update DFIRBatch.reb to 2.07 - add various artifacts from DEFAULT hive #83

Merged
merged 3 commits into from
Nov 26, 2024
1 change: 1 addition & 0 deletions BatchExamples/DFIRBatch.md
Expand Up @@ -53,6 +53,7 @@ Example entry, please follow this format:
| 2.04 | 2024-08-25 | Added Various Windows Defender, Microsoft Security Essentials and SmartScreen artifacts. Also added LogonBanner and SpecialAccounts |
| 2.05 | 2024-09-01 | Added new artifacts related to the third party application MobaTek MobaXTerm |
| 2.06 | 2024-09-06 | Added various JPCert artifacts around remote access tools, Added LogonStats and an example of DEFAULT registry hive use with WinSCP |
| 2.07 | 2024-11-26 | Added new artifacts from the DEFAULT registry hive |

# Documentation

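Review bot: the 2.07 changelog row ("Added new artifacts from the DEFAULT registry hive") is less specific than the rows before it, which name the artifacts they added; list the three entries this PR adds (Default Printers, Stored Identities, StorageSense SuggestedFolders) so the table keeps working as an index into the batch file.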
31 changes: 30 additions & 1 deletion BatchExamples/DFIRBatch.reb
@@ -1,6 +1,6 @@
Description: DFIR RECmd Batch File
Author: Andrew Rathbun
Version: 2.06
Version: 2.07
Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
Keys:
#
Expand Down Expand Up @@ -1435,6 +1435,15 @@ Keys:

# SCSI plugin - https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.SCSI

# Devices -> Default Printers (DEFAULT)
-
Description: Default Printers
HiveType: DEFAULT
Category: User Activity
KeyPath: Printers\ConvertUserDevModesCount
Recursive: true
Comment: "Displays the printer options available to the user"

# --------------------
# NETWORK SHARES
# --------------------
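Review bot: the Default Printers entry is inconsistent with itself and with the other two DEFAULT entries in this PR. The header reads "Devices -> Default Printers" but Category is "User Activity", and the Comment "Displays the printer options available to the user" does not say what a hit under Printers\ConvertUserDevModesCount actually records; since the HiveType is DEFAULT, "the user" here is the .DEFAULT profile rather than an interactive account, so name the account the data belongs to. Formatting: this header is followed directly by "-", while the Stored Identities and Cloud-related Folders entries leave a blank line between header and "-"; pick one style.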
Expand Down Expand Up @@ -1547,6 +1556,16 @@ Keys:

# https://superuser.com/questions/618555/what-values-are-defined-for-the-specialaccounts-userlist-key-and-what-i-is-their/926453#926453

# User Accounts -> Stored Identites (DEFAULT)

-
Description: Stored Identities
HiveType: DEFAULT
Category: User Accounts
KeyPath: Software\Microsoft\IdentityCRL\StoredIdentities\*\*
Recursive: true
Comment: "Displays information about Microsoft accounts that have signed into a computer"

# --------------------
# PROGRAM EXECUTION
# --------------------
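Review bot: typo in the section header at the top of the hunk, "Stored Identites" should be "Stored Identities" to match the Description line. The KeyPath also ends in "\*\*" while Recursive is true; if the intent is to walk every subtree under IdentityCRL\StoredIdentities, Recursive alone does that, and if the intent is exactly two levels down, Recursive: false states it more clearly. A reference line above the entry, like the superuser link above the SpecialAccounts entry, would tell a reader what StoredIdentities holds and where the "Microsoft accounts that have signed into a computer" interpretation comes from.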
Expand Down Expand Up @@ -3000,6 +3019,16 @@ Keys:
Recursive: true
Comment: "Displays the user's specified storage location for Dropbox"

# Cloud Storage -> Cloud-related Folders (DEFAULT)

-
Description: Cloud-related Folders
HiveType: DEFAULT
Category: Cloud Storage
KeyPath: Software\Microsoft\Windows\CurrentVersion\StorageSense\SuggestedFolders\*\Suggestions\*
Recursive: true
Comment: "Displays evidence of cloud-related folders that exist or have existed previously"

# --------------------
# SERVICES
# --------------------
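Review bot: same wildcard-plus-Recursive question as the Stored Identities entry: "SuggestedFolders\*\Suggestions\*" with Recursive: true either double-covers the tree or hides which depth is intended. This entry is DEFAULT-only while it sits beside the Dropbox entry; if the same StorageSense key is not already covered for NTUSER elsewhere in the file, an NTUSER counterpart with the same KeyPath would make the check consistent across hives. A source link for the "cloud-related folders that exist or have existed previously" reading would help, as the other entries in this file do with their reference comments.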