diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index 39b30e3..8c68680 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -52,6 +52,7 @@ Example entry, please follow this format: | 2.03 | 2024-08-18 | Added Various Windows Defender and SmartScreen artifacts | | 2.04 | 2024-08-25 | Added Various Windows Defender, Microsoft Security Essentials and SmartScreen artifacts. Also added LogonBanner and SpecialAccounts | | 2.05 | 2024-09-01 | Added new artifacts related to the third party application MobaTek MobaXTerm | +| 2.06 | 2024-09-06 | Added various JPCert artifacts around remote access tools, Added LogonStats and an example of DEFAULT registry hive use with WinSCP | # Documentation diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index 3681fc5..0abcf1d 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -1,6 +1,6 @@ Description: DFIR RECmd Batch File Author: Andrew Rathbun -Version: 2.05 +Version: 2.06 Id: 2e1589f5-e31a-4bef-822f-075d56afdddd Keys: # @@ -1734,6 +1734,32 @@ Keys: # USER ACTIVITY # -------------------- + - + Description: LogonStats + HiveType: NTUSER + Category: User Activity + KeyPath: software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats + ValueName: FirstLogonTime + IncludeBinary: true + BinaryConvert: SYSTEMTIME + Recursive: false + Comment: "First Time a User Logs in to a System." + +# https://x.com/jasonshale/status/623081308722475009 + + - + Description: LogonStats + HiveType: NTUSER + Category: User Activity + KeyPath: software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats + ValueName: FirstLogonTimeOnCurrentInstallation + IncludeBinary: true + BinaryConvert: SYSTEMTIME + Recursive: false + Comment: "First Time a User Logs in to a System with Current Installation." + +# https://x.com/jasonshale/status/623081308722475009 + - Description: Pinned Taskbar Items HiveType: NTUSER 
@@ -2565,6 +2591,13 @@ Keys: KeyPath: Software\Martin Prikryl Recursive: true Comment: "WinSCP" + - + Description: WinSCP + HiveType: Other + Category: Third Party Applications + KeyPath: Software\Martin Prikryl + Recursive: true + Comment: "WinSCP" - Description: WinSCP HiveType: SOFTWARE @@ -2757,7 +2790,7 @@ Keys: Category: Third Party Applications KeyPath: Usoris\Remote Utilities\RManService\Host\Parameters Recursive: true - Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration" + Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output" - Description: RemoteUtilities HiveType: NTUSER @@ -2765,7 +2798,7 @@ Keys: KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters ValueName: General Recursive: false - Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output" + Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration" - Description: RemoteUtilities HiveType: NTUSER @@ -2820,7 +2853,7 @@ Keys: Category: Third Party Applications KeyPath: CurrentControlSet\Services\TeamViewer Recursive: true - Comment: "Displays artifacts relating to Splashtop" + Comment: "Displays artifacts relating to TeamViewer" # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf # Third Party Applications -> TightVNC - https://www.tightvnc.com/ @@ -2829,7 +2862,7 @@ Keys: Description: TightVNC HiveType: SYSTEM Category: Third Party Applications - KeyPath: tvnserver + KeyPath: CurrentControlSet\Services\tvnserver Recursive: true Comment: "Displays artifacts relating to TightVNC" - @@ -2859,7 +2892,7 @@ Keys: Description: FreeFileSync HiveType: SOFTWARE Category: Third Party Applications - KeyPath: WOW6432Node\FileZilla Client* + KeyPath: WOW6432Node\FreeFileSync Recursive: true Comment: "Displays artifacts relating to FreeFileSync"
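Review bot: In the DFIRBatch.md hunk (@@ -52,6 +52,7 @@), the 2.06 changelog entry under-documents this change: it lists the JPCert artifacts, LogonStats and the WinSCP DEFAULT-hive example, but the same commit also corrects the TeamViewer comment (it previously read "Splashtop"), the TightVNC KeyPath (now `CurrentControlSet\Services\tvnserver`) and the FreeFileSync KeyPath (previously the FileZilla Client wildcard). Since these fix entries that were silently misattributing or missing artifacts, please add "Fixed TeamViewer comment, TightVNC and FreeFileSync key paths" to the 2.06 line so users know to regenerate reports.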
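Review bot: In the LogonStats hunk (@@ -1734,6 +1734,32 @@), the two new entries use `KeyPath: software\Microsoft\...` with a lowercase `software`, whereas every other NTUSER entry visible in this patch uses `Software\...` (for example `Software\Martin Prikryl` and `Software\Usoris\Remote Utilities\...`); please match the existing casing. The Comment strings ("First Time a User Logs in to a System.") are also title-cased with a trailing period, unlike the "Displays artifacts relating to ..." register used elsewhere in the file; consider "Displays the first logon time for the user" and "Displays the first logon time for the user on the current Windows installation", and move the `# https://x.com/...` reference comment to sit once after both entries rather than between them.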
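Review bot: In the WinSCP hunk (@@ -2565,6 +2591,13 @@), the new `HiveType: Other` entry carries the same bare Comment ("WinSCP") as the NTUSER and SOFTWARE entries, so nothing in the batch file tells an analyst that this entry is the DEFAULT-hive example the changelog advertises; please make the comment say what the entry is for, e.g. `Comment: "WinSCP - example for the DEFAULT hive loaded via HiveType: Other"`, and add a `# ...` comment line above it explaining why `Other` is needed here, since this is the first such entry a reader will copy.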
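Review bot: In the RemoteUtilities hunks (@@ -2757,7 +2790,7 @@ and @@ -2765,7 +2798,7 @@), the two Comment strings are simply swapped between the entries, and the "Base64 decode output" guidance moves from the entry that targets a single value (`ValueName: General`, `Recursive: false`) to the recursive entry under `Usoris\Remote Utilities\RManService\Host\Parameters`. Please confirm against a sample hive which entry actually returns the base64-encoded blob, since the single-value entry is the one an analyst would naturally decode, and note the correction in the changelog so it is not mistaken for an accidental revert later.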