Merge pull request #83 from AndrewRathbun/master
update DFIRBatch.reb to 2.07 - add various artifacts from DEFAULT hive
AndrewRathbun authored Nov 26, 2024
2 parents 1978c33 + 0eb9ca0 commit 67c75ac
Showing 2 changed files with 31 additions and 1 deletion.
1 change: 1 addition & 0 deletions BatchExamples/DFIRBatch.md
@@ -53,6 +53,7 @@ Example entry, please follow this format:
| 2.04 | 2024-08-25 | Added Various Windows Defender, Microsoft Security Essentials and SmartScreen artifacts. Also added LogonBanner and SpecialAccounts |
| 2.05 | 2024-09-01 | Added new artifacts related to the third party application MobaTek MobaXTerm |
| 2.06 | 2024-09-06 | Added various JPCert artifacts around remote access tools, Added LogonStats and an example of DEFAULT registry hive use with WinSCP |
| 2.07 | 2024-11-26 | Added new artifacts from the DEFAULT registry hive |

# Documentation

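Review bot: the 2.07 changelog row is less specific than its neighbours. The 2.04, 2.05 and 2.06 rows name the artifacts they added, while 2.07 only says "Added new artifacts from the DEFAULT registry hive"; list the three entries this commit adds to DFIRBatch.reb (Default Printers, Stored Identities, Cloud-related Folders) so a reader of the changelog can find them without diffing the batch file.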
31 changes: 30 additions & 1 deletion BatchExamples/DFIRBatch.reb
@@ -1,6 +1,6 @@
Description: DFIR RECmd Batch File
Author: Andrew Rathbun
Version: 2.06
Version: 2.07
Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
Keys:
#
@@ -1435,6 +1435,15 @@ Keys:

# SCSI plugin - https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.SCSI

# Devices -> Default Printers (DEFAULT)
-
Description: Default Printers
HiveType: DEFAULT
Category: User Activity
KeyPath: Printers\ConvertUserDevModesCount
Recursive: true
Comment: "Displays the printer options available to the user"

# --------------------
# NETWORK SHARES
# --------------------
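Review bot: the Category of the Default Printers entry does not follow the convention the other two new entries use. Its section header reads `# Devices -> Default Printers (DEFAULT)` but the entry has `Category: User Activity`, whereas Stored Identities and Cloud-related Folders carry the first part of their header as the Category (`User Accounts`, `Cloud Storage`). Either set `Category: Devices` or change the header to match, and add the blank line between the `#` header and the `-` that the other two entries have. The Comment "Displays the printer options available to the user" is also vaguer than the KeyPath `Printers\ConvertUserDevModesCount` deserves; say which values a reader should expect to see under that key.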
@@ -1547,6 +1556,16 @@ Keys:

# https://superuser.com/questions/618555/what-values-are-defined-for-the-specialaccounts-userlist-key-and-what-i-is-their/926453#926453

# User Accounts -> Stored Identites (DEFAULT)

-
Description: Stored Identities
HiveType: DEFAULT
Category: User Accounts
KeyPath: Software\Microsoft\IdentityCRL\StoredIdentities\*\*
Recursive: true
Comment: "Displays information about Microsoft accounts that have signed into a computer"

# --------------------
# PROGRAM EXECUTION
# --------------------
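Review bot: typo in the section header: `# User Accounts -> Stored Identites (DEFAULT)` should read `Stored Identities`, matching the Description line beneath it. It would also help to add a `#` reference line above the entry, as the SpecialAccounts section does with its superuser.com link, because `Software\Microsoft\IdentityCRL\StoredIdentities\*\*` combined with `Recursive: true` will pull every value beneath each matched subkey and a reader will want to know which of those values carry the account information the Comment promises.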
@@ -3000,6 +3019,16 @@ Keys:
Recursive: true
Comment: "Displays the user's specified storage location for Dropbox"

# Cloud Storage -> Cloud-related Folders (DEFAULT)

-
Description: Cloud-related Folders
HiveType: DEFAULT
Category: Cloud Storage
KeyPath: Software\Microsoft\Windows\CurrentVersion\StorageSense\SuggestedFolders\*\Suggestions\*
Recursive: true
Comment: "Displays evidence of cloud-related folders that exist or have existed previously"

# --------------------
# SERVICES
# --------------------
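Review bot: the Cloud-related Folders entry has no reference line, unlike the SCSI plugin and SpecialAccounts sections visible in this diff. Add a `#` link documenting what StorageSense writes under `SuggestedFolders\*\Suggestions\*` so the Comment's claim that the folders "exist or have existed previously" can be checked against a source. As with the Stored Identities entry, confirm whether `Recursive: true` is needed when the KeyPath already ends in a wildcard component, or whether it is intended to capture values nested below each `Suggestions` subkey; a short note in the Comment would settle that for future maintainers.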