artifacts/README.md b/config/artifacts/README.md
new file mode 100644
index 0000000..83ce9ce
--- /dev/null
+++ b/config/artifacts/README.md
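Review bot: The new `validate` job references `actions/setup-go@v5` and `actions/checkout@v4` by mutable major tag, so a re-pointed or compromised tag would run arbitrary code in a job that builds and executes a tool from this repository; pin both to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v4`. The neighbouring jobs in this workflow appear to use the same tag style, so this is best applied file-wide rather than only here. Running `actions/checkout` after `actions/setup-go` also means setup-go's default module cache cannot see `go.sum` when it runs, which as far as I recall only costs the cache (a warning rather than a failure), but checkout-then-setup is the conventional order. Whether the workflow sets a restrictive top-level `permissions:` is outside this hunk.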
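Review bot: The `generate` target still feeds `config/artifacts/*.yaml` into `tools/yaml2go` but has no validation on its path, so a locally generated build can embed definitions that the new `validate` target would reject; declaring `generate: validate` makes the check run before the definitions are embedded instead of only in the separate CI job. The `cd tools/artifactvalidator && go build -o ../../build/bin/...` line works because each recipe line runs in its own shell, but `go run ./tools/artifactvalidator -entrypoints=DefaultCollection1 config/artifacts/*.yaml` would do the same without the relative-path juggling or a build artifact that has to be kept out of git. Note that `-entrypoints=DefaultCollection1` presumably only exercises artifacts reachable from that collection, so definitions it does not reference may go unchecked — worth a one-line comment on the target if that is intended.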
@@ -0,0 +1,14 @@
+## Artifact Definitions
+
+The artifactcollector uses yaml files to define forensic artifacts it can collect.
+
+The yaml files are based on the [ForensicArtifacts/artifacts](https://github.com/ForensicArtifacts/artifacts)
+repository, but with the following major changes:
+
+- `provides` on source level are added to enable extraction of parameters
+- All source types are distinctly defined, including the `DIRECTORY` type.
+- Parameter expansion and globing is defined, including `**`.
+- Inconsistent trailing `\*` in REGISTRY_KEYs are removed.
+
+The [Style Guide](style_guide.md) describes the full specification of the artifact definitions
+how they are used in the artifactcollector.
diff --git a/config/artifacts/collections.yaml b/config/artifacts/collections.yaml
new file mode 100644
index 0000000..cfb4f57
--- /dev/null
+++ b/config/artifacts/collections.yaml
@@ -0,0 +1,168 @@ +# Predefined opinionated collections + +name: DefaultCollection1 +doc: Predefined opinionated collections +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'FOR500' + - 'WindowsComputerName' + - 'WindowsEventLogs' + - 'WindowsHotfixes' + - 'WindowsNetworkInterfaceInformation' + - 'WindowsPersistence' + - 'WindowsRunKeys' + - 'WindowsServices' + - 'WindowsUninstallKeys' + - 'WindowsUSBInformation' + supported_os: [ Windows ] + - type: ARTIFACT_GROUP + attributes: + names: + # - 'BrowserCache' + - 'BrowserHistory' + - 'LinuxIPTablesRulesCommand' + - 'LinuxAtJobsFiles' + - 'LinuxAuditLogFiles' + - 'LinuxCronTabFiles' + - 'LinuxHostnameFile' + supported_os: [ Linux ] + - type: ARTIFACT_GROUP + attributes: + names: + # - 'BrowserCache' + - 'BrowserHistory' + - 'MacOSAtJobsFile' + - 'MacOSAuditLogFiles' + - 'MacOSBashHistoryFile' + - 'MacOSCronTabFile' + - 'MacOSHostsFile' + - 'MacOSLastlogFile' + - 'MacOSMiscLogFiles' + - 'MacOSRecentItemsFiles' + - 'MacOSSystemLogFiles' + - 'MacOSUserTrashFiles' + supported_os: [ Darwin ] +supported_os: [ Darwin,Linux,Windows ] +--- +# Artifacts from the SANS FOR500 course + +name: FOR500 +doc: Windows Forensic Analysis +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsBrowserArtifacts + - WindowsProgramExecution + - WindowsDeletedFiles + - WindowsNetworkActivity + # - WindowsFileOpening + - AccountUsage + - ExternalDevice +supported_os: [ Windows ] +--- +name: WindowsBrowserArtifacts +doc: WindowsBrowserArtifacts +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsOpenSaveMRU + - WindowsOpenSavePidlMRU + # EmailAttachments + # SkypeMainDirectory is only for macos + # BrowserCache not collected by default + - BrowserHistory + # AdsZoneIdentifier +supported_os: [ Windows ] +--- +name: WindowsProgramExecution +doc: Program Execution +sources: + - type: ARTIFACT_GROUP + attributes: + names: + # UserAssist + - WindowsActivitiesCacheDatabase + - WindowsMostRecentApplication 
+ - WindowsAppCompatCache # Shimcache + # JumpLists + - WindowsAMCacheHveFile + - WindowsSystemResourceUsageMonitorDatabaseFile + # BAM/DAM + # LastVisitedMRU + - WindowsPrefetchFiles +supported_os: [ Windows ] +--- +name: WindowsDeletedFiles +doc: Deleted Files +sources: + - type: ARTIFACT_GROUP + attributes: + names: + # ACMRU + # Thumbcache + # Thumbs.db + # IEEdgeFile -> WindowsBrowserArtifacts + # WordWheelQuery + - WindowsRecycleBin + # LastVisitedMRU -> WindowsProgramExecution +supported_os: [ Windows ] +--- +name: WindowsNetworkActivity +doc: Network Activity +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsTimezone + - InternetExplorerCookiesFile + # NetworkHistory + # WLANEventLog + # BrowserSearchTerms -> WindowsBrowserArtifacts + # WindowsSystemResourceUsageMonitorDatabaseFile -> WindowsProgramExecution +supported_os: [ Windows ] +# --- +# name: WindowsFileOpening +# doc: File Opening +# sources: +# - type: ARTIFACT_GROUP +# attributes: +# names: +# # WindowsOpenSaveMRU -> WindowsBrowserArtifacts +# # RecentFiles +# # JumpLists -> WindowsProgramExecution +# # ShellBags +# # LNKFiles +# # WindowsPrefetchFiles -> WindowsProgramExecution +# # LastVisitedMRU -> WindowsProgramExecution +# # IEEdgeFile -> WindowsBrowserArtifacts +# # OfficeRecentFiles +# supported_os: [Windows] +--- +name: AccountUsage +doc: Account Usage +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsSystemRegistryFiles + - WindowsXMLEventLogSecurityFile +supported_os: [ Windows ] +--- +name: ExternalDevice +doc: External Device +sources: + - type: ARTIFACT_GROUP + attributes: + names: + # KeyIdentification + - WindowsSetupApiLogs + # User + # PnPEvents + # VolumeSerialNumber + # DriverLetter + # LNKFiles -> WindowsFileOpening +supported_os: [ Windows ] diff --git a/config/artifacts/linux.yaml b/config/artifacts/linux.yaml new file mode 100644 index 0000000..9999c5b --- /dev/null +++ b/config/artifacts/linux.yaml 
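Review bot: The Linux and Darwin groups of `DefaultCollection1` include `BrowserHistory` and `MacOSBashHistoryFile`, whose paths expand `%%users.homedir%%`, but none of the artifacts that `provides` that key in this commit (`LinuxPasswdFile`, `LinuxHomePath`, `MacOSUsersPath`) are referenced from any group. If the collector resolves providers only among artifacts reachable from the entrypoint, those paths expand to nothing and the per-user evidence is silently skipped; if it scans every loaded definition for providers, a short comment next to the groups saying so would save the next reader the same question. Either way, listing the providers explicitly — `- 'LinuxPasswdFile'` under the Linux group and `- 'MacOSUsersPath'` under Darwin — is cheap and makes the dependency visible. Minor style point: `supported_os: [ Darwin,Linux,Windows ]` omits the spaces after the commas that the style guide's `[ Darwin, Linux, Windows ]` form uses.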
@@ -0,0 +1,65 @@
+# Linux specific artifacts.
+
+name: LinuxIPTablesRulesCommand
+doc: List IPTables rules.
+sources:
+ - type: COMMAND
+ attributes:
+ args: [ "-L", "-n", "-v" ]
+ cmd: /sbin/iptables
+supported_os: [ Linux ]
+---
+name: LinuxAtJobsFiles
+doc: Linux at jobs.
+sources:
+ - type: FILE
+ attributes: { paths: [ '/var/spool/at/*' ] }
+supported_os: [ Linux ]
+---
+name: LinuxAuditLogFiles
+doc: Linux audit log files.
+sources:
+ - type: FILE
+ attributes: { paths: [ '/var/log/audit/*' ] }
+supported_os: [ Linux ]
+---
+name: LinuxCronTabFiles
+doc: Crontab files.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '/etc/crontab'
+ - '/etc/cron.d/*'
+ - '/var/spool/cron/**'
+supported_os: [ Linux ]
+---
+name: LinuxHostnameFile
+doc: Linux hostname file.
+sources:
+ - type: FILE
+ attributes: { paths: [ '/etc/hostname' ] }
+supported_os: [ Linux ]
+---
+name: LinuxPasswdFile
+doc: |
+ Linux passwd file.
+
+ A passwd file consist of colon separated values in the format:
+ username:password:uid:gid:full name:home directory:shell
+sources:
+ - type: FILE
+ attributes: { paths: [ '/etc/passwd' ] }
+ provides:
+ - key: users.homedir
+ regex: '.*:(.*?):.*'
+supported_os: [ Linux ]
+---
+name: LinuxHomePath
+doc: Users directories in /home
+sources:
+ - type: PATH
+ attributes: { paths: [ '/home/*' ] }
+ provides:
+ - key: users.homedir
+supported_os: [ Linux ]
diff --git a/config/artifacts/macos.yaml b/config/artifacts/macos.yaml
new file mode 100644
index 0000000..c37d59d
--- /dev/null
+++ b/config/artifacts/macos.yaml
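Review bot: `LinuxIPTablesRulesCommand` is the only `COMMAND` source in this commit and it executes the target host's own `/sbin/iptables`, which on a compromised system may be trojaned and on nftables-only distributions may be absent or an `iptables-nft` shim that reports a different rule set than the legacy tables; a one-line caveat in `doc` would help whoever triages the output, e.g. `doc: List IPTables rules (executes the host's /sbin/iptables as root; output is only as trustworthy as that binary).` Listing rules also requires root, and what the collector does when the binary is missing (error vs. empty artifact) is not visible from this file. Separately, the `users.homedir` regex `'.*:(.*?):.*'` in `LinuxPasswdFile` only yields the home directory because the greedy leading `.*` backtracks to the second-to-last colon, i.e. it relies on the home directory being the sixth of seven fields; a comment stating that would stop a future reader from "fixing" it to capture the first field after a colon.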
@@ -0,0 +1,96 @@
+# MacOS (Darwin) specific artifacts.
+
+name: MacOSAtJobsFile
+doc: MacOS at jobs
+sources:
+ - type: FILE
+ attributes: { paths: [ '/usr/lib/cron/jobs/*' ] }
+supported_os: [ Darwin ]
+---
+name: MacOSAuditLogFiles
+doc: Audit log files
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '/private/var/audit/*'
+ - '/var/audit/*'
+supported_os: [ Darwin ]
+---
+name: MacOSBashHistoryFile
+doc: Terminal Commands History
+sources:
+ - type: FILE
+ attributes: { paths: [ '%%users.homedir%%/.bash_history' ] }
+supported_os: [ Darwin ]
+---
+name: MacOSCronTabFile
+doc: Cron tabs
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '/etc/crontab'
+ - '/private/etc/crontab'
+ - '/usr/lib/cron/tabs/*'
+supported_os: [ Darwin ]
+---
+name: MacOSHostsFile
+doc: Hosts file
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '/etc/hosts'
+ - '/private/etc/hosts'
+supported_os: [ Darwin ]
+---
+name: MacOSLastlogFile
+doc: Mac OS X lastlog file.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '/private/var/log/lastlog'
+ - '/var/log/lastlog'
+supported_os: [ Darwin ]
+---
+name: MacOSMiscLogFiles
+doc: Misc. Logs
+sources:
+ - type: FILE
+ attributes: { paths: [ '/Library/Logs/*' ] }
+supported_os: [ Darwin ]
+---
+name: MacOSRecentItemsFiles
+doc: Recent Items
+sources:
+ - type: FILE
+ attributes: { paths: [ '%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist' ] }
+supported_os: [ Darwin ]
+---
+name: MacOSSystemLogFiles
+doc: System log files
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '/private/var/log/*'
+ - '/var/log/*'
+supported_os: [ Darwin ]
+---
+name: MacOSUsersPath
+doc: Users directories in /Users
+sources:
+ - type: PATH
+ attributes: { paths: [ '/Users/*' ] }
+ provides:
+ - key: users.homedir
+supported_os: [ Darwin ]
+---
+name: MacOSUserTrashFiles
+doc: User Trash Folder
+sources:
+ - type: FILE
+ attributes: { paths: [ '%%users.homedir%%/.Trash/*' ] }
+supported_os: [ Darwin ]
\ No newline at end of file
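Review bot: `MacOSBashHistoryFile` is documented as `Terminal Commands History` but collects only `%%users.homedir%%/.bash_history`; since macOS Catalina the default login shell is zsh, so on current systems the interactive history lives in `~/.zsh_history` (plus per-session files under `~/.zsh_sessions/` for Terminal.app) and this artifact will usually come back empty. Adding `- '%%users.homedir%%/.zsh_history'` and `- '%%users.homedir%%/.zsh_sessions/*'` to `paths` (or a sibling `MacOSZshHistoryFile` artifact listed in the Darwin group of `DefaultCollection1`) closes the gap, and the `doc` line should then name the shells it covers. Cosmetic: the file ends without a trailing newline, unlike the other YAML files added in this commit.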
diff --git a/config/artifacts/style_guide.md b/config/artifacts/style_guide.md new file mode 100644 index 0000000..8899fce --- /dev/null +++ b/config/artifacts/style_guide.md 
@@ -0,0 +1,532 @@ +# Artifact definition format and style guide + +## Summary + +This guide contains a description of the forensics artifacts definitions. The +artifacts definitions are [YAML](http://www.yaml.org/spec/1.2/spec.html)-based. +The format is currently still under development and is likely to undergo some +change. One of the goals of this guide is to ensure consistency and readability +of the artifacts definitions. + +## Revision history + +| Version | Author | Date | Comments | +|----------|-----------|----------------|-------------------------------------------------------------------------------------| +| 0.0.1 | G. Castle | November 2014 | Initial version. | +| 0.0.2 | G. Castle | December 2014 | Minor format changes. | +| 0.0.3 | J.B. Metz | April 2015 | Merged style guide and artifact definitions wiki page. | +| 0.0.3 | J.B. Metz | September 2015 | Additional label. | +| 0.0.4 | J.B. Metz | July 2016 | Added information about a naming convention. | +| 0.0.5 | J.B. Metz | February 2019 | Removed returned_types as keyword and format changes. | +| 0.0.6-ce | J. Plum | October 2019 | Add information about the knowledge base, directory sources, expansion and globbing | +| 0.0.7-ce | J. Plum | October 2024 | Deprecate labels | + +## Background + +The first version of the artifact definitions originated from the +[GRR project](https://github.com/google/grr), where it is used to describe and +quickly collect data of interest, e.g. specific files or Windows Registry keys. +The goal of the format is to provide a way to describe the majority of forensic +artifacts in a language that is readable by humans and machines. + +The format is designed to be simple and straight forward, so that a digital +forensic analyst is able to quickly write artifact definitions during an +investigation without having to rely on complex standards or tooling. + +The format is intended to describe forensically-relevant data on a machine, +while being tool agnostic. 
In particular, we intentionally avoided adding +IOC-like logic, or describing how the data should be collected since this +varies between tools. + +### Terminology + +The term artifact (or artefact) is widely used within computer (or digital) +forensics, though there is no official definition of this term. + +The definition closest to the meaning of the word within computer forensics is +that of the word artifact within +[archaeology](http://en.wikipedia.org/wiki/Artifact_(archaeology)). The term +should not be confused with the word artifact used within +[software development](http://en.wikipedia.org/wiki/Artifact_(software_development)). + +If archaeology defines an artifact as: + +``` +something made or given shape by man, such as a tool or +a work of art, esp an object of archaeological interest +``` + +The definition of artifact within computer forensics could be: + +``` +An object of digital archaeological interest. +``` + +Where digital archaeology roughly refers to computer forensics without the +forensic (legal) context. + +### Knowledge Base + +The knowledge base is a data store that is used for storing entries about +the host, users and other system properties. Every entry maps a key to a list +of values e.g. + +```json +{ + "users.username": [ + "root", + "bob" + ], + "users.homedir": [ + "/root", + "/home/bob" + ] +} +``` + +It is filled via the `provides` attribute of sources and +can be used in artifact conditions (*deprecated*) and in +[parameter expansion](#parameter-expansion-and-globs). + +## The artifact definition + +The best way to show what an artifact definition is, is by example. The +following example is the artifact definition for the Windows EVTX System Event +Logs. + +```yaml +name: WindowsSystemEventLogEvtx +doc: Windows System Event log for Vista or later systems. 
+sources: + - type: FILE + attributes: { paths: [ '%%environ_systemroot%%\System32\winevt\Logs\System.evtx' ] } +supported_os: [ Windows ] +``` + +The artifact definition can have the following values: + +| Key | Description | +|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| name | The name. An unique string that identifies the artifact definition. Also see section: [Name](#Name). | +| doc | The description (or documentation). A human readable string that describes the artifact definition. *Style note*: Typically one line description of the artifact, mentioning important caveats. If more description is necessary, use the [Long docs form](#long-docs-form). | +| sources | A list of source definitions. See section: [sources](#sources). | +| supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). | +| urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artificat in more depth. | +| ~~labels~~ | **Deprecated** This key is ignored. | +| ~~conditions~~ | **Deprecated** This key is ignored. | +| ~~provides~~ | **Deprecated** This key is ignored. | + +### Name + +*Style note*: The name of an artifact definition should be in CamelCase name +without spaces. + +Naming convention for artifact definition names: + +* Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or " + Windows" +* If not platform specific: + * prefix with the application name, for example "ChromeHistory". + * prefix with the name of the subsystem, for example "WMIComputerSystemProduct". 
+ +*Style note*: If the sole source of the artifact definition for example are +files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity. + +### Long docs form + +Multi-line documentation should use the YAML Literal Style as indicated by the | +character. + +```yaml +doc: | + The Windows run keys. + + Note users.sid will currently only expand to SIDs with profiles on the + system, not all SIDs. +``` + +*Style note*: the short description (first line) and the longer portion are +separated by an empty line. + +*Style note*: explicit newlines (\n) should not be used. + +## Sources + +Every source definition starts with a `type` followed by arguments e.g. + +```yaml +sources: + - type: COMMAND + attributes: + args: [ -qa ] + cmd: /bin/rpm +``` + +```yaml +sources: + - type: FILE + attributes: + paths: + - /root/.bashrc + - /root/.cshrc + - /root/.ksh + - /root/.logout + - /root/.profile + - /root/.tcsh + - /root/.zlogin + - /root/.zlogout + - /root/.zprofile + - /root/.zprofile +``` + +*Style note*: where sources take a single argument with a single value, the +one-line {} form should be used to save on line breaks as below: + +```yaml +- type: FILE + attributes: { paths: [ '%%environ_systemroot%%\System32\winevt\Logs\System.evtx' ] } +``` + +| Key | Description | +|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------| +| attributes | A dictionary of keyword attributes specific to the type of source definition. | +| type | The source type. | +| provides | Optional list of dictonaries that describe knowledge base entries that this artifact can supply. See section: [Source provides](#source-provides). | +| supported_os | Optional list that indicates which operating systems the artifact definition applies to. | +| ~~conditions~~ | **Deprecated** This key is ignored. 
| + +### Source types + +Currently, the following different source types are defined: + +| Value | Description | +|----------------|-------------------------------------------------------------------------------------------| +| ARTIFACT_GROUP | A source that consists of a group of other artifacts. | +| COMMAND | A source that consists of the output of a command. | +| DIRECTORY | A source that consists of the file listing of a directories. | +| FILE | A source that consists of the contents of files. | +| PATH | A source that consists of a list of paths. | +| REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. | +| REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. | +| WMI | A source that consists of the output of a Windows Management Instrumentation (WMI) query. | + +### Source provides + +A source provide defines a knowledge base entry that can be created using this source e.g. + +```yaml +sources: + - type: PATH + attributes: { paths: [ '/Users/*' ] } + provides: + - key: users.username + regex: '.*/(.*)' +``` + +```yaml +sources: + - type: WMI + attributes: { query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' } + provides: + - key: users.userdomain + wmi_key: Domain +``` + +```yaml +sources: + - type: FILE + attributes: { paths: [ '/etc/passwd' ] } + provides: + - key: users.username + regex: '(.*?):.*' + - key: users.homedir + regex: '.*:(.*?):.*' +``` + +| Key | Description | +|---------|----------------------------------------------------------------------------------------------------------------| +| key | Defines the knowledge base key that is provided. | +| wmi_key | Required for provides in WMI sources, disallowed otherwise. WMI object key to select the provided value. | +| regex | Optional regular expression to filter the provided data. The first capturing group defines the provided value. 
| + +Provided values are dependent on the source type as follows: + +| Type | Added entries to knowledge base | +|----------------|------------------------------------------| +| COMMAND | The lines of the stdout of the command. | +| FILE | The lines of the file content. | +| PATH | The defined paths. | +| REGISTRY_KEY | The key paths. | +| REGISTRY_VALUE | The registry values. | +| WMI | The values selected using the `wmi_key`. | + +Definition of type ARTIFACT_GROUP or DIRECTORY must not have a `provides` attribute. + +### Artifact group source + +The artifact group source is a source that consists of a group of other +artifacts e.g. + +```yaml +- type: ARTIFACT_GROUP + attributes: + names: [ WindowsRunKeys, WindowsServices ] +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| names | A list of artifact definition names that make up this "composite" artifact. This can also be used to group multiple artifact definitions into one for convenience. | + +### Command source + +The command source is a source that consists of the output of a command e.g. + +```yaml +- type: COMMAND + attributes: + args: [ -qa ] + cmd: /bin/rpm +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------|------------------------------------------------------------------------------------------------------------------------------------------------------| +| args | A list arguments to pass to the command. | +| cmd | The path of the command. The path can either be relative or absolute. Handling of relative paths depends on the application processing the artifact. | + +### Directory source + +The directory source is a source that consists of a file listing of directory contents e.g. 
+ +```yaml +- type: DIRECTORY + attributes: + paths: [ '%%users.userprofile%%\Downloads\*' ] + separator: '\' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| paths | A list of file paths that can potentially be collected. These paths should be absolute. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs) | +| separator | Optional path separator e.g. '\' for Windows systems. | + +### File source + +The file source is a source that consists of the binary contents of files e.g. + +```yaml +- type: FILE + attributes: + paths: [ '%%environ_systemroot%%\System32\winevt\Logs\System.evtx' ] +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| paths | A list of file paths that can potentially be collected. These paths should be absolute. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs) | +| separator | Optional path separator e.g. '\' for Windows systems. | + +### Path source + +The path source is a source that consists of a list of paths e.g. 
+ +```yaml +- type: PATH + attributes: + paths: [ '\Program Files' ] + separator: '\' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| paths | A list of file paths that can potentially be collected. These paths can should be absolute. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion) | +| separator | Optional path separator e.g. '\' for Windows systems. | + +### Windows Registry key source + +The Windows Registry key source is a source that consists of a key path and all +registry values of a Windows Registry key. Subkeys are not part of this artifact. + +Example: + +```yaml +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| keys | A list of Windows Registry key paths that can potentially be collected. The paths can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion) | + +### Windows Registry value source + +The Windows Registry value source is a source that consists of the contents of defined +Windows registry values e.g. 
+ +```yaml +- type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654' } +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. The key path can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion) | + +### Windows Management Instrumentation (WMI) query source + +The Windows Management Instrumentation (WMI) query source is a source that +consists of the output of a Windows Management Instrumentation (WMI) query e.g. + +```yaml +- type: WMI + attributes: + query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs) | +| base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` | + +## Supported operating system + +Since operating system (OS) conditions are a very common constraint, this has +been provided as a separate option `supported_os` to simplify syntax. For +supported_os no quotes are required. 
The currently supported operating systems +are: + +* Darwin (also used for Mac OS X) +* Linux +* Windows + +```yaml +supported_os: [ Darwin, Linux, Windows ] +``` + +## Style notes + +### Artifact definition YAML files + +Artifact definition YAML filenames should be of the form: +.... +$FILENAME.yaml +.... + +Where $FILENAME is name of the file e.g. windows.yaml. + +Each definition file should have a comment at the top of the file with a +one-line summary describing the type of artifact definitions contained in the +file e.g. + +```yaml +# Windows specific artifacts. +``` + +### Lists + +Generally use the short [] format for single-item lists that fit inside 80 +characters to save on unnecessary line breaks: + +```yaml +supported_os: [ Windows ] +``` + +and the bulleted list form for multi-item lists or long lines: + +```yaml +paths: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' +``` + +### Quotes + +Quotes should not be used for doc strings, artifact names, and simple lists +like labels and supported_os. + +Paths and URLs should use single quotes to avoid the need for manual escaping. + +```yaml +paths: [ '%%environ_temp%%\*.exe' ] +``` + +Double quotes should be used where escaping causes problems, such as +regular expressions: + +```yaml +content_regex_list: [ "^%%users.username%%:[^:]*\n" ] +``` + +### Minimize the number of definitions by using multiple sources + +To minimize the number of artifacts in the list, combine them using the +supported_os and conditions attributes where it makes sense. e.g. 
rather than +having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: + +```yaml +name: FirefoxHistory +doc: Firefox places.sqlite files. +sources: + - type: FILE + attributes: + paths: + - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite + - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite + supported_os: [ Windows ] + - type: FILE + attributes: + paths: [ %%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite ] + supported_os: [ Darwin ] + - type: FILE + attributes: + paths: [ '%%users.homedir%%/.mozilla/firefox/*/places.sqlite' ] + supported_os: [ Linux ] +supported_os: [ Windows, Linux, Darwin ] +``` + +## Parameter expansion and globs + +### Parameter expansion + +Path, keys, key and query attributes can contain parameter expansion and +globing. This allows for flexible creation of artifact locations. + +Parameter expansions values are enclosed by double percent symbols e.g. +`%%environ_systemroot%%`. The parameter expansion value can be replaced by the +corresponding value from the [knowledge base](#knowledge-base). + +For every expansion that is used in an artifact, there should be another artifact +that `provides` this expansion in one of its sources. Implementations may choose +to precompute parameter values from sources outside of these definitions. + +### Parameter Globs + +Parameters can also contain regular glob elements (`**`, or `*`). +For example, having files `foo`, `bar`, `baz` glob expansion of `ba*` +will yield `bar` and `baz`. A recursive component (specified as `**`) +matches any directory tree up to some specified depth (3 by default). +`**` does not match the current directory. +The search depth can optionally be specified by appending a number, e.g. +`**9` will match up to 9 levels of a directory hierarchy. diff --git a/config/artifacts/webbrowser.yaml b/config/artifacts/webbrowser.yaml new file mode 100644 index 0000000..ac7d0d0 --- /dev/null 
+++ b/config/artifacts/webbrowser.yaml 
@@ -0,0 +1,295 @@
+# Web browser artifacts.
+
+name: BrowserHistory
+doc: Web browser history of multiple web browsers.
+sources:
+ - type: ARTIFACT_GROUP
+ attributes:
+ names:
+ - 'ChromiumBasedBrowsersHistoryDatabaseFile'
+ - 'FirefoxHistoryFile'
+ - 'InternetExplorerHistoryFile'
+ - 'OperaHistoryFile'
+ - 'SafariDownloadFile'
+ - 'SafariHistoryFile'
+supported_os: [ Darwin,Linux,Windows ]
+---
+name: ChromiumBasedBrowsersHistoryDatabaseFile
+doc: >-
+ Browsing history database file for multiple Chromium-based browsers, such as
+ Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived
+ History'
+ - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived
+ History-journal'
+ - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History'
+ - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History'
+ - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal'
+ - '%%users.homedir%%/Library/Application Support/Chromium/*/History'
+ - '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived
+ History'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived
+ History-journal'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History'
+ - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived
+ History'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived
+ History-journal'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History-journal'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History'
+ - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived
+ History'
+ - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived
+ History-journal'
+ - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History'
+ - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History-journal'
+ - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived
+ History'
+ - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived
+ History-journal'
+ - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History'
+ - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History-journal'
+ supported_os:
+ - Darwin
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History'
+ - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History-journal'
+ - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History'
+ - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History-journal'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived
+ History'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived
+ History-journal'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History'
+ - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal'
+ - '%%users.homedir%%/.config/chromium/*/Archived History'
+ - '%%users.homedir%%/.config/chromium/*/Archived History-journal'
+ - '%%users.homedir%%/.config/chromium/*/History'
+ - '%%users.homedir%%/.config/chromium/*/History-journal'
+ - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History'
+ - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal'
+ - '%%users.homedir%%/.config/google-chrome-beta/*/History'
+ - '%%users.homedir%%/.config/google-chrome-beta/*/History-journal'
+ - '%%users.homedir%%/.config/google-chrome/*/Archived History'
+ - '%%users.homedir%%/.config/google-chrome/*/Archived History-journal'
+ - '%%users.homedir%%/.config/google-chrome/*/History'
+ - '%%users.homedir%%/.config/google-chrome/*/History-journal'
+ - '%%users.homedir%%/.config/microsoft-edge/*/Archived History'
+ - '%%users.homedir%%/.config/microsoft-edge/*/Archived History-journal'
+ - '%%users.homedir%%/.config/microsoft-edge/*/History'
+ - '%%users.homedir%%/.config/microsoft-edge/*/History-journal'
+ - '%%users.homedir%%/.config/opera/*/Archived History'
+ - '%%users.homedir%%/.config/opera/*/Archived History-journal'
+ - '%%users.homedir%%/.config/opera/*/History'
+ - '%%users.homedir%%/.config/opera/*/History-journal'
+ - '%%users.homedir%%/.config/yandex-browser-beta/*/Archived History'
+ - '%%users.homedir%%/.config/yandex-browser-beta/*/Archived History-journal'
+ - '%%users.homedir%%/.config/yandex-browser-beta/*/History'
+ - '%%users.homedir%%/.config/yandex-browser-beta/*/History-journal'
+ - '%%users.homedir%%/snap/chromium/common/chromium/*/Archived History'
+ - '%%users.homedir%%/snap/chromium/common/chromium/*/Archived History-journal'
+ - '%%users.homedir%%/snap/chromium/common/chromium/*/History'
+ - '%%users.homedir%%/snap/chromium/common/chromium/*/History-journal'
+ supported_os:
+ - Linux
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.appdata%%\Brave\*\Archived History'
+ - '%%users.appdata%%\Brave\*\Archived History-journal'
+ - '%%users.appdata%%\Brave\*\History'
+ - '%%users.appdata%%\Brave\*\History-journal'
+ - '%%users.appdata%%\BraveSoftware\Brave-Browser\User Data\*\History'
+ - '%%users.appdata%%\BraveSoftware\Brave-Browser\User Data\*\History-journal'
+ - '%%users.appdata%%\Opera Software\Opera Stable\*\Archived History'
+ - '%%users.appdata%%\Opera Software\Opera Stable\*\Archived History-journal'
+ - '%%users.appdata%%\Opera Software\Opera Stable\*\History'
+ - '%%users.appdata%%\Opera Software\Opera Stable\*\History-journal'
+ - '%%users.localappdata%%\Chromium\*\Archived History'
+ - '%%users.localappdata%%\Chromium\*\Archived History-journal'
+ - '%%users.localappdata%%\Chromium\*\History'
+ - '%%users.localappdata%%\Chromium\*\History-journal'
+ - '%%users.localappdata%%\Chromium\User Data\*\Archived History'
+ - '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal'
+ - '%%users.localappdata%%\Chromium\User Data\*\History'
+ - '%%users.localappdata%%\Chromium\User Data\*\History-journal'
+ - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History'
+ - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal'
+ - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History'
+ - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal'
+ - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History'
+ - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal'
+ - '%%users.localappdata%%\Google\Chrome\User Data\*\History'
+ - '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal'
+ - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Archived History'
+ - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Archived History-journal'
+ - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\History'
+ - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\History-journal'
+ - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Archived History'
+ - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Archived History-journal'
+ - '%%users.localappdata%%\Microsoft\Edge\User Data\*\History'
+ - '%%users.localappdata%%\Microsoft\Edge\User Data\*\History-journal'
+ - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Archived History'
+ - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Archived History-journal'
+ - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\History'
+ - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\History-journal'
+ separator: \
+ supported_os:
+ - Windows
+supported_os:
+ - Darwin
+ - Linux
+ - Windows
+---
+name: FirefoxHistoryFile
+doc: Firefox browser history (places.sqlite).
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
+ - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
+ - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
+ - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
+ separator: '\'
+ supported_os: [ Windows ]
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite'
+ - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal'
+ supported_os: [ Darwin ]
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite'
+ - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal'
+ - '%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite'
+ - '%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite-wal'
+ supported_os: [ Linux ]
+supported_os: [ Windows,Darwin,Linux ]
+---
+name: InternetExplorerBrowserHelperObjectsRegistryKeys
+doc: Loaded on Internet Explorer startup
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
+supported_os: [ Windows ]
+---
+name: InternetExplorerCookiesFile
+doc: |
+ Microsoft Internet Explorer (MSIE) browser cookies.
+
+ * MSIE 4 - 9 Cache files (index.dat)
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat'
+ - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat'
+ - '%%users.userprofile%%\Cookies\index.dat'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: InternetExplorerHistoryFile
+doc: |
+ Microsoft Internet Explorer (MSIE) browser history.
+
+ * MSIE 4 - 9 Cache files (index.dat);
+ * MSIE 10 WebCacheV*.dat files.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
+ - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
+ - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
+ - '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat'
+ - '%%users.userprofile%%\Local Settings\History\History.IE5\*\index.dat'
+ - '%%users.userprofile%%\Local Settings\History\Temporary Internet Files\Content.IE5\index.dat'
+ - '%%users.userprofile%%\Local Settings\Temporary Internet Files\Content.IE5\index.dat'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: OperaHistoryFile
+doc: Opera browser history (global_history.dat).
+sources:
+ - type: FILE
+ attributes: { paths: [ '%%users.homedir%%/Library/Opera/global_history.dat' ] }
+ supported_os: [ Darwin ]
+ - type: FILE
+ attributes: { paths: [ '%%users.homedir%%/.opera/global_history.dat' ] }
+ supported_os: [ Linux ]
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.appdata%%\Opera\Opera\global_history.dat'
+ - '%%users.appdata%%\Opera Software\Opera Stable\History'
+ - '%%users.appdata%%\Opera Software\Opera Stable\History-journal'
+ separator: '\'
+ supported_os: [ Windows ]
+supported_os: [ Windows,Darwin,Linux ]
+---
+name: SafariDownloadFile
+doc: Safari downloads history (Downloads.plist).
+sources:
+ - type: FILE
+ attributes: { paths: [ '%%users.homedir%%/Library/Safari/Downloads.plist' ] }
+ supported_os: [ Darwin ]
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist'
+ - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist'
+ separator: '\'
+ supported_os: [ Windows ]
+supported_os: [ Darwin, Windows ]
+---
+name: SafariHistoryFile
+doc: Safari browser history (History.plist).
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.localappdata%%\Apple Computer\Safari\History.plist'
+ - '%%users.appdata%%\Apple Computer\Safari\History.plist'
+ separator: '\'
+ supported_os: [ Windows ]
+ - type: FILE
+ attributes:
+ paths:
+ - '%%users.homedir%%/Library/Safari/History.plist'
+ - '%%users.homedir%%/Library/Safari/History.db'
+ - '%%users.homedir%%/Library/Safari/History.db-wal'
+ supported_os: [ Darwin ]
+supported_os: [ Windows, Darwin ]
diff --git a/config/artifacts/windows.yaml b/config/artifacts/windows.yaml
new file mode 100644
index 0000000..63d46d8
--- /dev/null
+++ b/config/artifacts/windows.yaml
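Review bot: In FirefoxHistoryFile's Windows source the fourth path repeats `'%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'` verbatim, so the roaming-profile WAL file is never collected although its `places.sqlite` counterpart under `%%users.appdata%%` is; it should read `- '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'`. Without that file the collected roaming database can miss the most recent, not-yet-checkpointed history rows, which matters for a forensic timeline. Separately, the Windows source of ChromiumBasedBrowsersHistoryDatabaseFile writes `separator: \` unquoted while every other Windows source in this file uses `separator: '\'`; quoting it keeps the definitions uniform and avoids depending on how the YAML loader treats a bare backslash. The `supported_os` lists also mix `[ Darwin,Linux,Windows ]` and `[ Windows,Darwin,Linux ]` spacing and order across definitions, which is worth normalising since `make validate` now gates these files in CI.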
@@ -0,0 +1,1404 @@
+# Windows specific artifacts.
+
+name: WindowsActiveDesktop
+doc: Windows Active Desktop settings and components.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General'
+supported_os: [ Windows ]
+---
+name: WindowsActivitiesCacheDatabase
+doc: SQLite database containing the Windows activities cache.
+sources:
+ - type: FILE
+ attributes:
+ paths: [ '%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db' ]
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsAlternateShell
+doc: Alternate Shell to be run via Userinit.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell' }
+supported_os: [ Windows ]
+---
+name: WindowsAMCacheHveFile
+doc: The AMCache file, stored in the Windows NT Registry file format.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve'
+ - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1'
+ - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsAppCertDLLs
+doc: Windows AppCertDLLs persistence.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys: [ 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs' ]
+supported_os: [ Windows ]
+---
+name: WindowsAppCompatCache
+doc: Windows Application Compatibility Cache
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache' }
+supported_os: [ Windows ]
+---
+name: WindowsAppInitDLLs
+doc: |
+ Windows Application Initial (AppInit) DLLs persistence.
+
+ AppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded
+ into each user mode process on the system.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' }
+supported_os: [ Windows ]
+---
+name: WindowsApplicationCompatibilityInstalledShimDatabases
+doc: |
+ Windows Application Compatibility Installed Shim Databases.
+
+ drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are
+ shim database files (SDB files) that are provided by Windows, and contain
+ many predefined shims that address known application compatibility issues.
+ Note that these database files are not signed.
+
+ Windows also supports custom shim database. These are typically installed
+ by the sdbinst.exe utility. Note, that shim database files can also exist
+ elsewhere in the file system.
+
+ Windows application shims provide a way for the operating system to
+ apply patches to executables before they are run, ultimately providing
+ a lightweight mechanism for applying hot fixes and making modifications to
+ ensure compatibility across the various versions of Windows. This
+ functionality can also be leveraged maliciously to change how certain
+ programs operate, or to provide capabilities to malware, such as the
+ ability to bypass UAC, gain persistence by injecting loading into legitimate
+ processes, or avoid detection by disabling anti-virus software.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\AppPatch\drvmain.sdb'
+ - '%%environ_systemroot%%\AppPatch\frxmain.sdb'
+ - '%%environ_systemroot%%\AppPatch\msimain.sdb'
+ - '%%environ_systemroot%%\AppPatch\pcamain.sdb'
+ - '%%environ_systemroot%%\AppPatch\sysmain.sdb'
+ - '%%environ_systemroot%%\AppPatch\AppPatch64\Custom\*'
+ - '%%environ_systemroot%%\AppPatch\Custom\*'
+ - '%%environ_systemroot%%\AppPatch\Custom\Custom64\*'
+ - '%%environ_systemroot%%\AppPatch\CustomSDB\*'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsApplicationCompatibilityShimDatabaseMappings
+doc: |
+ Windows Application Compatibility Shim Database Mappings.
+
+ Mappings between the Windows Application Compatibility shim database files and
+ the programs that they apply to.
+
+ Windows allows for custom application shims to be installed via the
+ sdbinst.exe application. For example a mapping for 'notepad.exe':
+
+ Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
+ AppCompatFlags\Custom\notepad.exe
+ Value: {00000000-1111-2222-3333-444444444444}.sdb = 0
+
+ Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444}
+ Value: DatabasePath =
+ "C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb"
+
+ Windows application shims provide a way for the operating system to
+ apply patches to executables before they are run, ultimately providing
+ a lightweight mechanism for applying hot fixes and making modifications to
+ ensure compatibility across the various versions of Windows. This
+ functionality can also be leveraged maliciously to change how certain
+ programs operate, or to provide capabilities to malware, such as the
+ ability to bypass UAC, gain persistence by injecting loading into legitimate
+ processes, or avoid detection by disabling anti-virus software.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*', value: '*' }
+supported_os: [ Windows ]
+---
+name: WindowsApplicationCompatibilityShims
+doc: Windows Application Compatibility Shim Database Files and Application Mappings
+sources:
+ - type: ARTIFACT_GROUP
+ attributes:
+ names:
+ - 'WindowsApplicationCompatibilityInstalledShimDatabases'
+ - 'WindowsApplicationCompatibilityShimDatabaseMappings'
+supported_os: [ Windows ]
+---
+name: WindowsBootVerificationProgram
+doc: Path to custom startup verification program.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath' } ]
+supported_os: [ Windows ]
+---
+name: WindowsComputerName
+doc: The name of the system.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName', value: 'ComputerName' }
+supported_os: [ Windows ]
+---
+name: WindowsCommandProcessorAutoRun
+doc: Commands that are run each time the Command Processor (Cmd.exe) is started.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun' }
+supported_os: [ Windows ]
+---
+name: WindowsCOMProperties
+doc: |
+ Various properties of Windows COM Objects.
+
+ These artifacts are meant to highlight properties of COM objects that,
+ although legitimate, are known to be associated with persistence techniques
+ or other capabilities that malware can leverage.
+
+ ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value
+ 0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique
+ to cause iexplore or explorer to load a malicious DLL by registering a COM
+ object and invoking it through the use of Junction Folders.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' }
+supported_os: [ Windows ]
+---
+name: WindowsSearchFilterHandlers
+doc: |
+ Windows Search filter handlers configured for file types and applications.
+
+ Windows Search loads DLLs that implement the IFilter interface in order to
+ scan files for text and extract certain types of information. Malware can
+ replace the filter handler for a given file type or CLSID with itself to gain
+ execution when a search operation is performed on that file. Search
+ operations can be performed indirectly in a number of cases; for instance,
+ the .txt, .html, and .rtf filter handlers are invoked when indexing email
+ message bodies.
+
+ The filter handler to use is specified indirectly via a persistent handler.
+ The persistent handler GUID is indicated via the PersistentHandler subkey for
+ a file type or application GUID. The filter handler CLSID is indicated via
+ the PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey
+ under the persistent handler GUID key path. This artifact inspects both of
+ these paths.
+
+ NOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these
+ are the only keys used. SearchFilterHost.exe runs under the SYSTEM account,
+ which does not have access to HKEY_CURRENT_USER.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\PersistentHandler', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\PersistentHandler', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentHandler', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentHandler', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: '' }
+supported_os: [ Windows ]
+---
+name: WindowsCredentialProviderFilters
+doc: Windows Credential Provider Filters
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
+supported_os: [ Windows ]
+---
+name: WindowsCredentialProviders
+doc: CLSIDs of applications to use as Credential Providers
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
+supported_os: [ Windows ]
+---
+name: WindowsDebugger
+doc: Windows Debugger peristence or AV disable.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' }
+supported_os: [ Windows ]
+---
+name: WindowsEnvironmentUserLoginScripts
+doc: User login scripts configured via Windows environment variables.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitMprLogonScript' }
+supported_os: [ Windows ]
+---
+name: WindowsEnvironmentVariableAllUsersProfile
+doc: The system-wide %AllUsersProfile% environment variable contains the path of the of the "All Users" or "Common" profile directory.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile' }
+ provides:
+ - key: environ_allusersappdata
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData' }
+ provides:
+ - key: environ_allusersappdata
+ - type: PATH
+ attributes:
+ paths:
+ - '\ProgramData'
+ - '\Documents and Settings\All Users'
+ separator: '\'
+ provides:
+ - key: environ_allusersappdata
+supported_os: [ Windows ]
+---
+name: WindowsEnvironmentVariableProfilesDirectory
+doc: The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users".
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory' }
+ provides:
+ - key: environ_profilesdirectory
+supported_os: [ Windows ]
+---
+name: WindowsEnvironmentVariableSystemRoot
+doc: The %SystemRoot%, environment variable contains the path of the system directory, typically "C:\Windows".
+sources:
+ - type: PATH
+ attributes:
+ paths:
+ - '\Windows'
+ - '\WinNT'
+ - '\WINNT35'
+ - '\WTSRV'
+ separator: '\'
+ provides:
+ - key: environ_systemroot
+ - key: environ_systemdrive
+ regex: '^(..)'
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot' }
+ provides:
+ - key: environ_systemroot
+ - key: environ_systemdrive
+ regex: '^(..)'
+supported_os: [ Windows ]
+---
+name: WindowsExplorerAutoplayHandlers
+doc: Handlers for autoplay events in Windows Explorer.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys: [ 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\*' ]
+supported_os: [ Windows ]
+---
+name: WindowsFileTypeAutorunAssociations
+doc: |
+ Registry value for what application class identifier (CLSID) to launch for a file extension.
+
+ Extension subkeys start with a dot. The '(Default)' value will be a ProgID,
+ which points to another entry in HKCR specifying the command to run to open
+ a file of the given type. The WindowsShellOpenCommand artifact is associated
+ with these ProgID command invocations.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\.*', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*', value: '' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.*', value: '' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*', value: '' }
+supported_os: [ Windows ]
+---
+name: WindowsGroupPolicyScripts
+doc: Windows group policy scripts
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\psscripts.ini'
+ - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\scripts.ini'
+ - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logoff\*'
+ - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logon\*'
+ - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\psscripts.ini'
+ - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\scripts.ini'
+ - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Shutdown\*'
+ - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Startup\*'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsLogoffScript
+doc: Windows policy logoff script
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff' }
+supported_os: [ Windows ]
+---
+name: WindowsLogonScript
+doc: Windows policy logon script
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon' }
+supported_os: [ Windows ]
+---
+name: WindowsLSAAuthenticationPackages
+doc: Authentication Packages can be injected into LSASS.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages' }
+supported_os: [ Windows ]
+---
+name: WindowsLSANotificationPackages
+doc: Notification Packages can be injected into LSASS.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages' }
+supported_os: [ Windows ]
+---
+name: WindowsLSASecurityPackages
+doc: Security Packages can be injected into LSASS.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages' }
+supported_os: [ Windows ]
+---
+name: WindowsMostRecentApplication
+doc: Windows Most Recent Application name key
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name' }
+supported_os: [ Windows ]
+---
+name: WindowsMSDTCDLLs
+doc: Windows MSDTC attempts to load these DLLs on start
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*'
+supported_os: [ Windows ]
+---
+name: WindowsMultiMediaDrivers
+doc: Configured drivers for different multimedia filetypes.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+ - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+ - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+supported_os: [ Windows ]
+---
+name: WindowsNetworkShellHelpers
+doc: Windows Network Shell (netsh) helpers are loaded on boot
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh'
+supported_os: [ Windows ]
+---
+name: WindowsOpenSaveMRU
+doc: Information about files opened or saved in a Windows shell dialog.
+sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\OpenSaveMRU\*' ] +supported_os: [ Windows ] +--- +name: WindowsOpenSavePidlMRU +doc: Information about files opened or saved in a Windows shell dialog. +sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*' ] +supported_os: [ Windows ] +--- +name: WindowsPendingGPOs +doc: | + Windows Pending GPOs registry settings. + + This is a persistence mechanism known to be used by the Gootkit malware family. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1' } +supported_os: [ Windows ] +--- +name: WindowsPersistenceMechanisms +doc: Persistence mechanisms in Windows. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsPersistenceRegistryKeys + - WindowsPowerShellDefaultProfiles + - WindowsServices + - WindowsJobFiles +supported_os: [ Windows ] +--- +name: WindowsPersistenceRegistryKeys +doc: Windows Registry keys used for persistence. 
+sources: + - type: ARTIFACT_GROUP + attributes: + names: + - InternetExplorerBrowserHelperObjectsRegistryKeys + - WindowsActiveDesktop + - WindowsActiveSyncAutoStart + - WindowsAlternateShell + - WindowsAppCertDLLs + - WindowsAppInitDLLs + - WindowsBootVerificationProgram + - WindowsCommandProcessorAutoRun + - WindowsCredentialProviderFilters + - WindowsCredentialProviders + - WindowsDebugger + - WindowsEnvironmentUserLoginScripts + - WindowsExplorerAutoplayHandlers + - WindowsFileTypeAutorunAssociations + - WindowsFontDrivers + - WindowsIconServiceLib + - WindowsLSAAuthenticationPackages + - WindowsLSANotificationPackages + - WindowsLSASecurityPackages + - WindowsMSDTCDLLs + - WindowsMultiMediaDrivers + - WindowsNetworkShellHelpers + - WindowsPendingGPOs + - WindowsPLAPProviders + - WindowsPrintMonitors + - WindowsRunGrpConv + - WindowsRunKeys + - WindowsRunServices + - WindowsScreenSaverExecutable + - WindowsSearchFilterHandlers + - WindowsSecurityProviders + - WindowsServiceControlManagerExtension + - WindowsSessionManagerBootExecute + - WindowsSessionManagerExecute + - WindowsSessionManagerS0InitialCommand + - WindowsSessionManagerSetupExecute + - WindowsSessionManagerSubSystems + - WindowsSessionManagerWOWCommandLine + - WindowsSetupCommandLine + - WindowsSharedTaskScheduler + - WindowsShellExecuteHooks + - WindowsShellExtensions + - WindowsShellIconOverlayIdentifiers + - WindowsShellLoadAndRun + - WindowsShellOpenCommand + - WindowsShellRunasCommand + - WindowsShellServiceObjects + - WindowsStubPaths + - WindowsSystemPolicyShell + - WindowsTerminalServerInitialProgram + - WindowsTerminalServerRunKeys + - WindowsTerminalServerStartupPrograms + - WindowsToolPaths + - WindowsWinlogonAppSetup + - WindowsWinlogonAvailableShells + - WindowsWinlogonGinaDLL + - WindowsWinlogonGPExtensions + - WindowsWinlogonNotify + - WindowsWinlogonShell + - WindowsWinlogonSystem + - WindowsWinlogonTaskman + - WindowsWinlogonUiHost + - WindowsWinlogonUserinit + - 
WindowsWinlogonVMApplet + - WinSock2LayeredServiceProviders + - WinSock2NamespaceProviders +supported_os: [ Windows ] +--- +name: WindowsPLAPProviders +doc: Windows Pre-Logon Access Provider (PLAP) Providers +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' +supported_os: [ Windows ] +--- +name: WindowsPowerShellDefaultProfiles +doc: Default PowerShell Profile files. These files are executed by default when PowerShell starts up. +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1' + - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' + - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1' + - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsPrefetchFiles +doc: Windows Prefetch files. +sources: + - type: FILE + attributes: + paths: [ '%%environ_systemroot%%\Prefetch\*.pf' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsPrintMonitors +doc: Windows Print Monitor DLL config. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\*', value: 'Driver' } ] +supported_os: [ Windows ] +--- +name: WindowsRecycleBin +doc: Windows Recycle Bin (Recyler, $Recycle.Bin) files. +sources: + - type: FILE + attributes: + paths: + - '\$Recycle.Bin\**' + - '\Recycler\**' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsRegistryProfileSIDs +doc: Get SIDs for all users on the system with profiles present in the Registry. 
+sources: + - type: REGISTRY_KEY + attributes: { keys: [ 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*' ] } + provides: + - key: users.sid + regex: 'ProfileList\\(.+)$' +supported_os: [ Windows ] +--- +name: WindowsRegistryProfiles +doc: | + Get SIDs for all users on the system with profiles present in the Registry. + + This looks in the Windows Registry where the profiles are stored and retrieves + the paths for each profile. +sources: + - type: REGISTRY_VALUE + attributes: { key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath' } ] } + provides: + - key: users.userprofile + - key: users.username + regex: '.*\\(.+)' +supported_os: [ Windows ] +--- +name: WindowsRunGrpConv +doc: | + The Windows RunGrpConv Registry value. + + When this Registry value is non-zero userinit.exe will launch grpconv.exe at user login. +sources: + - type: REGISTRY_VALUE + attributes: { key_value_pairs: [ { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv' } ] } +supported_os: [ Windows ] +--- +name: WindowsRunKeys +doc: | + Windows Run and RunOnce keys. + + Note users.sid will currently only expand to SIDs with profiles + on the system, not all SIDs. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx' +supported_os: [ Windows ] +--- +name: WindowsRunServices +doc: Windows Run Services. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServices' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices' +supported_os: [ Windows ] +--- +name: WindowsScheduledTasks +doc: Windows Scheduled Tasks. +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\Tasks\**10' + - '%%environ_systemroot%%\System32\Tasks\**10' + - '%%environ_systemroot%%\SysWow64\Tasks\**10' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsScreenSaverExecutable +doc: ScreenSaver Executable +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe' } + - { key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe' } +supported_os: [ Windows ] +--- +name: WindowsSecurityProviders +doc: Security Providers DLLs +sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders' ] +supported_os: [ Windows ] +--- +name: WindowsServiceControlManagerExtension +doc: Windows service control manager extension +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control', value: 'ServiceControlManagerExtension' } ] +supported_os: [ Windows ] +--- 
+name: WindowsServices +doc: | + Windows services from the Registry. + + Malware can add new services to gain persistence, or modify + existing ones to avoid detection. For example, the ZeroAccess + rootkit will make the following changes to the WSCSVC (Windows + Security Service Center), WINDEFEND (Windows Defender), + and MPSSVC (Windows Firewall) services, among others + + * Set 'Start' to 4, indicating that the service should be disabled + * Set 'DeleteFlag' to 1, indicating that the service should be removed + * Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be + started by the Service Controller and no error messages generated +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*' + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\Parameters' +supported_os: [ Windows ] +--- +name: WindowsFontDrivers +doc: Windows font drivers from the Registry. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers\*' +supported_os: [ Windows ] +--- +name: WindowsSessionManagerBootExecute +doc: Windows Session Manager BootExecute persistence. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'BootExecute' } ] +supported_os: [ Windows ] +--- +name: WindowsSessionManagerExecute +doc: | + Windows Session Manager Execute persistence + + This entry shouldn't be populated after Windows has been installed +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'Execute' } ] +supported_os: [ Windows ] +--- +name: WindowsSessionManagerS0InitialCommand +doc: | + Windows Session Manager S0InitialCommand persistence + + This entry shouldn't be populated after Windows has been installed +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'S0InitialCommand' } ] +supported_os: [ Windows ] +--- +name: WindowsSessionManagerSetupExecute +doc: | + Windows Session Manager SetupExecute persistence + + This entry shouldn't be populated after Windows has been installed +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'SetupExecute' } ] +supported_os: [ Windows ] +--- +name: WindowsSessionManagerSubSystems +doc: Windows Session Manager SubSystems persistence +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems', value: 'Windows' } ] +supported_os: [ Windows ] +--- +name: WindowsSessionManagerWOWCommandLine +doc: Windows Session Manager Windows-on-Windows (WOW) command line +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session 
Manager\WOW', value: 'wowcmdline' } +supported_os: [ Windows ] +--- +name: WindowsSetupCommandLine +doc: Command line invocation used for custom setup and deployment tasks +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\Setup', value: 'CmdLine' } +supported_os: [ Windows ] +--- +name: WindowsSharedTaskScheduler +doc: Runs on windows boot. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' +supported_os: [ Windows ] +--- +name: WindowsShellExecuteHooks +doc: Shell execution hooks are called when ShellExecuteEx() is called. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' +supported_os: [ Windows ] +--- +name: WindowsShellExtensions +doc: Approved extensions to the Windows Shell (explorer.exe). +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' +supported_os: [ Windows ] +--- +name: WindowsShellIconOverlayIdentifiers +doc: Called to display custom icons. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' +supported_os: [ Windows ] +--- +name: WindowsShellLoadAndRun +doc: Windows Shell Load and Run values +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run' } +supported_os: [ Windows ] +--- +name: WindowsIconServiceLib +doc: | + Windows Icon Service Library Name + + The value should default to 'IconCodecService.dll' +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'IconServiceLib' } +supported_os: [ Windows ] +--- +name: WindowsShellOpenCommand +doc: Executed every time this file type is opened. For most file types, the value should be '"%1" %*'. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: 'IsolatedCommand' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: 'IsolatedCommand' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand' } +supported_os: [ Windows ] +--- +name: WindowsShellRunasCommand +doc: | + Executed every time an executable or script file type is run as administrator. + + For most file types, the value should be '"%1" %*' or something similar. + Example file type subkeys include 'exefile', 'batfile', and 'cmdfile'. These + keys can be modified by malware as a way to be periodically executed or to + bypass UAC. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand' } +supported_os: [ Windows ] +--- +name: WindowsShellServiceObjects +doc: Windows Shell (explorer.exe) service objects delayed load. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' +supported_os: [ Windows ] +--- +name: WindowsSetupApiLogs +doc: Windows setup API logs. +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\setupapi.log' + - '%%environ_systemroot%%\inf\setupapi.app.log' + - '%%environ_systemroot%%\inf\setupapi.dev.log' + - '%%environ_systemroot%%\inf\setupapi.offline.log' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsStartupFolders +doc: Windows startup folder persistence. 
+sources: + - type: FILE + attributes: + paths: + - '%%environ_allusersappdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*' + - '%%environ_allusersappdata%%\Start Menu\Programs\Startup\*' + - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*' + - '%%users.userprofile%%\Start Menu\Programs\Startup\*' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsStartupScript +doc: Windows policy startup script +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Script' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Parameters' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Script' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Parameters' } +supported_os: [ Windows ] +--- +name: WindowsStubPaths +doc: | + Windows StubPath persistence. + + Each time a user logs in, the Active Setup Installed Components in HKLM + are compared ot the ones in HKCU, and if any are missing, or if the + associated version is less, the program is executed. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version' } +supported_os: [ Windows ] +--- +name: WindowsSystemPolicyShell +doc: Windows System policy replacement shell (custom user interface). +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell' } +supported_os: [ Windows ] +--- +name: WindowsSystemRegistryFiles +doc: Windows system Registry files. 
+sources: + - type: FILE + attributes: + paths: + - '%%environ_systemdrive%%\System Volume Information\Syscache.hve' + - '%%environ_systemroot%%\System32\config\SAM' + - '%%environ_systemroot%%\System32\config\SECURITY' + - '%%environ_systemroot%%\System32\config\SOFTWARE' + - '%%environ_systemroot%%\System32\config\SYSTEM' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsSystemResourceUsageMonitorDatabaseFile +doc: Windows System Resource Usage Monitor (SRUM) database file. +sources: + - type: FILE + attributes: + paths: [ '%%environ_systemroot%%\System32\sru\SRUDB.dat' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsTerminalServerRunKeys +doc: Windows Terminal Server Run keys +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' + - 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' +supported_os: [ Windows ] +--- +name: WindowsTerminalServerStartupPrograms +doc: Windows Terminal Server Startup Programs +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms' } +supported_os: [ Windows ] +--- +name: WindowsTerminalServerInitialProgram +doc: Windows Terminal Server Initial Program +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', value: 'InitialProgram' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' } +supported_os: [ Windows ] +--- +name: WindowsActiveSyncAutoStart +doc: Windows ActiveSync AutoStart entries +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE 
Services\AutoStartOnConnect\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect\*' +supported_os: [ Windows ] +--- +name: WindowsTimezone +doc: The time zone of the system as a Windows time zone name or in MUI form. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName' } +supported_os: [ Windows ] +--- +name: WindowsToolPaths +doc: Paths to windows tools such as defrag, chkdsk. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath' +supported_os: [ Windows ] +--- +name: WindowsUninstallKeys +doc: Uninstall Registry keys +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' + - 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' +supported_os: [ Windows ] +--- +name: WindowsUserShellFoldersOfInterest +doc: The Shell Folders information for Windows users, defined as single values for knowledge base extraction +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'AppData' } + provides: [ { key: users.appdata } ] + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Local AppData' } + provides: [ { key: users.localappdata } ] +supported_os: [ Windows ] +--- +name: WindowsWinlogonGinaDLL +doc: Windows Gina DLL replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonNotify +doc: Windows Winlogon Notify DLL names. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonShell +doc: Windows shell replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonSystem +doc: Applications launched by Winlogon in the system context during the system initialisation. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonTaskman +doc: Windows Winlogon Taskman replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonUiHost +doc: Windows Winlogon UI screen application +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonUserinit +doc: Windows Winlogon Userinit replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonAvailableShells +doc: | + Windows Server Winlogon Available Shells + + Used to specify an alternate shell application to be launched when + logging into Windows Server 2012 and later. Legitimate keys under + AvailableShells should just cause cmd.exe or explorer.exe to be executed, + whereas malicious programs may create keys that cause malware to be run + when a user logs in. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells\*' ] +supported_os: [ Windows ] +--- +name: WindowsWinlogonVMApplet +doc: Windows VMApplet replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonAppSetup +doc: Windows Winlogon Appsetup +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonGPExtensions +doc: | + Windows Winlogon Group Policy Extensions + + These keys specify DLLs that should be loaded when the group policy + engine loads, and can act as a persistence mechanism for malware. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName' } +supported_os: [ Windows ] +--- +name: WinSock2LayeredServiceProviders +doc: Used to filter TCP/IP traffic through WinSock2. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*' + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*' +supported_os: [ Windows ] +--- +name: WinSock2NamespaceProviders +doc: Used to provide name-resolution services through WinSock2 +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*', value: 'LibraryPath' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*', value: 'LibraryPath' } +supported_os: [ Windows ] +--- +name: WindowsJobFiles +doc: Files for the Windows Task Scheduler +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\system32\Tasks\**10' + - '%%environ_systemroot%%\Tasks\**10' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsNetworkInterfaceInformation +doc: Details for network interfaces and their names +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Services\Tcpip\Parameters\Interfaces\*' + - 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\*\Connection' +supported_os: [ Windows ] +--- +name: WindowsHotfixes +doc: Windows Registry Keys that contain Hotfix information +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Updates\*\*' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\*\*' +supported_os: [ Windows ] +--- +name: WindowsDefaultPaths +doc: Default Paths for many parameters +sources: + - type: PATH + attributes: + paths: + - '%%environ_systemdrive%%\Users' + 
separator: '\' + provides: [ { key: environ_profilesdirectory } ] + - type: PATH + attributes: + paths: + - '%%environ_profilesdirectory%%\*' + - '\Users\*' + separator: '\' + provides: + - { key: users.userprofile } + - { key: users.username, regex: '.*\\(.+)' } + - type: PATH + attributes: + paths: + - '%%environ_profilesdirectory%%\*\AppData\Roaming' + - '\Users\*\AppData\Roaming' + separator: '\' + provides: [ { key: users.appdata } ] + - type: PATH + attributes: + paths: + - '%%environ_profilesdirectory%%\*\AppData\Local' + - '\Users\*\AppData\Local' + separator: '\' + provides: [ { key: users.localappdata } ] +supported_os: [ Windows ] +--- +name: WindowsUserSIDDefaultKeys +doc: Bruteforce SIDs +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\*' + provides: [ { key: users.sid, regex: '.*\\(.+)' } ] +supported_os: [ Windows ] diff --git a/config/artifacts/windows_logs.yaml b/config/artifacts/windows_logs.yaml new file mode 100644 index 0000000..7870592 --- /dev/null +++ b/config/artifacts/windows_logs.yaml 
@@ -0,0 +1,101 @@ +# Windows event logs. + +name: WindowsEventLogs +doc: Windows Event logs. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsEventLogApplicationFile' + - 'WindowsEventLogSecurityFile' + - 'WindowsEventLogSystemFile' + - 'WindowsXMLEventLogApplicationFile' + - 'WindowsXMLEventLogSecurityFile' + - 'WindowsXMLEventLogSysmonFile' + - 'WindowsXMLEventLogSystemFile' + - 'WindowsXMLEventLogTerminalServicesFile' +supported_os: [ Windows ] +--- +name: WindowsEventLogPath +doc: Windows Event log locations. +sources: + - type: PATH + attributes: + paths: + - '%%environ_systemroot%%\System32\config' + - '%%environ_systemroot%%\System32\winevt\Logs' + separator: '\' + provides: [ { key: windows_event_logs } ] +supported_os: [ Windows ] +--- +name: WindowsEventLogApplicationFile +doc: Application Windows Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\AppEvent.evt' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsEventLogSecurityFile +doc: Security Windows Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\SecEvent.evt' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsEventLogSystemFile +doc: System Windows Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\SysEvent.evt' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogApplicationFile +doc: Application Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Application.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogSecurityFile +doc: Security Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Security.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogSysmonFile +doc: Sysmon Windows XML Event Log. 
+sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Microsoft-Windows-Sysmon%4Operational.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogSystemFile +doc: System Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\System.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogTerminalServicesFile +doc: TerminalServices Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' ] + separator: '\' +supported_os: [ Windows ] diff --git a/config/artifacts/windows_persistence.yaml b/config/artifacts/windows_persistence.yaml new file mode 100644 index 0000000..d40facd --- /dev/null +++ b/config/artifacts/windows_persistence.yaml 
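Review bot: `WindowsEventLogs` is documented as `Windows Event logs.` but names only seven channel files, so a reader of the doc would expect channels such as PowerShell or WMI-Activity to be covered when they are not; suggest `doc: Selected Windows Event log files (legacy .evt plus the Application, Security, System, Sysmon and TerminalServices-LocalSessionManager .evtx channels).`. `WindowsEventLogPath` provides `windows_event_logs` from both `System32\config` and `System32\winevt\Logs`, so every file artifact below is expanded under both roots; a one-line comment on that source (legacy `.evt` under config, `.evtx` under winevt\Logs) would make the double expansion read as intentional rather than accidental.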
@@ -0,0 +1,190 @@ +# Arifacts used for persistence on Windows. + +name: WindowsPersistence +doc: Windows persistence mechanisms. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsEnvironmentVariableSystemRoot' + - 'WindowsRegistryProfiles' + - 'WindowsPersistenceMechanisms' + - 'WindowsApplicationCompatibilityShims' + - 'WindowsAppCertDLLsAlt' + - 'WindowsCOMProperties' + - 'WindowsBrowserPersistenceKeys' + - 'InternetExplorerBrowserHelperObjectsRegistryKeys' + - 'WindowsBrowserPersistenceFiles' + - 'WindowsFileAssociation' + - 'WindowsScheduledTasks' + - 'WindowsTimeProviders' + - 'WindowsSIPandTrustProviderHijacking' + - 'WindowsKnownDLLs' + - 'WindowsOfficeApplicationStartup' + - 'WindowsImageHijacks' + - 'WindowsCommandProcessorAutoRun' + - 'WindowsDebugger' + - 'WindowsCodecs' + - 'WindowsFontDriversAlt' + - 'WindowsStartupFolders' + - 'WindowsStartupScript' + - 'WindowsGroupPolicyScripts' + - 'WindowsLogonScript' + - 'WindowsLogoffScript' +supported_os: [ Windows ] +--- +name: WindowsBrowserPersistenceKeys +doc: Registry keys for various browser extensions or wrapper objects. +sources: + - type: REGISTRY_KEY + attributes: + keys: + # - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' + # - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\*' +supported_os: [ Windows ] +--- +name: WindowsBrowserPersistenceFiles +doc: Windows Scheduled Tasks. 
+sources: + - type: FILE + attributes: + paths: + - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\extensions.json' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsFileAssociation +doc: User file association preferences +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\OpenWithList' + - 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\OpenWithList' +supported_os: [ Windows ] +--- +name: WindowsImageHijacks +doc: Various image hijack mechanisms used for persistence. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + # - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + # - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*', value: 'MonitorProcess' } + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\Command', value: '' } + - { key: 
'HKEY_USERS\%%users.sid%%\Software\Classes\Exefile\Shell\Open\Command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Htmlfile\Shell\Open\Command', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Htmlfile\Shell\Open\Command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\.cmd', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.cmd', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\.exe', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.exe', value: '' } +supported_os: [ Windows ] +--- +name: WindowsTimeProviders +doc: Windows time provider services. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\*' +supported_os: [ Windows ] +--- +name: WindowsSIPandTrustProviderHijacking +doc: SIP are responsible for signature procession and can be abused by adversaries. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\*', value: '`$DLL' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\*', value: '`$DLL' } +supported_os: [ Windows ] +--- +name: WindowsKnownDLLs +doc: DLLs that can be abused by search order hijacking. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs' +supported_os: [ Windows ] +--- +name: WindowsOfficeApplicationStartup +doc: Add-ins and plug-ins registered to hook into office apps. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office test\Special\Perf' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\*\Addins\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\Addins\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\*\Addins\*' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Office\*\Addins\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\*\Outlook\WebView\Calendar\URL' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\Outlook\WebView\Calendar\URL' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\*\Outlook\WebView\Inbox' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\Outlook\WebView\Inbox' +supported_os: [ Windows ] +--- +name: WindowsCodecs +doc: Codecs are executable software that can be loaded by media playback software. They could be abused for system persistence. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\Filter' + - 
'HKEY_USERS\%%users.sid%%\Software\Classes\Filter' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Drivers32' +supported_os: [ Windows ] +--- +name: WindowsAppCertDLLsAlt +doc: Windows AppCertDLLs persistence. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'AppCertDLLs' } +supported_os: [ Windows ] +--- +name: WindowsFontDriversAlt +doc: Windows font drivers from the Registry. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers' +supported_os: [ Windows ] diff --git a/config/artifacts/windows_usb.yaml b/config/artifacts/windows_usb.yaml new file mode 100644 index 0000000..ce21e6f --- /dev/null +++ b/config/artifacts/windows_usb.yaml 
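Review bot: `WindowsBrowserPersistenceFiles` carries `doc: Windows Scheduled Tasks.`, which does not match its only source, the per-profile Firefox `extensions.json`; suggest `doc: Browser extension inventories on disk (Firefox extensions.json per profile).`. The file header comment reads `# Arifacts used for persistence on Windows.` — `Artifacts`. `WindowsBrowserPersistenceKeys` and `WindowsImageHijacks` both keep commented-out key lists (Browser Helper Objects, Image File Execution Options `Debugger`, Command Processor `AutoRun`); if these now live in the `InternetExplorerBrowserHelperObjectsRegistryKeys`, `WindowsDebugger` and `WindowsCommandProcessorAutoRun` members named in the `WindowsPersistence` group, a short comment saying so (or deleting the dead lines) would stop readers from assuming those locations are no longer collected.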
@@ -0,0 +1,59 @@
+# USB Artifacts
+
+name: WindowsUSBInformation
+doc: Windows Event logs.
+sources:
+ - type: ARTIFACT_GROUP
+ attributes:
+ names:
+ - 'WindowsUSBDeviceInformations'
+ - 'WindowsUSBVolumeAndDriveMapping'
+ - 'WindowsUSBUserMountedDevices'
+ - 'WindowsDeviceSetupFile'
+supported_os: [ Windows ]
+---
+name: WindowsUSBDeviceInformations
+doc: |
+ Windows USB Device Informations.
+
+ USBSTOR subkey only exists when there ever was an USB device mounted.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\**'
+supported_os: [ Windows ]
+---
+name: WindowsUSBVolumeAndDriveMapping
+doc: |
+ Windows USB volume and drive mapping.
+
+ Displays the mapping of USB devices to drives and volumes.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices'
+supported_os: [ Windows ]
+---
+name: WindowsUSBUserMountedDevices
+doc: |
+ Windows USB user mounted devices.
+
+ Shows the GUIDs of all devices the user has ever mounted.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\**'
+supported_os: [ Windows ]
+---
+name: WindowsDeviceSetupFile
+doc: Logfiles for Windows PNP driver installation
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\inf\setupapi*.log'
+ separator: '\'
+supported_os: [ Windows ]
diff --git a/tools/artifactvalidator/main.go b/tools/artifactvalidator/main.go
index dd1352e..17e34b6 100644
--- a/tools/artifactvalidator/main.go
+++ b/tools/artifactvalidator/main.go
@@ -41,6 +41,7 @@ import (
 "path/filepath"
 "runtime"
 "sort"
+ "strings"
 "github.com/olekukonko/tablewriter"
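Review bot: `WindowsUSBInformation` carries `doc: Windows Event logs.`, evidently copied from the event-log group, although it bundles USBSTOR enumeration, MountedDevices, MountPoints2 and the setupapi logs; suggest `doc: Windows USB device history (USBSTOR enumeration, volume and drive mapping, per-user mount points and setupapi logs).`. The name and doc of `WindowsUSBDeviceInformations` also read better as `Information` (uncountable), though renaming it would have to touch the group list above it as well.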
@@ -52,6 +53,7 @@ func main() { // nolint:gocyclo,gocognit,funlen
 exitcode := 0
 // parse flags
+ var entrypoints string
 var verbose, summary, quite, nofail bool
 flag.BoolVar(&verbose, "verbose", false, "show common flaws as well")
 flag.BoolVar(&verbose, "v", false, "show common flaws as well"+" (shorthand)")
@@ -60,6 +62,7 @@ func main() { // nolint:gocyclo,gocognit,funlen
 flag.BoolVar(&summary, "summary", false, "show summary")
 flag.BoolVar(&summary, "s", false, "show summary"+" (shorthand)")
 flag.BoolVar(&nofail, "no-fail", false, "do not fail on flaws")
+ flag.StringVar(&entrypoints, "entrypoints", "", "entrypoint for the artifact collection which are not marked as unused, e.g. 'DefaultCollection1', can be a comma separated list")
 flag.Parse()
 // setup logging
@@ -88,7 +91,7 @@ func main() { // nolint:gocyclo,gocognit,funlen
 }
 // parse artifacts
- flaws, err := ValidateFiles(args)
+ flaws, err := ValidateFiles(args, strings.Split(entrypoints, ","))
 if err != nil {
 slog.ErrorContext(ctx, err.Error())
diff --git a/tools/artifactvalidator/validator.go b/tools/artifactvalidator/validator.go
index 26792fe..6765cfc 100644
--- a/tools/artifactvalidator/validator.go
+++ b/tools/artifactvalidator/validator.go
@@ -24,10 +24,12 @@ package main
 import (
 "bufio"
 "fmt"
+ "maps"
 "net/http"
 "os"
 "path/filepath"
 "regexp"
+ "slices"
 "sort"
 "strings"
 "sync"
@@ -90,7 +92,7 @@ func (r *validator) addErrorf(filename, artifactDefiniton, format string, a ...i
 }
 // ValidateFiles checks a list of files for various flaws.
-func ValidateFiles(filenames []string) (flaws []Flaw, err error) {
+func ValidateFiles(filenames []string, entrypoints []string) (flaws []Flaw, err error) {
 artifactDefinitionMap := map[string][]artifacts.ArtifactDefinition{}
 // decode file
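Review bot: `strings.Split(entrypoints, ",")` in the `ValidateFiles` call yields `[""]` when `-entrypoints` is not given and keeps surrounding whitespace, so `-entrypoints='A, B'` never matches a definition named `B` and everything only referenced from it is reported as unused; `strings.FieldsFunc(entrypoints, func(r rune) bool { return r == ',' })` drops the empty entry, and applying `strings.TrimSpace` to each field handles the spaces. The help text for the new flag is hard to parse; suggest `"comma separated list of artifact names used as entry points; definitions reachable from them are not reported as unused, e.g. 'DefaultCollection1'"`. `main` starts and ends outside these hunks. The doc comment on `ValidateFiles` in the last hunk on this line, and those on `ValidateArtifactDefinitions` and `validateArtifactDefinitions` in the following hunks, still describe only the file list or map; add a sentence such as `// entrypoints names the artifacts treated as roots when reporting unused definitions.` to each.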
@@ -106,19 +108,19 @@ func ValidateFiles(filenames []string) (flaws []Flaw, err error) {
 }
 // validate
- flaws = append(flaws, ValidateArtifactDefinitions(artifactDefinitionMap)...)
+ flaws = append(flaws, ValidateArtifactDefinitions(artifactDefinitionMap, entrypoints)...)
 return
 }
 // ValidateArtifactDefinitions validates a map of artifact definitions and returns any flaws found in those.
-func ValidateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition) []Flaw {
+func ValidateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition, entrypoints []string) []Flaw {
 r := newValidator()
- r.validateArtifactDefinitions(artifactDefinitionMap)
+ r.validateArtifactDefinitions(artifactDefinitionMap, entrypoints)
 return r.flaws
 }
 // validateArtifactDefinitions validates single artifacts.
-func (r *validator) validateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition) {
+func (r *validator) validateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition, entrypoints []string) {
 var globalArtifactDefinitions []artifacts.ArtifactDefinition
 for filename, artifactDefinitions := range artifactDefinitionMap {
@@ -139,6 +141,7 @@ func (r *validator) validateArtifactDefinitions(artifactDefinitionMap map[string
 r.validateGroupMemberExist(globalArtifactDefinitions)
 r.validateNoCycles(globalArtifactDefinitions)
 r.validateParametersProvided(globalArtifactDefinitions)
+ r.validateUnused(globalArtifactDefinitions, entrypoints)
 r.validateArtifactURLs(artifactDefinitionMap)
 }
@@ -155,6 +158,7 @@ func (r *validator) validateArtifactDefinition(filename string, artifactDefiniti
 r.validateNamePrefix(filename, artifactDefinition)
 r.validateOSSpecific(filename, artifactDefinition)
 r.validateArtifactOS(filename, artifactDefinition)
+ r.validateNoDefinitionLabels(filename, artifactDefinition)
 r.validateNoDefinitionConditions(filename, artifactDefinition)
 r.validateNoDefinitionProvides(filename, artifactDefinition)
 if macosArtifact {
@@ -368,6 +372,48 @@ func (r *validator) validateParametersProvided(artifactDefinitions []artifacts.A
 }
 }
 }
+
+ for operatingSystem := range knownProvides {
+ for key := range knownProvides[operatingSystem] {
+ if !slices.Contains(slices.Collect(maps.Keys(parametersRequired[operatingSystem])), key) {
+ r.addWarningf(
+ "", knownProvides[operatingSystem][key],
+ "Provided key %s is not used for %s", key, operatingSystem,
+ )
+ }
+ }
+ }
+}
+
+func (r *validator) validateUnused(artifactDefinitions []artifacts.ArtifactDefinition, entrypoints []string) {
+ used := map[string]bool{}
+
+ for _, entrypoint := range entrypoints {
+ used[entrypoint] = true
+ }
+
+ for _, artifactDefinition := range artifactDefinitions {
+ for _, source := range artifactDefinition.Sources {
+ for _, path := range source.Attributes.Names {
+ used[path] = true
+ }
+
+ for _, source := range artifactDefinition.Sources {
+ if len(source.Provides) > 0 {
+ used[artifactDefinition.Name] = true
+ }
+ }
+ }
+ }
+
+ for _, artifactDefinition := range artifactDefinitions {
+ if _, ok := used[artifactDefinition.Name]; !ok {
+ r.addInfof(
+ "", artifactDefinition.Name,
+ "Artifact %s is not used", artifactDefinition.Name,
+ )
+ }
+ }
 }
 func (r *validator) validateArtifactURLs(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition) {
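Review bot: In `validateUnused` the second `for _, source := range artifactDefinition.Sources` is nested inside the first one instead of following it, which shadows `source` and re-walks the whole source list once per source; the intent is met by dropping that inner loop and keeping `if len(source.Provides) > 0 { used[artifactDefinition.Name] = true }` in the outer body. Note also that `used` is not transitive from `entrypoints` — a group that is itself unreachable still marks its members as used — so the check only reports definitions that nothing references at all; if reachability from the entry points is what `-entrypoints` is meant to express, walk the group graph from `entrypoints` instead. In the `validateParametersProvided` addition, `slices.Contains(slices.Collect(maps.Keys(parametersRequired[operatingSystem])), key)` materialises every key just to test membership; `if _, ok := parametersRequired[operatingSystem][key]; !ok {` is the direct form, is safe when the inner map is nil, and, as far as this hunk shows, makes the new `maps` and `slices` imports unnecessary. `validateUnused` also lacks a doc comment in the file's style, e.g. `// validateUnused reports definitions that are neither an entry point, nor named by a group, nor providing a parameter.`; the end of `validateParametersProvided` and its loop variables are outside this hunk.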
@@ -566,6 +612,12 @@ func (r *validator) validateArtifactOS(filename string, artifactDefinition artif
 }
 }
+func (r *validator) validateNoDefinitionLabels(filename string, artifactDefinition artifacts.ArtifactDefinition) {
+ if len(artifactDefinition.Labels) > 0 {
+ r.addInfof(filename, artifactDefinition.Name, "Definition labels are deprecated")
+ }
+}
+
 func (r *validator) validateNoDefinitionConditions(filename string, artifactDefinition artifacts.ArtifactDefinition) {
 if len(artifactDefinition.Conditions) > 0 {
 r.addInfof(filename, artifactDefinition.Name, "Definition conditions are deprecated")
diff --git a/tools/artifactvalidator/validator_test.go b/tools/artifactvalidator/validator_test.go
index 1f9aba9..7f61b56 100644
--- a/tools/artifactvalidator/validator_test.go
+++ b/tools/artifactvalidator/validator_test.go
@@ -117,7 +117,7 @@ func TestValidator_ValidateFilesInvalid(t *testing.T) {
 tt.yamlfile: ads,
 }
- r.validateArtifactDefinitions(artifactDefinitionMap)
+ r.validateArtifactDefinitions(artifactDefinitionMap, nil)
 if len(flaws)+len(r.flaws) == 0 {
 t.Errorf("Validator.ValidateFiles() %s has no flaws", tt.yamlfile)
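Review bot: `validateNoDefinitionLabels` has no doc comment, while the validators visible elsewhere in this file (`validateArtifactDefinitions`, for instance) document their purpose; suggest `// validateNoDefinitionLabels reports definition-level labels, which are deprecated, as informational flaws.`. Since it reports at Info level only, a definition carrying labels still passes validation — worth stating in that comment if that is the intended policy, as the message alone reads like a rejection.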