Commit 13d7488 (1 parent: 883b15f)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 39 changed files with 54 additions and 68 deletions.
@@ -1 +1 @@ | ||
[{"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "KnownDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:26:21.509750", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "KnownDLLs", "description": "\tKnownDLLs helps improve system performance by ensuring that all Windows processes use the same version of certain DLLs, rather than choose their own from various file locations. During startup, the Session Manager maps the DLLs listed in HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls into memory as named section objects. When a new process is loaded and needs to map these DLLs, it uses the existing sections rather than searching the file system for another version of the DLL."}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winlogon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:27:14.704024", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winlogon", "description": "Lists entries that hook into Winlogon.exe, which manages the Windows interactive-logon user interface\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Explorer", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:28:14.567543", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Explorer", "description": "Lists common autostart entries that hook directly into Windows Explorer\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Name", 
"name": "Name"}], "name": "ImageHijacks", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:30:01.377947", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ImageHijacks", "description": "This refers to using Image File Execution options in the Windows registry to redirect a process loading by mapping the executable name and thus load a completely different process.\r\n\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "InternetExplorerAddons\t", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:31:02.310682", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "InternetExplorerAddons\t", "description": "Lists Addons of Internet Explorer\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "BootExecute", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:33:08.666637", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "BootExecute", "description": "Lists Windows native-mode executables that are started by the Session Manager (Smss.exe) during system boot.\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Name", "name": "Name"}], "name": "AppinitDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:33:58.221311", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "AppinitDLLs", "description": "DLLs in the Appinit_Dlls registry key, and those DLLs will be loaded into every 
process that loads User32.dll\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "LSAsecurityProviders", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:34:43.058475", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "LSAsecurityProviders", "description": "This list should contain only Windows-verifiable entries. The DLLs listed in these entries are loaded by Lsass.exe or Winlogon.exe and run as Local System.\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Codecs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:35:30.965137", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Codecs", "description": "Lists executable code that can be loaded by media playback applications\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "OfficeAddins", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:36:16.648628", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "OfficeAddins", "description": "Lists add-ins and plug-ins registered to hook into documented interfaces for Access, Excel, Outlook, PowerPoint, and Word.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Logon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:37:05.817065", "parser_type_field": "autostart_locations", "action": "add", 
"parser_folder": "Autoruns", "_id": "Logon", "description": "Lists all scripts and binary files that will be execute when Windows starts up and a user logs on\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "PrintMonitorDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:37:53.564546", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "PrintMonitorDLLs", "description": "Lists DLLs that are loaded into the Spooler service.\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winsock", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:38:39.093495", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winsock", "description": "List Winsock protocols and service providers.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "ServicesAndDrivers", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:39:57.611707", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ServicesAndDrivers", "description": "Lists services and drivers that load at boot up a system"}] | ||
[{"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "KnownDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.229597", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "KnownDLLs", "description": "\tKnownDLLs helps improve system performance by ensuring that all Windows processes use the same version of certain DLLs, rather than choose their own from various file locations. During startup, the Session Manager maps the DLLs listed in HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls into memory as named section objects. When a new process is loaded and needs to map these DLLs, it uses the existing sections rather than searching the file system for another version of the DLL."}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winlogon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.234509", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winlogon", "description": "Lists entries that hook into Winlogon.exe, which manages the Windows interactive-logon user interface\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Explorer", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.238119", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Explorer", "description": "Lists common autostart entries that hook directly into Windows Explorer\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Name", 
"name": "Name"}], "name": "ImageHijacks", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.242549", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ImageHijacks", "description": "This refers to using Image File Execution options in the Windows registry to redirect a process loading by mapping the executable name and thus load a completely different process.\r\n\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "InternetExplorerAddons\t", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.246449", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "InternetExplorerAddons\t", "description": "Lists Addons of Internet Explorer\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "BootExecute", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.250112", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "BootExecute", "description": "Lists Windows native-mode executables that are started by the Session Manager (Smss.exe) during system boot.\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Name", "name": "Name"}], "name": "AppinitDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.254170", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "AppinitDLLs", "description": "DLLs in the Appinit_Dlls registry key, and those DLLs will be loaded into every 
process that loads User32.dll\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "LSAsecurityProviders", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.258054", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "LSAsecurityProviders", "description": "This list should contain only Windows-verifiable entries. The DLLs listed in these entries are loaded by Lsass.exe or Winlogon.exe and run as Local System.\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Codecs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.261977", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Codecs", "description": "Lists executable code that can be loaded by media playback applications\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "OfficeAddins", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.265490", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "OfficeAddins", "description": "Lists add-ins and plug-ins registered to hook into documented interfaces for Access, Excel, Outlook, PowerPoint, and Word.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Logon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.269270", "parser_type_field": "autostart_locations", "action": "add", 
"parser_folder": "Autoruns", "_id": "Logon", "description": "Lists all scripts and binary files that will be execute when Windows starts up and a user logs on\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "PrintMonitorDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.272831", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "PrintMonitorDLLs", "description": "Lists DLLs that are loaded into the Spooler service.\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winsock", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.276474", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winsock", "description": "List Winsock protocols and service providers.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "ServicesAndDrivers", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.280370", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ServicesAndDrivers", "description": "Lists services and drivers that load at boot up a system"}] |
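Review bot: The only difference between the removed and added line of this hunk is the regenerated `creation_time` of every record (2022-08-11 to 2023-02-03); the parser definitions themselves are unchanged, so this is serialization churn that makes the real edits in the 39-file set hard to review. Consider excluding the generated timestamp from the committed JSON, or only re-serializing files whose content actually changed. Two pre-existing defects are visible here and worth a follow-up: the `InternetExplorerAddons\t` entry carries a trailing tab in both `name` and `_id`, which will defeat any exact-match lookup by id, and the Logon description reads "will be execute" where "will be executed" is meant.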
@@ -1 +1 @@ | ||
[{"parser_files_categorization_values": "WebCacheV01.dat,History,places.sqlite", "important_field": [{"path": "type", "name": "Type"}, {"path": "browser_name", "name": "Browser"}, {"path": "link", "name": "Link"}], "name": "Browser_History", "interface_function": "BrowserHistory_interface.auto_browser_history", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-13T19:20:17.279363", "parser_type_field": "web_browser", "action": "edit", "parser_folder": "BrowserHistory", "_id": "Browser_History", "description": "Parser the browser history for (IE, Firefox, Chrome)"}] | ||
[{"parser_files_categorization_values": "WebCacheV01.dat,History,places.sqlite", "important_field": [{"path": "type", "name": "Type"}, {"path": "browser_name", "name": "Browser"}, {"path": "link", "name": "Link"}], "name": "Browser_History", "interface_function": "BrowserHistory_interface.auto_browser_history", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.196119", "parser_type_field": "web_browser", "action": "edit", "parser_folder": "BrowserHistory", "_id": "Browser_History", "description": "Parser the browser history for (IE, Firefox, Chrome)"}] |
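Review bot: This hunk changes nothing but `creation_time` (2022-08-13 to 2023-02-03); the record is otherwise byte-identical, so it should not need to be committed at all. Since the line is being touched anyway, the description "Parser the browser history for (IE, Firefox, Chrome)" should read "Parses the browser history for IE, Firefox and Chrome".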
@@ -1 +1 @@ | ||
[{"parser_files_categorization_values": "70000000", "important_field": [{"path": "URL", "name": "URL"}, {"path": "FileSize", "name": "FileSize"}], "name": "CertUtilParser", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "magic_number", "creation_time": "2022-08-13T19:20:17.202324", "parser_type_field": "os_general", "action": "edit", "parser_folder": "CertUtilParser", "_id": "CertUtilParser", "description": "certutil cache parser"}] | ||
[{"parser_files_categorization_values": "70000000", "important_field": [{"path": "URL", "name": "URL"}, {"path": "FileSize", "name": "FileSize"}], "name": "CertUtilParser", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "magic_number", "creation_time": "2023-02-03T14:14:07.097761", "parser_type_field": "os_general", "action": "edit", "parser_folder": "CertUtilParser", "_id": "CertUtilParser", "description": "certutil cache parser"}] |
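Review bot: Same pattern as the other hunks: only `creation_time` moves (2022-08-13 to 2023-02-03) and the CertUtilParser record is otherwise identical. Three consecutive files updated with nothing but a new timestamp suggests the manifest generator rewrites every parser definition on each run; making it emit a stable timestamp (or no timestamp) would keep diffs limited to real configuration changes.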