From c063690d4445a1d65df3fbadd56e1974a4584491 Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Wed, 4 Sep 2024 15:54:30 -0400
Subject: [PATCH 1/2] Update DFIRBatch.reb

Add additional third party applications
---
 BatchExamples/DFIRBatch.reb | 175 ++++++++++++++++++++++++++++++++++++
 1 file changed, 175 insertions(+)

diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
index 0c818a7..56a4817 100644
--- a/BatchExamples/DFIRBatch.reb
+++ b/BatchExamples/DFIRBatch.reb
@@ -2693,6 +2693,181 @@ Keys:
 Recursive: false
 Comment: "Displays the location of the SQLite database associated with 4K Video Downloader"
+# Third Party Applications -> AnyDesk - https://anydesk.com
+
+ -
+ Description: AnyDesk
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\AnyDesk
+ Recursive: true
+ Comment: "Displays artifacts relating to AnyDesk"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> Atera - https://www.atera.com
+
+ -
+ Description: Atera
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\AteraAgent
+ Recursive: true
+ Comment: "Displays artifacts relating to Atera"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> ConnectWise (ScreenConnect) - https://screenconnect.connectwise.com/
+
+ -
+ Description: ConnectWise (ScreenConnect)
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\ScreenConnect Client*
+ ValueName: DisplayName
+ Recursive: false
+ Comment: "Displays artifacts relating to ConnectWise (ScreenConnect)"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> LogMeIn - https://www.logmein.com
+
+ -
+ Description: LogMeIn
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\LogMeIn
+ Recursive: true
+ Comment: "Displays artifacts relating to LogMeIn"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> RemoteUtilities - https://www.remoteutilities.com/
+
+ -
+ Description: RemoteUtilities
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\RManService
+ Recursive: true
+ Comment: "Displays artifacts relating to RemoteUtilities"
+ -
Description: RemoteUtilities
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: Usoris\Remote Utilities\RManService\Host\Parameters
+ Recursive: true
+ Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration"
+ -
+ Description: RemoteUtilities
+ HiveType: NTUSER
+ Category: Third Party Applications
+ KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters
+ ValueName: General
+ Recursive: false
+ Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output"
+ -
+ Description: RemoteUtilities
+ HiveType: NTUSER
+ Category: Third Party Applications
+ KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters
+ ValueName: InternetId
+ Recursive: false
+ Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output"
+ -
+ Description: RemoteUtilities
+ HiveType: NTUSER
+ Category: Third Party Applications
+ KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters
+ ValueName: Security
+ Recursive: false
+ Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output"
+ -
+ Description: RemoteUtilities
+ HiveType: NTUSER
+ Category: Third Party Applications
+ KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters
+ ValueName: FUSClientPath
+ Recursive: false
+ Comment: "Displays artifacts relating to RemoteUtilities Configuration"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> Splashtop - https://www.splashtop.com/
+
+ -
+ Description: Splashtop
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\SplashtopRemoteService
+ Recursive: true
+ Comment: "Displays artifacts relating to Splashtop"
+ -
+ Description: Splashtop
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\SSUService
+ Recursive: true
+ Comment: "Displays 
artifacts relating to Splashtop"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> TeamViewer - https://www.teamviewer.com/en-us/
+
+ -
+ Description: TeamViewer
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\TeamViewer
+ Recursive: true
+ Comment: "Displays artifacts relating to Splashtop"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> TightVNC - https://www.tightvnc.com/
+
+ -
+ Description: TightVNC
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: tvnserver
+ Recursive: true
+ Comment: "Displays artifacts relating to TightVNC"
+ -
+ Description: TightVNC
+ HiveType: NTUSER
+ Category: Third Party Applications
+ KeyPath: Software\TightVNC\Server
+ Recursive: true
+ Comment: "Displays artifacts relating to TightVNC"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> FileZilla - https://filezilla-project.org/
+
+ -
+ Description: FileZilla
+ HiveType: SOFTWARE
+ Category: Third Party Applications
+ KeyPath: WOW6432Node\FileZilla Client*
+ Recursive: true
+ Comment: "Displays artifacts relating to FileZilla"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> FreeFileSync - https://freefilesync.org/
+
+ -
+ Description: FreeFileSync
+ HiveType: SOFTWARE
+ Category: Third Party Applications
+ KeyPath: WOW6432Node\FileZilla Client*
+ Recursive: true
+ Comment: "Displays artifacts relating to FreeFileSync"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
+# Third Party Applications -> GoodSync - https://www.goodsync.com/
+
+ -
+ Description: GoodSync
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: CurrentControlSet\Services\GsServer
+ Recursive: 
true
+ Comment: "Displays artifacts relating to GoodSync"
+# https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+
 # --------------------
 # CLOUD STORAGE
 # --------------------

From 33245ccdce5703f69da47668d0ba0c7df13c871b Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 4 Sep 2024 16:35:06 -0400
Subject: [PATCH 2/2] Update DFIRBatch.reb

- add spacing, remove trailing spaces
---
 BatchExamples/DFIRBatch.reb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
index 56a4817..3681fc5 100644
--- a/BatchExamples/DFIRBatch.reb
+++ b/BatchExamples/DFIRBatch.reb
@@ -2702,6 +2702,7 @@ Keys:
 KeyPath: CurrentControlSet\Services\AnyDesk
 Recursive: true
 Comment: "Displays artifacts relating to AnyDesk"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> Atera - https://www.atera.com
@@ -2713,6 +2714,7 @@ Keys:
 KeyPath: CurrentControlSet\Services\AteraAgent
 Recursive: true
 Comment: "Displays artifacts relating to Atera"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> ConnectWise (ScreenConnect) - https://screenconnect.connectwise.com/
@@ -2725,6 +2727,7 @@ Keys:
 ValueName: DisplayName
 Recursive: false
 Comment: "Displays artifacts relating to ConnectWise (ScreenConnect)"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> LogMeIn - https://www.logmein.com
@@ -2736,6 +2739,7 @@ Keys:
 KeyPath: CurrentControlSet\Services\LogMeIn
 Recursive: true
 Comment: "Displays artifacts relating to LogMeIn"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> RemoteUtilities - https://www.remoteutilities.com/
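Review bot: The FreeFileSync entry near the end of the hunk reuses the FileZilla key, `KeyPath: WOW6432Node\FileZilla Client*`, so it can only ever echo the FileZilla results and will never report a FreeFileSync install; it needs FreeFileSync's own SOFTWARE-hive key, which is not visible here and should be confirmed on a host with it installed. Two further copy-paste slips sit in the same hunk: the TeamViewer entry's comment reads `Comment: "Displays artifacts relating to Splashtop"` where it should read `Comment: "Displays artifacts relating to TeamViewer"`, and the TightVNC SYSTEM entry's `KeyPath: tvnserver` drops the `CurrentControlSet\Services\` prefix every other service entry in the hunk uses, so it presumably never resolves — `KeyPath: CurrentControlSet\Services\tvnserver` matches the pattern. The second RemoteUtilities entry pairs `HiveType: SYSTEM` with `KeyPath: Usoris\Remote Utilities\RManService\Host\Parameters`, which reads like a SOFTWARE-hive path rather than a SYSTEM one; worth verifying against a live install before relying on it. Since a key that does not exist presumably just yields no rows rather than an error, none of these slips will surface during an RMM/remote-access triage, which is exactly when this batch is most likely to be trusted. The `Keys:` list this hunk extends begins before the hunk.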
@@ -2785,7 +2789,8 @@ Keys:
 KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters
 ValueName: FUSClientPath
 Recursive: false
- Comment: "Displays artifacts relating to RemoteUtilities Configuration"
+ Comment: "Displays artifacts relating to RemoteUtilities Configuration"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> Splashtop - https://www.splashtop.com/
@@ -2804,6 +2809,7 @@ Keys:
 KeyPath: CurrentControlSet\Services\SSUService
 Recursive: true
 Comment: "Displays artifacts relating to Splashtop"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> TeamViewer - https://www.teamviewer.com/en-us/
@@ -2844,6 +2850,7 @@ Keys:
 KeyPath: WOW6432Node\FileZilla Client*
 Recursive: true
 Comment: "Displays artifacts relating to FileZilla"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> FreeFileSync - https://freefilesync.org/
@@ -2855,6 +2862,7 @@ Keys:
 KeyPath: WOW6432Node\FileZilla Client*
 Recursive: true
 Comment: "Displays artifacts relating to FreeFileSync"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> GoodSync - https://www.goodsync.com/
@@ -2866,6 +2874,7 @@ Keys:
 KeyPath: CurrentControlSet\Services\GsServer
 Recursive: true
 Comment: "Displays artifacts relating to GoodSync"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # --------------------