From 1557dcecde07f82a97c78653d49f7d17c6791f2c Mon Sep 17 00:00:00 2001 From: Jonas Plum Date: Sat, 19 Oct 2024 13:00:54 +0200 Subject: [PATCH 1/4] refactor: include artifacts --- .github/workflows/ci.yml | 9 + .gitignore | 3 - Makefile | 8 +- config/artifacts/README.md | 14 + config/artifacts/collections.yaml | 168 +++ config/artifacts/linux.yaml | 65 + config/artifacts/macos.yaml | 96 ++ config/artifacts/style_guide.md | 532 ++++++++ config/artifacts/webbrowser.yaml | 295 +++++ config/artifacts/windows.yaml | 1404 +++++++++++++++++++++ config/artifacts/windows_logs.yaml | 101 ++ config/artifacts/windows_persistence.yaml | 190 +++ config/artifacts/windows_usb.yaml | 59 + tools/artifactvalidator/main.go | 5 +- tools/artifactvalidator/validator.go | 62 +- tools/artifactvalidator/validator_test.go | 2 +- 16 files changed, 3001 insertions(+), 12 deletions(-) create mode 100644 config/artifacts/README.md create mode 100644 config/artifacts/collections.yaml create mode 100644 config/artifacts/linux.yaml create mode 100644 config/artifacts/macos.yaml create mode 100644 config/artifacts/style_guide.md create mode 100644 config/artifacts/webbrowser.yaml create mode 100644 config/artifacts/windows.yaml create mode 100644 config/artifacts/windows_logs.yaml create mode 100644 config/artifacts/windows_persistence.yaml create mode 100644 config/artifacts/windows_usb.yaml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 01803ea..8adbb6b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,15 @@ jobs: - run: make install generate-win fmt - run: git diff --exit-code + validate: + name: validate + runs-on: ubuntu-latest + steps: + - uses: actions/setup-go@v5 + with: { go-version: '1.23' } + - uses: actions/checkout@v4 + - run: make validate + lint: name: lint runs-on: ubuntu-latest diff --git a/.gitignore b/.gitignore index 268e36e..5bbd2b6 100644 --- a/.gitignore +++ b/.gitignore 
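Review bot: In the new `validate` job `actions/setup-go@v5` runs before `actions/checkout@v4`, so setup-go's default module-cache lookup happens in an empty workspace and cannot find go.sum; swapping the two steps to `- uses: actions/checkout@v4` followed by `- uses: actions/setup-go@v5` fixes that (the step order of the other jobs is not visible in this hunk, so this may mirror an existing pattern). Both actions are pinned to a floating major tag; for a job that builds and then executes a tool, pinning to a full commit SHA with the tag in a trailing comment removes the possibility of the tag being moved underneath the workflow. If go.mod declares the toolchain version, `with: { go-version-file: go.mod }` keeps the workflow and the module from drifting apart.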
@@ -1,6 +1,3 @@ -# config -config/artifacts/ - # go vendor diff --git a/Makefile b/Makefile index a19dad1..80117d3 100644 --- a/Makefile +++ b/Makefile @@ -39,13 +39,17 @@ test-coverage: go tool cover -func=coverage.out go tool cover -html=coverage.out +.PHONY: validate +validate: + @echo "Validating..." + cd tools/artifactvalidator && go build -o ../../build/bin/artifactvalidator . + ./build/bin/artifactvalidator -entrypoints=DefaultCollection1 config/artifacts/*.yaml + .PHONY: generate generate: @echo "Generating..." go install golang.org/x/tools/cmd/goimports@v0.1.7 go install github.com/forensicanalysis/go-resources/cmd/resources@v0.4.0 - rm -rf config/artifacts - git clone https://github.com/forensicanalysis/artifacts.git config/artifacts go run tools/yaml2go/main.go config/ac.yaml config/artifacts/*.yaml resources -package assets -output assets/bin.generated.go config/bin/* diff --git a/config/artifacts/README.md b/config/artifacts/README.md new file mode 100644 index 0000000..83ce9ce --- /dev/null +++ b/config/artifacts/README.md @@ -0,0 +1,14 @@ +## Artifact Definitions + +The artifactcollector uses yaml files to define forensic artifacts it can collect. + +The yaml files are based on the [ForensicArtifacts/artifacts](https://github.com/ForensicArtifacts/artifacts) +repository, but with the following major changes: + +- `provides` on source level are added to enable extraction of parameters +- All source types are distinctly defined, including the `DIRECTORY` type. +- Parameter expansion and globing is defined, including `**`. +- Inconsistent trailing `\*` in REGISTRY_KEYs are removed. + +The [Style Guide](style_guide.md) describes the full specification of the artifact definitions +how they are used in the artifactcollector. diff --git a/config/artifacts/collections.yaml b/config/artifacts/collections.yaml new file mode 100644 index 0000000..cfb4f57 --- /dev/null +++ b/config/artifacts/collections.yaml 
@@ -0,0 +1,168 @@ +# Predefined opinionated collections + +name: DefaultCollection1 +doc: Predefined opinionated collections +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'FOR500' + - 'WindowsComputerName' + - 'WindowsEventLogs' + - 'WindowsHotfixes' + - 'WindowsNetworkInterfaceInformation' + - 'WindowsPersistence' + - 'WindowsRunKeys' + - 'WindowsServices' + - 'WindowsUninstallKeys' + - 'WindowsUSBInformation' + supported_os: [ Windows ] + - type: ARTIFACT_GROUP + attributes: + names: + # - 'BrowserCache' + - 'BrowserHistory' + - 'LinuxIPTablesRulesCommand' + - 'LinuxAtJobsFiles' + - 'LinuxAuditLogFiles' + - 'LinuxCronTabFiles' + - 'LinuxHostnameFile' + supported_os: [ Linux ] + - type: ARTIFACT_GROUP + attributes: + names: + # - 'BrowserCache' + - 'BrowserHistory' + - 'MacOSAtJobsFile' + - 'MacOSAuditLogFiles' + - 'MacOSBashHistoryFile' + - 'MacOSCronTabFile' + - 'MacOSHostsFile' + - 'MacOSLastlogFile' + - 'MacOSMiscLogFiles' + - 'MacOSRecentItemsFiles' + - 'MacOSSystemLogFiles' + - 'MacOSUserTrashFiles' + supported_os: [ Darwin ] +supported_os: [ Darwin,Linux,Windows ] +--- +# Artifacts from the SANS FOR500 course + +name: FOR500 +doc: Windows Forensic Analysis +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsBrowserArtifacts + - WindowsProgramExecution + - WindowsDeletedFiles + - WindowsNetworkActivity + # - WindowsFileOpening + - AccountUsage + - ExternalDevice +supported_os: [ Windows ] +--- +name: WindowsBrowserArtifacts +doc: WindowsBrowserArtifacts +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsOpenSaveMRU + - WindowsOpenSavePidlMRU + # EmailAttachments + # SkypeMainDirectory is only for macos + # BrowserCache not collected by default + - BrowserHistory + # AdsZoneIdentifier +supported_os: [ Windows ] +--- +name: WindowsProgramExecution +doc: Program Execution +sources: + - type: ARTIFACT_GROUP + attributes: + names: + # UserAssist + - WindowsActivitiesCacheDatabase + - WindowsMostRecentApplication 
+ - WindowsAppCompatCache # Shimcache + # JumpLists + - WindowsAMCacheHveFile + - WindowsSystemResourceUsageMonitorDatabaseFile + # BAM/DAM + # LastVisitedMRU + - WindowsPrefetchFiles +supported_os: [ Windows ] +--- +name: WindowsDeletedFiles +doc: Deleted Files +sources: + - type: ARTIFACT_GROUP + attributes: + names: + # ACMRU + # Thumbcache + # Thumbs.db + # IEEdgeFile -> WindowsBrowserArtifacts + # WordWheelQuery + - WindowsRecycleBin + # LastVisitedMRU -> WindowsProgramExecution +supported_os: [ Windows ] +--- +name: WindowsNetworkActivity +doc: Network Activity +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsTimezone + - InternetExplorerCookiesFile + # NetworkHistory + # WLANEventLog + # BrowserSearchTerms -> WindowsBrowserArtifacts + # WindowsSystemResourceUsageMonitorDatabaseFile -> WindowsProgramExecution +supported_os: [ Windows ] +# --- +# name: WindowsFileOpening +# doc: File Opening +# sources: +# - type: ARTIFACT_GROUP +# attributes: +# names: +# # WindowsOpenSaveMRU -> WindowsBrowserArtifacts +# # RecentFiles +# # JumpLists -> WindowsProgramExecution +# # ShellBags +# # LNKFiles +# # WindowsPrefetchFiles -> WindowsProgramExecution +# # LastVisitedMRU -> WindowsProgramExecution +# # IEEdgeFile -> WindowsBrowserArtifacts +# # OfficeRecentFiles +# supported_os: [Windows] +--- +name: AccountUsage +doc: Account Usage +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - WindowsSystemRegistryFiles + - WindowsXMLEventLogSecurityFile +supported_os: [ Windows ] +--- +name: ExternalDevice +doc: External Device +sources: + - type: ARTIFACT_GROUP + attributes: + names: + # KeyIdentification + - WindowsSetupApiLogs + # User + # PnPEvents + # VolumeSerialNumber + # DriverLetter + # LNKFiles -> WindowsFileOpening +supported_os: [ Windows ] diff --git a/config/artifacts/linux.yaml b/config/artifacts/linux.yaml new file mode 100644 index 0000000..9999c5b --- /dev/null +++ b/config/artifacts/linux.yaml 
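Review bot: `supported_os: [ Darwin,Linux,Windows ]` on DefaultCollection1 omits the spaces after the commas that the repository's own style guide uses (`supported_os: [ Darwin, Linux, Windows ]`); the BrowserHistory definition in webbrowser.yaml has the same form. `doc: WindowsBrowserArtifacts` only repeats the name, whereas the style guide asks for a one-line human-readable description, e.g. `doc: Browser history and Open/Save MRU keys for Windows`. The commented-out entries (`# - 'BrowserCache'`, `# UserAssist`, `# JumpLists`, ...) give no reason for their exclusion except in WindowsBrowserArtifacts; a trailing comment such as `# not collected by default` on each would tell a future editor whether they are pending or deliberately skipped. The Linux group of DefaultCollection1 names BrowserHistory, whose Linux paths expand `%%users.homedir%%`, but lists neither LinuxHomePath nor LinuxPasswdFile, which are the only Linux sources in this patch that provide that key; whether the validator or the collector pulls providers in implicitly is not visible here.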
@@ -0,0 +1,65 @@ +# Linux specific artifacts. + +name: LinuxIPTablesRulesCommand +doc: List IPTables rules. +sources: + - type: COMMAND + attributes: + args: [ "-L", "-n", "-v" ] + cmd: /sbin/iptables +supported_os: [ Linux ] +--- +name: LinuxAtJobsFiles +doc: Linux at jobs. +sources: + - type: FILE + attributes: { paths: [ '/var/spool/at/*' ] } +supported_os: [ Linux ] +--- +name: LinuxAuditLogFiles +doc: Linux audit log files. +sources: + - type: FILE + attributes: { paths: [ '/var/log/audit/*' ] } +supported_os: [ Linux ] +--- +name: LinuxCronTabFiles +doc: Crontab files. +sources: + - type: FILE + attributes: + paths: + - '/etc/crontab' + - '/etc/cron.d/*' + - '/var/spool/cron/**' +supported_os: [ Linux ] +--- +name: LinuxHostnameFile +doc: Linux hostname file. +sources: + - type: FILE + attributes: { paths: [ '/etc/hostname' ] } +supported_os: [ Linux ] +--- +name: LinuxPasswdFile +doc: | + Linux passwd file. + + A passwd file consist of colon separated values in the format: + username:password:uid:gid:full name:home directory:shell +sources: + - type: FILE + attributes: { paths: [ '/etc/passwd' ] } + provides: + - key: users.homedir + regex: '.*:(.*?):.*' +supported_os: [ Linux ] +--- +name: LinuxHomePath +doc: Users directories in /home +sources: + - type: PATH + attributes: { paths: [ '/home/*' ] } + provides: + - key: users.homedir +supported_os: [ Linux ] diff --git a/config/artifacts/macos.yaml b/config/artifacts/macos.yaml new file mode 100644 index 0000000..c37d59d --- /dev/null +++ b/config/artifacts/macos.yaml 
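Review bot: The `provides` regex on LinuxPasswdFile, `'.*:(.*?):.*'`, selects the home-directory field only through backtracking from the end of the line, which a reader has to work out; a field-anchored pattern such as `regex: '^(?:[^:]*:){5}([^:]*):'` (Go regexp syntax) states directly that the sixth colon-separated field is meant, or a comment `# greedy prefix + lazy group = penultimate field (home directory)` would do. The same expression is used as the example in style_guide.md, so the two should be changed together if at all. LinuxCronTabFiles uses `'/var/spool/cron/**'`, which per the style guide recurses only three levels by default; that covers the usual `crontabs/<user>` layout but is worth a comment so nobody reads `**` as unbounded.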
@@ -0,0 +1,96 @@ +# MacOS (Darwin) specific artifacts. + +name: MacOSAtJobsFile +doc: MacOS at jobs +sources: + - type: FILE + attributes: { paths: [ '/usr/lib/cron/jobs/*' ] } +supported_os: [ Darwin ] +--- +name: MacOSAuditLogFiles +doc: Audit log files +sources: + - type: FILE + attributes: + paths: + - '/private/var/audit/*' + - '/var/audit/*' +supported_os: [ Darwin ] +--- +name: MacOSBashHistoryFile +doc: Terminal Commands History +sources: + - type: FILE + attributes: { paths: [ '%%users.homedir%%/.bash_history' ] } +supported_os: [ Darwin ] +--- +name: MacOSCronTabFile +doc: Cron tabs +sources: + - type: FILE + attributes: + paths: + - '/etc/crontab' + - '/private/etc/crontab' + - '/usr/lib/cron/tabs/*' +supported_os: [ Darwin ] +--- +name: MacOSHostsFile +doc: Hosts file +sources: + - type: FILE + attributes: + paths: + - '/etc/hosts' + - '/private/etc/hosts' +supported_os: [ Darwin ] +--- +name: MacOSLastlogFile +doc: Mac OS X lastlog file. +sources: + - type: FILE + attributes: + paths: + - '/private/var/log/lastlog' + - '/var/log/lastlog' +supported_os: [ Darwin ] +--- +name: MacOSMiscLogFiles +doc: Misc. Logs +sources: + - type: FILE + attributes: { paths: [ '/Library/Logs/*' ] } +supported_os: [ Darwin ] +--- +name: MacOSRecentItemsFiles +doc: Recent Items +sources: + - type: FILE + attributes: { paths: [ '%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist' ] } +supported_os: [ Darwin ] +--- +name: MacOSSystemLogFiles +doc: System log files +sources: + - type: FILE + attributes: + paths: + - '/private/var/log/*' + - '/var/log/*' +supported_os: [ Darwin ] +--- +name: MacOSUsersPath +doc: Users directories in /Users +sources: + - type: PATH + attributes: { paths: [ '/Users/*' ] } + provides: + - key: users.homedir +supported_os: [ Darwin ] +--- +name: MacOSUserTrashFiles +doc: User Trash Folder +sources: + - type: FILE + attributes: { paths: [ '%%users.homedir%%/.Trash/*' ] } +supported_os: [ Darwin ] \ No newline at end of file 
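Review bot: MacOSAuditLogFiles, MacOSCronTabFile, MacOSHostsFile, MacOSLastlogFile and MacOSSystemLogFiles each list a `/private/...` path together with its `/etc/...` or `/var/...` alias; on macOS `/etc` and `/var` are symlinks into `/private`, so unless the collector resolves symlinks before globbing every one of those files is collected twice under two names. Keeping only the `/private` form, or explaining with a comment like `# /var is a symlink to /private/var; both listed on purpose` why both are present, would make the intent clear. The file is also missing a trailing newline (`\ No newline at end of file`), unlike the other definition files in this patch.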
diff --git a/config/artifacts/style_guide.md b/config/artifacts/style_guide.md
new file mode 100644
index 0000000..8899fce
--- /dev/null
+++ b/config/artifacts/style_guide.md
@@ -0,0 +1,532 @@ +# Artifact definition format and style guide + +## Summary + +This guide contains a description of the forensics artifacts definitions. The +artifacts definitions are [YAML](http://www.yaml.org/spec/1.2/spec.html)-based. +The format is currently still under development and is likely to undergo some +change. One of the goals of this guide is to ensure consistency and readability +of the artifacts definitions. + +## Revision history + +| Version | Author | Date | Comments | +|----------|-----------|----------------|-------------------------------------------------------------------------------------| +| 0.0.1 | G. Castle | November 2014 | Initial version. | +| 0.0.2 | G. Castle | December 2014 | Minor format changes. | +| 0.0.3 | J.B. Metz | April 2015 | Merged style guide and artifact definitions wiki page. | +| 0.0.3 | J.B. Metz | September 2015 | Additional label. | +| 0.0.4 | J.B. Metz | July 2016 | Added information about a naming convention. | +| 0.0.5 | J.B. Metz | February 2019 | Removed returned_types as keyword and format changes. | +| 0.0.6-ce | J. Plum | October 2019 | Add information about the knowledge base, directory sources, expansion and globbing | +| 0.0.7-ce | J. Plum | October 2024 | Deprecate labels | + +## Background + +The first version of the artifact definitions originated from the +[GRR project](https://github.com/google/grr), where it is used to describe and +quickly collect data of interest, e.g. specific files or Windows Registry keys. +The goal of the format is to provide a way to describe the majority of forensic +artifacts in a language that is readable by humans and machines. + +The format is designed to be simple and straight forward, so that a digital +forensic analyst is able to quickly write artifact definitions during an +investigation without having to rely on complex standards or tooling. + +The format is intended to describe forensically-relevant data on a machine, +while being tool agnostic. 
In particular, we intentionally avoided adding +IOC-like logic, or describing how the data should be collected since this +varies between tools. + +### Terminology + +The term artifact (or artefact) is widely used within computer (or digital) +forensics, though there is no official definition of this term. + +The definition closest to the meaning of the word within computer forensics is +that of the word artifact within +[archaeology](http://en.wikipedia.org/wiki/Artifact_(archaeology)). The term +should not be confused with the word artifact used within +[software development](http://en.wikipedia.org/wiki/Artifact_(software_development)). + +If archaeology defines an artifact as: + +``` +something made or given shape by man, such as a tool or +a work of art, esp an object of archaeological interest +``` + +The definition of artifact within computer forensics could be: + +``` +An object of digital archaeological interest. +``` + +Where digital archaeology roughly refers to computer forensics without the +forensic (legal) context. + +### Knowledge Base + +The knowledge base is a data store that is used for storing entries about +the host, users and other system properties. Every entry maps a key to a list +of values e.g. + +```json +{ + "users.username": [ + "root", + "bob" + ], + "users.homedir": [ + "/root", + "/home/bob" + ] +} +``` + +It is filled via the `provides` attribute of sources and +can be used in artifact conditions (*deprecated*) and in +[parameter expansion](#parameter-expansion-and-globs). + +## The artifact definition + +The best way to show what an artifact definition is, is by example. The +following example is the artifact definition for the Windows EVTX System Event +Logs. + +```yaml +name: WindowsSystemEventLogEvtx +doc: Windows System Event log for Vista or later systems. 
+sources: + - type: FILE + attributes: { paths: [ '%%environ_systemroot%%\System32\winevt\Logs\System.evtx' ] } +supported_os: [ Windows ] +``` + +The artifact definition can have the following values: + +| Key | Description | +|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| name | The name. An unique string that identifies the artifact definition. Also see section: [Name](#Name). | +| doc | The description (or documentation). A human readable string that describes the artifact definition. *Style note*: Typically one line description of the artifact, mentioning important caveats. If more description is necessary, use the [Long docs form](#long-docs-form). | +| sources | A list of source definitions. See section: [sources](#sources). | +| supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). | +| urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artificat in more depth. | +| ~~labels~~ | **Deprecated** This key is ignored. | +| ~~conditions~~ | **Deprecated** This key is ignored. | +| ~~provides~~ | **Deprecated** This key is ignored. | + +### Name + +*Style note*: The name of an artifact definition should be in CamelCase name +without spaces. + +Naming convention for artifact definition names: + +* Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or " + Windows" +* If not platform specific: + * prefix with the application name, for example "ChromeHistory". + * prefix with the name of the subsystem, for example "WMIComputerSystemProduct". 
+ +*Style note*: If the sole source of the artifact definition for example are +files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity. + +### Long docs form + +Multi-line documentation should use the YAML Literal Style as indicated by the | +character. + +```yaml +doc: | + The Windows run keys. + + Note users.sid will currently only expand to SIDs with profiles on the + system, not all SIDs. +``` + +*Style note*: the short description (first line) and the longer portion are +separated by an empty line. + +*Style note*: explicit newlines (\n) should not be used. + +## Sources + +Every source definition starts with a `type` followed by arguments e.g. + +```yaml +sources: + - type: COMMAND + attributes: + args: [ -qa ] + cmd: /bin/rpm +``` + +```yaml +sources: + - type: FILE + attributes: + paths: + - /root/.bashrc + - /root/.cshrc + - /root/.ksh + - /root/.logout + - /root/.profile + - /root/.tcsh + - /root/.zlogin + - /root/.zlogout + - /root/.zprofile + - /root/.zprofile +``` + +*Style note*: where sources take a single argument with a single value, the +one-line {} form should be used to save on line breaks as below: + +```yaml +- type: FILE + attributes: { paths: [ '%%environ_systemroot%%\System32\winevt\Logs\System.evtx' ] } +``` + +| Key | Description | +|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------| +| attributes | A dictionary of keyword attributes specific to the type of source definition. | +| type | The source type. | +| provides | Optional list of dictonaries that describe knowledge base entries that this artifact can supply. See section: [Source provides](#source-provides). | +| supported_os | Optional list that indicates which operating systems the artifact definition applies to. | +| ~~conditions~~ | **Deprecated** This key is ignored. 
| + +### Source types + +Currently, the following different source types are defined: + +| Value | Description | +|----------------|-------------------------------------------------------------------------------------------| +| ARTIFACT_GROUP | A source that consists of a group of other artifacts. | +| COMMAND | A source that consists of the output of a command. | +| DIRECTORY | A source that consists of the file listing of a directories. | +| FILE | A source that consists of the contents of files. | +| PATH | A source that consists of a list of paths. | +| REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. | +| REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. | +| WMI | A source that consists of the output of a Windows Management Instrumentation (WMI) query. | + +### Source provides + +A source provide defines a knowledge base entry that can be created using this source e.g. + +```yaml +sources: + - type: PATH + attributes: { paths: [ '/Users/*' ] } + provides: + - key: users.username + regex: '.*/(.*)' +``` + +```yaml +sources: + - type: WMI + attributes: { query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' } + provides: + - key: users.userdomain + wmi_key: Domain +``` + +```yaml +sources: + - type: FILE + attributes: { paths: [ '/etc/passwd' ] } + provides: + - key: users.username + regex: '(.*?):.*' + - key: users.homedir + regex: '.*:(.*?):.*' +``` + +| Key | Description | +|---------|----------------------------------------------------------------------------------------------------------------| +| key | Defines the knowledge base key that is provided. | +| wmi_key | Required for provides in WMI sources, disallowed otherwise. WMI object key to select the provided value. | +| regex | Optional regular expression to filter the provided data. The first capturing group defines the provided value. 
| + +Provided values are dependent on the source type as follows: + +| Type | Added entries to knowledge base | +|----------------|------------------------------------------| +| COMMAND | The lines of the stdout of the command. | +| FILE | The lines of the file content. | +| PATH | The defined paths. | +| REGISTRY_KEY | The key paths. | +| REGISTRY_VALUE | The registry values. | +| WMI | The values selected using the `wmi_key`. | + +Definition of type ARTIFACT_GROUP or DIRECTORY must not have a `provides` attribute. + +### Artifact group source + +The artifact group source is a source that consists of a group of other +artifacts e.g. + +```yaml +- type: ARTIFACT_GROUP + attributes: + names: [ WindowsRunKeys, WindowsServices ] +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| names | A list of artifact definition names that make up this "composite" artifact. This can also be used to group multiple artifact definitions into one for convenience. | + +### Command source + +The command source is a source that consists of the output of a command e.g. + +```yaml +- type: COMMAND + attributes: + args: [ -qa ] + cmd: /bin/rpm +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------|------------------------------------------------------------------------------------------------------------------------------------------------------| +| args | A list arguments to pass to the command. | +| cmd | The path of the command. The path can either be relative or absolute. Handling of relative paths depends on the application processing the artifact. | + +### Directory source + +The directory source is a source that consists of a file listing of directory contents e.g. 
+ +```yaml +- type: DIRECTORY + attributes: + paths: [ '%%users.userprofile%%\Downloads\*' ] + separator: '\' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| paths | A list of file paths that can potentially be collected. These paths should be absolute. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs) | +| separator | Optional path separator e.g. '\' for Windows systems. | + +### File source + +The file source is a source that consists of the binary contents of files e.g. + +```yaml +- type: FILE + attributes: + paths: [ '%%environ_systemroot%%\System32\winevt\Logs\System.evtx' ] +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| paths | A list of file paths that can potentially be collected. These paths should be absolute. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs) | +| separator | Optional path separator e.g. '\' for Windows systems. | + +### Path source + +The path source is a source that consists of a list of paths e.g. 
+ +```yaml +- type: PATH + attributes: + paths: [ '\Program Files' ] + separator: '\' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| paths | A list of file paths that can potentially be collected. These paths can should be absolute. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion) | +| separator | Optional path separator e.g. '\' for Windows systems. | + +### Windows Registry key source + +The Windows Registry key source is a source that consists of a key path and all +registry values of a Windows Registry key. Subkeys are not part of this artifact. + +Example: + +```yaml +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| keys | A list of Windows Registry key paths that can potentially be collected. The paths can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion) | + +### Windows Registry value source + +The Windows Registry value source is a source that consists of the contents of defined +Windows registry values e.g. 
+ +```yaml +- type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654' } +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. The key path can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion) | + +### Windows Management Instrumentation (WMI) query source + +The Windows Management Instrumentation (WMI) query source is a source that +consists of the output of a Windows Management Instrumentation (WMI) query e.g. + +```yaml +- type: WMI + attributes: + query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' +``` + +Where `attributes` can contain the following values: + +| Value | Description | +|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs) | +| base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` | + +## Supported operating system + +Since operating system (OS) conditions are a very common constraint, this has +been provided as a separate option `supported_os` to simplify syntax. For +supported_os no quotes are required. 
The currently supported operating systems +are: + +* Darwin (also used for Mac OS X) +* Linux +* Windows + +```yaml +supported_os: [ Darwin, Linux, Windows ] +``` + +## Style notes + +### Artifact definition YAML files + +Artifact definition YAML filenames should be of the form: +.... +$FILENAME.yaml +.... + +Where $FILENAME is name of the file e.g. windows.yaml. + +Each definition file should have a comment at the top of the file with a +one-line summary describing the type of artifact definitions contained in the +file e.g. + +```yaml +# Windows specific artifacts. +``` + +### Lists + +Generally use the short [] format for single-item lists that fit inside 80 +characters to save on unnecessary line breaks: + +```yaml +supported_os: [ Windows ] +``` + +and the bulleted list form for multi-item lists or long lines: + +```yaml +paths: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' +``` + +### Quotes + +Quotes should not be used for doc strings, artifact names, and simple lists +like labels and supported_os. + +Paths and URLs should use single quotes to avoid the need for manual escaping. + +```yaml +paths: [ '%%environ_temp%%\*.exe' ] +``` + +Double quotes should be used where escaping causes problems, such as +regular expressions: + +```yaml +content_regex_list: [ "^%%users.username%%:[^:]*\n" ] +``` + +### Minimize the number of definitions by using multiple sources + +To minimize the number of artifacts in the list, combine them using the +supported_os and conditions attributes where it makes sense. e.g. 
rather than +having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: + +```yaml +name: FirefoxHistory +doc: Firefox places.sqlite files. +sources: + - type: FILE + attributes: + paths: + - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite + - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite + supported_os: [ Windows ] + - type: FILE + attributes: + paths: [ %%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite ] + supported_os: [ Darwin ] + - type: FILE + attributes: + paths: [ '%%users.homedir%%/.mozilla/firefox/*/places.sqlite' ] + supported_os: [ Linux ] +supported_os: [ Windows, Linux, Darwin ] +``` + +## Parameter expansion and globs + +### Parameter expansion + +Path, keys, key and query attributes can contain parameter expansion and +globing. This allows for flexible creation of artifact locations. + +Parameter expansions values are enclosed by double percent symbols e.g. +`%%environ_systemroot%%`. The parameter expansion value can be replaced by the +corresponding value from the [knowledge base](#knowledge-base). + +For every expansion that is used in an artifact, there should be another artifact +that `provides` this expansion in one of its sources. Implementations may choose +to precompute parameter values from sources outside of these definitions. + +### Parameter Globs + +Parameters can also contain regular glob elements (`**`, or `*`). +For example, having files `foo`, `bar`, `baz` glob expansion of `ba*` +will yield `bar` and `baz`. A recursive component (specified as `**`) +matches any directory tree up to some specified depth (3 by default). +`**` does not match the current directory. +The search depth can optionally be specified by appending a number, e.g. +`**9` will match up to 9 levels of a directory hierarchy. diff --git a/config/artifacts/webbrowser.yaml b/config/artifacts/webbrowser.yaml new file mode 100644 index 0000000..ac7d0d0 --- /dev/null 
+++ b/config/artifacts/webbrowser.yaml 
@@ -0,0 +1,295 @@ +# Web browser artifacts. + +name: BrowserHistory +doc: Web browser history of multiple web browsers. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'ChromiumBasedBrowsersHistoryDatabaseFile' + - 'FirefoxHistoryFile' + - 'InternetExplorerHistoryFile' + - 'OperaHistoryFile' + - 'SafariDownloadFile' + - 'SafariHistoryFile' +supported_os: [ Darwin,Linux,Windows ] +--- +name: ChromiumBasedBrowsersHistoryDatabaseFile +doc: >- + Browsing history database file for multiple Chromium-based browsers, such as + Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta. +sources: + - type: FILE + attributes: + paths: + - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived + History' + - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived + History-journal' + - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History' + - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History-journal' + - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History' + - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal' + - '%%users.homedir%%/Library/Application Support/Chromium/*/History' + - '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal' + - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived + History' + - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived + History-journal' + - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History' + - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal' + - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' + - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal' + - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' + - 
'%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived + History' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived + History-journal' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History-journal' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History-journal' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History' + - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History-journal' + - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived + History' + - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived + History-journal' + - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History' + - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History-journal' + - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived + History' + - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived + History-journal' + - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History' + - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History-journal' + supported_os: + - Darwin + - type: FILE + attributes: + paths: + - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History' + - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History-journal' + - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History' + - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History-journal' + - 
'%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived + History' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived + History-journal' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History' + - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal' + - '%%users.homedir%%/.config/chromium/*/Archived History' + - '%%users.homedir%%/.config/chromium/*/Archived History-journal' + - '%%users.homedir%%/.config/chromium/*/History' + - '%%users.homedir%%/.config/chromium/*/History-journal' + - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History' + - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal' + - '%%users.homedir%%/.config/google-chrome-beta/*/History' + - '%%users.homedir%%/.config/google-chrome-beta/*/History-journal' + - '%%users.homedir%%/.config/google-chrome/*/Archived History' + - '%%users.homedir%%/.config/google-chrome/*/Archived History-journal' + - '%%users.homedir%%/.config/google-chrome/*/History' + - '%%users.homedir%%/.config/google-chrome/*/History-journal' + - '%%users.homedir%%/.config/microsoft-edge/*/Archived History' + - '%%users.homedir%%/.config/microsoft-edge/*/Archived History-journal' + - '%%users.homedir%%/.config/microsoft-edge/*/History' + - '%%users.homedir%%/.config/microsoft-edge/*/History-journal' + - '%%users.homedir%%/.config/opera/*/Archived History' + - '%%users.homedir%%/.config/opera/*/Archived History-journal' + - '%%users.homedir%%/.config/opera/*/History' + - 
'%%users.homedir%%/.config/opera/*/History-journal' + - '%%users.homedir%%/.config/yandex-browser-beta/*/Archived History' + - '%%users.homedir%%/.config/yandex-browser-beta/*/Archived History-journal' + - '%%users.homedir%%/.config/yandex-browser-beta/*/History' + - '%%users.homedir%%/.config/yandex-browser-beta/*/History-journal' + - '%%users.homedir%%/snap/chromium/common/chromium/*/Archived History' + - '%%users.homedir%%/snap/chromium/common/chromium/*/Archived History-journal' + - '%%users.homedir%%/snap/chromium/common/chromium/*/History' + - '%%users.homedir%%/snap/chromium/common/chromium/*/History-journal' + supported_os: + - Linux + - type: FILE + attributes: + paths: + - '%%users.appdata%%\Brave\*\Archived History' + - '%%users.appdata%%\Brave\*\Archived History-journal' + - '%%users.appdata%%\Brave\*\History' + - '%%users.appdata%%\Brave\*\History-journal' + - '%%users.appdata%%\BraveSoftware\Brave-Browser\User Data\*\History' + - '%%users.appdata%%\BraveSoftware\Brave-Browser\User Data\*\History-journal' + - '%%users.appdata%%\Opera Software\Opera Stable\*\Archived History' + - '%%users.appdata%%\Opera Software\Opera Stable\*\Archived History-journal' + - '%%users.appdata%%\Opera Software\Opera Stable\*\History' + - '%%users.appdata%%\Opera Software\Opera Stable\*\History-journal' + - '%%users.localappdata%%\Chromium\*\Archived History' + - '%%users.localappdata%%\Chromium\*\Archived History-journal' + - '%%users.localappdata%%\Chromium\*\History' + - '%%users.localappdata%%\Chromium\*\History-journal' + - '%%users.localappdata%%\Chromium\User Data\*\Archived History' + - '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal' + - '%%users.localappdata%%\Chromium\User Data\*\History' + - '%%users.localappdata%%\Chromium\User Data\*\History-journal' + - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History' + - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal' + - 
'%%users.localappdata%%\Google\Chrome SxS\User Data\*\History' + - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal' + - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History' + - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal' + - '%%users.localappdata%%\Google\Chrome\User Data\*\History' + - '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal' + - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Archived History' + - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Archived History-journal' + - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\History' + - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\History-journal' + - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Archived History' + - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Archived History-journal' + - '%%users.localappdata%%\Microsoft\Edge\User Data\*\History' + - '%%users.localappdata%%\Microsoft\Edge\User Data\*\History-journal' + - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Archived History' + - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Archived History-journal' + - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\History' + - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\History-journal' + separator: \ + supported_os: + - Windows +supported_os: + - Darwin + - Linux + - Windows +--- +name: FirefoxHistoryFile +doc: Firefox browser history (places.sqlite). 
+sources: + - type: FILE + attributes: + paths: + - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' + - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal' + - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' + - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal' + separator: '\' + supported_os: [ Windows ] + - type: FILE + attributes: + paths: + - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite' + - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal' + supported_os: [ Darwin ] + - type: FILE + attributes: + paths: + - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite' + - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal' + - '%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite' + - '%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite-wal' + supported_os: [ Linux ] +supported_os: [ Windows,Darwin,Linux ] +--- +name: InternetExplorerBrowserHelperObjectsRegistryKeys +doc: Loaded on Internet Explorer startup +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' +supported_os: [ Windows ] +--- +name: InternetExplorerCookiesFile +doc: | + Microsoft Internet Explorer (MSIE) browser cookies. + + * MSIE 4 - 9 Cache files (index.dat) +sources: + - type: FILE + attributes: + paths: + - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat' + - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat' + - '%%users.userprofile%%\Cookies\index.dat' + separator: '\' +supported_os: [ Windows ] +--- +name: InternetExplorerHistoryFile +doc: | + Microsoft Internet Explorer (MSIE) browser history. + + * MSIE 4 - 9 Cache files (index.dat); + * MSIE 10 WebCacheV*.dat files. 
+sources: + - type: FILE + attributes: + paths: + - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat' + - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat' + - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat' + - '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat' + - '%%users.userprofile%%\Local Settings\History\History.IE5\*\index.dat' + - '%%users.userprofile%%\Local Settings\History\Temporary Internet Files\Content.IE5\index.dat' + - '%%users.userprofile%%\Local Settings\Temporary Internet Files\Content.IE5\index.dat' + separator: '\' +supported_os: [ Windows ] +--- +name: OperaHistoryFile +doc: Opera browser history (global_history.dat). +sources: + - type: FILE + attributes: { paths: [ '%%users.homedir%%/Library/Opera/global_history.dat' ] } + supported_os: [ Darwin ] + - type: FILE + attributes: { paths: [ '%%users.homedir%%/.opera/global_history.dat' ] } + supported_os: [ Linux ] + - type: FILE + attributes: + paths: + - '%%users.appdata%%\Opera\Opera\global_history.dat' + - '%%users.appdata%%\Opera Software\Opera Stable\History' + - '%%users.appdata%%\Opera Software\Opera Stable\History-journal' + separator: '\' + supported_os: [ Windows ] +supported_os: [ Windows,Darwin,Linux ] +--- +name: SafariDownloadFile +doc: Safari downloads history (Downloads.plist). 
+sources: + - type: FILE + attributes: { paths: [ '%%users.homedir%%/Library/Safari/Downloads.plist' ] } + supported_os: [ Darwin ] + - type: FILE + attributes: + paths: + - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist' + - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist' + separator: '\' + supported_os: [ Windows ] +supported_os: [ Darwin, Windows ] +--- +name: SafariHistoryFile +doc: Safari browser history (History.plist). +sources: + - type: FILE + attributes: + paths: + - '%%users.localappdata%%\Apple Computer\Safari\History.plist' + - '%%users.appdata%%\Apple Computer\Safari\History.plist' + separator: '\' + supported_os: [ Windows ] + - type: FILE + attributes: + paths: + - '%%users.homedir%%/Library/Safari/History.plist' + - '%%users.homedir%%/Library/Safari/History.db' + - '%%users.homedir%%/Library/Safari/History.db-wal' + supported_os: [ Darwin ] +supported_os: [ Windows, Darwin ] diff --git a/config/artifacts/windows.yaml b/config/artifacts/windows.yaml new file mode 100644 index 0000000..63d46d8 --- /dev/null +++ b/config/artifacts/windows.yaml 
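Review bot: In the Windows source of FirefoxHistoryFile the fourth path repeats `%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal` instead of pairing the `%%users.appdata%%` places.sqlite entry with its own write-ahead log, so the WAL under the appdata location is never collected; the duplicate should read `'%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'`. Because SQLite may hold the newest records only in the -wal file until a checkpoint, the omission can silently drop the most recent history for profiles stored under that path. As a smaller consistency point, the Windows source of ChromiumBasedBrowsersHistoryDatabaseFile writes `separator: \` unquoted while every other Windows source in this file uses `separator: '\'`; quoting it keeps the definitions uniform for the validator and the style guide.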
@@ -0,0 +1,1404 @@ +# Windows specific artifacts. + +name: WindowsActiveDesktop +doc: Windows Active Desktop settings and components. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' +supported_os: [ Windows ] +--- +name: WindowsActivitiesCacheDatabase +doc: SQLite database containing the Windows activities cache. +sources: + - type: FILE + attributes: + paths: [ '%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsAlternateShell +doc: Alternate Shell to be run via Userinit. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell' } +supported_os: [ Windows ] +--- +name: WindowsAMCacheHveFile +doc: The AMCache file, stored in the Windows NT Registry file format. +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve' + - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1' + - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsAppCertDLLs +doc: Windows AppCertDLLs persistence. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs' ] +supported_os: [ Windows ] +--- +name: WindowsAppCompatCache +doc: Windows Application Compatibility Cache +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache' } +supported_os: [ Windows ] +--- +name: WindowsAppInitDLLs +doc: | + Windows Application Initial (AppInit) DLLs persistence. + + AppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded + into each user mode process on the system. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs' } +supported_os: [ Windows ] +--- +name: WindowsApplicationCompatibilityInstalledShimDatabases +doc: | + Windows Application Compatibility Installed Shim Databases. + + drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are + shim database files (SDB files) that are provided by Windows, and contain + many predefined shims that address known application compatibility issues. + Note that these database files are not signed. + + Windows also supports custom shim database. These are typically installed + by the sdbinst.exe utility. Note, that shim database files can also exist + elsewhere in the file system. 
+ + Windows application shims provide a way for the operating system to + apply patches to executables before they are run, ultimately providing + a lightweight mechanism for applying hot fixes and making modifications to + ensure compatibility across the various versions of Windows. This + functionality can also be leveraged maliciously to change how certain + programs operate, or to provide capabilities to malware, such as the + ability to bypass UAC, gain persistence by injecting loading into legitimate + processes, or avoid detection by disabling anti-virus software. +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\AppPatch\drvmain.sdb' + - '%%environ_systemroot%%\AppPatch\frxmain.sdb' + - '%%environ_systemroot%%\AppPatch\msimain.sdb' + - '%%environ_systemroot%%\AppPatch\pcamain.sdb' + - '%%environ_systemroot%%\AppPatch\sysmain.sdb' + - '%%environ_systemroot%%\AppPatch\AppPatch64\Custom\*' + - '%%environ_systemroot%%\AppPatch\Custom\*' + - '%%environ_systemroot%%\AppPatch\Custom\Custom64\*' + - '%%environ_systemroot%%\AppPatch\CustomSDB\*' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsApplicationCompatibilityShimDatabaseMappings +doc: | + Windows Application Compatibility Shim Database Mappings. + + Mappings between the Windows Application Compatibility shim database files and + the programs that they apply to. + + Windows allows for custom application shims to be installed via the + sdbinst.exe application. 
For example a mapping for 'notepad.exe': + + Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ + AppCompatFlags\Custom\notepad.exe + Value: {00000000-1111-2222-3333-444444444444}.sdb = 0 + + Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444} + Value: DatabasePath = + "C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb" + + Windows application shims provide a way for the operating system to + apply patches to executables before they are run, ultimately providing + a lightweight mechanism for applying hot fixes and making modifications to + ensure compatibility across the various versions of Windows. This + functionality can also be leveraged maliciously to change how certain + programs operate, or to provide capabilities to malware, such as the + ability to bypass UAC, gain persistence by injecting loading into legitimate + processes, or avoid detection by disabling anti-virus software. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*', value: '*' } +supported_os: [ Windows ] +--- +name: WindowsApplicationCompatibilityShims +doc: Windows Application Compatibility Shim Database Files and Application Mappings +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsApplicationCompatibilityInstalledShimDatabases' + - 'WindowsApplicationCompatibilityShimDatabaseMappings' +supported_os: [ Windows ] +--- +name: WindowsBootVerificationProgram +doc: Path to custom startup verification program. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath' } ] +supported_os: [ Windows ] +--- +name: WindowsComputerName +doc: The name of the system. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName', value: 'ComputerName' } +supported_os: [ Windows ] +--- +name: WindowsCommandProcessorAutoRun +doc: Commands that are run each time the Command Processor (Cmd.exe) is started. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun' } +supported_os: [ Windows ] +--- +name: WindowsCOMProperties +doc: | + Various properties of Windows COM Objects. + + These artifacts are meant to highlight properties of COM objects that, + although legitimate, are known to be associated with persistence techniques + or other capabilities that malware can leverage. + + ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value + 0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique + to cause iexplore or explorer to load a malicious DLL by registering a COM + object and invoking it through the use of Junction Folders. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM' } +supported_os: [ Windows ] +--- +name: WindowsSearchFilterHandlers +doc: | + Windows Search filter handlers configured for file types and applications. + + Windows Search loads DLLs that implement the IFilter interface in order to + scan files for text and extract certain types of information. Malware can + replace the filter handler for a given file type or CLSID with itself to gain + execution when a search operation is performed on that file. Search + operations can be performed indirectly in a number of cases; for instance, + the .txt, .html, and .rtf filter handlers are invoked when indexing email + message bodies. 
+ + The filter handler to use is specified indirectly via a persistent handler. + The persistent handler GUID is indicated via the PersistentHandler subkey for + a file type or application GUID. The filter handler CLSID is indicated via + the PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey + under the persistent handler GUID key path. This artifact inspects both of + these paths. + + NOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these + are the only keys used. SearchFilterHost.exe runs under the SYSTEM account, + which does not have access to HKEY_CURRENT_USER. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\PersistentHandler', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\PersistentHandler', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentHandler', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentHandler', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: '' } +supported_os: [ Windows ] +--- +name: WindowsCredentialProviderFilters +doc: Windows Credential Provider Filters +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' +supported_os: [ Windows ] +--- +name: WindowsCredentialProviders +doc: CLSIDs of applications to use as Credential Providers +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 
'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' +supported_os: [ Windows ] +--- +name: WindowsDebugger +doc: Windows Debugger peristence or AV disable. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger' } +supported_os: [ Windows ] +--- +name: WindowsEnvironmentUserLoginScripts +doc: User login scripts configured via Windows environment variables. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer' } + - { key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript' } + - { key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitMprLogonScript' } +supported_os: [ Windows ] +--- +name: WindowsEnvironmentVariableAllUsersProfile +doc: The system-wide %AllUsersProfile% environment variable contains the path of the of the "All Users" or "Common" profile directory. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile' } + provides: + - key: environ_allusersappdata + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData' } + provides: + - key: environ_allusersappdata + - type: PATH + attributes: + paths: + - '\ProgramData' + - '\Documents and Settings\All Users' + separator: '\' + provides: + - key: environ_allusersappdata +supported_os: [ Windows ] +--- +name: WindowsEnvironmentVariableProfilesDirectory +doc: The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users". +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory' } + provides: + - key: environ_profilesdirectory +supported_os: [ Windows ] +--- +name: WindowsEnvironmentVariableSystemRoot +doc: The %SystemRoot%, environment variable contains the path of the system directory, typically "C:\Windows". +sources: + - type: PATH + attributes: + paths: + - '\Windows' + - '\WinNT' + - '\WINNT35' + - '\WTSRV' + separator: '\' + provides: + - key: environ_systemroot + - key: environ_systemdrive + regex: '^(..)' + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot' } + provides: + - key: environ_systemroot + - key: environ_systemdrive + regex: '^(..)' +supported_os: [ Windows ] +--- +name: WindowsExplorerAutoplayHandlers +doc: Handlers for autoplay events in Windows Explorer. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\*' ] +supported_os: [ Windows ] +--- +name: WindowsFileTypeAutorunAssociations +doc: | + Registry value for what application class identifier (CLSID) to launch for a file extension. + + Extension subkeys start with a dot. The '(Default)' value will be a ProgID, + which points to another entry in HKCR specifying the command to run to open + a file of the given type. The WindowsShellOpenCommand artifact is associated + with these ProgID command invocations. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\.*', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.*', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*', value: '' } +supported_os: [ Windows ] +--- +name: WindowsGroupPolicyScripts +doc: Windows group policy scripts +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\psscripts.ini' + - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\scripts.ini' + - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logoff\*' + - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logon\*' + - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\psscripts.ini' + - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\scripts.ini' + - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Shutdown\*' + - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Startup\*' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsLogoffScript +doc: Windows policy logoff script +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 
'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff' }
+supported_os: [ Windows ]
+---
+name: WindowsLogonScript
+doc: Windows policy logon script
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon' }
+supported_os: [ Windows ]
+---
+name: WindowsLSAAuthenticationPackages
+doc: Authentication Packages can be injected into LSASS.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages' }
+supported_os: [ Windows ]
+---
+name: WindowsLSANotificationPackages
+doc: Notification Packages can be injected into LSASS.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages' }
+supported_os: [ Windows ]
+---
+name: WindowsLSASecurityPackages
+doc: Security Packages can be injected into LSASS.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages' }
+supported_os: [ Windows ]
+---
+name: WindowsMostRecentApplication
+doc: Windows Most Recent Application name key
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name' }
+supported_os: [ Windows ]
+---
+name: WindowsMSDTCDLLs
+doc: Windows MSDTC attempts to load these DLLs on start
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*'
+supported_os: [ Windows ]
+---
+name: WindowsMultiMediaDrivers
+doc: Configured drivers for different multimedia filetypes.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+ - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+ - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
+supported_os: [ Windows ]
+---
+name: WindowsNetworkShellHelpers
+doc: Windows Network Shell (netsh) helpers are loaded on boot
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh'
+supported_os: [ Windows ]
+---
+name: WindowsOpenSaveMRU
+doc: Information about files opened or saved in a Windows shell dialog.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys: [ 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\OpenSaveMRU\*' ]
+supported_os: [ Windows ]
+---
+name: WindowsOpenSavePidlMRU
+doc: Information about files opened or saved in a Windows shell dialog.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys: [ 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*' ]
+supported_os: [ Windows ]
+---
+name: WindowsPendingGPOs
+doc: |
+ Windows Pending GPOs registry settings.
+
+ This is a persistence mechanism known to be used by the Gootkit malware family.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1' }
+supported_os: [ Windows ]
+---
+name: WindowsPersistenceMechanisms
+doc: Persistence mechanisms in Windows.
+sources:
+ - type: ARTIFACT_GROUP
+ attributes:
+ names:
+ - WindowsPersistenceRegistryKeys
+ - WindowsPowerShellDefaultProfiles
+ - WindowsServices
+ - WindowsJobFiles
+supported_os: [ Windows ]
+---
+name: WindowsPersistenceRegistryKeys
+doc: Windows Registry keys used for persistence.
+sources:
+ - type: ARTIFACT_GROUP
+ attributes:
+ names:
+ - InternetExplorerBrowserHelperObjectsRegistryKeys
+ - WindowsActiveDesktop
+ - WindowsActiveSyncAutoStart
+ - WindowsAlternateShell
+ - WindowsAppCertDLLs
+ - WindowsAppInitDLLs
+ - WindowsBootVerificationProgram
+ - WindowsCommandProcessorAutoRun
+ - WindowsCredentialProviderFilters
+ - WindowsCredentialProviders
+ - WindowsDebugger
+ - WindowsEnvironmentUserLoginScripts
+ - WindowsExplorerAutoplayHandlers
+ - WindowsFileTypeAutorunAssociations
+ - WindowsFontDrivers
+ - WindowsIconServiceLib
+ - WindowsLSAAuthenticationPackages
+ - WindowsLSANotificationPackages
+ - WindowsLSASecurityPackages
+ - WindowsMSDTCDLLs
+ - WindowsMultiMediaDrivers
+ - WindowsNetworkShellHelpers
+ - WindowsPendingGPOs
+ - WindowsPLAPProviders
+ - WindowsPrintMonitors
+ - WindowsRunGrpConv
+ - WindowsRunKeys
+ - WindowsRunServices
+ - WindowsScreenSaverExecutable
+ - WindowsSearchFilterHandlers
+ - WindowsSecurityProviders
+ - WindowsServiceControlManagerExtension
+ - WindowsSessionManagerBootExecute
+ - WindowsSessionManagerExecute
+ - WindowsSessionManagerS0InitialCommand
+ - WindowsSessionManagerSetupExecute
+ - WindowsSessionManagerSubSystems
+ - WindowsSessionManagerWOWCommandLine
+ - WindowsSetupCommandLine
+ - WindowsSharedTaskScheduler
+ - WindowsShellExecuteHooks
+ - WindowsShellExtensions
+ - WindowsShellIconOverlayIdentifiers
+ - WindowsShellLoadAndRun
+ - WindowsShellOpenCommand
+ - WindowsShellRunasCommand
+ - WindowsShellServiceObjects
+ - WindowsStubPaths
+ - WindowsSystemPolicyShell
+ - WindowsTerminalServerInitialProgram
+ - WindowsTerminalServerRunKeys
+ - WindowsTerminalServerStartupPrograms
+ - WindowsToolPaths
+ - WindowsWinlogonAppSetup
+ - WindowsWinlogonAvailableShells
+ - WindowsWinlogonGinaDLL
+ - WindowsWinlogonGPExtensions
+ - WindowsWinlogonNotify
+ - WindowsWinlogonShell
+ - WindowsWinlogonSystem
+ - WindowsWinlogonTaskman
+ - WindowsWinlogonUiHost
+ - WindowsWinlogonUserinit
+ - 
WindowsWinlogonVMApplet
+ - WinSock2LayeredServiceProviders
+ - WinSock2NamespaceProviders
+supported_os: [ Windows ]
+---
+name: WindowsPLAPProviders
+doc: Windows Pre-Logon Access Provider (PLAP) Providers
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*'
+supported_os: [ Windows ]
+---
+name: WindowsPowerShellDefaultProfiles
+doc: Default PowerShell Profile files. These files are executed by default when PowerShell starts up.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1'
+ - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
+ - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
+ - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsPrefetchFiles
+doc: Windows Prefetch files.
+sources:
+ - type: FILE
+ attributes:
+ paths: [ '%%environ_systemroot%%\Prefetch\*.pf' ]
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsPrintMonitors
+doc: Windows Print Monitor DLL config.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\*', value: 'Driver' } ]
+supported_os: [ Windows ]
+---
+name: WindowsRecycleBin
+doc: Windows Recycle Bin (Recyler, $Recycle.Bin) files.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '\$Recycle.Bin\**'
+ - '\Recycler\**'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsRegistryProfileSIDs
+doc: Get SIDs for all users on the system with profiles present in the Registry.
+sources:
+ - type: REGISTRY_KEY
+ attributes: { keys: [ 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*' ] }
+ provides:
+ - key: users.sid
+ regex: 'ProfileList\\(.+)$'
+supported_os: [ Windows ]
+---
+name: WindowsRegistryProfiles
+doc: |
+ Get SIDs for all users on the system with profiles present in the Registry.
+
+ This looks in the Windows Registry where the profiles are stored and retrieves
+ the paths for each profile.
+sources:
+ - type: REGISTRY_VALUE
+ attributes: { key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath' } ] }
+ provides:
+ - key: users.userprofile
+ - key: users.username
+ regex: '.*\\(.+)'
+supported_os: [ Windows ]
+---
+name: WindowsRunGrpConv
+doc: |
+ The Windows RunGrpConv Registry value.
+
+ When this Registry value is non-zero userinit.exe will launch grpconv.exe at user login.
+sources:
+ - type: REGISTRY_VALUE
+ attributes: { key_value_pairs: [ { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv' } ] }
+supported_os: [ Windows ]
+---
+name: WindowsRunKeys
+doc: |
+ Windows Run and RunOnce keys.
+
+ Note users.sid will currently only expand to SIDs with profiles
+ on the system, not all SIDs.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx'
+supported_os: [ Windows ]
+---
+name: WindowsRunServices
+doc: Windows Run Services.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServices'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
+supported_os: [ Windows ]
+---
+name: WindowsScheduledTasks
+doc: Windows Scheduled Tasks.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\Tasks\**10'
+ - '%%environ_systemroot%%\System32\Tasks\**10'
+ - '%%environ_systemroot%%\SysWow64\Tasks\**10'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsScreenSaverExecutable
+doc: ScreenSaver Executable
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe' }
+supported_os: [ Windows ]
+---
+name: WindowsSecurityProviders
+doc: Security Providers DLLs
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys: [ 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders' ]
+supported_os: [ Windows ]
+---
+name: WindowsServiceControlManagerExtension
+doc: Windows service control manager extension
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control', value: 'ServiceControlManagerExtension' } ]
+supported_os: [ Windows ]
+---
+name: WindowsServices
+doc: |
+ Windows services from the Registry.
+
+ Malware can add new services to gain persistence, or modify
+ existing ones to avoid detection. For example, the ZeroAccess
+ rootkit will make the following changes to the WSCSVC (Windows
+ Security Service Center), WINDEFEND (Windows Defender),
+ and MPSSVC (Windows Firewall) services, among others
+
+ * Set 'Start' to 4, indicating that the service should be disabled
+ * Set 'DeleteFlag' to 1, indicating that the service should be removed
+ * Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be
+ started by the Service Controller and no error messages generated
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*'
+ - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\Parameters'
+supported_os: [ Windows ]
+---
+name: WindowsFontDrivers
+doc: Windows font drivers from the Registry.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers\*'
+supported_os: [ Windows ]
+---
+name: WindowsSessionManagerBootExecute
+doc: Windows Session Manager BootExecute persistence.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'BootExecute' } ]
+supported_os: [ Windows ]
+---
+name: WindowsSessionManagerExecute
+doc: |
+ Windows Session Manager Execute persistence
+
+ This entry shouldn't be populated after Windows has been installed
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'Execute' } ]
+supported_os: [ Windows ]
+---
+name: WindowsSessionManagerS0InitialCommand
+doc: |
+ Windows Session Manager S0InitialCommand persistence
+
+ This entry shouldn't be populated after Windows has been installed
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'S0InitialCommand' } ]
+supported_os: [ Windows ]
+---
+name: WindowsSessionManagerSetupExecute
+doc: |
+ Windows Session Manager SetupExecute persistence
+
+ This entry shouldn't be populated after Windows has been installed
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'SetupExecute' } ]
+supported_os: [ Windows ]
+---
+name: WindowsSessionManagerSubSystems
+doc: Windows Session Manager SubSystems persistence
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs: [ { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems', value: 'Windows' } ]
+supported_os: [ Windows ]
+---
+name: WindowsSessionManagerWOWCommandLine
+doc: Windows Session Manager Windows-on-Windows (WOW) command line
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session 
Manager\WOW', value: 'wowcmdline' }
+supported_os: [ Windows ]
+---
+name: WindowsSetupCommandLine
+doc: Command line invocation used for custom setup and deployment tasks
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\Setup', value: 'CmdLine' }
+supported_os: [ Windows ]
+---
+name: WindowsSharedTaskScheduler
+doc: Runs on windows boot.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
+supported_os: [ Windows ]
+---
+name: WindowsShellExecuteHooks
+doc: Shell execution hooks are called when ShellExecuteEx() is called.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
+supported_os: [ Windows ]
+---
+name: WindowsShellExtensions
+doc: Approved extensions to the Windows Shell (explorer.exe).
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
+supported_os: [ Windows ]
+---
+name: WindowsShellIconOverlayIdentifiers
+doc: Called to display custom icons.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
+supported_os: [ Windows ]
+---
+name: WindowsShellLoadAndRun
+doc: Windows Shell Load and Run values
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run' }
+supported_os: [ Windows ]
+---
+name: WindowsIconServiceLib
+doc: |
+ Windows Icon Service Library Name
+
+ The value should default to 'IconCodecService.dll'
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'IconServiceLib' }
+supported_os: [ Windows ]
+---
+name: WindowsShellOpenCommand
+doc: Executed every time this file type is opened. For most file types, the value should be '"%1" %*'.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: 'IsolatedCommand' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: '' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: 'IsolatedCommand' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: '' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand' }
+supported_os: [ Windows ]
+---
+name: WindowsShellRunasCommand
+doc: |
+ Executed every time an executable or script file type is run as administrator.
+
+ For most file types, the value should be '"%1" %*' or something similar.
+ Example file type subkeys include 'exefile', 'batfile', and 'cmdfile'. These
+ keys can be modified by malware as a way to be periodically executed or to
+ bypass UAC.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: '' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: '' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: '' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand' }
+supported_os: [ Windows ]
+---
+name: WindowsShellServiceObjects
+doc: Windows Shell (explorer.exe) service objects delayed load.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
+supported_os: [ Windows ]
+---
+name: WindowsSetupApiLogs
+doc: Windows setup API logs.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemroot%%\setupapi.log'
+ - '%%environ_systemroot%%\inf\setupapi.app.log'
+ - '%%environ_systemroot%%\inf\setupapi.dev.log'
+ - '%%environ_systemroot%%\inf\setupapi.offline.log'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsStartupFolders
+doc: Windows startup folder persistence.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_allusersappdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
+ - '%%environ_allusersappdata%%\Start Menu\Programs\Startup\*'
+ - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
+ - '%%users.userprofile%%\Start Menu\Programs\Startup\*'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsStartupScript
+doc: Windows policy startup script
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Script' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Parameters' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Script' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Parameters' }
+supported_os: [ Windows ]
+---
+name: WindowsStubPaths
+doc: |
+ Windows StubPath persistence.
+
+ Each time a user logs in, the Active Setup Installed Components in HKLM
+ are compared ot the ones in HKCU, and if any are missing, or if the
+ associated version is less, the program is executed.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version' }
+supported_os: [ Windows ]
+---
+name: WindowsSystemPolicyShell
+doc: Windows System policy replacement shell (custom user interface).
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell' }
+supported_os: [ Windows ]
+---
+name: WindowsSystemRegistryFiles
+doc: Windows system Registry files.
+sources:
+ - type: FILE
+ attributes:
+ paths:
+ - '%%environ_systemdrive%%\System Volume Information\Syscache.hve'
+ - '%%environ_systemroot%%\System32\config\SAM'
+ - '%%environ_systemroot%%\System32\config\SECURITY'
+ - '%%environ_systemroot%%\System32\config\SOFTWARE'
+ - '%%environ_systemroot%%\System32\config\SYSTEM'
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsSystemResourceUsageMonitorDatabaseFile
+doc: Windows System Resource Usage Monitor (SRUM) database file.
+sources:
+ - type: FILE
+ attributes:
+ paths: [ '%%environ_systemroot%%\System32\sru\SRUDB.dat' ]
+ separator: '\'
+supported_os: [ Windows ]
+---
+name: WindowsTerminalServerRunKeys
+doc: Windows Terminal Server Run keys
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
+ - 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
+supported_os: [ Windows ]
+---
+name: WindowsTerminalServerStartupPrograms
+doc: Windows Terminal Server Startup Programs
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms' }
+supported_os: [ Windows ]
+---
+name: WindowsTerminalServerInitialProgram
+doc: Windows Terminal Server Initial Program
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', value: 'InitialProgram' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' }
+ - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' }
+ - { key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram' }
+supported_os: [ Windows ]
+---
+name: WindowsActiveSyncAutoStart
+doc: Windows ActiveSync AutoStart entries
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE 
Services\AutoStartOnConnect\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect\*'
+ - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect\*'
+supported_os: [ Windows ]
+---
+name: WindowsTimezone
+doc: The time zone of the system as a Windows time zone name or in MUI form.
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName' }
+ - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName' }
+supported_os: [ Windows ]
+---
+name: WindowsToolPaths
+doc: Paths to windows tools such as defrag, chkdsk.
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath'
+supported_os: [ Windows ]
+---
+name: WindowsUninstallKeys
+doc: Uninstall Registry keys
+sources:
+ - type: REGISTRY_KEY
+ attributes:
+ keys:
+ - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
+ - 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
+ - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
+supported_os: [ Windows ]
+---
+name: WindowsUserShellFoldersOfInterest
+doc: The Shell Folders information for Windows users, defined as single values for knowledge base extraction
+sources:
+ - type: REGISTRY_VALUE
+ attributes:
+ key_value_pairs:
+ - { key: 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'AppData' } + provides: [ { key: users.appdata } ] + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Local AppData' } + provides: [ { key: users.localappdata } ] +supported_os: [ Windows ] +--- +name: WindowsWinlogonGinaDLL +doc: Windows Gina DLL replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonNotify +doc: Windows Winlogon Notify DLL names. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonShell +doc: Windows shell replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonSystem +doc: Applications launched by Winlogon in the system context during the system initialisation. 
+sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonTaskman +doc: Windows Winlogon Taskman replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonUiHost +doc: Windows Winlogon UI screen application +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonUserinit +doc: Windows Winlogon Userinit replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonAvailableShells +doc: | + Windows Server Winlogon Available Shells + + Used to specify an alternate shell application to be launched when + logging into Windows Server 2012 and later. Legitimate keys under + AvailableShells should just cause cmd.exe or explorer.exe to be executed, + whereas malicious programs may create keys that cause malware to be run + when a user logs in. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: [ 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells\*' ] +supported_os: [ Windows ] +--- +name: WindowsWinlogonVMApplet +doc: Windows VMApplet replacement. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonAppSetup +doc: Windows Winlogon Appsetup +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup' } +supported_os: [ Windows ] +--- +name: WindowsWinlogonGPExtensions +doc: | + Windows Winlogon Group Policy Extensions + + These keys specify DLLs that should be loaded when the group policy + engine loads, and can act as a persistence mechanism for malware. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName' } +supported_os: [ Windows ] +--- +name: WinSock2LayeredServiceProviders +doc: Used to filter TCP/IP traffic through WinSock2. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*' + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*' +supported_os: [ Windows ] +--- +name: WinSock2NamespaceProviders +doc: Used to provide name-resolution services through WinSock2 +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*', value: 'LibraryPath' } + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*', value: 'LibraryPath' } +supported_os: [ Windows ] +--- +name: WindowsJobFiles +doc: Files for the Windows Task Scheduler +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\system32\Tasks\**10' + - '%%environ_systemroot%%\Tasks\**10' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsNetworkInterfaceInformation +doc: Details for network interfaces and their names +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Services\Tcpip\Parameters\Interfaces\*' + - 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\*\Connection' +supported_os: [ Windows ] +--- +name: WindowsHotfixes +doc: Windows Registry Keys that contain Hotfix information +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Updates\*\*' + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\*\*' +supported_os: [ Windows ] +--- +name: WindowsDefaultPaths +doc: Default Paths for many parameters +sources: + - type: PATH + attributes: + paths: + - '%%environ_systemdrive%%\Users' + 
separator: '\' + provides: [ { key: environ_profilesdirectory } ] + - type: PATH + attributes: + paths: + - '%%environ_profilesdirectory%%\*' + - '\Users\*' + separator: '\' + provides: + - { key: users.userprofile } + - { key: users.username, regex: '.*\\(.+)' } + - type: PATH + attributes: + paths: + - '%%environ_profilesdirectory%%\*\AppData\Roaming' + - '\Users\*\AppData\Roaming' + separator: '\' + provides: [ { key: users.appdata } ] + - type: PATH + attributes: + paths: + - '%%environ_profilesdirectory%%\*\AppData\Local' + - '\Users\*\AppData\Local' + separator: '\' + provides: [ { key: users.localappdata } ] +supported_os: [ Windows ] +--- +name: WindowsUserSIDDefaultKeys +doc: Bruteforce SIDs +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\*' + provides: [ { key: users.sid, regex: '.*\\(.+)' } ] +supported_os: [ Windows ] diff --git a/config/artifacts/windows_logs.yaml b/config/artifacts/windows_logs.yaml new file mode 100644 index 0000000..7870592 --- /dev/null +++ b/config/artifacts/windows_logs.yaml 
@@ -0,0 +1,101 @@ +# Windows event logs. + +name: WindowsEventLogs +doc: Windows Event logs. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsEventLogApplicationFile' + - 'WindowsEventLogSecurityFile' + - 'WindowsEventLogSystemFile' + - 'WindowsXMLEventLogApplicationFile' + - 'WindowsXMLEventLogSecurityFile' + - 'WindowsXMLEventLogSysmonFile' + - 'WindowsXMLEventLogSystemFile' + - 'WindowsXMLEventLogTerminalServicesFile' +supported_os: [ Windows ] +--- +name: WindowsEventLogPath +doc: Windows Event log locations. +sources: + - type: PATH + attributes: + paths: + - '%%environ_systemroot%%\System32\config' + - '%%environ_systemroot%%\System32\winevt\Logs' + separator: '\' + provides: [ { key: windows_event_logs } ] +supported_os: [ Windows ] +--- +name: WindowsEventLogApplicationFile +doc: Application Windows Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\AppEvent.evt' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsEventLogSecurityFile +doc: Security Windows Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\SecEvent.evt' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsEventLogSystemFile +doc: System Windows Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\SysEvent.evt' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogApplicationFile +doc: Application Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Application.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogSecurityFile +doc: Security Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Security.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogSysmonFile +doc: Sysmon Windows XML Event Log. 
+sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Microsoft-Windows-Sysmon%4Operational.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogSystemFile +doc: System Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\System.evtx' ] + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsXMLEventLogTerminalServicesFile +doc: TerminalServices Windows XML Event Log. +sources: + - type: FILE + attributes: + paths: [ '%%windows_event_logs%%\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' ] + separator: '\' +supported_os: [ Windows ] diff --git a/config/artifacts/windows_persistence.yaml b/config/artifacts/windows_persistence.yaml new file mode 100644 index 0000000..d40facd --- /dev/null +++ b/config/artifacts/windows_persistence.yaml 
@@ -0,0 +1,190 @@ +# Arifacts used for persistence on Windows. + +name: WindowsPersistence +doc: Windows persistence mechanisms. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsEnvironmentVariableSystemRoot' + - 'WindowsRegistryProfiles' + - 'WindowsPersistenceMechanisms' + - 'WindowsApplicationCompatibilityShims' + - 'WindowsAppCertDLLsAlt' + - 'WindowsCOMProperties' + - 'WindowsBrowserPersistenceKeys' + - 'InternetExplorerBrowserHelperObjectsRegistryKeys' + - 'WindowsBrowserPersistenceFiles' + - 'WindowsFileAssociation' + - 'WindowsScheduledTasks' + - 'WindowsTimeProviders' + - 'WindowsSIPandTrustProviderHijacking' + - 'WindowsKnownDLLs' + - 'WindowsOfficeApplicationStartup' + - 'WindowsImageHijacks' + - 'WindowsCommandProcessorAutoRun' + - 'WindowsDebugger' + - 'WindowsCodecs' + - 'WindowsFontDriversAlt' + - 'WindowsStartupFolders' + - 'WindowsStartupScript' + - 'WindowsGroupPolicyScripts' + - 'WindowsLogonScript' + - 'WindowsLogoffScript' +supported_os: [ Windows ] +--- +name: WindowsBrowserPersistenceKeys +doc: Registry keys for various browser extensions or wrapper objects. +sources: + - type: REGISTRY_KEY + attributes: + keys: + # - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' + # - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\*' +supported_os: [ Windows ] +--- +name: WindowsBrowserPersistenceFiles +doc: Windows Scheduled Tasks. 
+sources: + - type: FILE + attributes: + paths: + - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\extensions.json' + separator: '\' +supported_os: [ Windows ] +--- +name: WindowsFileAssociation +doc: User file association preferences +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\OpenWithList' + - 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\OpenWithList' +supported_os: [ Windows ] +--- +name: WindowsImageHijacks +doc: Various image hijack mechanisms used for persistence. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + # - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + # - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*', value: 'MonitorProcess' } + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} + # - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\Command', value: '' } + - { key: 
'HKEY_USERS\%%users.sid%%\Software\Classes\Exefile\Shell\Open\Command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\Htmlfile\Shell\Open\Command', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Htmlfile\Shell\Open\Command', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\.cmd', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.cmd', value: '' } + - { key: 'HKEY_LOCAL_MACHINE\Software\Classes\.exe', value: '' } + - { key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.exe', value: '' } +supported_os: [ Windows ] +--- +name: WindowsTimeProviders +doc: Windows time provider services. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\*' +supported_os: [ Windows ] +--- +name: WindowsSIPandTrustProviderHijacking +doc: SIP are responsible for signature procession and can be abused by adversaries. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\*', value: '`$DLL' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\*', value: 'Dll' } + - { key: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\*', value: '`$DLL' } +supported_os: [ Windows ] +--- +name: WindowsKnownDLLs +doc: DLLs that can be abused by search order hijacking. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs' +supported_os: [ Windows ] +--- +name: WindowsOfficeApplicationStartup +doc: Add-ins and plug-ins registered to hook into office apps. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office test\Special\Perf' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\*\Addins\*' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\Addins\*' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\*\Addins\*' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Office\*\Addins\*' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\*\Outlook\WebView\Calendar\URL' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\Outlook\WebView\Calendar\URL' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\*\Outlook\WebView\Inbox' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\Outlook\WebView\Inbox' +supported_os: [ Windows ] +--- +name: WindowsCodecs +doc: Codecs are executable software that can be loaded by media playback software. They could be abused for system persistence. 
+sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' + - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - 'HKEY_LOCAL_MACHINE\Software\Classes\Filter' + - 
'HKEY_USERS\%%users.sid%%\Software\Classes\Filter' + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32' + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Drivers32' +supported_os: [ Windows ] +--- +name: WindowsAppCertDLLsAlt +doc: Windows AppCertDLLs persistence. +sources: + - type: REGISTRY_VALUE + attributes: + key_value_pairs: + - { key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'AppCertDLLs' } +supported_os: [ Windows ] +--- +name: WindowsFontDriversAlt +doc: Windows font drivers from the Registry. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers' +supported_os: [ Windows ] diff --git a/config/artifacts/windows_usb.yaml b/config/artifacts/windows_usb.yaml new file mode 100644 index 0000000..ce21e6f --- /dev/null +++ b/config/artifacts/windows_usb.yaml 
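Review bot: The `doc` of `WindowsBrowserPersistenceFiles` reads `Windows Scheduled Tasks.` although its only source is the Firefox `extensions.json` path, so the text looks copied from another definition; `doc: Browser extension manifests that can be used for persistence.` would describe what is collected. In `WindowsSIPandTrustProviderHijacking` both `FinalPolicy` entries look up the value `` `$DLL ``; inside YAML single quotes the backtick is a literal character, so this presumably is a PowerShell escape that survived a copy and a value actually named `$DLL` would never be matched — `value: '$DLL'` should be confirmed against a live registry before changing it. `WindowsFileAssociation` lists a `HKEY_CURRENT_USER` key next to the `HKEY_USERS\%%users.sid%%` one; when the collector runs under a service account that hive is the service account's, not the users', so the entry is likely redundant with the SID-parameterised key. The file header comment also spells `Arifacts`.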
@@ -0,0 +1,59 @@ +# USB Artifacts + +name: WindowsUSBInformation +doc: Windows Event logs. +sources: + - type: ARTIFACT_GROUP + attributes: + names: + - 'WindowsUSBDeviceInformations' + - 'WindowsUSBVolumeAndDriveMapping' + - 'WindowsUSBUserMountedDevices' + - 'WindowsDeviceSetupFile' +supported_os: [ Windows ] +--- +name: WindowsUSBDeviceInformations +doc: | + Windows USB Device Informations. + + USBSTOR subkey only exists when there ever was an USB device mounted. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\**' +supported_os: [ Windows ] +--- +name: WindowsUSBVolumeAndDriveMapping +doc: | + Windows USB volume and drive mapping. + + Displays the mapping of USB devices to drives and volumes. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices' +supported_os: [ Windows ] +--- +name: WindowsUSBUserMountedDevices +doc: | + Windows USB user mounted devices. + + Shows the GUIDs of all devices the user has ever mounted. +sources: + - type: REGISTRY_KEY + attributes: + keys: + - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\**' +supported_os: [ Windows ] +--- +name: WindowsDeviceSetupFile +doc: Logfiles for Windows PNP driver installation +sources: + - type: FILE + attributes: + paths: + - '%%environ_systemroot%%\inf\setupapi*.log' + separator: '\' +supported_os: [ Windows ] diff --git a/tools/artifactvalidator/main.go b/tools/artifactvalidator/main.go index dd1352e..17e34b6 100644 --- a/tools/artifactvalidator/main.go +++ b/tools/artifactvalidator/main.go @@ -41,6 +41,7 @@ import ( "path/filepath" "runtime" "sort" + "strings" "github.com/olekukonko/tablewriter" 
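Review bot: The `doc` of `WindowsUSBInformation` reads `Windows Event logs.`, which is copied from the event-log group and does not describe a USB artifact group; `doc: Windows USB device, volume mapping and user mount-point artifacts.` would match the four members listed under `names`. `WindowsUSBDeviceInformations` uses the non-word "Informations" in both the artifact name and its doc; renaming is a breaking change for the group reference, but the doc line at least could read `Windows USB device information.`.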
@@ -52,6 +53,7 @@ func main() { // nolint:gocyclo,gocognit,funlen exitcode := 0 // parse flags + var entrypoints string var verbose, summary, quite, nofail bool flag.BoolVar(&verbose, "verbose", false, "show common flaws as well") flag.BoolVar(&verbose, "v", false, "show common flaws as well"+" (shorthand)") @@ -60,6 +62,7 @@ func main() { // nolint:gocyclo,gocognit,funlen flag.BoolVar(&summary, "summary", false, "show summary") flag.BoolVar(&summary, "s", false, "show summary"+" (shorthand)") flag.BoolVar(&nofail, "no-fail", false, "do not fail on flaws") + flag.StringVar(&entrypoints, "entrypoints", "", "entrypoint for the artifact collection which are not marked as unused, e.g. 'DefaultCollection1', can be a comma separated list") flag.Parse() // setup logging @@ -88,7 +91,7 @@ func main() { // nolint:gocyclo,gocognit,funlen } // parse artifacts - flaws, err := ValidateFiles(args) + flaws, err := ValidateFiles(args, strings.Split(entrypoints, ",")) if err != nil { slog.ErrorContext(ctx, err.Error()) diff --git a/tools/artifactvalidator/validator.go b/tools/artifactvalidator/validator.go index 26792fe..6765cfc 100644 --- a/tools/artifactvalidator/validator.go +++ b/tools/artifactvalidator/validator.go @@ -24,10 +24,12 @@ package main import ( "bufio" "fmt" + "maps" "net/http" "os" "path/filepath" "regexp" + "slices" "sort" "strings" "sync" @@ -90,7 +92,7 @@ func (r *validator) addErrorf(filename, artifactDefiniton, format string, a ...i } // ValidateFiles checks a list of files for various flaws. -func ValidateFiles(filenames []string) (flaws []Flaw, err error) { +func ValidateFiles(filenames []string, entrypoints []string) (flaws []Flaw, err error) { artifactDefinitionMap := map[string][]artifacts.ArtifactDefinition{} // decode file 
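Review bot: `strings.Split(entrypoints, ",")` returns `[]string{""}` when `-entrypoints` is left unset, so an empty-string entrypoint is always passed to `ValidateFiles` and recorded as used; guard the split with `var eps []string` / `if entrypoints != "" { eps = strings.Split(entrypoints, ",") }` and pass `eps`, or drop empty and whitespace-only names after splitting (a `strings.TrimSpace` on each element would also tolerate `a, b`). The flag description `"entrypoint for the artifact collection which are not marked as unused, e.g. 'DefaultCollection1', can be a comma separated list"` mixes singular and plural; `"comma separated list of artifact names treated as used, e.g. 'DefaultCollection1'"` says the same thing more plainly. `main` continues outside the hunk.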
@@ -106,19 +108,19 @@ func ValidateFiles(filenames []string) (flaws []Flaw, err error) { } // validate - flaws = append(flaws, ValidateArtifactDefinitions(artifactDefinitionMap)...) + flaws = append(flaws, ValidateArtifactDefinitions(artifactDefinitionMap, entrypoints)...) return } // ValidateArtifactDefinitions validates a map of artifact definitions and returns any flaws found in those. -func ValidateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition) []Flaw { +func ValidateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition, entrypoints []string) []Flaw { r := newValidator() - r.validateArtifactDefinitions(artifactDefinitionMap) + r.validateArtifactDefinitions(artifactDefinitionMap, entrypoints) return r.flaws } // validateArtifactDefinitions validates single artifacts. -func (r *validator) validateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition) { +func (r *validator) validateArtifactDefinitions(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition, entrypoints []string) { var globalArtifactDefinitions []artifacts.ArtifactDefinition for filename, artifactDefinitions := range artifactDefinitionMap { @@ -139,6 +141,7 @@ func (r *validator) validateArtifactDefinitions(artifactDefinitionMap map[string r.validateGroupMemberExist(globalArtifactDefinitions) r.validateNoCycles(globalArtifactDefinitions) r.validateParametersProvided(globalArtifactDefinitions) + r.validateUnused(globalArtifactDefinitions, entrypoints) r.validateArtifactURLs(artifactDefinitionMap) } 
@@ -155,6 +158,7 @@ func (r *validator) validateArtifactDefinition(filename string, artifactDefiniti r.validateNamePrefix(filename, artifactDefinition) r.validateOSSpecific(filename, artifactDefinition) r.validateArtifactOS(filename, artifactDefinition) + r.validateNoDefinitionLabels(filename, artifactDefinition) r.validateNoDefinitionConditions(filename, artifactDefinition) r.validateNoDefinitionProvides(filename, artifactDefinition) if macosArtifact { @@ -368,6 +372,48 @@ func (r *validator) validateParametersProvided(artifactDefinitions []artifacts.A } } } + + for operatingSystem := range knownProvides { + for key := range knownProvides[operatingSystem] { + if !slices.Contains(slices.Collect(maps.Keys(parametersRequired[operatingSystem])), key) { + r.addWarningf( + "", knownProvides[operatingSystem][key], + "Provided key %s is not used for %s", key, operatingSystem, + ) + } + } + } +} + +func (r *validator) validateUnused(artifactDefinitions []artifacts.ArtifactDefinition, entrypoints []string) { + used := map[string]bool{} + + for _, entrypoint := range entrypoints { + used[entrypoint] = true + } + + for _, artifactDefinition := range artifactDefinitions { + for _, source := range artifactDefinition.Sources { + for _, path := range source.Attributes.Names { + used[path] = true + } + + for _, source := range artifactDefinition.Sources { + if len(source.Provides) > 0 { + used[artifactDefinition.Name] = true + } + } + } + } + + for _, artifactDefinition := range artifactDefinitions { + if _, ok := used[artifactDefinition.Name]; !ok { + r.addInfof( + "", artifactDefinition.Name, + "Artifact %s is not used", artifactDefinition.Name, + ) + } + } } func (r *validator) validateArtifactURLs(artifactDefinitionMap map[string][]artifacts.ArtifactDefinition) { 
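Review bot: In `validateUnused` the loop `for _, source := range artifactDefinition.Sources` is nested inside an identical outer loop over the same `Sources`, so `source` is shadowed and the Provides check runs once per source instead of once per definition; hoisting the `if len(source.Provides) > 0` test into the outer loop gives the same `used` set without the quadratic pass, as in the excerpt below. In the new tail of `validateParametersProvided` (whose start is outside the hunk), `slices.Contains(slices.Collect(maps.Keys(parametersRequired[operatingSystem])), key)` materialises every key into a slice for each `key`; assuming `parametersRequired[operatingSystem]` is a map keyed by the parameter name (it is handed to `maps.Keys`), the direct lookup `if _, ok := parametersRequired[operatingSystem][key]; !ok {` is the idiomatic form and, as far as this patch shows, would leave the newly added `maps` and `slices` imports unused. `validateUnused` also lacks a doc comment; `// validateUnused reports definitions that are neither listed as an entrypoint, referenced by an ARTIFACT_GROUP, nor providing parameters.` would do.
```go
func (r *validator) validateUnused(artifactDefinitions []artifacts.ArtifactDefinition, entrypoints []string) {
	// … unchanged: seed used with entrypoints …
	for _, artifactDefinition := range artifactDefinitions {
		for _, source := range artifactDefinition.Sources {
			for _, name := range source.Attributes.Names {
				used[name] = true
			}
			// a definition that provides parameters is consumed implicitly
			if len(source.Provides) > 0 {
				used[artifactDefinition.Name] = true
			}
		}
	}
	// … unchanged: report every definition missing from used …
```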
@@ -566,6 +612,12 @@ func (r *validator) validateArtifactOS(filename string, artifactDefinition artif } } +func (r *validator) validateNoDefinitionLabels(filename string, artifactDefinition artifacts.ArtifactDefinition) { + if len(artifactDefinition.Labels) > 0 { + r.addInfof(filename, artifactDefinition.Name, "Definition labels are deprecated") + } +} + func (r *validator) validateNoDefinitionConditions(filename string, artifactDefinition artifacts.ArtifactDefinition) { if len(artifactDefinition.Conditions) > 0 { r.addInfof(filename, artifactDefinition.Name, "Definition conditions are deprecated") diff --git a/tools/artifactvalidator/validator_test.go b/tools/artifactvalidator/validator_test.go index 1f9aba9..7f61b56 100644 --- a/tools/artifactvalidator/validator_test.go +++ b/tools/artifactvalidator/validator_test.go @@ -117,7 +117,7 @@ func TestValidator_ValidateFilesInvalid(t *testing.T) { tt.yamlfile: ads, } - r.validateArtifactDefinitions(artifactDefinitionMap) + r.validateArtifactDefinitions(artifactDefinitionMap, nil) if len(flaws)+len(r.flaws) == 0 { t.Errorf("Validator.ValidateFiles() %s has no flaws", tt.yamlfile) From 1f2ee3489df0d96944ea9901cba29fbf275ad554 Mon Sep 17 00:00:00 2001 From: Jonas Plum Date: Sat, 19 Oct 2024 13:30:05 +0200 Subject: [PATCH 2/4] fix: generate --- assets/artifacts.generated.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/artifacts.generated.go b/assets/artifacts.generated.go index 7cd30a3..7150aef 100644 --- a/assets/artifacts.generated.go +++ b/assets/artifacts.generated.go 
@@ -2,4 +2,4 @@ package assets import "github.com/forensicanalysis/artifactcollector/artifacts" -var Artifacts = []artifacts.ArtifactDefinition{{Name: "Bit9LocalCache", Doc: "Bit9 local cache database.", Sources: []artifacts.Source{{Parent: "Bit9LocalCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Bit9\\Parity Agent\\cache.*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "CrowdstrikeQuarantine", Doc: "Crowdstrike stores quarantined files encoded on disk.", Sources: []artifacts.Source{{Parent: "CrowdstrikeQuarantine", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/CS/Quarantine/*", "/Library/Application Support/Crowdstrike/Falcon/Quarantine/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "CrowdstrikeQuarantine", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\drivers\\CrowdStrike\\Quarantine\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Windows"}, Urls: []string(nil)}, {Name: "CrowdstrikeAgentID", Doc: "Identifier of a CrowdStrike agent.", Sources: 
[]artifacts.Source{{Parent: "CrowdstrikeAgentID", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/CS/registry.base"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "CrowdstrikeAgentID", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/opt/CrowdStrike/falconctl", Args: []string{"-g", "--cid", "--aid"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "CrowdstrikeAgentID", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CSAgent\\Sim", Value: "AG"}}}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "EsetAVQuarantine", Doc: "Eset Anti-Virus Quarantine (Infected) files.", Sources: []artifacts.Source{{Parent: "EsetAVQuarantine", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Application Support/ESET/esets/cache/quarantine/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "EsetAVQuarantine", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\ESET\\ESET NOD32 Antivirus\\Logs\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus"}, SupportedOs: []string{"Darwin", "Windows"}, Urls: []string(nil)}, {Name: "MicrosoftAVQuarantine", Doc: "Microsoft Anti-Virus Quarantine (Infected) files.", Sources: []artifacts.Source{{Parent: "MicrosoftAVQuarantine", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Microsoft Antimalware\\Quarantine\\**", "%%environ_allusersappdata%%\\Microsoft\\Windows Defender\\Quarantine\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "MicrosoftAVLogs", Doc: "Microsoft Anti-Virus log files.", Sources: []artifacts.Source{{Parent: "MicrosoftAVLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Windows AntiMalware\\Support\\MPDetection-*.log", "%%environ_allusersappdata%%\\Microsoft\\Windows AntiMalware\\Support\\MPLog-*.log", "%%environ_allusersappdata%%\\Microsoft\\Windows Defender\\Scans\\History\\Service\\DetectionHistory\\**", "%%environ_allusersappdata%%\\Microsoft\\Windows Defender\\Support\\MPDetection-*.log", "%%environ_allusersappdata%%\\Microsoft\\Windows Defender\\Support\\MPLog-*.log", 
"%%environ_systemroot%%\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\MpCmdRun.log", "%%environ_systemroot%%\\Temp\\MpCmdRun.log", "%%users.temp%%\\MpCmdRun.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus", "Logs"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDefenderScanDetectionHistoryFiles", Doc: "Microsoft Windows Defender scan detection history files.", Sources: []artifacts.Source{{Parent: "WindowsDefenderScanDetectionHistoryFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Windows Defender\\Scans\\History\\Service\\DetectionHistory\\*\\*-*-*-*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus", "Logs"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDefenderExclusions", Doc: "Directories, processes and extensions configured not to be scanned by Windows Defender.\nThe can be set locally or through group policy objects (GPO).\n\nCertain malware families (for example, Tofsee) are known to add directories to the\nPaths list in order to avoid being detected by Windows Defender. 
Other malware\n(for example, REvil) use the existing exclusions to be ignored by Anti-Virus products.\n", Sources: []artifacts.Source{{Parent: "WindowsDefenderExclusions", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Defender\\Exclusions\\Paths\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Defender\\Exclusions\\Processes\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths\\*", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\\*", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Processes\\*", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\*", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://blog.malwarebytes.com/detections/pum-optional-msexclusion/", "https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e", "https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html", "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"}}, {Name: "SantaLogs", Doc: "Local Santa logs.", Sources: []artifacts.Source{{Parent: "SantaLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/db/santa/*", 
"/private/var/db/santa/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "SophosAVLogs", Doc: "Sophos Anti-Virus log files.", Sources: []artifacts.Source{{Parent: "SophosAVLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Logs/Sophos*.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "SophosAVLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Sophos\\Sophos Anti-Virus\\Logs\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus", "Logs"}, SupportedOs: []string{"Darwin", "Windows"}, Urls: []string(nil)}, {Name: "SophosAVQuarantine", Doc: "Sophos Anti-Virus Quarantine (Infected) files.", Sources: []artifacts.Source{{Parent: "SophosAVQuarantine", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Users/Shared/Infected/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "SophosAVQuarantine", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Sophos\\Sophos Anti-Virus\\INFECTED\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus"}, SupportedOs: []string{"Darwin", "Windows"}, Urls: []string(nil)}, {Name: "SymantecAVLogs", Doc: "Symantec Anti-Virus Log Files.", Sources: []artifacts.Source{{Parent: "SymantecAVLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\*\\Data\\Logs\\*.log", "%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\*\\Data\\Logs\\AV\\*.log", "%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\Logs\\AV\\*.log", "%%users.localappdata%%\\Symantec\\Symantec Endpoint Protection\\Logs\\*.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus", "Logs"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "SymantecAVQuarantine", Doc: "Symantec Anti-Virus quarantine (infected) and cloud submission files.", Sources: []artifacts.Source{{Parent: "SymantecAVQuarantine", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\**5\\*.vbn", "%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\Quarantine\\**", "%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\*\\Data\\Quarantine\\**", 
"%%environ_allusersappdata%%\\Symantec\\Symantec Endpoint Protection\\*\\Data\\CmnClnt\\ccSubSDK\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Antivirus", "Logs"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "MicrosoftOfficeAutosave", Doc: "Automatically created Microsoft Office recovery files.", Sources: []artifacts.Source{{Parent: "MicrosoftOfficeAutosave", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Word\\**", "%%users.appdata%%\\Microsoft\\Excel\\**", "%%users.appdata%%\\Microsoft\\Powerpoint\\**", "%%users.appdata%%\\Microsoft\\Publisher\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Microsoft_Office_Autosave"}}, {Name: "MicrosoftOfficeTrustRecords", Doc: "Trust records showing document and locations with macros enabled", Sources: []artifacts.Source{{Parent: "MicrosoftOfficeTrustRecords", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\*\\Security\\Trusted Documents\\", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\*\\Security\\Trusted Documents\\TrustRecords", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\*\\Security\\Trusted 
Locations\\Location*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://twitter.com/inversecos/status/1494174785621819397"}}, {Name: "MicrosoftOfficeMRU", Doc: "Microsoft Office Most Recently Used", Sources: []artifacts.Source{{Parent: "MicrosoftOfficeMRU", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.microsoft.office.plist", "%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist"}, Separator: "/", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "MicrosoftOfficeMRU", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\*\\File MRU", Value: "Item *"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\*\\Place MRU", Value: "Item *"}}}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Windows"}, Urls: []string{"https://github.com/mac4n6/macMRU-Parser"}}, {Name: "MicrosoftOutlookPABFiles", Doc: "Microsoft Outlook PAB Files", Sources: []artifacts.Source{{Parent: "MicrosoftOutlookPABFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%users.localappdata%%\\Microsoft\\Outlook\\*.pab", "%%users.userprofile%%\\Documents\\Outlook Files\\*.pab"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Mail"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)"}}, {Name: "MicrosoftOutlookPSTFiles", Doc: "Microsoft Outlook PST Files", Sources: []artifacts.Source{{Parent: "MicrosoftOutlookPSTFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Outlook\\*.pst", "%%users.userprofile%%\\Documents\\Outlook Files\\*.pst"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Mail"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)"}}, {Name: "MicrosoftOutlookOSTFiles", Doc: "Microsoft Outlook OST Files", Sources: []artifacts.Source{{Parent: "MicrosoftOutlookOSTFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Outlook\\*.ost", "%%users.userprofile%%\\Documents\\Outlook Files\\*.ost"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), 
Labels: []string{"Users", "Mail"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)"}}, {Name: "MicrosoftOutlookDownloadedDirectory", Doc: "Microsoft Outlook Downloads", Sources: []artifacts.Source{{Parent: "MicrosoftOutlookDownloadedDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Temporary Internet Files\\Content.Outlook\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Mail"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)"}}, {Name: "NodeJSPackageManagerCacheFiles", Doc: "Node JS package manager (NPM) cache files", Sources: []artifacts.Source{{Parent: "NodeJSPackageManagerCacheFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.npm/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "NodeJSPackageManagerCacheFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\npm-cache\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", 
"Windows"}, Urls: []string{"https://docs.npmjs.com/cli/cache"}}, {Name: "WinRARExternalViewer", Doc: "Executable run when a file is opened by WinRAR inside an archive.", Sources: []artifacts.Source{{Parent: "WinRARExternalViewer", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\WinRAR\\Viewer\\", Value: "ExternalViewer"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/", "http://acritum.com/software/manuals/winrar/html/helpinterfaceviewing.htm"}}, {Name: "WinRARAVScan", Doc: "Executable run to scan a file when it is opened by WinRAR.", Sources: []artifacts.Source{{Parent: "WinRARAVScan", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\WinRAR\\VirusScan\\", Value: "Name"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/", "http://acritum.com/software/manuals/winrar/html/helpcommandsvirusscan.htm"}}, {Name: "MicrosoftSqlServerErrorLogs", Doc: "Microsoft SQL Server's error log files.", Sources: []artifacts.Source{{Parent: "MicrosoftSqlServerErrorLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%environ_programfiles%%\\Microsoft SQL Server\\*\\MSSQL\\LOG\\ERRORLOG*", "%%environ_programfilesx86%%\\Microsoft SQL Server\\*\\MSSQL\\LOG\\ERRORLOG*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software", "Logs"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "MozillaThunderbird", Doc: "Mozilla Thunderbird files.", Sources: []artifacts.Source{{Parent: "MozillaThunderbird", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.thunderbird/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "GnomeEvolution", Doc: "Gnome Evolution files.", Sources: []artifacts.Source{{Parent: "GnomeEvolution", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.cache/evolution/**", "%%users.homedir%%/.config/evolution/**", "%%users.homedir%%/.local/share/evolution/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "VSCodeExtensionsPath", Doc: "Get paths of Visual Studio Code extensions", Sources: []artifacts.Source{{Parent: "VSCodeExtensionsPath", Type: "PATH", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.userprofile%%/.vscode/extensions/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "VSCodeExtensionsPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.vscode/extensions/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://code.visualstudio.com/"}}, {Name: "WindowsSiemensWinCCLogFile", Doc: "Siemens WinCC software logs.", Sources: []artifacts.Source{{Parent: "WindowsSiemensWinCCLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programfiles%%\\Siemens\\WinCC\\Diagnose\\*", "%%environ_programfiles%%\\Common Files\\Siemens\\ace\\bin\\Diagnosis\\*", "%%environ_programfilesx86%%\\Siemens\\WinCC\\Diagnose\\*", "%%environ_programfilesx86%%\\Common Files\\Siemens\\ace\\bin\\Diagnosis\\*", "%%environ_windir%%\\security\\SecurityController\\*", "%%environ_allusersappdata%%\\Siemens\\Automation\\Logfiles\\*", "%%environ_allusersappdata%%\\Siemens\\Automation\\Logfiles\\Setup\\*", "%%environ_allusersappdata%%\\Siemens\\Logs\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string{"https://cache.industry.siemens.com/dl/files/865/109757865/att_963121/v5/109757865_WinCC_Diagnostics_en.pdf"}}, {Name: "NpmPackagesPath", Doc: "Get path of NPM packages that are globally installed (currently linux only).", Sources: []artifacts.Source{{Parent: "NpmPackagesPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/usr/local/lib/node_modules/*", "/usr/lib/node_modules/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://docs.npmjs.com/"}}, {Name: "CloudStorageClients", Doc: "Multiple cloud storage client artifacts.", Sources: []artifacts.Source{{Parent: "CloudStorageClients", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"DropboxClient", "GoogleDriveClient", "SkyDriveClient"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Cloud Storage"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "DropboxClient", Doc: "Dropbox cloud storage client artifacts.", Sources: []artifacts.Source{{Parent: "DropboxClient", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Dropbox\\*.db*", "%%users.localappdata%%\\Dropbox\\*.db*", "%%users.localappdata%%\\Dropbox\\instance*\\sync_history.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "DropboxClient", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.dropbox/*.db*", "%%users.homedir%%/.dropbox/instance*/sync_history.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Cloud Storage"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Dropbox"}}, {Name: "GoogleDriveClient", Doc: "Google Drive cloud storage client artifacts.", Sources: []artifacts.Source{{Parent: "GoogleDriveClient", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Google\\Drive\\snapshot.db", "%%users.localappdata%%\\Google\\Drive\\sync_config.db", "%%users.localappdata%%\\Google\\Drive\\sync_config.log*", "%%users.localappdata%%\\Google\\Drive\\user_default\\snapshot.db", "%%users.localappdata%%\\Google\\Drive\\user_default\\sync_config.db", "%%users.localappdata%%\\Google\\Drive\\user_default\\sync_config.log*", "%%users.localappdata%%\\Google\\Drive\\user_default\\sync_log.log*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "GoogleDriveClient", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db", "%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db", 
"%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*", "%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db", "%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db", "%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Cloud Storage"}, SupportedOs: []string{"Darwin", "Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Drive"}}, {Name: "SkyDriveClient", Doc: "Microsoft Sky Drive cloud storage client artifacts.\n\nNote that Sky Drive was renamed to One Drive.\n", Sources: []artifacts.Source{{Parent: "SkyDriveClient", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\SkyDrive\\logs\\*.log", "%%users.localappdata%%\\Microsoft\\SkyDrive\\setup\\logs\\*.log", "%%users.localappdata%%\\Microsoft\\SkyDrive\\settings\\ApplicationSettings.xml", "%%users.localappdata%%\\Microsoft\\SkyDrive\\settings\\*.dat", "%%users.localappdata%%\\Microsoft\\SkyDrive\\settings\\*.ini"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Cloud Storage"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=One_Drive#Sky_Drive_client"}}, {Name: "DefaultCollection1", Doc: "Predefined opinionated collections", Sources: []artifacts.Source{{Parent: "DefaultCollection1", 
Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"FOR500", "Elementary"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "DefaultCollection1", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"BrowserHistory", "IPTablesRules", "LinuxAtJobs", "LinuxAuditLogs", "LinuxCronTabs", "LinuxHostnameFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "DefaultCollection1", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"BrowserHistory", "MacOSAtJobs", "MacOSAuditLogFiles", "MacOSBashHistory", "MacOSCronTabs", "MacOSHostsFile", "MacOSLastlogFile", "MacOSMiscLogs", "MacOSRecentItems", "MacOSSystemLogFiles", "MacOSUserTrash"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "Elementary", Doc: "Artifacts supported by elementary (https://github.com/forensicanalysis/elementary) tasks", Sources: []artifacts.Source{{Parent: "Elementary", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsComputerName", "WindowsEventLogs", "WindowsHotfixes", "WindowsNetworkInterfaceInformation", "WindowsPersistence", "WindowsRunKeys", "WindowsServices", "WindowsUninstallKeys", 
"WindowsUSBInformation"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string(nil), Urls: []string(nil)}, {Name: "FOR500", Doc: "Windows Forensic Analysis", Sources: []artifacts.Source{{Parent: "FOR500", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsBrowserArtifacts", "WindowsProgramExecution", "WindowsDeletedFiles", "WindowsNetworkActivity", "AccountUsage", "ExternalDevice"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download"}}, {Name: "WindowsBrowserArtifacts", Doc: "WindowsBrowserArtifacts", Sources: []artifacts.Source{{Parent: "WindowsBrowserArtifacts", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsOpenSaveMRU", "WindowsOpenSavePidlMRU", "BrowserHistory"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsProgramExecution", Doc: "Program Execution", Sources: []artifacts.Source{{Parent: "WindowsProgramExecution", Type: "ARTIFACT_GROUP", 
Attributes: artifacts.Attributes{Names: []string{"WindowsActivitiesCacheDatabase", "WindowsMostRecentApplication", "WindowsAppCompatCache", "WindowsAMCacheHveFile", "WindowsSystemResourceUsageMonitorDatabaseFile", "WindowsPrefetchFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDeletedFiles", Doc: "Deleted Files", Sources: []artifacts.Source{{Parent: "WindowsDeletedFiles", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsRecycleBin"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsNetworkActivity", Doc: "Network Activity", Sources: []artifacts.Source{{Parent: "WindowsNetworkActivity", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsTimezone", "InternetExplorerCookies"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "AccountUsage", Doc: "Account Usage", Sources: []artifacts.Source{{Parent: "AccountUsage", Type: "ARTIFACT_GROUP", Attributes: 
artifacts.Attributes{Names: []string{"WindowsSystemRegistryFiles", "WindowsXMLEventLogSecurity"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "ExternalDevice", Doc: "External Device", Sources: []artifacts.Source{{Parent: "ExternalDevice", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsSetupApiLogs"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "JupyterConfigFile", Doc: "Jupyter notebook configuration file", Sources: []artifacts.Source{{Parent: "JupyterConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.jupyter/jupyter_notebook_config.py"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "NfsExportsFile", Doc: "NFS Exports configuration", Sources: []artifacts.Source{{Parent: "NfsExportsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/exports", "/private/etc/exports"}, Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "NfsExportsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/exports"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "RedisConfigFile", Doc: "Redis configuration file", Sources: []artifacts.Source{{Parent: "RedisConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programfiles%%\\Redis\\conf\\redis.windows.conf", "%%environ_programfiles%%\\Redis\\conf\\redis.conf"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "RedisConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/redis/redis.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "RedisConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/redis/redis.conf", "/private/etc/redis/redis.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "SambaConfigFile", Doc: "Samba configuration file", Sources: []artifacts.Source{{Parent: "SambaConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/samba/smb.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "SshdConfigFile", Doc: "Sshd configuration", Sources: []artifacts.Source{{Parent: "SshdConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ssh/sshd_config", "/private/etc/ssh/sshd_config"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "SshdConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ssh/sshd_config"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "SshUserConfigFile", Doc: "User ssh configuration file", Sources: []artifacts.Source{{Parent: "SshUserConfigFile", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.ssh/config"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "ContainerdConfig", Doc: "containerd configuration files", Sources: []artifacts.Source{{Parent: "ContainerdConfig", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/containerd/config.toml", "/var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db", "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/metadata.db", "/var/run/containerd/io.containerd.runtime.v2.task/*/*/config.json", "/var/run/containerd/io.containerd.runtime.v2.task/*/*/options.json"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Containerd", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ContainerdLogs", Doc: "containerd related events in the log files", Sources: []artifacts.Source{{Parent: "ContainerdLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/containerd/io.containerd.runtime.v2.task/*/*/log.json", "/var/log/daemon.log", "/var/log/daemon.log.*.gz", "/var/log/syslog*", "/var/log/message*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Containerd", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ElasticSearchLogs", Doc: "Location where ElasticSearch logs are stored.", Sources: []artifacts.Source{{Parent: "ElasticSearchLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/elasticsearch/*.log", "/var/log/elasticsearch/*.json", "/var/log/elasticsearch/*.json.gz"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ElasticSearchAccessLog", Doc: "Location where ElasticSearch access logs are stored.", Sources: []artifacts.Source{{Parent: "ElasticSearchAccessLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/elasticsearch/*_access.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ElasticSearchAuditLog", Doc: "Location where ElasticSearch audit logs are stored.", Sources: []artifacts.Source{{Parent: "ElasticSearchAuditLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/elasticsearch/*_audit.json", "/var/log/elasticsearch/*_audit.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), 
Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.elastic.co/guide/en/elasticsearch/reference/current/audit-log-output.html"}}, {Name: "ElasticSearchGCLog", Doc: "Location where ElasticSearch GC logs are stored.", Sources: []artifacts.Source{{Parent: "ElasticSearchGCLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/elasticsearch/gc.log", "/var/log/elasticsearch/gc.log.[0-9]"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#gc-logging"}}, {Name: "ElasticSearchServerLog", Doc: "Location where ElasticSearch server logs are stored.", Sources: []artifacts.Source{{Parent: "ElasticSearchServerLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/elasticsearch/*_server.json", "/var/log/elasticsearch/*-*.json", "/var/log/elasticsearch/*-*.json.gz"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.elastic.co/guide/en/elasticsearch/reference/current/logging.html#loggin-configuration"}}, {Name: "MongoDBConfigurationFile", Doc: "MongoDB configuration file.", Sources: []artifacts.Source{{Parent: "MongoDBConfigurationFile", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/mongod.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "MongoDBConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/usr/local/etc/mongod.conf", "/opt/homebrew/etc/mongod.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Urls: []string{"https://www.mongodb.com/docs/manual/reference/configuration-options/"}}, {Name: "MongoDBLogFiles", Doc: "MongoDB log files.", Sources: []artifacts.Source{{Parent: "MongoDBLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/mongodb/mongod.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "MongoDBDatabasePath", Doc: "MongoDB database Path.", Sources: []artifacts.Source{{Parent: "MongoDBDatabasePath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/data/db/*", "/var/lib/mongo/*", "/var/lib/mongodb/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, 
Provides: []artifacts.Provide(nil)}, {Parent: "MongoDBDatabasePath", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/usr/local/var/mongodb/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "MongoDBDatabasePath", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\data\\db\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-storage.dbPath"}}, {Name: "MySQLConfigurationFiles", Doc: "MySQL configuration files.", Sources: []artifacts.Source{{Parent: "MySQLConfigurationFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/my.cnf", "/etc/mysql/mysql.conf.d/mysqld.cnf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "MySQLLogFiles", Doc: "MySQL log files.", Sources: []artifacts.Source{{Parent: "MySQLLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/mysql/error.log*", "/var/log/mysql.log*", "/var/log/*.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "MySQLDataDictionary", Doc: "MySQL data dictionary.", Sources: []artifacts.Source{{Parent: "MySQLDataDictionary", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/mysql/mysql.ibd"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://dev.mysql.com/doc/refman/8.0/en/data-dictionary-transactional-storage.html"}}, {Name: "MySQLDataDirectory", Doc: "MySQL data directory.", Sources: []artifacts.Source{{Parent: "MySQLDataDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/mysql/*", "/var/lib/mysql/*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://dev.mysql.com/doc/refman/8.0/en/data-directory.html", "https://dev.mysql.com/doc/refman/8.0/en/innodb-architecture.html"}}, {Name: "OpenSearchLogFiles", Doc: "OpenSearch log files.", Sources: []artifacts.Source{{Parent: "OpenSearchLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/opensearch/*.log", "/var/log/opensearch/*.json"}, Separator: 
"", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://opensearch.org/docs/latest/opensearch/logs/"}}, {Name: "PostgreSQLConfigurationFiles", Doc: "PostgreSQL configuration files.", Sources: []artifacts.Source{{Parent: "PostgreSQLConfigurationFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/postgresql/*/*/postgresql.conf", "/etc/postgresql/*/*/pg_hba.conf", "/etc/postgresql/*/*/pg_ident.conf", "/var/lib/pgsql/postgresql.conf", "/var/lib/pgsql/pg_hba.conf", "/var/lib/pgsql/pg_ident.conf", "/var/lib/pgsql/data/postgresql.conf", "/var/lib/pgsql/data/pg_hba.conf", "/var/lib/pgsql/data/pg_ident.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.postgresql.org/docs/current/runtime-config-file-locations.html", "https://docs.fedoraproject.org/en-US/quick-docs/postgresql/", "https://wiki.debian.org/PostgreSql"}}, {Name: "PostgreSQLDataDirectory", Doc: "PostgreSQL data directory.", Sources: []artifacts.Source{{Parent: "PostgreSQLDataDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/pgsql/data/*", "/var/lib/pgsql/data-old/*", "/var/lib/pgsql/*/*", "/var/lib/postgresql/*/main/*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.postgresql.org/docs/current/storage-file-layout.html", "https://docs.fedoraproject.org/en-US/quick-docs/postgresql/", "https://wiki.debian.org/PostgreSql"}}, {Name: "PostgreSQLLogFiles", Doc: "PostgreSQL log files.", Sources: []artifacts.Source{{Parent: "PostgreSQLLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/postgresql/postgresql.log*", "/var/log/postgresql/postgresql.csv*", "/var/log/postgresql/postgresql-*.log*", "/var/log/postgresql/postgresql-*.csv*", "/var/log/postgresql/postgresql-*-*.log*", "/var/log/postgresql/postgresql-*-*.csv*", "/var/lib/pgsql/data/log/postgresql.log*", "/var/lib/pgsql/data/log/postgresql.csv*", "/var/lib/pgsql/data/log/postgresql-*.log*", "/var/lib/pgsql/data/log/postgresql-*.csv*", "/var/lib/pgsql/data/log/postgresql-*-*.log*", "/var/lib/pgsql/data/log/postgresql-*-*.csv*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.postgresql.org/docs/14/runtime-config-logging.html"}}, {Name: "RedisConfigurationFile", Doc: "Redis configuration files.", Sources: []artifacts.Source{{Parent: "RedisConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/redis/*", "/etc/init.d/redis_*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "RedisLogFiles", Doc: "Redis log files.", Sources: []artifacts.Source{{Parent: "RedisLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/redis/redis*.log*", "/var/log/redis*.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "RedisDataDirectory", Doc: "Redis Data Directory.", Sources: []artifacts.Source{{Parent: "RedisDataDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/redis/*", "/var/redis/*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "DockerContainerConfig", Doc: "Docker container configuration files", Sources: []artifacts.Source{{Parent: "DockerContainerConfig", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/docker/containers/*/config.v2.json", "/var/lib/docker/containers/*/config.json"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Docker", "Configuration Files"}, SupportedOs: 
[]string{"Linux"}, Urls: []string(nil)}, {Name: "GKEDockerContainerLogs", Doc: "Location where stdout and stderr from containers is logged in a Google Kubernetes Engine (GKE) environment.", Sources: []artifacts.Source{{Parent: "GKEDockerContainerLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/docker/containers/*/*-json.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Docker", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ESXApiForwarder", Doc: "Records activities related to the vSphere Trust Authority API forwarder.", Sources: []artifacts.Source{{Parent: "ESXApiForwarder", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/log/esxapiadapter.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiAttestationService", Doc: "Records activities related to the vSphere Trust Authority Attestation Service.", Sources: []artifacts.Source{{Parent: "ESXiAttestationService", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/log/attestd.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiAuthenticationLog", Doc: "Contains all events related to authentication for the local system.", Sources: []artifacts.Source{{Parent: "ESXiAuthenticationLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/auth.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiHostAgentLog", Doc: "Contains information about the agent that manages and configures the ESXi host and its virtual machines.", Sources: []artifacts.Source{{Parent: "ESXiHostAgentLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/hostd.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiKeyProviderService", Doc: "Records activities related to the vSphere Trust Authority Key Provider Service.", Sources: []artifacts.Source{{Parent: "ESXiKeyProviderService", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/log/kmxd.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: 
[]string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiQuickBootLog", Doc: "Contains all events related to restarting an ESXi host through Quick Boot.", Sources: []artifacts.Source{{Parent: "ESXiQuickBootLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/loadESX.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiShellLog", Doc: "Contains a record of all commands typed into the ESXi Shell and shell events (for example, when the shell was enabled)", Sources: []artifacts.Source{{Parent: "ESXiShellLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/shell.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiSystemLogsDirectory", Doc: "ESXi System Logs Directory", Sources: []artifacts.Source{{Parent: "ESXiSystemLogsDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/log/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: 
[]string{"https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-DACC9E0E-E857-4AE1-A469-3FDAE2B391A0.html"}}, {Name: "ESXiSystemMessageslog", Doc: "Contains all general log messages and can be used for troubleshooting. This information was formerly located in the messages log file.", Sources: []artifacts.Source{{Parent: "ESXiSystemMessageslog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/syslog.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXTokenService", Doc: "Records activities related to the vSphere Trust Authority ESX Token Service.", Sources: []artifacts.Source{{Parent: "ESXTokenService", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/log/esxtokend.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiTrustedInfrastructureAgentLog", Doc: "Records activities related to the Client Service on the ESXi Trusted Host.", Sources: []artifacts.Source{{Parent: "ESXiTrustedInfrastructureAgentLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/run/log/kmxa.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), 
Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiVMKernelLog", Doc: "Records activities related to virtual machines and ESXi.", Sources: []artifacts.Source{{Parent: "ESXiVMKernelLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/vmkernel.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiVMKernelSummaryLog", Doc: "Used to determine uptime and availability statistics for ESXi (comma separated).", Sources: []artifacts.Source{{Parent: "ESXiVMKernelSummaryLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/vmksummarylog.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "ESXiVMKernelWarningsLog", Doc: "Records activities related to virtual machines.", Sources: []artifacts.Source{{Parent: "ESXiVMKernelWarningsLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/vmkwarning.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), 
Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "vCenterServerAgentLog", Doc: "Contains information about the agent that communicates with vCenter Server (if the host is managed by vCenter Server).", Sources: []artifacts.Source{{Parent: "vCenterServerAgentLog", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/vxpa.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string(nil)}, {Name: "vSphereClientLogsDirectory", Doc: "vSphere Client Logs Directory", Sources: []artifacts.Source{{Parent: "vSphereClientLogsDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/vmware/vsphere-ui/logs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"ESXi"}, Urls: []string{"https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-7E10C58F-16EA-44AB-8AA0-8D4A66399879.html"}}, {Name: "HadoopAppRoot", Doc: "Location where Hadoop application files are stored", Sources: []artifacts.Source{{Parent: "HadoopAppRoot", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/hadoop/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*", "/**2/hadoop/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*", "/hadoop/*/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*", 
"/**2/hadoop/*/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Hadoop"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "HadoopYarnLogs", Doc: "Location where Hadoop Yarn LevelDB/Timeline files are stored", Sources: []artifacts.Source{{Parent: "HadoopYarnLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/hadoop/yarn/timeline/leveldb-timeline-store.ldb/*", "/**2/hadoop/yarn/timeline/leveldb-timeline-store.ldb/*", "/hadoop/*/yarn/timeline/leveldb-timeline-store.ldb/*", "/**2/hadoop/*/yarn/timeline/leveldb-timeline-store.ldb/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Hadoop"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "HadoopAppLogs", Doc: "Location where Hadoop application logs are stored", Sources: []artifacts.Source{{Parent: "HadoopAppLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/hadoop/logs/*", "/**2/hadoop/logs/*", "/hadoop/logs/userlogs/application_*/container_*/*", "/**2/hadoop/logs/userlogs/application_*/container_*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Hadoop"}, SupportedOs: 
[]string{"Linux"}, Urls: []string(nil)}, {Name: "PythonDistInfo", Doc: "Python module files distributed in the dist-info format of PEP-0376\n(currently linux only).\n\ndist-info is always a directory that must contain METADATA, RECORD and\nINSTALLER. It may also contain REQUESTED.\n", Sources: []artifacts.Source{{Parent: "PythonDistInfo", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/lib/python*/dist-packages/*.dist-info/*", "%%users.homedir%%/.local/lib/python*/site-packages/*.dist-info/*", "/usr/lib/python*/dist-packages/*.dist-info/*", "/usr/lib/python*/site-packages/*.dist-info/*", "/usr/lib64/python*/dist-packages/*.dist-info/*", "/usr/lib64/python*/site-packages/*.dist-info/*", "/usr/local/lib/python*/dist-packages/*.dist-info/*", "/usr/local/lib/python*/site-packages/*.dist-info/*", "/usr/local/lib64/python*/dist-packages/*.dist-info/*", "/usr/local/lib64/python*/site-packages/*.dist-info/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.python.org/dev/peps/pep-0376/"}}, {Name: "PythonEggInfo", Doc: "Python module files distributed in .egg formats (currently linux only).\n\nPython eggs can have multiple formats, as described by setuptools.\n\n.egg files can be either a zipfile or a directory that contains an info file.\n.egg-info files can be either a directory or a file. 
If they are directories,\nthey should contain a MANIFEST that identifies the installed module.\n\nPEP-0370 describes a default install location for per-user modules.\n", Sources: []artifacts.Source{{Parent: "PythonEggInfo", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/lib/python*/site-packages/*.egg", "%%users.homedir%%/.local/lib/python*/site-packages/*.egg-info", "%%users.homedir%%/.cache/pip/*.egg", "%%users.homedir%%/.cache/pip/*.egg-info", "/usr/lib/python*/dist-packages/*.egg", "/usr/lib/python*/dist-packages/*.egg-info", "/usr/lib/python*/site-packages/*.egg", "/usr/lib/python*/site-packages/*.egg-info", "/usr/lib64/python*/dist-packages/*.egg", "/usr/lib64/python*/dist-packages/*.egg-info", "/usr/lib64/python*/site-packages/*.egg", "/usr/lib64/python*/site-packages/*.egg-info", "/usr/local/lib/python*/dist-packages/*.egg", "/usr/local/lib/python*/dist-packages/*.egg-info", "/usr/local/lib/python*/site-packages/*.egg", "/usr/local/lib/python*/site-packages/*.egg-info", "/usr/local/lib64/python*/dist-packages/*.egg", "/usr/local/lib64/python*/dist-packages/*.egg-info", "/usr/local/lib64/python*/site-packages/*.egg", "/usr/local/lib64/python*/site-packages/*.egg-info", "/usr/share/pyshared/*.egg", "/usr/share/pyshared/*.egg-info", "%%users.homedir%%/.local/lib/python*/site-packages/*.egg/*", "%%users.homedir%%/.local/lib/python*/site-packages/*.egg-info/*", "%%users.homedir%%/.cache/pip/*.egg/*", "%%users.homedir%%/.cache/pip/*.egg-info/*", "/usr/lib/python*/dist-packages/*.egg/*", "/usr/lib/python*/dist-packages/*.egg-info/*", "/usr/lib/python*/site-packages/*.egg/*", "/usr/lib/python*/site-packages/*.egg-info/*", "/usr/lib64/python*/dist-packages/*.egg/*", "/usr/lib64/python*/dist-packages/*.egg-info/*", "/usr/lib64/python*/site-packages/*.egg/*", "/usr/lib64/python*/site-packages/*.egg-info/*", "/usr/local/lib/python*/dist-packages/*.egg/*", 
"/usr/local/lib/python*/dist-packages/*.egg-info/*", "/usr/local/lib/python*/site-packages/*.egg/*", "/usr/local/lib/python*/site-packages/*.egg-info/*", "/usr/local/lib64/python*/dist-packages/*.egg/*", "/usr/local/lib64/python*/dist-packages/*.egg-info/*", "/usr/local/lib64/python*/site-packages/*.egg/*", "/usr/local/lib64/python*/site-packages/*.egg-info/*", "/usr/share/pyshared/*.egg/*", "/usr/share/pyshared/*.egg-info/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://pythonhosted.org/setuptools/formats.html", "https://www.python.org/dev/peps/pep-0370/"}}, {Name: "PythonModuleInfo", Doc: "Python module installation information.", Sources: []artifacts.Source{{Parent: "PythonModuleInfo", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"PythonDistInfo", "PythonEggInfo", "PythonWheelInfo"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string(nil), Urls: []string(nil)}, {Name: "PythonWheelInfo", Doc: "Python module files distributed in the wheel format (currently linux only).\n\nZip archives with the .whl extension.\n\nWheels are installed per the standard installer described in PEP-0376, so\nshould mostly be discoverable as dist-info entries.\n", Sources: []artifacts.Source{{Parent: "PythonWheelInfo", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"/usr/share/python-wheels/*.whl", "%%users.homedir%%/.cache/pip/wheels/*.whl"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://wheel.readthedocs.org/en/latest/", "http://pip.readthedocs.org/en/stable/reference/pip_install/"}}, {Name: "RubyGems", Doc: "Ruby Gems (currently linux only).", Sources: []artifacts.Source{{Parent: "RubyGems", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.gem/ruby/**2/*.gemspec", "/var/lib/gems/**2/*.gemspec", "/usr/share/rubygems-integration/**2/*.gemspec"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"http://guides.rubygems.org"}}, {Name: "SkypeChatSync", Doc: "Chat Sync Directory", Sources: []artifacts.Source{{Parent: "SkypeChatSync", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", 
"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype"}}, {Name: "SkypeDb", Doc: "Main Skype database", Sources: []artifacts.Source{{Parent: "SkypeDb", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Skype/*/Main.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype"}}, {Name: "SkypeMainDirectory", Doc: "Skype Directory", Sources: []artifacts.Source{{Parent: "SkypeMainDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Skype/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "SkypePreferences", Doc: "Skype Preferences and Recent Searches", Sources: []artifacts.Source{{Parent: "SkypePreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.skype.skype.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype"}}, {Name: "SkypeUserProfile", Doc: "Skype User profile", Sources: []artifacts.Source{{Parent: "SkypeUserProfile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Skype/*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype"}}, {Name: "SignalApplicationContent", Doc: "Signal Application Content and Configuration", Sources: []artifacts.Source{{Parent: "SignalApplicationContent", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.var/app/org.signal.Signal/*/attachments.noindex/*", "%%users.homedir%%/.var/app/org.signal.Signal/*/Cache/*", "%%users.homedir%%/.var/app/org.signal.Signal/*/logs/*", "%%users.homedir%%/.var/app/org.signal.Signal/config.json"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "SignalDatabase", Doc: "Signal Database file.", Sources: []artifacts.Source{{Parent: "SignalDatabase", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.var/app/org.signal.Signal/db.sqlite"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "XChatLogs", Doc: "XChat Log Files", Sources: []artifacts.Source{{Parent: "XChatLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.xchat2/xchatlogs/*.log", "%%users.homedir%%/.xchat2/xchatlogs/*/*.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"http://xchat.org/faq/#q222"}}, {Name: "JavaCacheFiles", Doc: "Java Plug-in cache.", Sources: []artifacts.Source{{Parent: "JavaCacheFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.java/deployment/cache/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "JavaCacheFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Caches/Java/cache/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: 
[]artifacts.Provide(nil)}, {Parent: "JavaCacheFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Sun\\Java\\Deployment\\cache\\**", "%%users.localappdata_low%%\\Sun\\Java\\Deployment\\cache\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Linux", "Darwin"}, Urls: []string(nil)}, {Name: "KasperskyCaretoDarwinFiles", Doc: "Darwin Careto IOCs.", Sources: []artifacts.Source{{Parent: "KasperskyCaretoDarwinFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Applications/.DS_Store.app/**10", "/Library/LaunchAgents/com.apple.launchport.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"}}, {Name: "KasperskyCaretoIndicators", Doc: "Kaspersky Careto Indicators.", Sources: []artifacts.Source{{Parent: "KasperskyCaretoIndicators", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"KasperskyCaretoWindowsFiles", "KasperskyCaretoWindowsRegKeys", "KasperskyCaretoDarwinFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Darwin"}, Urls: []string{"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"}}, {Name: "KasperskyCaretoWindowsFiles", Doc: "Windows Careto IOCs.", Sources: []artifacts.Source{{Parent: "KasperskyCaretoWindowsFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\objframe.dll", "%%environ_systemroot%%\\System32\\shlink32.dll", "%%environ_systemroot%%\\System32\\shlink64.dll", "%%environ_systemroot%%\\System32\\cdllait32.dll", "%%environ_systemroot%%\\System32\\cdllait64.dll", "%%environ_systemroot%%\\System32\\cdlluninstallws32.dll", "%%environ_systemroot%%\\System32\\cdlluninstallws64.dll", "%%environ_systemroot%%\\System32\\cdlluninstallsgh32.dll", "%%environ_systemroot%%\\System32\\cdlluninstallsgh64.dll", "%%environ_systemroot%%\\System32\\c_50225.nls", "%%environ_systemroot%%\\System32\\c_50227.nls", "%%environ_systemroot%%\\System32\\c_50229.nls", "%%environ_systemroot%%\\System32\\c_51932.nls", "%%environ_systemroot%%\\System32\\c_51936.nls", "%%environ_systemroot%%\\System32\\c_51949.nls", "%%environ_systemroot%%\\System32\\c_51950.nls", "%%environ_systemroot%%\\System32\\c_57002.nls", "%%environ_systemroot%%\\System32\\c_57006.nls", "%%environ_systemroot%%\\System32\\c_57008.nls", "%%environ_systemroot%%\\System32\\c_57010.nls", "%%environ_systemroot%%\\System32\\cdgext32.dll", "%%environ_systemroot%%\\System32\\cfgbkmgrs.dll", "%%environ_systemroot%%\\System32\\cfgmgr64.dll", "%%environ_systemroot%%\\System32\\comsvrpcs.dll", "%%environ_systemroot%%\\System32\\d3dx8_20.dll", "%%environ_systemroot%%\\System32\\dllcomm.dll", "%%environ_systemroot%%\\System32\\drivers\\wmimgr.sys", "%%environ_systemroot%%\\System32\\drvinfo.bin", "%%environ_systemroot%%\\System32\\FCache.bin", "%%environ_systemroot%%\\System32\\FFExtendedCommand.dll", 
"%%environ_systemroot%%\\System32\\gpktcsp32.dll", "%%environ_systemroot%%\\System32\\HPQueue.bin", "%%environ_systemroot%%\\System32\\LPQueue.bin", "%%environ_systemroot%%\\System32\\mdwmnsp.dll", "%%environ_systemroot%%\\System32\\rpcdist.dll", "%%environ_systemroot%%\\System32\\scsvrft.dll", "%%environ_systemroot%%\\System32\\sdptbw.dll", "%%environ_systemroot%%\\System32\\slbkbw.dll", "%%environ_systemroot%%\\System32\\skypeie6plugin.dll", "%%environ_systemroot%%\\System32\\wmspdmgr.dll", "%%environ_systemroot%%\\System32\\mfcn30.dll", "%%environ_systemroot%%\\System32\\siiw9x.dll", "%%environ_systemroot%%\\System32\\nmwcdlog.dll", "%%environ_systemroot%%\\System32\\WifiScan.dll", "%%environ_systemroot%%\\System32\\awview32.dll", "%%environ_systemroot%%\\System32\\awcodc32.dll", "%%users.temp%%\\~DF01AC74D8BE15EE01.tmp", "%%users.temp%%\\~DF23BF45A473C42B56.tmp", "%%users.temp%%\\~DFA0528CD81300F372.tmp", "%%users.temp%%\\~DF8471938479DA49221.tmp", "%%users.appdata%%\\microsoft\\c_27803.nls", "%%users.appdata%%\\microsoft\\objframe.dll", "%%users.appdata%%\\microsoft\\shmgr.dll"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"}}, {Name: "KasperskyCaretoWindowsRegKeys", Doc: "Windows Careto IOCs.", Sources: []artifacts.Source{{Parent: "KasperskyCaretoWindowsRegKeys", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WindowsUpdate", Value: "CISCNF4654"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WindowsUpdate", Value: "CISCNF0654"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WindowsUpdate", Value: "CISCNF4654"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WindowsUpdate", Value: "CISCNF0654"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\\\CLSID\\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}", Value: "InprocServer32"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}", Value: "InprocServer32"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"}}, {Name: "KubernetesLogs", Doc: "Log files that contain information about the Kubernetes installation of a node.", Sources: []artifacts.Source{{Parent: "KubernetesLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/syslog*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "KubernetesCertificates", Doc: "Certificate files that are used for a Kubernetes cluster.\n\nThe files are typically only present on the control-plane node.\n", Sources: []artifacts.Source{{Parent: "KubernetesCertificates", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/kubernetes/admin.conf", "/etc/kubernetes/controller-manager.conf", "/etc/kubernetes/kubelet.conf", "/etc/kubernetes/scheduler.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/setup/best-practices/certificates/"}}, {Name: "KubernetesClusterDatabase", Doc: "Kubernetes cluster (etcd) database.\n\nThe cluster database is hosted within a Pod and can be configured to be\ndeployed as distributed environment or single instance. The database is\nmounted from the local file system into the corresponding containers\nscheduled by a pod.\n\nThe database contains information about the clusters state, deployed\nresources and also deleted components.\n", Sources: []artifacts.Source{{Parent: "KubernetesClusterDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/etcd/member/snap/db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/", "https://github.com/etcd-io/etcd", "https://github.com/etcd-io/etcd/tree/main/tools/etcd-dump-db"}}, {Name: "KubernetesKubelet", Doc: "Installation path of the (Kubernetes) Kubelet component.\n\nThis component is installed on all nodes that are member of a 
Kubernetes cluster.\n", Sources: []artifacts.Source{{Parent: "KubernetesKubelet", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/kubelet"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"}}, {Name: "KubernetesKubeletConfiguration", Doc: "Files that stores the configuration of the local (Kubernetes) Kubelet.", Sources: []artifacts.Source{{Parent: "KubernetesKubeletConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/kubelet/config.yaml", "/etc/kubernetes/kubelet.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/", "https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/"}}, {Name: "KubernetesKubeletNetworkPKI", Doc: "Certificates and other keyfiles used for Kubelet and Kubernetes general PKI.", Sources: []artifacts.Source{{Parent: "KubernetesKubeletNetworkPKI", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/kubernetes/pki", "/var/lib/kubelet/pki"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/setup/best-practices/certificates"}}, {Name: "KubernetesKubeletPod", Doc: "Path of (Kubernetes) Kubelet component information about Pods scheduled to run on a particular node.", Sources: []artifacts.Source{{Parent: "KubernetesKubeletPod", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/kubelet/pods"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "KubernetesKubeletPodManifest", Doc: "Manifest file that has been used to deploy a (Kubernetes) Pod.\n\nThe manifest contains the Pods specification.\n", Sources: []artifacts.Source{{Parent: "KubernetesKubeletPodManifest", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/kubernetes/manifests/*.yaml"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "KubernetesKubeletPodContainer", Doc: "Path where the container resources created within a (Kubernetes) Pod are located.\n\nThe paths naming would explain as the following:\n'/var/lib/kubelet/pods//containers//*'\n\nThe Pod itself gets created/scheduled by the Kubelet component. 
The path\n'containers/' does contain a directory for each container scheduled in that\nPod. In each of that path there is a file located that gets mounted into\nthe container at '/dev/termination-log'.\n\nThis is the logfile that stores termination information in case a container\nterminates. The pod identifier of that file can be correlated to the container\nruntime installed on the host to find out the mount configuration.\n", Sources: []artifacts.Source{{Parent: "KubernetesKubeletPodContainer", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/kubelet/pods/*/containers"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#container-v1-core"}}, {Name: "KubernetesKubeletPodVolumes", Doc: "Volumes and other objects that are mounted into a (Kubernetes) Pod and respectively into the scheduled container(s).\n\nThe type of volumes (or objects) are identified by the name appended to a tilde.\n\nExamples:\n* 'volumes/kubernetes.io~projected' -> describes a projected volume\n* 'volumes/kubernetes.io~configmap' -> describes a Kubernetes ConfigMap resource\n", Sources: []artifacts.Source{{Parent: "KubernetesKubeletPodVolumes", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/kubelet/pods/*/volumes/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string{"Kubernetes"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://kubernetes.io/docs/concepts/storage/volumes", "https://kubernetes.io/docs/concepts/storage/projected-volumes/", "https://kubernetes.io/docs/concepts/storage/volumes/#configmap"}}, {Name: "KubernetesKubeletPodLogs", Doc: "Location where the log data of (Kubernetes) Pods can be found.\n\nThe path's name would contain the following elements:\n'/var/log/pods/__//.log'\nIncludes also redirected stdout, stderr and (if applicable) stdin of container executions.\n", Sources: []artifacts.Source{{Parent: "KubernetesKubeletPodLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/pods/*/*/*.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Kubernetes", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://github.com/kubernetes/kubernetes/pull/74441", "https://kubernetes.io/docs/concepts/cluster-administration/logging/"}}, {Name: "AnacronFiles", Doc: "Anacron files.", Sources: []artifacts.Source{{Parent: "AnacronFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/anacrontab", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*", "/etc/cron.weekly/*", "/var/spool/anacron/cron.daily", "/var/spool/anacron/cron.hourly", "/var/spool/anacron/cron.monthly", "/var/spool/anacron/cron.weekly"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: 
[]string{"Linux"}, Urls: []string(nil)}, {Name: "AptitudeLogFiles", Doc: "Linux aptitude package manager log files.", Sources: []artifacts.Source{{Parent: "AptitudeLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/aptitude*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.debian.org/doc/manuals/aptitude/rn01re01.en.html"}}, {Name: "APTSources", Doc: "APT package sources list", Sources: []artifacts.Source{{Parent: "APTSources", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/apt/sources.list", "/etc/apt/sources.list.d/*.list"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html"}}, {Name: "APTTrustKeys", Doc: "APT trusted keys", Sources: []artifacts.Source{{Parent: "APTTrustKeys", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/apt/trusted.gpg", "/etc/apt/trusted.gpg.d/*.gpg", "/etc/apt/trustdb.gpg", "/usr/share/keyrings/*.gpg"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), 
Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://wiki.debian.org/SecureApt"}}, {Name: "CronAtAllowDenyFiles", Doc: "Files containing users authorised to run cron or at jobs.", Sources: []artifacts.Source{{Parent: "CronAtAllowDenyFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/cron.allow", "/etc/cron.deny", "/etc/at.allow", "/etc/at.deny"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html", "http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html"}}, {Name: "DebianPackagesLogFiles", Doc: "Linux dpkg log files.", Sources: []artifacts.Source{{Parent: "DebianPackagesLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/dpkg.log*", "/var/log/apt/history.log*", "/var/log/apt/term.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "DebianPackagesStatus", Doc: "Linux dpkg status file.", Sources: []artifacts.Source{{Parent: "DebianPackagesStatus", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/dpkg/status"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "DebianVersion", Doc: "Debian version information.", Sources: []artifacts.Source{{Parent: "DebianVersion", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/debian_version"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "os_release", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "DNSResolvConfFile", Doc: "DNS Resolver configuration file.", Sources: []artifacts.Source{{Parent: "DNSResolvConfFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/resolv.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://man7.org/linux/man-pages/man5/resolv.conf.5.html"}}, {Name: "GnomeApplicationState", Doc: "Gnome application state for frequent application data.", Sources: []artifacts.Source{{Parent: "GnomeApplicationState", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/share/gnome-shell/application_state"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Gnome_Desktop_Environment"}}, {Name: "FreeDesktopTrashInfoFiles", Doc: "FreeDesktop.org Trash Info Files.", Sources: []artifacts.Source{{Parent: "FreeDesktopTrashInfoFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/share/Trash/info/*.trashinfo"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://specifications.freedesktop.org/trash-spec/trashspec-latest.html"}}, {Name: "FreeDesktopTrashFiles", Doc: "FreeDesktop.org Trash Files.", Sources: []artifacts.Source{{Parent: "FreeDesktopTrashFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/share/Trash/files/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://specifications.freedesktop.org/trash-spec/trashspec-latest.html"}}, {Name: "GnomeTracker", Doc: "Gnome Tracker database and backup files.", Sources: []artifacts.Source{{Parent: "GnomeTracker", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.cache/tracker/*", "%%users.homedir%%/.local/share/tracker/data/*"}, 
Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://wiki.gnome.org/Projects/Tracker/Documentation/GettingStarted"}}, {Name: "GTKRecentlyUsedDatabase", Doc: "GTK Recent Manager database.", Sources: []artifacts.Source{{Parent: "GTKRecentlyUsedDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/share/recently-used.xbel"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "HostAccessPolicyConfiguration", Doc: "Linux files related to host access policy configuration.", Sources: []artifacts.Source{{Parent: "HostAccessPolicyConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hosts.allow", "/etc/hosts.deny"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "IPTablesRules", Doc: "List IPTables rules.", Sources: []artifacts.Source{{Parent: "IPTablesRules", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/sbin/iptables", Args: 
[]string{"-L", "-n", "-v"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "KernelModules", Doc: "Kernel modules to be loaded on boot.", Sources: []artifacts.Source{{Parent: "KernelModules", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/modules.conf", "/etc/modprobe.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxAtJobs", Doc: "Linux at jobs.", Sources: []artifacts.Source{{Parent: "LinuxAtJobs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/spool/at/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxAtJobsTemporaryOutputs", Doc: "Linux at jobs temporary outputs.", Sources: []artifacts.Source{{Parent: "LinuxAtJobsTemporaryOutputs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/spool/at/spool/*", "/var/spool/cron/atspool/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxAuditLogs", Doc: "Linux audit log files.", Sources: []artifacts.Source{{Parent: "LinuxAuditLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/audit/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxAuthLogs", Doc: "Linux authentication log files.", Sources: []artifacts.Source{{Parent: "LinuxAuthLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/auth.log*", "/var/log/secure*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxCACertificatesConfiguration", Doc: "Linux CA Certificates configuration file.", Sources: []artifacts.Source{{Parent: "LinuxCACertificatesConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ca-certificates.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxCACertificates", Doc: "Linux CA Certificates.", Sources: []artifacts.Source{{Parent: "LinuxCACertificates", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ssl/certs/ca-certificates.crt", "/usr/share/ca-certificates/*", "/usr/local/share/ca-certificates/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxCronLogs", Doc: "Linux cron log files.", Sources: []artifacts.Source{{Parent: "LinuxCronLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/cron.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxCronTabs", Doc: "Crontab files.", Sources: []artifacts.Source{{Parent: "LinuxCronTabs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxDaemonLogFiles", Doc: "Linux daemon log files.", 
Sources: []artifacts.Source{{Parent: "LinuxDaemonLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/daemon.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxDHCPConfigurationFile", Doc: "Linux DHCP Configuration File", Sources: []artifacts.Source{{Parent: "LinuxDHCPConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/dhcp/dhcp.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxDistributionRelease", Doc: "Linux distribution release information of non-LSB compliant systems.", Sources: []artifacts.Source{{Parent: "LinuxDistributionRelease", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/centos-release", "/etc/enterprise-release", "/etc/oracle-release", "/etc/redhat-release", "/etc/rocky-release", "/etc/SuSE-release", "/etc/system-release"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "os_release", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: 
"LinuxDSDTTable", Doc: "Linux file containing DSDT table.", Sources: []artifacts.Source{{Parent: "LinuxDSDTTable", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/sys/firmware/acpi/tables/DSDT"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt"}}, {Name: "LinuxFstab", Doc: "Linux fstab file.", Sources: []artifacts.Source{{Parent: "LinuxFstab", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/fstab"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://en.wikipedia.org/wiki/Fstab"}}, {Name: "LinuxGrubConfiguration", Doc: "Linux grub configuration file.", Sources: []artifacts.Source{{Parent: "LinuxGrubConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/boot/grub/grub.cfg", "/boot/grub2/grub.cfg"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://en.wikipedia.org/wiki/GNU_GRUB"}}, {Name: 
"LinuxHostnameFile", Doc: "Linux hostname file.", Sources: []artifacts.Source{{Parent: "LinuxHostnameFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hostname"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxIfUpDownScripts", Doc: "ifupdown scripts executed whenever a network interface goes up or down respectively.", Sources: []artifacts.Source{{Parent: "LinuxIfUpDownScripts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/network/if-up.d/*", "/etc/network/if-down.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxInitrdFiles", Doc: "Initrd (initramfs) files in /boot/ executed on startup.", Sources: []artifacts.Source{{Parent: "LinuxInitrdFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/boot/initramfs*", "/boot/initrd*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://en.wikipedia.org/wiki/Initrd", 
"https://www.kernel.org/doc/html/latest/admin-guide/initrd.html"}}, {Name: "LinuxIssueFile", Doc: "Linux prelogin message and identification (issue) file.", Sources: []artifacts.Source{{Parent: "LinuxIssueFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/issue", "/etc/issue.net"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://linux.die.net/man/5/issue"}}, {Name: "LinuxKerberosConfiguration", Doc: "Linux Kerberos configuration information.", Sources: []artifacts.Source{{Parent: "LinuxKerberosConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/krb5.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html"}}, {Name: "LinuxKernelLogFiles", Doc: "Linux kernel log files.", Sources: []artifacts.Source{{Parent: "LinuxKernelLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/kern.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: 
[]string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxLastlogFile", Doc: "Linux lastlog file.", Sources: []artifacts.Source{{Parent: "LinuxLastlogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/lastlog"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxLoaderSystemPreloadFile", Doc: "Linux dynamic linker/loader system-wide preload file (ld.so.preload).", Sources: []artifacts.Source{{Parent: "LinuxLoaderSystemPreloadFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ld.so.preload"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://man7.org/linux/man-pages/man8/ld.so.8.html"}}, {Name: "LinuxLSBInit", Doc: "Linux LSB-style init scripts.", Sources: []artifacts.Source{{Parent: "LinuxLSBInit", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/init.d/*", "/etc/insserv.conf", "/etc/insserv.conf.d/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, 
Urls: []string{"https://wiki.debian.org/LSBInitScripts"}}, {Name: "LinuxLocalTime", Doc: "Local time zone configuation", Sources: []artifacts.Source{{Parent: "LinuxLocalTime", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/localtime"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxLSBRelease", Doc: "Linux Standard Base (LSB) release information", Sources: []artifacts.Source{{Parent: "LinuxLSBRelease", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/lsb-release"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "os_release", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://linux.die.net/man/1/lsb_release"}}, {Name: "LinuxMessagesLogFiles", Doc: "Linux messages log files.", Sources: []artifacts.Source{{Parent: "LinuxMessagesLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/messages*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxMountCmd", Doc: "Linux output of mount", Sources: 
[]artifacts.Source{{Parent: "LinuxMountCmd", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/bin/mount", Args: []string{}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxMountInfo", Doc: "Linux mount options.", Sources: []artifacts.Source{{Parent: "LinuxMountInfo", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"LinuxFstab", "LinuxProcMounts"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxNetworkManager", Doc: "Linux NetworkManager files.", Sources: []artifacts.Source{{Parent: "LinuxNetworkManager", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/NetworkManager/conf.d/name.conf", "/etc/NetworkManager/NetworkManager.conf", "/etc/NetworkManager/system-connections", "/run/NetworkManager/conf.d/name.conf", "/usr/lib/NetworkManager/conf.d/name.conf", "/var/lib/NetworkManager/NetworkManager-intern.conf", "/var/lib/NetworkManager/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: 
[]string{"https://linux.die.net/man/5/networkmanager.conf", "https://man.archlinux.org/man/NetworkManager.conf.5.en#FILE_FORMAT"}}, {Name: "LinuxPamConfigs", Doc: "Configuration files for PAM.", Sources: []artifacts.Source{{Parent: "LinuxPamConfigs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/pam.conf", "/etc/pam.d", "/etc/pam.d/common-password", "/etc/pam.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://www.linux-pam.org/"}}, {Name: "LinuxPasswdFile", Doc: "Linux passwd file.\n\nA passwd file consist of colon separated values in the format:\nusername:password:uid:gid:full name:home directory:shell\n", Sources: []artifacts.Source{{Parent: "LinuxPasswdFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/passwd"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.username", Regex: "(.*?):.*", WMIKey: ""}, {Key: "users.homedir", Regex: ".*:(.*?):.*", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxHome", Doc: "Users directories in /home", Sources: []artifacts.Source{{Parent: "LinuxHome", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/home/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxHomePath", Doc: "Users directories in /home", Sources: []artifacts.Source{{Parent: "LinuxHomePath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/home/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.username", Regex: "/home/([^/]+)", WMIKey: ""}, {Key: "users.homedir", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxReleaseInfo", Doc: "Release information for Linux platforms.", Sources: []artifacts.Source{{Parent: "LinuxReleaseInfo", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"LinuxDistributionRelease", "LinuxLSBRelease", "LinuxSystemdOSRelease"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxRsyslogConfigs", Doc: "Linux rsyslog configurations.", Sources: []artifacts.Source{{Parent: "LinuxRsyslogConfigs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://www.rsyslog.com/doc/rsyslog_conf.html"}}, {Name: "LinuxScheduleFiles", Doc: "All Linux job scheduling files.", Sources: []artifacts.Source{{Parent: "LinuxScheduleFiles", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"AnacronFiles", "LinuxCronTabs", "LinuxAtJobs"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxServices", Doc: "Services running on a Linux system.", Sources: []artifacts.Source{{Parent: "LinuxServices", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"LinuxXinetd", "LinuxLSBInit", "LinuxSysVInit", "LinuxSystemdServices"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxSSDTTables", Doc: "Linux files containing SSDT table.", Sources: []artifacts.Source{{Parent: "LinuxSSDTTables", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/sys/firmware/acpi/tables/SSDT*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt"}}, {Name: "LinuxSudoReplayLogs", Doc: "Linux sudoreplay log files.", Sources: []artifacts.Source{{Parent: "LinuxSudoReplayLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/sudo-io/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxSysctlConfigurationFiles", Doc: "Linux sysctl preload/configuration files.", Sources: []artifacts.Source{{Parent: "LinuxSysctlConfigurationFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/sysctl.d/*.conf", "/run/sysctl.d/*.conf", "/usr/local/lib/sysctl.d/*.conf", "/usr/lib/sysctl.d/*.conf", "/lib/sysctl.d/*.conf", "/etc/sysctl.con"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://man7.org/linux/man-pages/man5/sysctl.conf.5.html"}}, {Name: "LinuxSysLogFiles", Doc: "Linux syslog log files.", Sources: []artifacts.Source{{Parent: "LinuxSysLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"/var/log/syslog.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxSyslogNgConfigs", Doc: "Linux syslog-ng configurations.", Sources: []artifacts.Source{{Parent: "LinuxSyslogNgConfigs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/syslog-ng/syslog-ng.conf", "/etc/syslog-ng/conf-d/*.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://linux.die.net/man/5/syslog-ng.conf"}}, {Name: "LinuxSystemdJournalConfig", Doc: "Linux systemd journal config file", Sources: []artifacts.Source{{Parent: "LinuxSystemdJournalConfig", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/systemd/journald.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://wiki.archlinux.org/title/Systemd/Journal"}}, {Name: "LinuxSystemdJournalLogs", Doc: "Linux systemd journal log files", Sources: []artifacts.Source{{Parent: "LinuxSystemdJournalLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"/var/log/journal/*/*.journal", "/var/log/journal/*/*.journal~"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://wiki.archlinux.org/title/Systemd/Journal"}}, {Name: "LinuxSystemdOSRelease", Doc: "Linux systemd /etc/os-release file", Sources: []artifacts.Source{{Parent: "LinuxSystemdOSRelease", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/os-release", "/usr/lib/os-release"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "os_release", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.freedesktop.org/software/systemd/man/os-release.html"}}, {Name: "LinuxSystemdServices", Doc: "Linux systemd service unit files", Sources: []artifacts.Source{{Parent: "LinuxSystemdServices", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/systemd/system.control/*.service", "/etc/systemd/systemd.attached/*.service", "/etc/systemd/system/*.service", "/etc/systemd/user/*.service", "/lib/systemd/system/*.service", "/lib/systemd/user/*.service", "/run/systemd/generator.early/*.service", "/run/systemd/generator.late/*.service", "/run/systemd/generator/*.service", "/run/systemd/system.control/*.service", "/run/systemd/systemd.attached/*.service", "/run/systemd/system/*.service", "/run/systemd/transient/*.service", "/run/systemd/user/*.service", 
"/run/user/*/systemd/generator.early/*.service", "/run/user/*/systemd/generator.late/*.service", "/run/user/*/systemd/generator/*.service", "/run/user/*/systemd/transient/*.service", "/run/user/*/systemd/user.control/*.service", "/run/user/*/systemd/user/*.service", "/usr/lib/systemd/system/*.service", "/usr/lib/systemd/user/*.service", "%%users.homedir%%/.config/systemd/user.control/*.service", "%%users.homedir%%/.config/systemd/user/*.service", "%%users.homedir%%/.local/share/systemd/user/*.service"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path"}}, {Name: "LinuxSystemdTimers", Doc: "Linux systemd Timer files", Sources: []artifacts.Source{{Parent: "LinuxSystemdTimers", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/systemd/system.control/*.timer", "/etc/systemd/systemd.attached/*.timer", "/etc/systemd/system/*.timer", "/etc/systemd/user/*.timer", "/lib/systemd/system/*.timer", "/lib/systemd/user/*.timer", "/run/systemd/generator.early/*.timer", "/run/systemd/generator.late/*.timer", "/run/systemd/generator/*.timer", "/run/systemd/system.control/*.timer", "/run/systemd/systemd.attached/*.timer", "/run/systemd/system/*.timer", "/run/systemd/transient/*.timer", "/run/systemd/user/*.timer", "/run/user/*/systemd/generator.early/*.timer", "/run/user/*/systemd/generator.late/*.timer", "/run/user/*/systemd/generator/*.timer", "/run/user/*/systemd/transient/*.timer", "/run/user/*/systemd/user.control/*.timer", "/run/user/*/systemd/user/*.timer", "/usr/lib/systemd/system/*.timer", 
"/usr/lib/systemd/user/*.timer", "%%users.homedir%%/.config/systemd/user.control/*.timer", "%%users.homedir%%/.config/systemd/user/*.timer", "%%users.homedir%%/.local/share/systemd/user/*.timer"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.freedesktop.org/software/systemd/man/systemd.timer.html#"}}, {Name: "LinuxSysVInit", Doc: "Services started by sysv-style init scripts.", Sources: []artifacts.Source{{Parent: "LinuxSysVInit", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/rc.local", "/etc/rc*.d", "/etc/rc*.d/*", "/etc/rc.d/rc*.d/*", "/etc/rc.d/init.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://savannah.nongnu.org/projects/sysvinit", "http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html"}}, {Name: "LinuxTimezoneFile", Doc: "Linux timezone file.", Sources: []artifacts.Source{{Parent: "LinuxTimezoneFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/timezone"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, 
SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxUdevRules", Doc: "Linux udev rules for the events received by the udev's daemon from the Linux kernel.", Sources: []artifacts.Source{{Parent: "LinuxUdevRules", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/usr/lib/udev/rules.d/*", "/etc/udev/rules.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://wiki.archlinux.org/title/Udev"}}, {Name: "LinuxUtmpFiles", Doc: "Linux btmp, utmp and wtmp login record files.", Sources: []artifacts.Source{{Parent: "LinuxUtmpFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/btmp", "/var/log/wtmp", "/var/run/utmp"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc"}}, {Name: "LinuxWtmp", Doc: "Linux wtmp login record file", Sources: []artifacts.Source{{Parent: "LinuxWtmp", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/wtmp"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc"}}, {Name: "LinuxXinetd", Doc: "Linux xinetd configurations.", Sources: []artifacts.Source{{Parent: "LinuxXinetd", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/xinetd.conf", "/etc/xinetd.d/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"http://en.wikipedia.org/wiki/Xinetd"}}, {Name: "ListProcessesPsCommand", Doc: "Full process listing via the 'ps' command.", Sources: []artifacts.Source{{Parent: "ListProcessesPsCommand", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/bin/ps", Args: []string{"-ef"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://gitlab.com/procps-ng/procps"}}, {Name: "LoadedKernelModules", Doc: "Linux output of lsmod.", Sources: []artifacts.Source{{Parent: "LoadedKernelModules", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/sbin/lsmod", Args: []string{}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LocateDatabase", Doc: "locate/mlocate database and updatedb configuration.", Sources: []artifacts.Source{{Parent: "LocateDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/mlocate/mlocate.db", "/etc/updatedb.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://linux.die.net/man/1/locate", "https://linux.die.net/man/8/updatedb"}}, {Name: "LoginPolicyConfiguration", Doc: "Linux files related to login policy configuration.", Sources: []artifacts.Source{{Parent: "LoginPolicyConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/netgroup", "/etc/nsswitch.conf", "/etc/passwd", "/etc/shadow", "/etc/security/access.conf", "/root/.k5login"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "MySQLHistoryFile", Doc: "MySQL History file.", Sources: []artifacts.Source{{Parent: "MySQLHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/.mysql_history", "/root/.mysql_history", "%%users.homedir%%/.mysql_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "NanoHistoryFile", Doc: "nano history file that logs search and replace strings.", Sources: []artifacts.Source{{Parent: "NanoHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.nano_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.nano-editor.org/dist/v2.2/nano.html"}}, {Name: "NetgroupConfiguration", Doc: "Linux netgroup configuration.", Sources: []artifacts.Source{{Parent: "NetgroupConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/netgroup"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "NtpConfFile", Doc: "The configuration file for ntpd. e.g. 
ntp.conf.", Sources: []artifacts.Source{{Parent: "NtpConfFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ntp.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.freebsd.org/cgi/man.cgi?query=ntp.conf&sektion=5"}}, {Name: "PCIDevicesInfoFiles", Doc: "Info and config files for PCI devices located on the system.", Sources: []artifacts.Source{{Parent: "PCIDevicesInfoFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/sys/bus/pci/devices/*/vendor", "/sys/bus/pci/devices/*/device", "/sys/bus/pci/devices/*/class", "/sys/bus/pci/devices/*/config"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci", "https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt", "https://wiki.debian.org/HowToIdentifyADevice/PCI"}}, {Name: "PostgreSQLHistoryFile", Doc: "PostgreSQL History file.", Sources: []artifacts.Source{{Parent: "PostgreSQLHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/.psql_history", "/root/.psql_history", "/var/lib/postgresql/.psql_history", "/var/lib/pgsql/.psql_history", "%%users.homedir%%/.psql_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", 
BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "PythonHistoryFile", Doc: "Python REPL history file.", Sources: []artifacts.Source{{Parent: "PythonHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.python_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "RHostsFile", Doc: "RHosts file.", Sources: []artifacts.Source{{Parent: "RHostsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.rhosts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "SambaLogFiles", Doc: "Samba log files.", Sources: []artifacts.Source{{Parent: "SambaLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/samba/*.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: 
[]string{"Linux"}, Urls: []string{"https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server"}}, {Name: "SecretsServiceDatabaseFile", Doc: "The System Security Services Daemon (SSSD) database file.", Sources: []artifacts.Source{{Parent: "SecretsServiceDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/sss/secrets/secrets.ldb", "/var/lib/sss/secrets/.secrets.mkey"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://docs.pagure.org/sssd.sssd/design_pages/secrets_service.html", "https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html"}}, {Name: "SQLiteHistoryFile", Doc: "SQLite History file.", Sources: []artifacts.Source{{Parent: "SQLiteHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.sqlite_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "SSHAuthorizedKeysFiles", Doc: "SSH authorized keys files.", Sources: []artifacts.Source{{Parent: "SSHAuthorizedKeysFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.ssh/authorized_keys", "%%users.homedir%%/.ssh/authorized_keys2"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "SSHHostPubKeys", Doc: "SSH host public keys", Sources: []artifacts.Source{{Parent: "SSHHostPubKeys", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/ssh/ssh_host_*_key.pub"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication", "Configuration Files"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "SSHKnownHostsFiles", Doc: "SSH known_hosts files.", Sources: []artifacts.Source{{Parent: "SSHKnownHostsFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.ssh/known_hosts", "/etc/ssh/known_hosts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ThumbnailCacheFolder", Doc: "Thumbnail cache folder.", Sources: []artifacts.Source{{Parent: "ThumbnailCacheFolder", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.thumbnails/**3"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "UFWConfigFiles", Doc: "UFW Configuration files.", Sources: []artifacts.Source{{Parent: "UFWConfigFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/default/ufw", "/etc/ufw/sysctl.conf", "/etc/ufw/*.rules", "/etc/ufw/applications.d/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "UFWLogFile", Doc: "UFW Log file.", Sources: []artifacts.Source{{Parent: "UFWLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/ufw.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "Viminfo", Doc: "Viminfo file.", Sources: []artifacts.Source{{Parent: "Viminfo", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.viminfo"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "WgetHSTSdatabase", Doc: "Default wget HTTP 
Strict Transport Security (HSTS) database", Sources: []artifacts.Source{{Parent: "WgetHSTSdatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.wget-hsts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html"}}, {Name: "XDGAutostartEntries", Doc: "XDG Autostart Entries", Sources: []artifacts.Source{{Parent: "XDGAutostartEntries", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/xdg/autostart/*.desktop", "%%users.homedir%%/.config/autostart/*.desktop"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html"}}, {Name: "YumSources", Doc: "Yum package sources list", Sources: []artifacts.Source{{Parent: "YumSources", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/yum.conf", "/etc/yum.repos.d/*.repo"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files", "System"}, SupportedOs: 
[]string{"Linux"}, Urls: []string{"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-configuring_yum_and_yum_repositories"}}, {Name: "ZeitgeistDatabase", Doc: "Zeitgeist user activity database.", Sources: []artifacts.Source{{Parent: "ZeitgeistDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/share/zeitgeist/activity.sqlite", "%%users.homedir%%/.local/share/zeitgeist/activity.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Logs"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Zeitgeist"}}, {Name: "FlatpakAppPaths", Doc: "Get paths of installed Flatpak app.", Sources: []artifacts.Source{{Parent: "FlatpakAppPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/lib/flatpak/app/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://docs.flatpak.org/"}}, {Name: "LinuxNssCachePasswdFile", Doc: "Local NSS database for remote directory services.", Sources: []artifacts.Source{{Parent: "LinuxNssCachePasswdFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/passwd.cache"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://github.com/google/nsscache"}}, {Name: "LessHistoryFile", Doc: "less history file which remembers search and shell commands", Sources: []artifacts.Source{{Parent: "LessHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.lesshst"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://man7.org/linux/man-pages/man1/less.1.html"}}, {Name: "PythonDistInfoPath", Doc: "Get the path of Python module files distributed in the dist-info format of\nPEP-0376 (currently Linux only).\n\ndist-info is always a directory that must contain METADATA, RECORD and\nINSTALLER. 
It may also contain REQUESTED.\n", Sources: []artifacts.Source{{Parent: "PythonDistInfoPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/lib/python*/dist-packages/*.dist-info", "%%users.homedir%%/.local/lib/python*/site-packages/*.dist-info", "/usr/lib/python*/dist-packages/*.dist-info", "/usr/lib/python*/site-packages/*.dist-info", "/usr/lib64/python*/dist-packages/*.dist-info", "/usr/lib64/python*/site-packages/*.dist-info", "/usr/local/lib/python*/dist-packages/*.dist-info", "/usr/local/lib/python*/site-packages/*.dist-info", "/usr/local/lib64/python*/dist-packages/*.dist-info", "/usr/local/lib64/python*/site-packages/*.dist-info"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.python.org/dev/peps/pep-0376/"}}, {Name: "LinuxASLREnabled", Doc: "Kernel ASLR state.", Sources: []artifacts.Source{{Parent: "LinuxASLREnabled", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/kernel/randomize_va_space"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/kernel.txt"}}, {Name: "LinuxIgnoreICMPBroadcasts", Doc: "Whether the system ignores ICMP pings.", Sources: []artifacts.Source{{Parent: "LinuxIgnoreICMPBroadcasts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), 
Paths: []string{"/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt"}}, {Name: "LinuxKernelBootloader", Doc: "Bootloader state acquired from the kernel.", Sources: []artifacts.Source{{Parent: "LinuxKernelBootloader", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/kernel/bootloader_type", "/proc/sys/kernel/bootloader_version"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/kernel.txt"}}, {Name: "LinuxKernelModuleRestrictions", Doc: "Module loading controls.", Sources: []artifacts.Source{{Parent: "LinuxKernelModuleRestrictions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/kernel/kexec_load_disabled", "/proc/sys/kernel/modules_disabled"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/kernel.txt"}}, {Name: 
"LinuxKernelModuleTaintStatus", Doc: "Taint state of loaded modules (binary blobs, unsigned modules etc).", Sources: []artifacts.Source{{Parent: "LinuxKernelModuleTaintStatus", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/kernel/tainted"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/kernel.txt"}}, {Name: "LinuxNetworkIpForwardingState", Doc: "IP forwarding states.", Sources: []artifacts.Source{{Parent: "LinuxNetworkIpForwardingState", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/net/ipv*/conf/*/forwarding", "/proc/sys/net/ipv4/conf/*/mc_forwarding", "/proc/sys/net/ipv4/ip_forward"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt"}}, {Name: "LinuxNetworkPathFilteringSettings", Doc: "States that determine how the system responds to route manipulation.", Sources: []artifacts.Source{{Parent: "LinuxNetworkPathFilteringSettings", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/net/ipv*/conf/*/accept_source_route", "/proc/sys/net/ipv4/conf/*/rp_filter", "/proc/sys/net/ipv4/conf/*/log_martians"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: 
"", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt"}}, {Name: "LinuxNetworkRedirectState", Doc: "Redirect send/receive states.", Sources: []artifacts.Source{{Parent: "LinuxNetworkRedirectState", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/net/ipv*/conf/*/accept_redirects", "/proc/sys/net/ipv4/conf/*/secure_redirects", "/proc/sys/net/ipv4/conf/*/send_redirects"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt"}}, {Name: "LinuxProcArp", Doc: "ARP table via /proc/net/arp.", Sources: []artifacts.Source{{Parent: "LinuxProcArp", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/net/arp"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxProcMounts", Doc: "Current mounted filesystems.", Sources: []artifacts.Source{{Parent: "LinuxProcMounts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/mounts"}, Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/filesystems/proc.txt"}}, {Name: "LinuxProcSysHardeningSettings", Doc: "Linux sysctl settings obtained from /proc/sys.", Sources: []artifacts.Source{{Parent: "LinuxProcSysHardeningSettings", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"LinuxASLREnabled", "LinuxIgnoreICMPBroadcasts", "LinuxKernelBootloader", "LinuxKernelModuleTaintStatus", "LinuxKernelModuleRestrictions", "LinuxNetworkIpForwardingState", "LinuxNetworkPathFilteringSettings", "LinuxNetworkRedirectState", "LinuxRestrictedDmesgReadPrivileges", "LinuxRestrictedKernelPointerReadPrivileges", "LinuxSecureSuidCoreDumps", "LinuxSecureFsLinks", "LinuxSyncookieState"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxRestrictedDmesgReadPrivileges", Doc: "Restrict whether non-privileged users can read dmesg.", Sources: []artifacts.Source{{Parent: "LinuxRestrictedDmesgReadPrivileges", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/kernel/dmesg_restrict"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/kernel.txt"}}, {Name: "LinuxRestrictedKernelPointerReadPrivileges", Doc: "Memory address obfuscation settings.", Sources: []artifacts.Source{{Parent: "LinuxRestrictedKernelPointerReadPrivileges", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/kernel/kptr_restrict"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/kernel.txt"}}, {Name: "LinuxSecureFsLinks", Doc: "Security controls to restrict operations on links in world writable directories.", Sources: []artifacts.Source{{Parent: "LinuxSecureFsLinks", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/fs/protected_hardlinks", "/proc/sys/fs/protected_symlinks"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/fs.txt"}}, {Name: "LinuxSecureSuidCoreDumps", Doc: "Security controls for suid core dumps.", Sources: []artifacts.Source{{Parent: "LinuxSecureSuidCoreDumps", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/fs/suid_dumpable"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl/fs.txt"}}, {Name: "LinuxSyncookieState", Doc: "Whether the system uses syncookies.", Sources: []artifacts.Source{{Parent: "LinuxSyncookieState", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/proc/sys/net/ipv4/tcp_syncookies"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network", "System"}, SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt"}}, {Name: "LinuxSysctlCmd", Doc: "Linux output of systctl -a.", Sources: []artifacts.Source{{Parent: "LinuxSysctlCmd", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/sbin/sysctl", Args: []string{"-a"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://www.kernel.org/doc/Documentation/sysctl"}}, {Name: "ApacheKafkaLogFiles", Doc: "Apache Kafka Log files", Sources: []artifacts.Source{{Parent: "ApacheKafkaLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/opt/kafka/logs/*", "/opt/kafka/logs/controller.log*", "/opt/kafka/logs/kafka-*.log*", "/opt/kafka/logs/server.log*", 
"/opt/kafka/logs/state-change.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "HAProxyLogFiles", Doc: "HAProxy Log files", Sources: []artifacts.Source{{Parent: "HAProxyLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/haproxy/*", "/var/log/haproxy.log", "/var/log/haproxy-traffic.log", "/var/log/haproxy-admin.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8", "https://www.haproxy.com/blog/introduction-to-haproxy-logging/"}}, {Name: "JenkinsLogFile", Doc: "Jenkins log file", Sources: []artifacts.Source{{Parent: "JenkinsLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/jenkins/jenkins.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://wiki.jenkins.io/display/JENKINS/Logging.html"}}, {Name: "OsqueryLogFiles", Doc: "Osquery daemon log files", Sources: []artifacts.Source{{Parent: "OsqueryLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string{"/var/log/osquery/osqueryd.results.log", "/var/log/osquery/osqueryd.snapshots.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://osquery.readthedocs.io/en/stable/deployment/logging/"}}, {Name: "MacOSAppleSystemLogFiles", Doc: "Apple system log (ASL) files", Sources: []artifacts.Source{{Parent: "MacOSAppleSystemLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/log/asl/*.asl", "/private/var/log/DiagnosticMessages/*.asl", "/var/log/asl/*.asl", "/var/log/DiagnosticMessages/*.asl"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs"}}, {Name: "MacOSApplications", Doc: "Applications", Sources: []artifacts.Source{{Parent: "MacOSApplications", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Applications/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software"}, SupportedOs: []string{"Darwin"}, 
Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSApplicationsRecentItems", Doc: "Recent Items application specific", Sources: []artifacts.Source{{Parent: "MacOSApplicationsRecentItems", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/*.LSSharedFileList.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items"}}, {Name: "MacOSApplicationSupport", Doc: "Application Support Directory", Sources: []artifacts.Source{{Parent: "MacOSApplicationSupport", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc."}}, {Name: "MacOSAtJobs", Doc: "MacOS at jobs", Sources: []artifacts.Source{{Parent: "MacOSAtJobs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"/usr/lib/cron/jobs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.", "https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at"}}, {Name: "MacOSAuditLogFiles", Doc: "Audit log files", Sources: []artifacts.Source{{Parent: "MacOSAuditLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/audit/*", "/var/audit/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs"}}, {Name: "MacOSBashHistory", Doc: "Terminal Commands History", Sources: []artifacts.Source{{Parent: "MacOSBashHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.bash_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", 
"Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs"}}, {Name: "MacOSBashSessions", Doc: "Terminal Commands Sessions", Sources: []artifacts.Source{{Parent: "MacOSBashSessions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.bash_sessions/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://www.swiftforensics.com/2018/05/bash-sessions-in-macos.html"}}, {Name: "MacOSBluetoothPlistFile", Doc: "Bluetooth preferences and paired device information plist file", Sources: []artifacts.Source{{Parent: "MacOSBluetoothPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/com.apple.Bluetooth.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences"}}, {Name: "MacOSCoreAnalyticsFiles", Doc: "macOS 10.13 (High Sierra) CoreAnalytics log files.", Sources: []artifacts.Source{{Parent: "MacOSCoreAnalyticsFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"/Library/Logs/DiagnosticReports/*.core_analytics", "/private/var/db/analyticsd/aggregates/*", "/var/db/analyticsd/aggregates/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X#Diagnostic_Reports", "https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/"}}, {Name: "MacOSCronTabs", Doc: "Cron tabs", Sources: []artifacts.Source{{Parent: "MacOSCronTabs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/crontab", "/private/etc/crontab", "/usr/lib/cron/tabs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc."}}, {Name: "MacOSDock", Doc: "Dock database", Sources: []artifacts.Source{{Parent: "MacOSDock", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.Dock.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSGlobalPreferencesPlistFile", Doc: "Global Preferences plist file", Sources: []artifacts.Source{{Parent: "MacOSGlobalPreferencesPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/.GlobalPreferences.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences"}}, {Name: "MacOSHostsFile", Doc: "Hosts file", Sources: []artifacts.Source{{Parent: "MacOSHostsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hosts", "/private/etc/hosts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking"}}, {Name: "MacOSiCloudAccounts", Doc: "iCloud Accounts", Sources: []artifacts.Source{{Parent: "MacOSiCloudAccounts", Type: 
"FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/iCloud/Accounts/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Cloud", "ExternalAccount"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSiCloudPreferences", Doc: "iCloud user preferences", Sources: []artifacts.Source{{Parent: "MacOSiCloudPreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Cloud", "ExternalAccount"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSiDevices", Doc: "Attached iDevices", Sources: []artifacts.Source{{Parent: "MacOSiDevices", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.iPod.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "External Media"}, SupportedOs: []string{"Darwin"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSInstallationHistory", Doc: "Software Installation History", Sources: []artifacts.Source{{Parent: "MacOSInstallationHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Receipts/InstallHistory.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation"}}, {Name: "MacOSInstallationLogFile", Doc: "Installation log file", Sources: []artifacts.Source{{Parent: "MacOSInstallationLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/log/install.log", "/var/log/install.log"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs"}}, {Name: "MacOSiOSBackupInfo", Doc: "iOS device backup information", Sources: []artifacts.Source{{Parent: "MacOSiOSBackupInfo", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "iOS"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup"}}, {Name: "MacOSiOSBackupManifest", Doc: "iOS device backup apps information", Sources: []artifacts.Source{{Parent: "MacOSiOSBackupManifest", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "iOS"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup"}}, {Name: "MacOSiOSBackupMbdb", Doc: "iOS device backup files information", Sources: []artifacts.Source{{Parent: "MacOSiOSBackupMbdb", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mdbd"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "iOS"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup"}}, {Name: "MacOSiOSBackupsMainDirectory", Doc: "iOS device backups directory", Sources: []artifacts.Source{{Parent: "MacOSiOSBackupsMainDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/MobileSync/Backup/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "iOS"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup"}}, {Name: "MacOSiOSBackupStatus", Doc: "iOS device backup status information", Sources: []artifacts.Source{{Parent: "MacOSiOSBackupStatus", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "iOS"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup"}}, {Name: "MacOSKeychains", Doc: "Keychain 
Directory", Sources: []artifacts.Source{{Parent: "MacOSKeychains", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Keychains/*.keychain"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc."}}, {Name: "MacOSKeyboardLayoutPlistFile", Doc: "Keyboard layout plist file", Sources: []artifacts.Source{{Parent: "MacOSKeyboardLayoutPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/com.apple.HIToolbox.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSKextFiles", Doc: "Kernel extension (.kext) files", Sources: []artifacts.Source{{Parent: "MacOSKextFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/System/Library/Extensions/*", "/Library/Extensions/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension"}}, {Name: "MacOSDuetKnowledgeBase", Doc: "KnowledgeC User and Application usage database", Sources: []artifacts.Source{{Parent: "MacOSDuetKnowledgeBase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db", "/private/var/db/CoreDuet/Knowledge/knowledgeC.db", "/var/db/CoreDuet/Knowledge/knowledgeC.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage"}}, {Name: "MacOSLaunchAgentsPlistFiles", Doc: "Launch Agents plist files", Sources: []artifacts.Source{{Parent: "MacOSLaunchAgentsPlistFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/LaunchAgents/*.plist", "/System/Library/LaunchAgents/*.plist", "%%users.homedir%%/Library/LaunchAgents/*.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations"}}, {Name: 
"MacOSLaunchDaemonsPlistFiles", Doc: "Launch Daemons plist files", Sources: []artifacts.Source{{Parent: "MacOSLaunchDaemonsPlistFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/LaunchDaemons/*.plist", "/System/Library/LaunchDaemons/*.plist", "%%users.homedir%%/Library/LaunchDaemons/*.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations"}}, {Name: "MacOSLastlogFile", Doc: "Mac OS X lastlog file.", Sources: []artifacts.Source{{Parent: "MacOSLastlogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/log/lastlog", "/var/log/lastlog"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSLoadedKexts", Doc: "MacOS Loaded Kernel Extensions.", Sources: []artifacts.Source{{Parent: "MacOSLoadedKexts", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/usr/sbin/kextstat", Args: []string{}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), 
Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSLocalTime", Doc: "Local time zone configuation", Sources: []artifacts.Source{{Parent: "MacOSLocalTime", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/localtime", "/private/etc/localtime"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc."}}, {Name: "MacOSLoginWindowPlistFile", Doc: "Log-in window information property list (plist) file", Sources: []artifacts.Source{{Parent: "MacOSLoginWindowPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/com.apple.loginwindow.plist", "%%users.homedir%%/Library/Preferences/ByHost/com.apple.loginwindow.plist", "%%users.homedir%%/Library/Preferences/ByHost/com.apple.loginwindow.*.plist", "/var/root/Library/Preferences/com.apple.loginwindow.plist", "/private/var/root/Library/Preferences/com.apple.loginwindow.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences", "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", 
"https://developer.apple.com/documentation/devicemanagement/loginwindowscripts"}}, {Name: "MacOSMailAccounts", Doc: "Mail Accounts. Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailAccounts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/MailData/Accounts.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailBackupTOC", Doc: "Mail Backup Table of Content. Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailBackupTOC", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/MailData/BackupTOC.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailboxes", Doc: "Mail Mailbox Directory. 
Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailboxes", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/Mailboxes/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailDownloadAttachments", Doc: "Mail Downloads Directory", Sources: []artifacts.Source{{Parent: "MacOSMailDownloadAttachments", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailEnvelopIndex", Doc: "Mail Envelope Index. 
Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailEnvelopIndex", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/MailData/Envelope Index"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailIMAP", Doc: "Mail IMAP Synched Mailboxes. Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailIMAP", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/IMAP-*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailMainDirectory", Doc: "Mail Main Folder. 
Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailMainDirectory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailOpenedAttachments", Doc: "Mail Opened Attachments", Sources: []artifacts.Source{{Parent: "MacOSMailOpenedAttachments", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/MailData/OpenedAttachmentsV2.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailPOP", Doc: "Mail POP Synched Mailboxes. 
Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailPOP", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/POP-*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailPreferences", Doc: "Mail Preferences", Sources: []artifacts.Source{{Parent: "MacOSMailPreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.Mail.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailRecentContacts", Doc: "Mail Recent Contacts", Sources: []artifacts.Source{{Parent: "MacOSMailRecentContacts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMailSignatures", Doc: "Mail Signatures by Account. Until now only V2, V3 and V5 have been observed.", Sources: []artifacts.Source{{Parent: "MacOSMailSignatures", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Mail/V[0-9]/MailData/Signatures/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software", "Mail"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail"}}, {Name: "MacOSMiscLogs", Doc: "Misc. 
Logs", Sources: []artifacts.Source{{Parent: "MacOSMiscLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Logs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs"}}, {Name: "MacOSMountedDMGs", Doc: "MacOS Mounted DMG files.", Sources: []artifacts.Source{{Parent: "MacOSMountedDMGs", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/usr/bin/hdiutil", Args: []string{"info"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSNotificationCenter", Doc: "MacOS NotificationCenter database", Sources: []artifacts.Source{{Parent: "MacOSNotificationCenter", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/NotificationCenter/*.db", "/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db", "/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db", "/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db", "/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSPeriodicSystemFunctions", Doc: "Periodic system functions scripts and configuration", Sources: []artifacts.Source{{Parent: "MacOSPeriodicSystemFunctions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/daily.local/*", "/etc/defaults/periodic.conf", "/etc/monthly.local/*", "/etc/periodic/**2", "/etc/periodic.conf", "/etc/periodic.conf.local", "/etc/periodic/daily/*", "/etc/periodic/monthly/*", "/etc/periodic/weekly/*", "/etc/weekly.local/*", "/private/etc/daily.local/*", "/private/etc/defaults/periodic.conf", "/private/etc/monthly.local/*", "/private/etc/periodic/**2", "/private/etc/periodic.conf", "/private/etc/periodic.conf.local", "/private/etc/periodic/daily/*", "/private/etc/periodic/monthly/*", "/private/etc/periodic/weekly/*", "/private/etc/weekly.local/*", "/usr/local/etc/periodic/**2"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.", "https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic"}}, {Name: "MacOSQuarantineEvents", Doc: "Quarantine Event Database", Sources: []artifacts.Source{{Parent: "MacOSQuarantineEvents", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents", "%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Software"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSRecentItems", Doc: "Recent Items", Sources: []artifacts.Source{{Parent: "MacOSRecentItems", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items"}}, {Name: "MacOSRemoteDesktopAdministratorSystem", Doc: "Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance.", Sources: []artifacts.Source{{Parent: "MacOSRemoteDesktopAdministratorSystem", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/RemoteManagement/ClientCaches/*", "/var/db/RemoteManagement/ClientCaches/*", 
"/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3", "/var/db/RemoteManagement/RMDB/rmdb.sqlite3"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://help.apple.com/remotedesktop/mac/3.9/", "https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html", "https://github.com/fireeye/ARDvark#ard-artifacts-to-parse"}}, {Name: "MacOSRemoteDesktopClientSystem", Doc: "Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance.", Sources: []artifacts.Source{{Parent: "MacOSRemoteDesktopClientSystem", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/RemoteManagement/caches/AppUsage.plist", "/var/db/RemoteManagement/caches/AppUsage.plist", "/private/var/db/RemoteManagement/caches/UserAcct.tmp", "/var/db/RemoteManagement/caches/UserAcct.tmp"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://help.apple.com/remotedesktop/mac/3.9/", "https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html", "https://github.com/fireeye/ARDvark#ard-artifacts-to-parse"}}, {Name: "MacOSSidebarLists", Doc: "Sidebar Lists Preferences\n\nThis plist contains the names of volumes mounted on the desktop 
that have appeared in the sidebar list.\n", Sources: []artifacts.Source{{Parent: "MacOSSidebarLists", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist", "%%users.homedir%%/Preferences/com.apple.sidebarlists.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "External Media"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSSleepimageFile", Doc: "Sleepimage file which contains the content of memory before going to sleep", Sources: []artifacts.Source{{Parent: "MacOSSleepimageFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/vm/sleepimage", "/var/vm/sleepimage"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File"}}, {Name: "MacOSStartupItemsPlistFiles", Doc: "Startup Items plist files", Sources: []artifacts.Source{{Parent: "MacOSStartupItemsPlistFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/StartupItems/*.plist", 
"/System/Library/StartupItems/*.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations"}}, {Name: "MacOSSwapFiles", Doc: "Swap files", Sources: []artifacts.Source{{Parent: "MacOSSwapFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/vm/swapfile[0-9]", "/var/vm/swapfile[0-9]"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File"}}, {Name: "MacOSSystemConfigurationPreferencesPlistFile", Doc: "System configuration preferences plist file", Sources: []artifacts.Source{{Parent: "MacOSSystemConfigurationPreferencesPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/SystemConfiguration/preferences.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSSystemInstallationTime", Doc: "System installation time", Sources: []artifacts.Source{{Parent: "MacOSSystemInstallationTime", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/.AppleSetupDone", "/var/db/.AppleSetupDone"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations"}}, {Name: "MacOSSystemLogFiles", Doc: "System log files", Sources: []artifacts.Source{{Parent: "MacOSSystemLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/log/*", "/var/log/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs"}}, {Name: "MacOSSystemPreferencesPlistFiles", Doc: "System Preferences plist files", Sources: []artifacts.Source{{Parent: "MacOSSystemPreferencesPlistFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/**/*.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences"}}, {Name: "MacOSSystemVersionPlistFile", Doc: "Operating system name and version plist file", Sources: []artifacts.Source{{Parent: "MacOSSystemVersionPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/System/Library/CoreServices/SystemVersion.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations"}}, {Name: "MacOSTimeMachinePlistFile", Doc: "Time Machine information plist file", Sources: []artifacts.Source{{Parent: "MacOSTimeMachinePlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/com.apple.TimeMachine.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences"}}, {Name: "MacOSUnifiedLogging", Doc: "Apple Unified Logging and Activity Tracing", Sources: []artifacts.Source{{Parent: "MacOSUnifiedLogging", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/diagnostics/*.tracev3", "/private/var/db/diagnostics/*/*.tracev3", "/private/var/db/uuidtext/*/*", "/var/db/diagnostics/*.tracev3", "/var/db/diagnostics/*/*.tracev3", "/var/db/uuidtext/*/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf"}}, {Name: "MacOSUpdate", Doc: "Software Update", Sources: []artifacts.Source{{Parent: "MacOSUpdate", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/com.apple.SoftwareUpdate.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation"}}, {Name: "MacOSUserApplicationLogs", Doc: "User and 
Applications Logs Directory", Sources: []artifacts.Source{{Parent: "MacOSUserApplicationLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Logs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Logs"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs"}}, {Name: "MacOSUserDesktopDirectory", Doc: "Desktop Directory", Sources: []artifacts.Source{{Parent: "MacOSUserDesktopDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Desktop/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserDocumentsDirectory", Doc: "Documents Directory", Sources: []artifacts.Source{{Parent: "MacOSUserDocumentsDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Documents/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserDownloadsDirectory", Doc: "User downloads directory", Sources: []artifacts.Source{{Parent: "MacOSUserDownloadsDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Downloads/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserGlobalPreferences", Doc: "User Global Preferences", Sources: []artifacts.Source{{Parent: "MacOSUserGlobalPreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSUserLibraryDirectory", Doc: "Library Directory", Sources: []artifacts.Source{{Parent: 
"MacOSUserLibraryDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserLoginItemsPlistFile", Doc: "User login items property list (plist) file.", Sources: []artifacts.Source{{Parent: "MacOSUserLoginItemsPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist", "%%users.homedir%%/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm", "/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm", "/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v*.btm"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations-2", "https://objective-see.org/blog/blog_0x31.html"}}, {Name: "MacOSUserMoviesDirectory", Doc: "Movies Directory", Sources: []artifacts.Source{{Parent: "MacOSUserMoviesDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Movies/*"}, Separator: "", Cmd: "", 
Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserMusicDirectory", Doc: "Music Directory", Sources: []artifacts.Source{{Parent: "MacOSUserMusicDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Music/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserPasswordHashesPlistFiles", Doc: "User password hashes plist files", Sources: []artifacts.Source{{Parent: "MacOSUserPasswordHashesPlistFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/dslocal/nodes/Default/users/*.plist", "/var/db/dslocal/nodes/Default/users/*.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Users", "Authentication"}, SupportedOs: []string{"Darwin"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations"}}, {Name: "MacOSUserPicturesDirectory", Doc: "Pictures Directory", Sources: []artifacts.Source{{Parent: "MacOSUserPicturesDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Pictures/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUserPreferences", Doc: "User preferences directory", Sources: []artifacts.Source{{Parent: "MacOSUserPreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences"}}, {Name: "MacOSUserPublicDirectory", Doc: "Public Directory", Sources: []artifacts.Source{{Parent: "MacOSUserPublicDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Public/*"}, Separator: "", 
Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories"}}, {Name: "MacOSUsers", Doc: "Users directories in /Users", Sources: []artifacts.Source{{Parent: "MacOSUsers", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Users/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users"}}, {Name: "MacOSUsersPath", Doc: "Users directories in /Users", Sources: []artifacts.Source{{Parent: "MacOSUsersPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Users/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.username", Regex: "/Users/([^/]+)", WMIKey: ""}, {Key: "users.homedir", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserSocialAccounts", Doc: "User's Social Accounts", Sources: 
[]artifacts.Source{{Parent: "MacOSUserSocialAccounts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Accounts/Accounts3.sqlite", "%%users.homedir%%/Library/Accounts/Accounts3.sqlite-wal", "%%users.homedir%%/Library/Accounts/Accounts4.sqlite", "%%users.homedir%%/Library/Accounts/Accounts4.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "ExternalAccount"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts", "https://lab.wallarm.com/hunting-the-files-34caa0c1496"}}, {Name: "MacOSUserTrash", Doc: "User Trash Folder", Sources: []artifacts.Source{{Parent: "MacOSUserTrash", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.Trash/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc."}}, {Name: "MacOSUtmpFile", Doc: "Mac OS X utmp and wmtp login record file.", Sources: []artifacts.Source{{Parent: "MacOSUtmpFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/log/btmp", "/private/var/log/wtmp", "/private/var/run/utmp", 
"/var/log/btmp", "/var/log/wtmp", "/var/run/utmp"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc"}}, {Name: "MacOSUtmpxFile", Doc: "Mac OS X 10.5 utmpx login record file.", Sources: []artifacts.Source{{Parent: "MacOSUtmpxFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/run/utmpx", "/var/run/utmpx"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "Authentication"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc"}}, {Name: "MacOSWirelessNetworks", Doc: "Remembered Wireless Networks", Sources: []artifacts.Source{{Parent: "MacOSWirelessNetworks", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Darwin"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking"}}, {Name: "MacOSFSEvents", Doc: "Mac OS X file system event log", Sources: []artifacts.Source{{Parent: "MacOSFSEvents", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/.fseventsd/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs", "System", "Users"}, SupportedOs: []string{"Darwin"}, Urls: []string{"http://nicoleibrahim.com/apple-fsevents-forensics/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf"}}, {Name: "MacOSTCC", Doc: "Apple's Transparency, Consent, Control (TCC) framework database", Sources: []artifacts.Source{{Parent: "MacOSTCC", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Application Support/com.apple.TCC/TCC.db", "%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Darwin"}, Urls: []string{"https://blog.fleetsmith.com/tcc-a-quick-primer/", "https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/"}}, {Name: "MacOSDirectoryServicesLocalNodesSQLiteDatabaseFile", Doc: "Directory services local nodes database.", Sources: []artifacts.Source{{Parent: "MacOSDirectoryServicesLocalNodesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string{"/private/var/db/dslocal/nodes/Default/sqlindex", "/var/db/dslocal/nodes/Default/sqlindex"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSNetworkUsageSQLiteDatabaseFile", Doc: "Network usage SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSNetworkUsageSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/networkd/netusage.sqlite", "/var/networkd/netusage.sqlite"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSIdentityServicesSQLiteDatabaseFile", Doc: "Identity services SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSIdentityServicesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/IdentityServices/ids.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserAccountsSQLiteDatabaseFile", Doc: "User Accounts SQLite database files.\n\nSeen Accounts3.sqlite and Accounts4.sqlite\n", 
Sources: []artifacts.Source{{Parent: "MacOSUserAccountsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Accounts/Accounts*.sqlite", "%%users.homedir%%/Library/Accounts/Accounts*.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/mac_os_x_10.9_artifacts_location#user.27s-accounts"}}, {Name: "MacOSNotesSQLiteDatabaseFile", Doc: "Notes SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSNotesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV*.storedata"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSAuthorizationRulesSQLiteDatabaseFile", Doc: "Authorization rules SQLite database file.\n\nSuperscedes /etc/authorization seen Mac OS X 10.8 Mountain Lion and earlier versions.\n", Sources: []artifacts.Source{{Parent: "MacOSAuthorizationRulesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/auth.db", "/var/db/auth.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), 
Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSMessageChatSQLiteDatabaseFile", Doc: "iMessage chat SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSMessageChatSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Messages/chat.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSStartupItemsPlistFile", Doc: "Startup Items property list (plist) files.", Sources: []artifacts.Source{{Parent: "MacOSStartupItemsPlistFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/StartupItems/**/*.plist", "/System/Library/StartupItems/**/*.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html"}}, {Name: "MacOSSystemPolicySQLiteDatabaseFile", Doc: "System policy database.", Sources: []artifacts.Source{{Parent: "MacOSSystemPolicySQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/SystemPolicy", "/var/db/SystemPolicy"}, 
Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSTextReplacementsSQLiteDatabaseFile", Doc: "Text replacements SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSTextReplacementsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/KeyboardServices/TextReplacements.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSWalletSQLiteDatabaseFile", Doc: "Apple Wallet SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSWalletSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Passes/passes23.sqlite"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSXcodeiOSDeviceLogsSQLiteDatabaseFile", Doc: "Xcode iOS Device Logs SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSXcodeiOSDeviceLogsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%users.homedir%%/Library/Developer/Xcode/iOS Device Logs/iOS Device Logs *.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSAddressBookImagesSQLiteDatabaseFile", Doc: "Address book images SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSAddressBookImagesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Applications/Xcode.app/Contents/Developer/Platforms/*.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/*.simruntime/Contents/Resources/SampleContent/Library/AddressBook/AddressBookImages.sqlitedb", "%%users.homedir%%/Library/Developer/CoreSimulator/Devices/*/data/Library/AddressBook/AddressBookImages.sqlitedb"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "SafariAutoFillCorrectionsSQLiteDatabaseFile", Doc: "Safari browser auto-fill corrections SQLite database file.", Sources: []artifacts.Source{{Parent: "SafariAutoFillCorrectionsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/AutoFillCorrections.db", "%%users.homedir%%/Library/Safari/AutoFillCorrections.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "MacOSSiriSuggestionsSnippetsSQLiteDatabaseFile", Doc: "Siri suggestions snippets SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSSiriSuggestionsSnippetsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Suggestions/snippets.db", "%%users.homedir%%/Library/Suggestions/snippets.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "SafariCookies", Doc: "Safari Cookies database.", Sources: []artifacts.Source{{Parent: "SafariCookies", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Cookies/Cookies.binarycookies", "%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "MacOSSiriSuggestionsPendingQueueSQLiteDatabaseFile", Doc: "Siri suggestions pending queue SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSSiriSuggestionsPendingQueueSQLiteDatabaseFile", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Suggestions/pending/queue.db", "%%users.homedir%%/Library/Suggestions/pending/queue.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSSiriAnalyticsSQLiteDatabaseFile", Doc: "Siri analytics SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSSiriAnalyticsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Assistant/SiriAnalytics.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserLocalItemsKeychainRecordsSQLiteDatabaseFile", Doc: "User (iCloud) local items keychain encrypted records SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSUserLocalItemsKeychainRecordsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Keychains/*/keychain-2.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: 
"MacOSDuetinteractionCSQLiteDatabaseFile", Doc: "Duet interactionC database.", Sources: []artifacts.Source{{Parent: "MacOSDuetinteractionCSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/CoreDuet/People/interactionC.db", "/var/db/CoreDuet/People/interactionC.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSDuetSystemEventsSQLiteDatabaseFile", Doc: "Duet system events database.", Sources: []artifacts.Source{{Parent: "MacOSDuetSystemEventsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/CoreDuet/coreduetd.db", "/var/db/CoreDuet/coreduetd.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSGatekeeperOpaqueConfigurationSQLiteDatabaseFile", Doc: "Gatekeeper opaque configuration database.", Sources: []artifacts.Source{{Parent: "MacOSGatekeeperOpaqueConfigurationSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db", "/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserKeychainOCSPCacheSQLiteDatabaseFile", Doc: "User keychain CRL and OCSP cache SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSUserKeychainOCSPCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Keychains/*/ocspcache.sqlite3"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserLocalItemsKeychainKeybagSQLiteDatabaseFile", Doc: "User (iCloud) local items keychain keybag SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSUserLocalItemsKeychainKeybagSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Keychains/*/user.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSSiriSuggestionsEntitiesSQLiteDatabaseFile", Doc: "Siri suggestions entities SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSSiriSuggestionsEntitiesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Suggestions/entities.db", 
"%%users.homedir%%/Library/Suggestions/entities.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSApplicationBundleCacheSQLiteDatabaseFile", Doc: "Application bundle cache SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSApplicationBundleCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Caches/*/Cache.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "SafariPerSitePreferencesSQLiteDatabaseFile", Doc: "Safari browser per site preferences SQLite database file.", Sources: []artifacts.Source{{Parent: "SafariPerSitePreferencesSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/PerSitePreferences.db", "%%users.homedir%%/Library/Safari/PerSitePreferences.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "MacOSApplePushServiceSQLiteDatabaseFile", Doc: "Apple push service 
SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSApplePushServiceSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Application Support/ApplePushService/aps.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSCallHistoryCacheSQLiteDatabaseFile", Doc: "Call history cache SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSCallHistoryCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/CallHistoryDB/CallHistory.storedata"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "WebKitPubSubSQLiteDatabaseFile", Doc: "WebKit RSS feed (PubSub) SQLite database file.", Sources: []artifacts.Source{{Parent: "WebKitPubSubSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/PubSub/Database/Database.sqlite3"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, 
{Name: "MacOSDuetActivitySchedulerSQLiteDatabaseFile", Doc: "Duet activity scheduler database.", Sources: []artifacts.Source{{Parent: "MacOSDuetActivitySchedulerSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/DuetActivityScheduler/DuetActivitySchedulerClassC.db", "/var/db/DuetActivityScheduler/DuetActivitySchedulerClassC.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserDockDesktopPictureSQLiteDatabaseFile", Doc: "Dock user desktop picture SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSUserDockDesktopPictureSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Dock/desktoppicture.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSWirelessDiagnosticDataPersistentSQLiteDatabaseFile", Doc: "Apple Wireless Diagnostic Data (AWDD) persistent SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSWirelessDiagnosticDataPersistentSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/awdd/persistent.db", "/var/db/awdd/persistent.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSDuetSQLiteDatabaseFile", Doc: "Duet database.", Sources: []artifacts.Source{{Parent: "MacOSDuetSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/db/CoreDuet/coreduetd.db", "/var/db/CoreDuet/coreduetd.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSAssetCacheInfoSQLiteDatabaseFile", Doc: "Asset cache information SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSAssetCacheInfoSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Caches/com.apple.AssetCache/AssetInfo.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSCalendarCacheSQLiteDatabaseFile", Doc: "Calendar cache SQLite database file.", Sources: []artifacts.Source{{Parent: "MacOSCalendarCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Calendars/Calendar Cache"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "NTFSMFTFiles", Doc: "The NTFS $MFT and $MFTMirr file system metadata files.\n\nGRR collection note: you currently need to specify 'use tsk' and\n'ignore download size limits' for this artifact to work. This will go away in\nthe future.\n", Sources: []artifacts.Source{{Parent: "NTFSMFTFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\$MFT", "%%environ_systemdrive%%\\$MFTMirr"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "NTFSLogFile", Doc: "The NTFS $LogFile file system metadata file.\n\nGRR collection note: you currently need to specify 'use tsk' and\n'ignore download size limits' for this artifact to work. 
This will go away in\nthe future.\n", Sources: []artifacts.Source{{Parent: "NTFSLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\$LogFile"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://sourceforge.net/projects/linux-ntfs/"}}, {Name: "NTFSUSNJournal", Doc: "The NTFS $UsnJnrl file system metadata file.\n\nNote that this currently does not include the $J alternate data stream name.\n", Sources: []artifacts.Source{{Parent: "NTFSUSNJournal", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\$Extend\\$UsnJrnl"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html"}}, {Name: "BashShellConfigurationFile", Doc: "Bourne Again shell (bash) configuration files.", Sources: []artifacts.Source{{Parent: "BashShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.bash_logout", "%%users.homedir%%/.bash_profile", "%%users.homedir%%/.bashrc", "/etc/bash.bashrc", "/etc/bashrc"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", 
"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "BashShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/etc/bash.bashrc", "/private/etc/bashrc"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "BashShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.bash_logout", "%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.bash_profile", "%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.bashrc"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Bash_shell"}}, {Name: "BashShellHistoryFile", Doc: "Bourne Again shell (bash) history files.", Sources: []artifacts.Source{{Parent: "BashShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.bash_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "BashShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.bash_history"}, Separator: 
"\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Bash_shell"}}, {Name: "BashShellSessionFile", Doc: "Bourne Again shell (bash) session files.", Sources: []artifacts.Source{{Parent: "BashShellSessionFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.bash_sessions/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Bash_shell"}}, {Name: "BourneShellHistoryFile", Doc: "Bourne shell (sh) history files.", Sources: []artifacts.Source{{Parent: "BourneShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.sh_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "BourneShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.sh_history"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://en.wikipedia.org/wiki/Bourne_shell"}}, {Name: "CShellConfigurationFile", Doc: "C shell (csh) configuration files.", Sources: []artifacts.Source{{Parent: "CShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.cshrc", "/etc/csh.cshrc", "/etc/csh.login", "/etc/csh.logout"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "CShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/etc/csh.cshrc", "/private/etc/csh.login", "/private/etc/csh.logout"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "CShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.cshrc"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://en.wikipedia.org/wiki/C_shell"}}, {Name: "FishShellConfigurationFile", Doc: "FishShell (fish) configuration files.", Sources: 
[]artifacts.Source{{Parent: "FishShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/fish/conf.d/config.fish", "/etc/fish/conf.d/*.fish", "%%users.homedir%%/.config/fish/config.fish", "/etc/fish/config.fish"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://fishshell.com/docs/current/language.html#configuration"}}, {Name: "FishShellHistoryFile", Doc: "Fish shell (fish) history files.", Sources: []artifacts.Source{{Parent: "FishShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.local/share/fish/fish_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string{"https://fishshell.com/docs/current/cmds/history.html"}}, {Name: "KornShellConfigurationFile", Doc: "KornShell (ksh) configuration files.", Sources: []artifacts.Source{{Parent: "KornShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.ksh", "/etc/kshrc"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "KornShellConfigurationFile", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/etc/kshrc"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "KornShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.ksh"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://en.wikipedia.org/wiki/KornShell"}}, {Name: "RootUserShellConfigs", Doc: "Common Unix root shell configuration files.", Sources: []artifacts.Source{{Parent: "RootUserShellConfigs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/root/.bash_logout", "/root/.bash_profile", "/root/.bashrc", "/root/.cshrc", "/root/.ksh", "/root/.config/fish/config.fish", "/root/.logout", "/root/.profile", "/root/.tcsh", "/root/.zlogin", "/root/.zlogout", "/root/.zprofile"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Urls: []string(nil)}, {Name: "RootUserShellHistory", Doc: "Common Unix root shell history files.", Sources: []artifacts.Source{{Parent: "RootUserShellHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"/root/.bash_history", "/root/.local/share/fish/fish_history", "/root/.sh_history", "/root/.zhistory", "/root/.zsh_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Urls: []string(nil)}, {Name: "ShellConfigurationFile", Doc: "Group of shell configuration files.", Sources: []artifacts.Source{{Parent: "ShellConfigurationFile", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"BashShellConfigurationFile", "CShellConfigurationFile", "FishShellConfigurationFile", "KornShellConfigurationFile", "ShellLogoutFile", "ShellProfileFile", "TeeShellConfigurationFile", "ZShellConfigurationFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ShellHistoryFile", Doc: "Group of shell history files.", Sources: []artifacts.Source{{Parent: "ShellHistoryFile", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"BashShellHistoryFile", "BourneShellHistoryFile", "FishShellHistoryFile", "ZShellHistoryFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", 
"Windows"}, Urls: []string(nil)}, {Name: "ShellLogoutFile", Doc: "Shell logout file.", Sources: []artifacts.Source{{Parent: "ShellLogoutFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.logout"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ShellLogoutFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.logout"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ShellProfileFile", Doc: "Shell profile file.", Sources: []artifacts.Source{{Parent: "ShellProfileFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.profile", "/etc/profile"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ShellProfileFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/etc/profile"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ShellProfileFile", Type: "FILE", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.profile"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "TeeShellConfigurationFile", Doc: "Tee shell (tcsh) configuration files.", Sources: []artifacts.Source{{Parent: "TeeShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.tcsh"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "TeeShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.tcsh"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://en.wikipedia.org/wiki/Tcsh"}}, {Name: "ZShellConfigurationFile", Doc: "Z shell (zsh) configuration files.", Sources: []artifacts.Source{{Parent: "ZShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.zlogin", "%%users.homedir%%/.zlogout", "%%users.homedir%%/.zprofile", 
"/etc/zshenv", "/etc/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout", "/etc/zsh/zprofile", "/etc/zsh/zshenv", "/etc/zsh/zshrc"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ZShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/etc/zshenv", "/private/etc/zshrc", "/private/etc/zsh/zlogin", "/private/etc/zsh/zlogout", "/private/etc/zsh/zprofile", "/private/etc/zsh/zshenv", "/private/etc/zsh/zshrc"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ZShellConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.zlogin", "%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.zlogout", "%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.zprofile"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://en.wikipedia.org/wiki/Z_shell"}}, {Name: "ZShellHistoryFile", Doc: "Z shell (zsh) history files.", Sources: []artifacts.Source{{Parent: "ZShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.zhistory", "%%users.homedir%%/.zsh_history"}, Separator: "", Cmd: "", 
Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin", "Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ZShellHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.zhistory", "%%users.localappdata%%\\Packages\\*\\LocalState\\rootfs\\home\\*\\.zsh_history"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://en.wikipedia.org/wiki/Z_shell"}}, {Name: "TomcatFiles", Doc: "Tomcat files.", Sources: []artifacts.Source{{Parent: "TomcatFiles", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"TomcatLogFiles", "TomcatPasswordFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "TomcatLogFiles", Doc: "Tomcat log files.", Sources: []artifacts.Source{{Parent: "TomcatLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Apache Software Foundation\\Tomcat*\\logs\\**\\access_log*", "%%environ_allusersappdata%%\\Apache Software Foundation\\Tomcat*\\logs\\access_log*", "%%environ_allusersappdata%%\\Apache Software 
Foundation\\Tomcat*\\logs\\**\\catalina.out", "%%environ_allusersappdata%%\\Apache Software Foundation\\Tomcat*\\logs\\catalina.out", "%%environ_programfiles%%\\Apache Software Foundation\\Tomcat*\\logs\\**\\access_log*", "%%environ_programfiles%%\\Apache Software Foundation\\Tomcat*\\logs\\access_log*", "%%environ_programfiles%%\\Apache Software Foundation\\Tomcat*\\logs\\**\\catalina.out", "%%environ_programfiles%%\\Apache Software Foundation\\Tomcat*\\logs\\catalina.out", "%%environ_programfilesx86%%\\Apache Software Foundation\\Tomcat*\\logs\\**\\access_log*", "%%environ_programfilesx86%%\\Apache Software Foundation\\Tomcat*\\logs\\access_log*", "%%environ_programfilesx86%%\\Apache Software Foundation\\Tomcat*\\logs\\**\\catalina.out", "%%environ_programfilesx86%%\\Apache Software Foundation\\Tomcat*\\logs\\catalina.out"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "TomcatLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/opt/tomcat*/logs/**/access_log*", "/opt/tomcat*/logs/access_log*", "/opt/tomcat*/logs/**/catalina.out", "/opt/tomcat*/logs/catalina.out", "/usr/local/tomcat*/logs/**/access_log*", "/usr/local/tomcat*/logs/access_log*", "/usr/local/tomcat*/logs/**/catalina.out", "/usr/local/tomcat*/logs/catalina.out", "/usr/share/tomcat*/logs/**/access_log*", "/usr/share/tomcat*/logs/access_log*", "/usr/share/tomcat*/logs/**/catalina.out", "/usr/share/tomcat*/logs/catalina.out", "/var/lib/tomcat*/logs/**/access_log*", "/var/lib/tomcat*/logs/access_log*", "/var/lib/tomcat*/logs/**/catalina.out", "/var/lib/tomcat*/logs/catalina.out"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "TomcatLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Tomcat/logs/**/access_log*", "/Library/Tomcat/logs/access_log*", "/Library/Tomcat/logs/**/catalina.out", "/Library/Tomcat/logs/catalina.out", "/usr/local/apache-tomcat*/logs/**/access_log*", "/usr/local/apache-tomcat*/logs/access_log*", "/usr/local/apache-tomcat*/logs/**/catalina.out", "/usr/local/apache-tomcat*/logs/catalina.out", "/usr/local/Cellar/tomcat*/logs/**/access_log*", "/usr/local/Cellar/tomcat*/logs/access_log*", "/usr/local/Cellar/tomcat*/logs/**/catalina.out", "/usr/local/Cellar/tomcat*/logs/catalina.out"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Linux", "Darwin"}, Urls: []string{"https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Logging", "https://tomcat.apache.org/tomcat-8.0-doc/logging.html"}}, {Name: "TomcatPasswordFile", Doc: "Tomcat password file.", Sources: []artifacts.Source{{Parent: "TomcatPasswordFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Apache Software Foundation\\Tomcat*\\conf\\tomcat-users.xml", "%%environ_programfiles%%\\Apache Software Foundation\\Tomcat*\\conf\\tomcat-users.xml", "%%environ_programfilesx86%%\\Apache Software Foundation\\Tomcat*\\conf\\tomcat-users.xml"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "TomcatPasswordFile", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"/opt/tomcat*/conf/tomcat-users.xml", "/private/var/lib/tomcat*/conf/tomcat-users.xml", "/usr/local/tomcat*/conf/tomcat-users.xml", "/usr/share/tomcat*/conf/tomcat-users.xml", "/var/lib/tomcat*/conf/tomcat-users.xml"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "TomcatPasswordFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Tomcat/conf/tomcat-users.xml", "/usr/local/apache-tomcat-*/conf/tomcat-users.xml", "/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Linux", "Darwin"}, Urls: []string{"https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access"}}, {Name: "UnixGroups", Doc: "Unix groups file.", Sources: []artifacts.Source{{Parent: "UnixGroups", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/group", "/private/etc/group"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "UnixGroups", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/group"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "UnixHostsFile", Doc: "Unix hosts file", Sources: []artifacts.Source{{Parent: "UnixHostsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hosts", "/private/etc/hosts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "UnixHostsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hosts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "UnixPasswd", Doc: "Unix /etc/passwd file.", Sources: []artifacts.Source{{Parent: "UnixPasswd", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/passwd", "/private/etc/passwd"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "UnixPasswd", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/passwd"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "UnixShadowFile", Doc: "Unix /etc/shadow file.", Sources: []artifacts.Source{{Parent: "UnixShadowFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/shadow", "/private/etc/shadow"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "UnixShadowFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/shadow"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "UnixSudoersConfiguration", Doc: "Unix sudoers configuration.", Sources: []artifacts.Source{{Parent: "UnixSudoersConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/sudoers", "/private/etc/sudoers"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "UnixSudoersConfiguration", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/sudoers"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication", "Configuration Files"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "UnixUsersGroups", Doc: "Unix users and groups files.", Sources: []artifacts.Source{{Parent: "UnixUsersGroups", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"UnixGroups", "UnixPasswd", "UnixShadowFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Authentication"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "BrowserCache", Doc: "Web browser cache of multiple web browsers.", Sources: []artifacts.Source{{Parent: "BrowserCache", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"ChromeCache", "FirefoxCache", "InternetExplorerCache", "SafariCacheSQLiteDatabaseFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "BrowserHistory", Doc: "Web browser history of multiple web browsers.", Sources: []artifacts.Source{{Parent: "BrowserHistory", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"ChromiumBasedBrowsersHistoryDatabaseFile", "FirefoxHistory", "InternetExplorerHistory", "OperaHistoryFile", "SafariDownloads", "SafariHistory"}, Paths: []string(nil), Separator: "", 
Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ChromeStorage", Doc: "Google Chrome, Canary and Chromium browser artifacts for Storage APIs.\n\nIncludes Web Storage (sessionStorage for session-only data and\nlocalStorage for persistent data), IndexedDB (used for structured data),\nand FileSystem (object storage in a virtual file system).\n", Sources: []artifacts.Source{{Parent: "ChromeStorage", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"ChromeLocalStorage", "ChromeSessionStorage", "ChromeFileSystem", "ChromeIndexedDB"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API", "https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API", "https://developer.mozilla.org/en-US/docs/Web/API/FileSystem"}}, {Name: "ChromeCache", Doc: "Google Chrome, Canary and Chromium browser caches.\n\nCanary uses \"Chrome SxS\" on windows.\n\n* Disk cache (or Cache)\n* Media cache\n* Application cache\n* GPU shader cache\n* PNaCl translation cache\n", Sources: []artifacts.Source{{Parent: "ChromeCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome\\User 
Data\\*\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\GPUCache\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Caches/Google/Chrome/*/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*", "%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*", "%%users.homedir%%/Library/Application 
Support/Google/Chrome Canary/*/GPUCache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*", "%%users.homedir%%/Caches/Chromium/*/Cache/*", "%%users.homedir%%/Library/Caches/Chromium/*/Cache/*", "%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*", "%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.cache/google-chrome/Cache/*", "%%users.homedir%%/.cache/google-chrome/*/Cache/*", "%%users.homedir%%/.cache/google-chrome/*/Media Cache/*", "%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*", "%%users.homedir%%/.config/google-chrome/*/Application Cache/*", "%%users.homedir%%/.config/google-chrome/*/Cache/*", "%%users.homedir%%/.config/google-chrome/*/Media Cache/*", "%%users.homedir%%/.config/google-chrome/*/GPUCache/*", "%%users.homedir%%/.cache/chromium/Cache/*", "%%users.homedir%%/.cache/chromium/*/Cache/*", "%%users.homedir%%/.cache/chromium/*/Media Cache/*", "%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*", "%%users.homedir%%/.config/chromium/*/Application Cache/*", "%%users.homedir%%/.config/chromium/*/Cache/*", "%%users.homedir%%/.config/chromium/*/Media Cache/*", "%%users.homedir%%/.config/chromium/*/GPUCache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Media Cache/*", 
"%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Application Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Media Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/GPUCache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Application Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/GPUCache/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://developer.chrome.com/apps/fileSystem", "https://developer.mozilla.org/en-US/docs/Web/API/FileSystem", "https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/"}}, {Name: "ChromiumBasedBrowsersCache", Doc: "Caches of multiple Chromium-based browsers (Google Chrome, Brave, Chromium,\nYandex, Opera, Edge, EdgeBeta).\n\nCanary uses \"Chrome SxS\" on windows.\n\n* Disk cache (or Cache)\n* Media cache\n* Application cache\n* GPU 
shader cache\n* PNaCl translation cache\n", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Brave\\*\\Application Cache\\Cache\\*", "%%users.appdata%%\\Brave\\*\\Cache\\*", "%%users.appdata%%\\Brave\\*\\Cache\\Cache_Data\\*", "%%users.appdata%%\\Brave\\*\\GPUCache\\*", "%%users.appdata%%\\Brave\\*\\Media Cache\\*", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Application Cache\\Cache\\*", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Cache\\*", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Cache\\Cache_Data\\*", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\GPUCache\\*", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Media Cache\\*", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Chromium\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Chromium\\*\\Cache\\*", "%%users.localappdata%%\\Chromium\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Chromium\\*\\GPUCache\\*", "%%users.localappdata%%\\Chromium\\*\\Media Cache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome 
SxS\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Media Cache\\*", "%%users.localappdata%%\\Opera Software\\Opera Stable\\*\\Cache_Data\\*", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Application Cache\\Cache\\*", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Cache\\*", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Cache\\Cache_Data\\*", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\GPUCache\\*", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Media Cache\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Caches/Chromium/*/Cache/*", "%%users.homedir%%/Caches/Google/Chrome/*/Cache/*", "%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Cache/*", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/Cache/*", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/Chromium/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Chromium/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Cache/*", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/Cache/*", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Media Cache/*", "%%users.homedir%%/Library/Application 
Support/com.operasoftware.Opera/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge/Cache/*", 
"%%users.homedir%%/Library/Application Support/Microsoft Edge/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Microsoft Edge/PnaclTranslationCache/*", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Application Cache/*", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Cache/*", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/Cache/*", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/GPUCache/*", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Media Cache/*", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/PnaclTranslationCache/*", "%%users.homedir%%/Library/Caches/Chromium/*/Application Cache/*", "%%users.homedir%%/Library/Caches/Chromium/*/Cache/*", "%%users.homedir%%/Library/Caches/Chromium/Cache/*", "%%users.homedir%%/Library/Caches/Chromium/*/GPUCache/*", "%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*", "%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*", "%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersCache", Type: "FILE", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string{"%%users.homedir%%/.cache/BraveSoftware/Brave-Browser/*/Cache/Cache_Data/*", "%%users.homedir%%/.cache/BraveSoftware/Brave-Browser/Cache/Cache_Data/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/Cache_Data/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/Cache_Data/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Media Cache/*", "%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*", "%%users.homedir%%/.cache/chromium/*/Cache/*", "%%users.homedir%%/.cache/chromium/Cache/*", "%%users.homedir%%/.cache/chromium/*/Cache/Cache_Data/*", "%%users.homedir%%/.cache/chromium/*/Media Cache/*", "%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*", "%%users.homedir%%/.cache/google-chrome/*/Cache/*", "%%users.homedir%%/.cache/google-chrome/Cache/*", "%%users.homedir%%/.cache/google-chrome/*/Cache/Cache_Data/*", "%%users.homedir%%/.cache/google-chrome/*/Media Cache/*", "%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*", "%%users.homedir%%/.cache/microsoft-edge/*/Cache/Cache_Data/*", "%%users.homedir%%/.cache/opera/*/Cache_Data/*", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Application Cache/*", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Cache/*", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/Cache/*", 
"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/GPUCache/*", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Media Cache/*", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/PnaclTranslationCache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Application Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/Cache_Data/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/GPUCache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Application Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/Cache_Data/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/GPUCache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Media Cache/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*", "%%users.homedir%%/.config/chromium/*/Application Cache/*", "%%users.homedir%%/.config/chromium/*/Cache/*", "%%users.homedir%%/.config/chromium/Cache/*", "%%users.homedir%%/.config/chromium/*/Cache/Cache_Data/*", "%%users.homedir%%/.config/chromium/*/GPUCache/*", "%%users.homedir%%/.config/chromium/*/Media Cache/*", "%%users.homedir%%/.config/chromium/PnaclTranslationCache/*", "%%users.homedir%%/.config/google-chrome/*/Application Cache/*", "%%users.homedir%%/.config/google-chrome-beta/*/Application Cache/*", 
"%%users.homedir%%/.config/google-chrome-beta/*/Cache/*", "%%users.homedir%%/.config/google-chrome-beta/Cache/*", "%%users.homedir%%/.config/google-chrome-beta/*/GPUCache/*", "%%users.homedir%%/.config/google-chrome-beta/*/Media Cache/*", "%%users.homedir%%/.config/google-chrome-beta/PnaclTranslationCache/*", "%%users.homedir%%/.config/google-chrome/*/Cache/*", "%%users.homedir%%/.config/google-chrome/Cache/*", "%%users.homedir%%/.config/google-chrome/*/Cache/Cache_Data/*", "%%users.homedir%%/.config/google-chrome/*/GPUCache/*", "%%users.homedir%%/.config/google-chrome/*/Media Cache/*", "%%users.homedir%%/.config/google-chrome/PnaclTranslationCache/*", "%%users.homedir%%/.config/microsoft-edge/*/GPUCache/*", "%%users.homedir%%/.config/opera/*/Application Cache/*", "%%users.homedir%%/.config/opera/*/Cache/*", "%%users.homedir%%/.config/opera/Cache/*", "%%users.homedir%%/.config/opera/*/GPUCache/*", "%%users.homedir%%/.config/opera/GPUCache/*", "%%users.homedir%%/.config/opera/*/Media Cache/*", "%%users.homedir%%/.config/opera/PnaclTranslationCache/*", "%%users.homedir%%/.config/yandex-browser-beta/*/Application Cache/*", "%%users.homedir%%/.config/yandex-browser-beta/*/Cache/*", "%%users.homedir%%/.config/yandex-browser-beta/Cache/*", "%%users.homedir%%/.config/yandex-browser-beta/*/GPUCache/*", "%%users.homedir%%/.config/yandex-browser-beta/*/Media Cache/*", "%%users.homedir%%/.config/yandex-browser-beta/PnaclTranslationCache/*", "%%users.homedir%%/snap/chromium/common/chromium/*/Application Cache/*", "%%users.homedir%%/snap/chromium/common/chromium/*/Cache/*", "%%users.homedir%%/snap/chromium/common/chromium/Cache/*", "%%users.homedir%%/snap/chromium/common/chromium/*/GPUCache/*", "%%users.homedir%%/snap/chromium/common/chromium/*/Media Cache/*", "%%users.homedir%%/snap/chromium/common/chromium/PnaclTranslationCache/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, 
Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html"}}, {Name: "ChromiumBasedBrowsersCookiesDatabaseFile", Doc: "Cookies database file for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersCookiesDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Cookies", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Cookies-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Cookies", "%%users.localappdata%%\\Chromium\\User Data\\*\\Cookies-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Cookies", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Cookies-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Cookies", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Cookies-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Cookies", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Cookies-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Cookies", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Cookies-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Cookies", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Cookies-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Cookies", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Cookies-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Cookies", 
"%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Cookies-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Cookies", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Cookies-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersCookiesDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Cookies", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Cookies-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Cookies", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Cookies-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Cookies", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Cookies-journal", "%%users.homedir%%/.config/chromium/*/Cookies", "%%users.homedir%%/.config/chromium/*/Cookies-journal", "%%users.homedir%%/.config/chromium/*/Network/Cookies", "%%users.homedir%%/.config/chromium/*/Network/Cookies-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Cookies", "%%users.homedir%%/.config/google-chrome-beta/*/Cookies-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Cookies", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Cookies-journal", 
"%%users.homedir%%/.config/google-chrome/*/Cookies", "%%users.homedir%%/.config/google-chrome/*/Cookies-journal", "%%users.homedir%%/.config/google-chrome/*/Network/Cookies", "%%users.homedir%%/.config/google-chrome/*/Network/Cookies-journal", "%%users.homedir%%/.config/microsoft-edge/*/Cookies", "%%users.homedir%%/.config/microsoft-edge/*/Cookies-journal", "%%users.homedir%%/.config/opera/Cookies", "%%users.homedir%%/.config/opera/Cookies-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersCookiesDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Cookies", "%%users.homedir%%/Library/Application Support/Chromium/*/Cookies-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Cookies", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Cookies-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Cookies", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Cookies-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Cookies", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Cookies-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ChromeExtensionActivity", Doc: "Chrome Extension Activity database.", Sources: []artifacts.Source{{Parent: "ChromeExtensionActivity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Brave\\*\\Extension Activity", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Extension Activity", "%%users.localappdata%%\\Chromium\\*\\Extension Activity", "%%users.localappdata%%\\Chromium\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Extension Activity"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeExtensionActivity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Extension Activity", "%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Extension Activity", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Extension Activity", 
"%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Extension Activity", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Extension Activity"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeExtensionActivity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Extension Activity", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extension Activity", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extension Activity", "%%users.homedir%%/.config/chromium/*/Extension Activity", "%%users.homedir%%/.config/google-chrome-beta/*/Extension Activity", "%%users.homedir%%/.config/google-chrome/*/Extension Activity", "%%users.homedir%%/.config/opera/*/Extension Activity", "%%users.homedir%%/.config/yandex-browser-beta/*/Extension Activity", "%%users.homedir%%/snap/chromium/common/chromium/*/Extension Activity"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extension_Activity_database"}}, {Name: "ChromeExtensions", Doc: "Chrome browser extension files.", Sources: []artifacts.Source{{Parent: "ChromeExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Extensions\\**10", 
"%%users.localappdata%%\\Chromium\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Extensions\\**10"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/Extensions/**10", "%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10", "%%users.homedir%%/.config/chromium/*/Extensions/**10", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extensions"}}, {Name: "ChromiumBasedBrowsersExtensions", Doc: "Browser extension files for multiple Chromium-based browsers (Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta).", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Extensions\\**10", "%%users.appdata%%\\Brave\\*\\Extensions\\**10", "%%users.localappdata%%\\Chromium\\*\\Extensions\\**10", "%%users.localappdata%%\\Chromium\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Extensions\\**10", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Extensions\\**10"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Extensions/**10", "%%users.homedir%%/Library/Application 
Support/Yandex/YandexBrowser/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Extensions/**10", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10", "%%users.homedir%%/.config/chromium/*/Extensions/**10", "%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10", "%%users.homedir%%/.config/google-chrome/*/Extensions/**10", "%%users.homedir%%/.config/opera/*/Extensions/**10", "%%users.homedir%%/.config/yandex-browser-beta/*/Extensions/**10", "%%users.homedir%%/snap/chromium/common/chromium/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extensions", "https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Chromium-based_Browsers"}}, {Name: "ChromiumBasedBrowsersExtensionActivity", Doc: "Browser Extension Activity database for multiple Chromium-based browsers (Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta).", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersExtensionActivity", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Extension Activity", "%%users.appdata%%\\Brave\\*\\Extension Activity", "%%users.localappdata%%\\Chromium\\*\\Extension Activity", "%%users.localappdata%%\\Chromium\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Extension Activity", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Extension Activity"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersExtensionActivity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Extensions/**10", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: 
[]artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersExtensionActivity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Extensions/**10", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10", "%%users.homedir%%/.config/chromium/*/Extensions/**10", "%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10", "%%users.homedir%%/.config/google-chrome/*/Extensions/**10", "%%users.homedir%%/.config/opera/*/Extensions/**10", "%%users.homedir%%/.config/yandex-browser-beta/*/Extensions/**10", "%%users.homedir%%/snap/chromium/common/chromium/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extension_Activity_database", "https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Chromium-based_Browsers"}}, {Name: "ChromeExtensionRegistryKeys", Doc: "Chrome extensions installed by writing windows registry keys.", Sources: []artifacts.Source{{Parent: "ChromeExtensionRegistryKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Google\\Chrome\\Extensions\\**5", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Google\\Chrome\\Extensions\\**5"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://developer.chrome.com/extensions/external_extensions#registry"}}, {Name: "ChromeFileSystem", Doc: "Google Chrome, Canary and Chromium File System files.\n\nThe File System directory backs Chrome's fileSystem API. Inside this\ndirectory are a mixture of the data files saved using the fileSystem\nAPI and LevelDB directories that track the logical structure of the\nvirtual file system.\n", Sources: []artifacts.Source{{Parent: "ChromeFileSystem", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Chromium\\User Data\\*\\File System\\**5", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\File System\\**5", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\File System\\**5", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\File System\\**5"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeFileSystem", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/File System/**5", "%%users.homedir%%/.config/chromium/*/File System/**5", "%%users.homedir%%/.config/google-chrome-beta/*/File System/**5", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/File System/**5", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/File System/**5"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeFileSystem", Type: "FILE", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/File System/**5", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/File System/**5", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/File System/**5"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://developer.chrome.com/apps/fileSystem", "https://developer.mozilla.org/en-US/docs/Web/API/FileSystem", "https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/"}}, {Name: "ChromiumBasedBrowsersHistoryDatabaseFile", Doc: "Browsing history database file for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersHistoryDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived History", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/Archived History", "%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/History", "%%users.homedir%%/Library/Application Support/Chromium/*/History-journal", "%%users.homedir%%/Library/Application 
Support/Google/Chrome Canary/*/Archived History", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/History", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived History", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History-journal", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived History", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History-journal", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived History", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History", "%%users.homedir%%/Library/Application 
Support/com.operasoftware.Opera/*/History-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersHistoryDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History-journal", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal", "%%users.homedir%%/.config/chromium/*/Archived History", "%%users.homedir%%/.config/chromium/*/Archived History-journal", "%%users.homedir%%/.config/chromium/*/History", "%%users.homedir%%/.config/chromium/*/History-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Archived History", "%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal", "%%users.homedir%%/.config/google-chrome-beta/*/History", "%%users.homedir%%/.config/google-chrome-beta/*/History-journal", 
"%%users.homedir%%/.config/google-chrome/*/Archived History", "%%users.homedir%%/.config/google-chrome/*/Archived History-journal", "%%users.homedir%%/.config/google-chrome/*/History", "%%users.homedir%%/.config/google-chrome/*/History-journal", "%%users.homedir%%/.config/microsoft-edge/*/Archived History", "%%users.homedir%%/.config/microsoft-edge/*/Archived History-journal", "%%users.homedir%%/.config/microsoft-edge/*/History", "%%users.homedir%%/.config/microsoft-edge/*/History-journal", "%%users.homedir%%/.config/opera/*/Archived History", "%%users.homedir%%/.config/opera/*/Archived History-journal", "%%users.homedir%%/.config/opera/*/History", "%%users.homedir%%/.config/opera/*/History-journal", "%%users.homedir%%/.config/yandex-browser-beta/*/Archived History", "%%users.homedir%%/.config/yandex-browser-beta/*/Archived History-journal", "%%users.homedir%%/.config/yandex-browser-beta/*/History", "%%users.homedir%%/.config/yandex-browser-beta/*/History-journal", "%%users.homedir%%/snap/chromium/common/chromium/*/Archived History", "%%users.homedir%%/snap/chromium/common/chromium/*/Archived History-journal", "%%users.homedir%%/snap/chromium/common/chromium/*/History", "%%users.homedir%%/snap/chromium/common/chromium/*/History-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersHistoryDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Brave\\*\\Archived History", "%%users.appdata%%\\Brave\\*\\Archived History-journal", "%%users.appdata%%\\Brave\\*\\History", "%%users.appdata%%\\Brave\\*\\History-journal", "%%users.appdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\History", "%%users.appdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\History-journal", 
"%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Archived History", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Archived History-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\History", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\History-journal", "%%users.localappdata%%\\Chromium\\*\\Archived History", "%%users.localappdata%%\\Chromium\\*\\Archived History-journal", "%%users.localappdata%%\\Chromium\\*\\History", "%%users.localappdata%%\\Chromium\\*\\History-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Archived History", "%%users.localappdata%%\\Chromium\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\History", "%%users.localappdata%%\\Chromium\\User Data\\*\\History-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Archived History", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\History", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\History-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Archived History", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\History", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\History-journal", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Archived History", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\History", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\History-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Archived History", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\History", "%%users.localappdata%%\\Microsoft\\Edge\\User 
Data\\*\\History-journal", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Archived History", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\History", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\History-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://forensics.wiki/google_chrome", "https://forensics.wiki/google_chrome#chromium-based-browsers"}}, {Name: "ChromeIndexedDB", Doc: "Google Chrome, Canary and Chromium IndexedDB files.\n\nThe IndexedDB directory contains one directory per origin that uses\nIndexedDB, named like https_www.example.com_0.indexeddb.leveldb,\nchrome-extension_app-id-xxx_0.indexeddb.leveldb, or\nhttps_www.example.com_0.indexeddb.blob. Inside each of the *.leveldb\ndirectories are the files the comprise a LevelDB database, which in turn\nholds IndexedDB data for that origin. 
There may be an accompanying .blob\ndirectory, which contains a nested folder structure of blobs.\n", Sources: []artifacts.Source{{Parent: "ChromeIndexedDB", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Chromium\\User Data\\*\\IndexedDB\\**5", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\IndexedDB\\**5", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\IndexedDB\\**5", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\IndexedDB\\**5"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeIndexedDB", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/IndexedDB/**5", "%%users.homedir%%/.config/chromium/*/IndexedDB/**5", "%%users.homedir%%/.config/google-chrome-beta/*/IndexedDB/**5", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/IndexedDB/**5", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/IndexedDB/**5"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeIndexedDB", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/IndexedDB/**5", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/IndexedDB/**5", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/IndexedDB/**5"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API"}}, {Name: "ChromeLocalStorage", Doc: "Google Chrome, Canary and Chromium Local Storage files.\n\n* Chrome v60 and below used individual .sqlite files per origin for Local Storage,\n stored in the Local Storage directory root.\n* In Chrome v61, a leveldb directory was added inside the root Local Storage directory,\n and new origins saved Local Storage data in a single LevelDB there.\n* Existing .sqlite files are kept (not moved to leveldb), so it is possible for a\n single Chrome profile to use both SQLite and LevelDB for Local Storage.\n", Sources: []artifacts.Source{{Parent: "ChromeLocalStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Chromium\\User Data\\*\\Local Storage\\**", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Local Storage\\**", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Local Storage\\**", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Local Storage\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeLocalStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/Local Storage/**", "%%users.homedir%%/.config/chromium/*/Local Storage/**", "%%users.homedir%%/.config/google-chrome-beta/*/Local Storage/**", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Local Storage/**", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Local 
Storage/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeLocalStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/Extensions/**10", "%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10", "%%users.homedir%%/.config/chromium/*/Extensions/**10"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeLocalStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Local Storage/**", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Local Storage/**", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extensions"}}, {Name: "ChromePreferences", Doc: "Chrome Preferences file.", Sources: []artifacts.Source{{Parent: "ChromePreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Chromium\\User Data\\*\\Preferences", "%%users.localappdata%%\\Chromium\\User Data\\*\\Secure Preferences", "%%users.localappdata%%\\Google\\Chrome 
SxS\\User Data\\*\\Preferences", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Secure Preferences", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Preferences", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Secure Preferences", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Preferences"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromePreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Preferences", "%%users.homedir%%/Library/Application Support/Chromium/*/Secure Preferences", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Secure Preferences", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Secure Preferences"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromePreferences", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Secure Preferences", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Preferences", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Secure Preferences", "%%users.homedir%%/.config/chromium/*/Preferences", "%%users.homedir%%/.config/chromium/*/Secure Preferences", 
"%%users.homedir%%/.config/google-chrome/*/Preferences", "%%users.homedir%%/.config/google-chrome/*/Secure Preferences"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Configuration"}}, {Name: "ChromeSessionStorage", Doc: "Google Chrome, Canary and Chromium Sessions and Session Storage files.\n\nThe Sessions directory contains information for restoring tabs and windows\nfrom a browsing session.\n\nThe Session Storage directory contains the files that comprise a LevelDB\ndatabase, which in turn holds the Session Storage data.\n", Sources: []artifacts.Source{{Parent: "ChromeSessionStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Session Storage/*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Session Storage/*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Session Storage/*", "%%users.homedir%%/Library/Application Support/Chromium/*/Sessions/Session_*", "%%users.homedir%%/Library/Application Support/Chromium/*/Sessions/Tabs_*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Sessions/Session_*", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Sessions/Tabs_*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Sessions/Session_*", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Sessions/Tabs_*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeSessionStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/Session Storage/*", "%%users.homedir%%/.config/chromium/*/Session Storage/*", "%%users.homedir%%/.config/google-chrome-beta/*/Session Storage/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Session Storage/*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Session Storage/*", "%%users.homedir%%/.config/google-chrome/*/Sessions/Session_*", "%%users.homedir%%/.config/google-chrome/*/Sessions/Tabs_*", "%%users.homedir%%/.config/chromium/*/Sessions/Session_*", "%%users.homedir%%/.config/chromium/*/Sessions/Tabs_*", "%%users.homedir%%/.config/google-chrome-beta/*/Sessions/Session_*", "%%users.homedir%%/.config/google-chrome-beta/*/Sessions/Tabs_*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Sessions/Session_*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Sessions/Tabs_*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Sessions/Session_*", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Sessions/Tabs_*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromeSessionStorage", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Chromium\\User Data\\*\\Session Storage\\*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Session Storage\\*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Session Storage\\*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Session Storage\\*", 
"%%users.localappdata%%\\Chromium\\User Data\\*\\Sessions\\Session_*", "%%users.localappdata%%\\Chromium\\User Data\\*\\Sessions\\Tabs_*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Sessions\\Session_*", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Sessions\\Tabs_*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Sessions\\Session_*", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Sessions\\Tabs_*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Sessions\\Session_*", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Sessions\\Tabs_*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "FirefoxCache", Doc: "Mozilla Firefox browser caches.", Sources: []artifacts.Source{{Parent: "FirefoxCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/Cache/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/cache2/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/cache2/doomed/*", "%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/cache2/entries/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.mozilla/firefox/*.default/Cache/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default/Cache/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/doomed/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/entries/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default-*/Cache/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default-*/cache2/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default-*/cache2/doomed/*", "%%users.homedir%%/.cache/mozilla/firefox/*.default-*/cache2/entries/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/Cache/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/cache2/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/cache2/doomed/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/cache2/entries/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/Cache/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/cache2/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/cache2/doomed/*", "%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/cache2/entries/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default\\Cache\\*", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default\\cache2\\*", 
"%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default\\cache2\\doomed\\*", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default\\cache2\\entries\\*", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default-*\\Cache\\*", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default-*\\cache2\\*", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default-*\\cache2\\doomed\\*", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*.default-*\\cache2\\entries\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/FirefoxCache.html"}}, {Name: "FirefoxHistory", Doc: "Firefox browser history (places.sqlite).", Sources: []artifacts.Source{{Parent: "FirefoxHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite-wal", "%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite-wal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite", "%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal"}, 
Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.mozilla/firefox/*/places.sqlite", "%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal", "%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite", "%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"}}, {Name: "FirefoxAddOns", Doc: "Firefox browser add-ons/extensions.", Sources: []artifacts.Source{{Parent: "FirefoxAddOns", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\addons.json", "%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\extensions.json", "%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\webapps\\webapps.json", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\addons.json", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\extensions.json", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\webapps\\webapps.json"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxAddOns", Type: "FILE", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json", "%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json", "%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/webapps/webapps.json"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxAddOns", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.mozilla/firefox/*/addons.json", "%%users.homedir%%/.mozilla/firefox/*/extensions.json", "%%users.homedir%%/.mozilla/firefox/*/webapps/webapps.json"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://github.com/osquery/osquery/blob/6969e075fd4118e36f6cab54b0956e53dde5ba3f/osquery/tables/applications/browser_firefox.cpp#"}}, {Name: "InternetExplorerBrowserHelperObjects", Doc: "Loaded on Internet Explorer startup", Sources: []artifacts.Source{{Parent: "InternetExplorerBrowserHelperObjects", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, 
Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://regenerus.com/malware-common-loadpoints/", "https://code.google.com/p/regripper/wiki/ASEPs"}}, {Name: "InternetExplorerCache", Doc: "Microsoft Internet Explorer (MSIE) browser cache.\n\n* MSIE 4 - 9 Temporary Internet files.\n* MSIE 10 INetCache files.\n", Sources: []artifacts.Source{{Parent: "InternetExplorerCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\*\\*", "%%users.localappdata%%\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\*\\*", "%%users.localappdata%%\\Microsoft\\Windows\\INetCache\\IE\\*\\*", "%%users.localappdata%%\\Microsoft\\Windows\\INetCache\\Low\\*\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer"}}, {Name: "InternetExplorerCookies", Doc: "Microsoft Internet Explorer (MSIE) browser cookies.\n\n* MSIE 4 - 9 Cache files (index.dat)\n", Sources: []artifacts.Source{{Parent: "InternetExplorerCookies", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\Cookies\\index.dat", "%%users.appdata%%\\Microsoft\\Windows\\Cookies\\Low\\index.dat", "%%users.userprofile%%\\Cookies\\index.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", 
BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer"}}, {Name: "InternetExplorerHistory", Doc: "Microsoft Internet Explorer (MSIE) browser history.\n\n* MSIE 4 - 9 Cache files (index.dat);\n* MSIE 10 WebCacheV*.dat files.\n", Sources: []artifacts.Source{{Parent: "InternetExplorerHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\IEDownloadHistory\\index.dat", "%%users.localappdata%%\\Microsoft\\Feeds Cache\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\History.IE5\\*\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\History.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\Low\\History.IE5\\*\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\Low\\History.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\WebCache\\WebCacheV*.dat", "%%users.userprofile%%\\Local Settings\\History\\History.IE5\\index.dat", "%%users.userprofile%%\\Local Settings\\History\\History.IE5\\*\\index.dat", "%%users.userprofile%%\\Local Settings\\History\\Temporary Internet Files\\Content.IE5\\index.dat", "%%users.userprofile%%\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer"}}, {Name: "InternetExplorerProtectedModeElevationPolicies", Doc: "Trust levels of apps launched from low rights IE sessions.\n\nThe ElevationPolicy dictates how IE handles applications that want to execute\nin other applications that reside outside of the Low Rights IE session.\n\n* AppName is the executable\n* AppPath is the directory\n* CLSID is used if it launches a COM server through CoCreateInstance\n* Policy (DWORD) is the trust level, of 0 through 3.\n\n* 3 Protected Mode silently launches the broker as a medium integrity process.\n* 2 Protected Mode prompts the user for permission to launch the process. If\n permission is granted, the process is launched as a medium integrity process.\n* 1 Protected Mode silently launches the broker as a low integrity process.\n* 0 Protected Mode prevents the process from launching.\n", Sources: []artifacts.Source{{Parent: "InternetExplorerProtectedModeElevationPolicies", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "Policy"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "AppName"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "AppPath"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "CLSID"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "Policy"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "AppName"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "AppPath"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\*", Value: "CLSID"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://blogs.technet.com/b/juanand/archive/2010/10/29/internet-explorer-protected-mode-elevation-policy-and-administrative-templates.aspx", "https://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx"}}, {Name: "InternetExplorerProtectedModeDisable", Doc: "Microsoft Internet Explorer (MSIE) Protected Mode Banner can be suppressed\nby setting NoProtectedModeBanner.\n\n* Applies to versions 7-11\n", Sources: []artifacts.Source{{Parent: "InternetExplorerProtectedModeDisable", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Main\\NoProtectedModeBanner"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://www.blackforce.co.uk/2014/01/07/disable-protected-mode-is-turned-off-for-the-internet-zone-group-policy"}}, {Name: "InternetExplorer6Settings", Doc: "Registry keys affecting default behavior for Microsoft Internet Explorer 6.", Sources: []artifacts.Source{{Parent: "InternetExplorer6Settings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", Value: "AboutURLs"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", Value: "UrlSearchHooks"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", Value: "Extensions"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", Value: "ExplorerBars"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", Value: "Toolbar"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer", Value: "SearchURL"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Default_Page_URL"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Default_Search_URL"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Search Page"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Start Page"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Search Bar"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Search", Value: "CustomizeSearch"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer", Value: "UrlSearchHooks"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer", Value: "Extensions"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer", Value: "ExplorerBars"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer", Value: "Toolbar"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer", Value: "SearchURL"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Default_Page_URL"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Main", Value: 
"Default_Search_URL"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Search Page"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Start Page"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Main", Value: "Search Bar"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://support.microsoft.com/en-us/kb/895339", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610"}}, {Name: "InternetExplorerTypedURLsKeys", Doc: "Microsoft Internet Explorer TypedUrls keys.", Sources: []artifacts.Source{{Parent: "InternetExplorerTypedURLsKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer#Typed_URLs"}}, {Name: "OperaHistoryFile", Doc: "Opera browser history (global_history.dat).", Sources: []artifacts.Source{{Parent: "OperaHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Opera/global_history.dat"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "OperaHistoryFile", 
Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.opera/global_history.dat"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "OperaHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Opera\\Opera\\global_history.dat", "%%users.appdata%%\\Opera Software\\Opera Stable\\History", "%%users.appdata%%\\Opera Software\\Opera Stable\\History-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Opera"}}, {Name: "SafariCacheSQLiteDatabaseFile", Doc: "Safari browser cache (cache.db).", Sources: []artifacts.Source{{Parent: "SafariCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Apple Computer\\Safari\\cache.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "SafariCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db", "%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db-wal", 
"%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/Cache.db", "%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/Cache.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari"}}, {Name: "SafariDownloads", Doc: "Safari downloads history (Downloads.plist).", Sources: []artifacts.Source{{Parent: "SafariDownloads", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/Downloads.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "SafariDownloads", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Apple Computer\\Safari\\Downloads.plist", "%%users.appdata%%\\Apple Computer\\Safari\\Downloads.plist"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users", "Browser"}, SupportedOs: []string{"Darwin", "Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X", "https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Safari", "https://www.forensicswiki.org/wiki/Apple_Safari"}}, 
{Name: "SafariHistory", Doc: "Safari browser history (History.plist).", Sources: []artifacts.Source{{Parent: "SafariHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Apple Computer\\Safari\\History.plist", "%%users.appdata%%\\Apple Computer\\Safari\\History.plist"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "SafariHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/History.plist", "%%users.homedir%%/Library/Safari/History.db", "%%users.homedir%%/Library/Safari/History.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Windows", "Darwin"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari"}}, {Name: "SafariExtensions", Doc: "Safari browser Extensions.", Sources: []artifacts.Source{{Parent: "SafariExtensions", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/Extensions/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Browser"}, SupportedOs: []string{"Darwin"}, Urls: []string{"http://www.forensicswiki.org/wiki/Apple_Safari"}}, {Name: 
"SafariTouchIconCacheSettingsSQLiteDatabaseFile", Doc: "Safari browser touch icon cache settings SQLite database file.", Sources: []artifacts.Source{{Parent: "SafariTouchIconCacheSettingsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db", "%%users.homedir%%/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "ChromiumBasedBrowsersWebDataDatabaseFile", Doc: "Web Data database file for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersWebDataDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Web Data", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Web Data-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Web Data", "%%users.localappdata%%\\Chromium\\User Data\\*\\Web Data-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Web Data", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Web Data-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Web Data", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Web Data-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Web Data", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Web Data-journal", 
"%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Web Data", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Web Data-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Web Data", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Web Data-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Web Data", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Web Data-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Web Data", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Web Data-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Web Data", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Web Data-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersWebDataDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Web Data", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Web Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Web Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Web Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Web Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Web Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Web Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Web Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Web Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Web 
Data-journal", "%%users.homedir%%/.config/chromium/*/Web Data", "%%users.homedir%%/.config/chromium/*/Web Data-journal", "%%users.homedir%%/.config/chromium/*/Network/Web Data", "%%users.homedir%%/.config/chromium/*/Network/Web Data-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Web Data", "%%users.homedir%%/.config/google-chrome-beta/*/Web Data-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Web Data", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Web Data-journal", "%%users.homedir%%/.config/google-chrome/*/Web Data", "%%users.homedir%%/.config/google-chrome/*/Web Data-journal", "%%users.homedir%%/.config/google-chrome/*/Network/Web Data", "%%users.homedir%%/.config/google-chrome/*/Network/Web Data-journal", "%%users.homedir%%/.config/microsoft-edge/*/Web Data", "%%users.homedir%%/.config/microsoft-edge/*/Web Data-journal", "%%users.homedir%%/.config/opera/Web Data", "%%users.homedir%%/.config/opera/Web Data-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersWebDataDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Web Data", "%%users.homedir%%/Library/Application Support/Chromium/*/Web Data-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Web Data", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Web Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Web Data", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Web Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Web Data", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Web 
Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Web Data", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Web Data-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ChromiumBasedBrowsersFaviconsDatabaseFile", Doc: "Favicons database file for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersFaviconsDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Favicons", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Favicons-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Favicons", "%%users.localappdata%%\\Chromium\\User Data\\*\\Favicons-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Favicons", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Favicons-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Favicons", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Favicons-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Favicons", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Favicons-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Favicons", "%%users.localappdata%%\\Google\\Chrome\\User 
Data\\*\\Favicons-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Favicons", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Favicons-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Favicons", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Favicons-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Favicons", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Favicons-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Favicons", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Favicons-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersFaviconsDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Favicons", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Favicons-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Favicons", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Favicons-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Favicons", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Favicons-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Favicons", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Favicons-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Favicons", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Favicons-journal", "%%users.homedir%%/.config/chromium/*/Favicons", "%%users.homedir%%/.config/chromium/*/Favicons-journal", 
"%%users.homedir%%/.config/chromium/*/Network/Favicons", "%%users.homedir%%/.config/chromium/*/Network/Favicons-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Favicons", "%%users.homedir%%/.config/google-chrome-beta/*/Favicons-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Favicons", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Favicons-journal", "%%users.homedir%%/.config/google-chrome/*/Favicons", "%%users.homedir%%/.config/google-chrome/*/Favicons-journal", "%%users.homedir%%/.config/google-chrome/*/Network/Favicons", "%%users.homedir%%/.config/google-chrome/*/Network/Favicons-journal", "%%users.homedir%%/.config/microsoft-edge/*/Favicons", "%%users.homedir%%/.config/microsoft-edge/*/Favicons-journal", "%%users.homedir%%/.config/opera/Favicons", "%%users.homedir%%/.config/opera/Favicons-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersFaviconsDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Favicons", "%%users.homedir%%/Library/Application Support/Chromium/*/Favicons-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Favicons", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Favicons-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Favicons", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Favicons-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Favicons", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Favicons-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Favicons", 
"%%users.homedir%%/Library/Application Support/Google/Chrome/*/Favicons-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Favicons", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Favicons-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ChromiumBasedBrowsersLoginDataDatabaseFile", Doc: "Login Data database file for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersLoginDataDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Login Data", "%%users.localappdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network\\Login Data-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Login Data", "%%users.localappdata%%\\Chromium\\User Data\\*\\Login Data-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Login Data", "%%users.localappdata%%\\Chromium\\User Data\\*\\Network\\Login Data-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Login Data", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Login Data-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Login Data", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Network\\Login Data-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Login Data", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Login Data-journal", "%%users.localappdata%%\\Google\\Chrome\\User 
Data\\*\\Network\\Login Data", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Network\\Login Data-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Login Data", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Login Data-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Login Data", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Network\\Login Data-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Login Data", "%%users.appdata%%\\Opera Software\\Opera Stable\\Network\\Login Data-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersLoginDataDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Login Data", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Login Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Login Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Login Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Login Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Login Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Login Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Login Data-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Login Data", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Login Data-journal", "%%users.homedir%%/.config/chromium/*/Login Data", "%%users.homedir%%/.config/chromium/*/Login Data-journal", 
"%%users.homedir%%/.config/chromium/*/Network/Login Data", "%%users.homedir%%/.config/chromium/*/Network/Login Data-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Login Data", "%%users.homedir%%/.config/google-chrome-beta/*/Login Data-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Login Data", "%%users.homedir%%/.config/google-chrome-beta/*/Network/Login Data-journal", "%%users.homedir%%/.config/google-chrome/*/Login Data", "%%users.homedir%%/.config/google-chrome/*/Login Data-journal", "%%users.homedir%%/.config/google-chrome/*/Network/Login Data", "%%users.homedir%%/.config/google-chrome/*/Network/Login Data-journal", "%%users.homedir%%/.config/microsoft-edge/*/Login Data", "%%users.homedir%%/.config/microsoft-edge/*/Login Data-journal", "%%users.homedir%%/.config/opera/Login Data", "%%users.homedir%%/.config/opera/Login Data-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersLoginDataDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Chromium/*/Login Data", "%%users.homedir%%/Library/Application Support/Chromium/*/Login Data-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Login Data", "%%users.homedir%%/Library/Application Support/Chromium/*/Network/Login Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Login Data", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Login Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Login Data", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Login Data-journal", "%%users.homedir%%/Library/Application 
Support/Google/Chrome/*/Login Data", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Login Data", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Login Data-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "SafariFaviconsCacheSQLiteDatabaseFile", Doc: "Safari browser favicons cache SQLite database file.", Sources: []artifacts.Source{{Parent: "SafariFaviconsCacheSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/Favicon Cache/favicons.db", "%%users.homedir%%/Library/Safari/Favicon Cache/favicons.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "FirefoxCookies", Doc: "Firefox browser cookies (cookies.sqlite).", Sources: []artifacts.Source{{Parent: "FirefoxCookies", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/cookies.sqlite", "%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/cookies.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxCookies", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.mozilla/firefox/*/cookies.sqlite", "%%users.homedir%%/.mozilla/firefox/*/cookies.sqlite-shm", "%%users.homedir%%/.mozilla/firefox/*/cookies.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxCookies", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite-wal", "%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite-wal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://forensics.wiki/mozilla_firefox"}}, {Name: "FirefoxDownloads", Doc: "Firefox browser downloads (downloads.sqlite).", Sources: []artifacts.Source{{Parent: "FirefoxDownloads", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/downloads.sqlite", "%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/downloads.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxDownloads", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.mozilla/firefox/*/downloads.sqlite", "%%users.homedir%%/.mozilla/firefox/*/downloads.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxDownloads", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite-wal", "%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite-wal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string{"https://forensics.wiki/mozilla_firefox"}}, {Name: "SafariCloudAutoFillCorrectionsSQLiteDatabaseFile", Doc: "Safari browser cloud auto-fill corrections SQLite database file.", Sources: []artifacts.Source{{Parent: "SafariCloudAutoFillCorrectionsSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/CloudAutoFillCorrections.db", "%%users.homedir%%/Library/Safari/CloudAutoFillCorrections.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "ChromePlatformNotifications", Doc: "Google Chrome Platform Notifications LevelDB.\n\nThe Platform Notifications directory contains the files that comprise a LevelDB\ndatabase, which in turn holds platform notification data.\n", Sources: []artifacts.Source{{Parent: "ChromePlatformNotifications", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Google/Chrome/*/Platform Notifications/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromePlatformNotifications", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/google-chrome/*/Platform Notifications/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromePlatformNotifications", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Platform Notifications\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", 
"Linux", "Windows"}, Urls: []string(nil)}, {Name: "SafariTabSnapshotsMetadataSQLiteDatabaseFile", Doc: "Safari browser tab snapshots metadata SQLite database file.", Sources: []artifacts.Source{{Parent: "SafariTabSnapshotsMetadataSQLiteDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Caches/com.apple.Safari/TabSnapshots/Metadata.db"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string{"https://forensics.wiki/apple_safari"}}, {Name: "ApacheConfigurationFolder", Doc: "Location where Apache keeps configuration files", Sources: []artifacts.Source{{Parent: "ApacheConfigurationFolder", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/apache2/*.conf", "/etc/httpd/*.conf", "/etc/httpd/conf.d/*.conf", "/etc/httpd/conf.modules.d/*.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ApacheDefaultSiteConfigurationFile", Doc: "Location where Apache keeps the default site configuration file.", Sources: []artifacts.Source{{Parent: "ApacheDefaultSiteConfigurationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/apache2/sites-available/000-default.conf"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, 
Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "ApacheAccessLogs", Doc: "Location where Apache access logs are stored", Sources: []artifacts.Source{{Parent: "ApacheAccessLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/apache/access.log*", "/var/log/apache/access_log*", "/var/log/apache2/access.log*", "/var/log/apache2/other_vhosts_access_log*", "/var/log/apache2/other_vhosts_access.log*", "/var/log/apache2/access_log*", "/var/log/httpd/access.log*", "/var/log/httpd/access_log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ApacheAccessLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\**6\\logs\\access.log*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux", "Windows"}, Urls: []string(nil)}, {Name: "ApacheErrorLogs", Doc: "Location where Apache error logs are stored", Sources: []artifacts.Source{{Parent: "ApacheErrorLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/apache/error.log*", "/var/log/apache/error*", "/var/log/apache2/error.log*", "/var/log/apache2/error*", "/var/log/httpd/error.log*", "/var/log/httpd/error*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ApacheErrorLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\**6\\logs\\error.log*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux", "Windows"}, Urls: []string(nil)}, {Name: "NginxAccessLogs", Doc: "Location where nginx access logs are stored", Sources: []artifacts.Source{{Parent: "NginxAccessLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/nginx/access.log*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "NginxAccessLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\nginx\\logs\\*.log*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software", "Logs"}, SupportedOs: []string{"Linux", "Windows"}, Urls: []string(nil)}, {Name: "NginxErrorLogs", Doc: "Location where nginx error logs are stored", Sources: []artifacts.Source{{Parent: "NginxErrorLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/nginx/error.log*"}, Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "WordpressConfigFile", Doc: "WordPress configuration file", Sources: []artifacts.Source{{Parent: "WordpressConfigFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/www/**/wp-config.php", "/private/var/www/wp-config.php", "/var/www/**/wp-config.php", "/var/www/wp-config.php", "/wp/wp-config.php"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Configuration Files"}, SupportedOs: []string{"Linux", "Darwin"}, Urls: []string(nil)}, {Name: "MicrosoftIISLogs", Doc: "Internet Information Services (IIS) web server's log files.", Sources: []artifacts.Source{{Parent: "MicrosoftIISLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\LogFiles\\W3SVC*\\*.log", "%%environ_systemdrive%%\\inetpub\\logs\\LogFiles\\*.log", "%%environ_systemdrive%%\\Resources\\Directory\\*\\LogFiles\\Web\\W3SVC*\\*.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software", "Logs"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsActiveDesktop", Doc: "Windows Active Desktop settings and components.", Sources: 
[]artifacts.Source{{Parent: "WindowsActiveDesktop", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Desktop\\Components\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Desktop\\General"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html"}}, {Name: "WindowsActiveDirectoryDatabase", Doc: "Windows Active Directory data store file.", Sources: []artifacts.Source{{Parent: "WindowsActiveDirectoryDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\ntds\\ntds.dit"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772829(v=ws.10)"}}, {Name: "WindowsActivitiesCacheDatabase", Doc: "SQLite database containing the Windows activities cache.", Sources: []artifacts.Source{{Parent: "WindowsActivitiesCacheDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\ConnectedDevicesPlatform\\L.%%users.username%%\\ActivitiesCache.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActivitiesCacheDatabase.html"}}, {Name: "WindowsAlternateShell", Doc: "Alternate Shell to be run via Userinit.", Sources: []artifacts.Source{{Parent: "WindowsAlternateShell", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot", Value: "AlternateShell"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option", Value: "UseAlternateShell"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx", "https://technet.microsoft.com/en-us/library/cc976124.aspx", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610"}}, {Name: "WindowsAMCacheHveFile", Doc: "The AMCache file, stored in the Windows NT Registry file format.", Sources: []artifacts.Source{{Parent: "WindowsAMCacheHveFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\AppCompat\\Programs\\Amcache.hve", "%%environ_systemroot%%\\AppCompat\\Programs\\Amcache.hve.LOG1", "%%environ_systemroot%%\\AppCompat\\Programs\\Amcache.hve.LOG2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html"}}, {Name: "WindowsAppCertDLLs", Doc: "Windows AppCertDLLs persistence.", Sources: []artifacts.Source{{Parent: "WindowsAppCertDLLs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://blogs.technet.com/b/mmpc/archive/2011/03/19/how-to-defang-the-fake-defragmenter.aspx"}}, {Name: "WindowsAppCompatCache", Doc: "Windows Application Compatibility Cache", Sources: []artifacts.Source{{Parent: "WindowsAppCompatCache", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatibility", Value: "AppCompatCache"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache", Value: "AppCompatCache"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/Application%20Compatibility%20Cache%20key.asciidoc"}}, {Name: "WindowsAppInitDLLs", Doc: "Windows 
Application Initial (AppInit) DLLs persistence.\n\nAppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded\ninto each user mode process on the system.\n", Sources: []artifacts.Source{{Parent: "WindowsAppInitDLLs", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx", "https://support.microsoft.com/en-us/kb/197571"}}, {Name: "WindowsApplicationRegistration", Doc: "Windows Application Registration (AppPath) Registry keys.", Sources: []artifacts.Source{{Parent: "WindowsApplicationRegistration", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/keydet89/RegRipper2.8/blob/master/plugins/apppaths.pl", "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx"}}, {Name: "WindowsApplicationCompatibilityInstalledShimDatabases", Doc: "Windows Application Compatibility Installed Shim Databases.\n\ndrvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are\nshim database files (SDB files) that are provided by Windows, and contain\nmany predefined shims that address known application compatibility issues.\nNote that these database files are not signed.\n\nWindows also supports custom shim database. These are typically installed\nby the sdbinst.exe utility. Note, that shim database files can also exist\nelsewhere in the file system.\n\nWindows application shims provide a way for the operating system to\napply patches to executables before they are run, ultimately providing\na lightweight mechanism for applying hot fixes and making modifications to\nensure compatibility across the various versions of Windows. 
This\nfunctionality can also be leveraged maliciously to change how certain\nprograms operate, or to provide capabilities to malware, such as the\nability to bypass UAC, gain persistence by injecting loading into legitimate\nprocesses, or avoid detection by disabling anti-virus software.\n", Sources: []artifacts.Source{{Parent: "WindowsApplicationCompatibilityInstalledShimDatabases", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\AppPatch\\drvmain.sdb", "%%environ_systemroot%%\\AppPatch\\frxmain.sdb", "%%environ_systemroot%%\\AppPatch\\msimain.sdb", "%%environ_systemroot%%\\AppPatch\\pcamain.sdb", "%%environ_systemroot%%\\AppPatch\\sysmain.sdb", "%%environ_systemroot%%\\AppPatch\\AppPatch64\\Custom\\*", "%%environ_systemroot%%\\AppPatch\\Custom\\*", "%%environ_systemroot%%\\AppPatch\\Custom\\Custom64\\*", "%%environ_systemroot%%\\AppPatch\\CustomSDB\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1138/", "https://countercept.com/blog/hunting-for-application-shim-databases/", "http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf", "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf"}}, {Name: "WindowsApplicationCompatibilityShimDatabaseMappings", Doc: "Windows Application Compatibility Shim Database Mappings.\n\nMappings between the Windows Application Compatibility shim database files and\nthe programs that they apply to.\n\nWindows allows for custom application shims to be installed via the\nsdbinst.exe application. 
For example a mapping for 'notepad.exe':\n\nKey: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\\n AppCompatFlags\\Custom\\notepad.exe\nValue: {00000000-1111-2222-3333-444444444444}.sdb = 0\n\nKey: AppCompatFlags\\InstalledSDB\\{00000000-1111-2222-3333-444444444444}\nValue: DatabasePath =\n \"C:\\Windows\\AppPatch\\Custom\\{00000000-1111-2222-3333-444444444444}.sdb\"\n\nWindows application shims provide a way for the operating system to\napply patches to executables before they are run, ultimately providing\na lightweight mechanism for applying hot fixes and making modifications to\nensure compatibility across the various versions of Windows. This\nfunctionality can also be leveraged maliciously to change how certain\nprograms operate, or to provide capabilities to malware, such as the\nability to bypass UAC, gain persistence by injecting loading into legitimate\nprocesses, or avoid detection by disabling anti-virus software.\n", Sources: []artifacts.Source{{Parent: "WindowsApplicationCompatibilityShimDatabaseMappings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*", Value: "DatabaseDescription"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*", Value: "DatabasePath"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*", Value: "*"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1138/", 
"https://countercept.com/blog/hunting-for-application-shim-databases/"}}, {Name: "WindowsApplicationCompatibilityShims", Doc: "Windows Application Compatibility Shim Database Files and Application Mappings", Sources: []artifacts.Source{{Parent: "WindowsApplicationCompatibilityShims", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsApplicationCompatibilityInstalledShimDatabases", "WindowsApplicationCompatibilityShimDatabaseMappings"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WinAppXRT", Doc: "WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set.", Sources: []artifacts.Source{{Parent: "WinAppXRT", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\system32\\WinAppXRT.dll", "%%environ_systemroot%%\\WinAppXRT.dll", "%%environ_systemroot%%\\System32\\Wbem\\WinAppXRT.dll", "%%environ_systemroot%%\\System32\\WindowsPowerShell\\v1.0\\WinAppXRT.dll"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/"}}, {Name: "WindowsAutoexecBat", Doc: "Windows autoexec.bat file", Sources: []artifacts.Source{{Parent: "WindowsAutoexecBat", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%environ_systemdrive%%\\autoexec.bat", "%%environ_systemroot%%\\autoexec.nt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAutomaticDebugging", Doc: "Windows automatic debugging (Aedebug)", Sources: []artifacts.Source{{Parent: "WindowsAutomaticDebugging", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", Value: "Debugger"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610"}}, {Name: "WindowsAutomaticDebuggingExclusionList", Doc: "Windows automatic debugging (Aedebug) exclusion list", Sources: []artifacts.Source{{Parent: "WindowsAutomaticDebuggingExclusionList", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AutoExclusionList\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx"}}, {Name: "WindowsAutorun", Doc: "Filebased Tests.", Sources: []artifacts.Source{{Parent: "WindowsAutorun", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\autorun.inf"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAvailableTimeZones", Doc: "Timezones available on a Windows system.", Sources: []artifacts.Source{{Parent: "WindowsAvailableTimeZones", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc"}}, {Name: "WindowsBackgroundActivityModeratorKeys", Doc: "Windows Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) registry keys.", Sources: []artifacts.Source{{Parent: "WindowsBackgroundActivityModeratorKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\*", 
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\dam\\UserSettings\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\dam\\State\\UserSettings\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://dfir.ru/2020/04/08/bam-internals/", "https://notes.qazeer.io/dfir/windows/_artefacts_overview"}}, {Name: "WindowsBITSQueueManagerDatabases", Doc: "Databases that contain the Windows BITS jobs definition and state.", Sources: []artifacts.Source{{Parent: "WindowsBITSQueueManagerDatabases", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Network\\Downloader\\qmgr*.dat", "%%environ_allusersappdata%%\\Microsoft\\Network\\Downloader\\qmgr.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf"}}, {Name: "WindowsBootConfigurationDataRegistryFiles", Doc: "Boot Configuration Data (BCD) Windows Registry files.", Sources: []artifacts.Source{{Parent: "WindowsBootConfigurationDataRegistryFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\Boot\\BCD", "\\Boot\\BCD.LOG", "\\Boot\\BCD.LOG1", "\\Boot\\BCD.LOG2", "\\EFI\\Microsoft\\Boot\\BCD", "\\EFI\\Microsoft\\Boot\\BCD.LOG", "\\EFI\\Microsoft\\Boot\\BCD.LOG1", 
"\\EFI\\Microsoft\\Boot\\BCD.LOG2", "\\EFI\\Microsoft\\Recovery\\BCD", "\\EFI\\Microsoft\\Recovery\\BCD.LOG", "\\EFI\\Microsoft\\Recovery\\BCD.LOG1", "\\EFI\\Microsoft\\Recovery\\BCD.LOG2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsBootVerificationProgram", Doc: "Path to custom startup verification program.", Sources: []artifacts.Source{{Parent: "WindowsBootVerificationProgram", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\BootVerificationProgram", Value: "ImagePath"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610"}}, {Name: "WindowsCIMRepositoryFiles", Doc: "Windows Common Information Model (CIM) repository.\n\nPersistent database that holds the schema, also called the object repository or class store,\nthat models the managed environment and defines every piece of data exposed by WMI.\n\nThis definition does not specify the copies of the CIM repository that are stored in system restore points.\n", Sources: []artifacts.Source{{Parent: "WindowsCIMRepositoryFiles", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System\\Wbem\\Repository\\cim.rep", "%%environ_systemroot%%\\System32\\wbem\\Repository\\CIM.REC", "%%environ_systemroot%%\\System32\\wbem\\Repository\\CIM.REP", "%%environ_systemroot%%\\System32\\wbem\\Repository\\INDEX.BTR", "%%environ_systemroot%%\\System32\\wbem\\Repository\\INDEX.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository\\MAPPING.VER", "%%environ_systemroot%%\\System32\\wbem\\Repository\\MAPPING[1-3].MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository\\OBJECTS.DATA", "%%environ_systemroot%%\\System32\\wbem\\Repository\\OBJECTS.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository\\FS\\INDEX.BTR", "%%environ_systemroot%%\\System32\\wbem\\Repository\\FS\\INDEX.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository\\FS\\MAPPING.VER", "%%environ_systemroot%%\\System32\\wbem\\Repository\\FS\\MAPPING[1-2].MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository\\FS\\OBJECTS.DATA", "%%environ_systemroot%%\\System32\\wbem\\Repository\\FS\\OBJECTS.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\INDEX.BTR", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\INDEX.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\MAPPING.VER", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\MAPPING[1-3].MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\OBJECTS.DATA", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\OBJECTS.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\FS\\INDEX.BTR", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\FS\\INDEX.MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\FS\\MAPPING.VER", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\FS\\MAPPING[1-2].MAP", "%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\FS\\OBJECTS.DATA", 
"%%environ_systemroot%%\\System32\\wbem\\Repository.00[1-9]\\FS\\OBJECTS.MAP"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/dtformats/blob/main/documentation/WMI%20repository%20file%20format.asciidoc", "https://forensicswiki.xyz/wiki/index.php?title=WMI"}}, {Name: "WindowsCodePage", Doc: "The code page of the system.", Sources: []artifacts.Source{{Parent: "WindowsCodePage", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CodePage", Value: "ACP"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "code_page", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://en.wikipedia.org/wiki/Windows_code_page"}}, {Name: "WindowsComputerName", Doc: "The name of the system.", Sources: []artifacts.Source{{Parent: "WindowsComputerName", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ComputerName", Value: "ComputerName"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName", Value: "ComputerName"}}}, Conditions: []string(nil), SupportedOs: 
[]string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsCommandProcessorAutoRun", Doc: "Commands that are run each time the Command Processor (Cmd.exe) is started.", Sources: []artifacts.Source{{Parent: "WindowsCommandProcessorAutoRun", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor", Value: "AutoRun"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Command Processor", Value: "AutoRun"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Command Processor", Value: "AutoRun"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Command Processor", Value: "AutoRun"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://blogs.msdn.com/b/oldnewthing/archive/2007/11/21/6447771.aspx", "https://technet.microsoft.com/en-us/library/cc756720(v=ws.10).aspx"}}, {Name: "WindowsCOMInprocHandlers", Doc: "Windows COM in-process handlers", Sources: []artifacts.Source{{Parent: "WindowsCOMInprocHandlers", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*", Value: "InprocHandler"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*", Value: "InprocHandler32"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*", Value: "InprocHandler"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*", Value: "InprocHandler32"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*", Value: "InprocHandler"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*", Value: "InprocHandler32"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*", Value: "InprocHandler"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*", Value: "InprocHandler32"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms691354(v=vs.85).aspx", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms693485(v=vs.85).aspx"}}, {Name: "WindowsCOMInprocServers", Doc: "Windows COM in-process servers", Sources: []artifacts.Source{{Parent: "WindowsCOMInprocServers", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\InprocServer", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\InprocServer32", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer32", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\InprocServer", Value: ""}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\InprocServer32", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer32", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms682390(v=vs.85).aspx", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms694328(v=vs.85).aspx"}}, {Name: "WindowsCOMLocalServers", Doc: "Windows COM local servers", Sources: []artifacts.Source{{Parent: "WindowsCOMLocalServers", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*", Value: "LocalServer"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\LocalServer32", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\LocalServer32", Value: "ServerExecutable"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*", Value: "LocalServer"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\LocalServer32", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\LocalServer32", Value: "ServerExecutable"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*", Value: "LocalServer"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\LocalServer32", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\LocalServer32", Value: "ServerExecutable"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*", Value: "LocalServer"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\LocalServer32", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\LocalServer32", Value: "ServerExecutable"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx"}}, {Name: "WindowsCOMProperties", Doc: "Various properties of Windows COM Objects.\n\nThese artifacts are meant to highlight properties of COM objects that,\nalthough legitimate, are known to be associated with persistence techniques\nor other capabilities that malware can leverage.\n\nShellFolder\\HideOnDesktop, ShellFolder\\Attributes (specifically with value\n0xf090013d), and InprocServer\\LoadWithoutCOM are associated with a technique\nto cause iexplore or explorer to load a malicious DLL by registering a COM\nobject and invoking it through the use of Junction Folders.\n", Sources: []artifacts.Source{{Parent: "WindowsCOMProperties", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse", "https://labs.nettitude.com/blog/com-and-the-powerthief/"}}, {Name: "WindowsCOMRegisteredTypeLibraries", Doc: "Windows COM registered type libraries", Sources: []artifacts.Source{{Parent: "WindowsCOMRegisteredTypeLibraries", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Typelib\\*\\*\\*\\*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\Typelib\\*\\*\\*\\*", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Typelib\\*\\*\\*\\*", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\Typelib\\*\\*\\*\\*", Value: 
""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key"}}, {Name: "WindowsSearchFilterHandlers", Doc: "Windows Search filter handlers configured for file types and applications.\n\nWindows Search loads DLLs that implement the IFilter interface in order to\nscan files for text and extract certain types of information. Malware can\nreplace the filter handler for a given file type or CLSID with itself to gain\nexecution when a search operation is performed on that file. Search\noperations can be performed indirectly in a number of cases; for instance,\nthe .txt, .html, and .rtf filter handlers are invoked when indexing email\nmessage bodies.\n\nThe filter handler to use is specified indirectly via a persistent handler.\nThe persistent handler GUID is indicated via the PersistentHandler subkey for\na file type or application GUID. The filter handler CLSID is indicated via\nthe PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey\nunder the persistent handler GUID key path. This artifact inspects both of\nthese paths.\n\nNOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these\nare the only keys used. 
SearchFilterHost.exe runs under the SYSTEM account,\nwhich does not have access to HKEY_CURRENT_USER.\n", Sources: []artifacts.Source{{Parent: "WindowsSearchFilterHandlers", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-about", "https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-implementations", "https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-registering-filters"}}, {Name: "WindowsConfigSys", Doc: "Windows config.sys file", Sources: []artifacts.Source{{Parent: "WindowsConfigSys", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\config.sys", "%%environ_systemroot%%\\config.nt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), 
SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsControlPanelFilePaths", Doc: "DLLs listed here will be run when the user opens the Windows Control Panel.", Sources: []artifacts.Source{{Parent: "WindowsControlPanelFilePaths", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx", "http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms683844(v=vs.85).aspx"}}, {Name: "WindowsNetworkProviderOrder", Doc: "Windows Network Provider list that can be used to steal credentials", Sources: []artifacts.Source{{Parent: "WindowsNetworkProviderOrder", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order", 
Value: "ProviderOrder"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"}}, {Name: "WindowsCredentialProviderFilters", Doc: "Windows Credential Provider Filters", Sources: []artifacts.Source{{Parent: "WindowsCredentialProviderFilters", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider Filters\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider Filters\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/"}}, {Name: "WindowsCredentialProviders", Doc: "CLSIDs of applications to use as Credential Providers", Sources: []artifacts.Source{{Parent: "WindowsCredentialProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://blogs.technet.com/b/ad/archive/2009/05/26/thoughts-on-single-sign-on-and-credential-providers.aspx", "http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/", "https://www.sophos.com/en-us/support/knowledgebase/114190.aspx"}}, {Name: "WindowsCommonFilePlacementAttacks", Doc: "Common files associated with search order hijacking and other file placement attacks.", Sources: []artifacts.Source{{Parent: "WindowsCommonFilePlacementAttacks", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programfiles%%\\Internet Explorer\\sxs.dll", "%%environ_programfilesx86%%\\Internet Explorer\\sxs.dll", "%%environ_systemdrive%%\\explorer.exe", "%%environ_systemdrive%%\\program.exe", "%%environ_systemroot%%\\linkinfo.dll", "%%environ_systemroot%%\\ntshrui.dll", "%%environ_systemroot%%\\System32\\oci.dll", "%%environ_systemroot%%\\System32\\sysprep\\cryptbase.dll", "%%environ_systemroot%%\\SysWOW64\\oci.dll", "%%environ_systemroot%%\\SysWOW64\\sysprep\\cryptbase.dll"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://web.cs.ucdavis.edu/~su/publications/issta10-loading.pdf", "https://www.mandiant.com/blog/fxsst/"}}, {Name: "WindowsCurrentVersion", Doc: "The Windows current version", Sources: []artifacts.Source{{Parent: "WindowsCurrentVersion", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: 
"", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "CurrentVersion"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc"}}, {Name: "WindowsDebugger", Doc: "Windows Debugger peristence or AV disable.", Sources: []artifacts.Source{{Parent: "WindowsDebugger", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/a329t4ed%28VS.71%29.aspx"}}, {Name: "WindowsDomainCachedCredentials", Doc: "Windows domain cached credentials", Sources: []artifacts.Source{{Parent: "WindowsDomainCachedCredentials", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Security\\Cache", Value: "NL$*"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://juggernaut.wikidot.com/cached-credentials"}}, {Name: "WindowsDomainName", Doc: "The domain the system is connected to.", Sources: []artifacts.Source{{Parent: "WindowsDomainName", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Value: "Domain"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "domain", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEnvironmentUserLoginScripts", Doc: "User login scripts configured via Windows environment variables.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentUserLoginScripts", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "UserInitLogonServer"}, {Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "UserInitLogonScript"}, {Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "UserInitMprLogonScript"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/", "https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon"}}, {Name: "WindowsEnvironmentVariableAllUsersProfile", Doc: "The system-wide %AllUsersProfile% environment variable contains the path of the of the \"All Users\" or \"Common\" profile directory.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableAllUsersProfile", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", Value: "AllUsersProfile"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_allusersappdata", Regex: "", WMIKey: ""}, {Key: "environ_programdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableAllUsersProfile", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", Value: "ProgramData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_allusersappdata", Regex: "", WMIKey: ""}, {Key: "environ_programdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableAllUsersProfile", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\ProgramData", "\\Documents and Settings\\All Users"}, Separator: "\\", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_allusersappdata", Regex: "", WMIKey: ""}, {Key: "environ_programdata", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableAppxProcess", Doc: "The user-specific %APPX_PROCESS% environment variable is used for .NET applications.\n\nIf set, a .NET applications will attempt to load WinAppXRT.dll from %PATH%, which can be used as a persistence mechanism by malware.\n", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableAppxProcess", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "APPX_PROCESS"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableCommonProgramFiles", Doc: "The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableCommonProgramFiles", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", Value: "CommonFilesDir"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableCommonProgramFilesX86", Doc: "The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableCommonProgramFilesX86", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", Value: "CommonFilesDir (x86)"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableComSpec", Doc: "The %ComSpec% environment variable contains the path of the command processor, typically \"cmd.exe\".", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableComSpec", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", Value: "ComSpec"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableDriverData", Doc: "The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableDriverData", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", Value: "DriverData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariablePath", Doc: "The %PATH% environment variable contains an ordered list of paths of directories that will be searched on execution request without a specific path.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariablePath", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment", Value: "Path"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_path", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableProfilesDirectory", Doc: "The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically \"%SystemDrive%\\Users\".", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableProfilesDirectory", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", Value: "ProfilesDirectory"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_profilesdirectory", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableProgramFiles", Doc: "The %ProgramFiles% environment variable contains a path of the \"Program Files\" directory.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableProgramFiles", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\Program Files"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_programfiles", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableProgramFiles", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), 
Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", Value: "ProgramFilesDir"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_programfiles", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableProgramFilesX86", Doc: "The %ProgramFiles(x86)% environment variable contains a path of the 32-bit \"Program Files\" directory on a 64-bit Windows installation.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableProgramFilesX86", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\Program Files (x86)"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_programfilesx86", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableProgramFilesX86", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", Value: "ProgramFilesDir (x86)"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_programfilesx86", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: 
"WindowsEnvironmentVariableSystemRoot", Doc: "The %SystemRoot%, environment variable contains the path of the system directory, typically \"C:\\Windows\".", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableSystemRoot", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\Windows", "\\WinNT", "\\WINNT35", "\\WTSRV"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_systemroot", Regex: "", WMIKey: ""}, {Key: "environ_systemdrive", Regex: "^(..)", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableSystemRoot", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "SystemRoot"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_systemroot", Regex: "", WMIKey: ""}, {Key: "environ_systemdrive", Regex: "^(..)", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableTemp", Doc: "The %TEMP% environment variable.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableTemp", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment", Value: 
"TEMP"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_temp", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEnvironmentVariableWinDir", Doc: "The %WinDir%, environment variable contains the path of the Windows directory, typically \"C:\\Windows\".", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableWinDir", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\Windows", "\\WinNT", "\\WINNT35", "\\WTSRV"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_windir", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableWinDir", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment", Value: "windir"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_windir", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html"}}, {Name: "WindowsEventLogProviders", Doc: "Windows EventLog provider Registry keys.", Sources: []artifacts.Source{{Parent: "WindowsEventLogProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), 
Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\EventLog\\*\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html"}}, {Name: "WindowsExcludeFromKnownDLLs", Doc: "ExcludeFromKnownDLLs can be used to bypass search order hijacking protection.", Sources: []artifacts.Source{{Parent: "WindowsExcludeFromKnownDLLs", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "ExcludeFromKnownDLLs"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx"}}, {Name: "WindowsExplorerAppKey", Doc: "Handlers for special keys on some keyboards (file path or CLSID).", Sources: []artifacts.Source{{Parent: "WindowsExplorerAppKey", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AppKey\\*", Value: "ShellExecute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), 
Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/assigning-the-special-keys-at-the-top-of-the/d1ab2e13-5297-457d-a8e8-bc2c883d8b58?db=5", "http://h30434.www3.hp.com/t5/Notebook-Hardware/How-do-I-customize-the-Action-Keys/td-p/379207"}}, {Name: "WindowsExplorerAutoplayHandlers", Doc: "Handlers for autoplay events in Windows Explorer.", Sources: []artifacts.Source{{Parent: "WindowsExplorerAutoplayHandlers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://msdn.microsoft.com/en-us/library/windows/desktop/aa468474.aspx"}}, {Name: "WindowsExplorerContextMenuHandlers", Doc: "Handlers for subcommands on context menu", Sources: []artifacts.Source{{Parent: "WindowsExplorerContextMenuHandlers", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\*", Value: "CommandStateHandler"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\*", Value: "ExplorerCommandHandler"}, {Key: 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\*", Value: "command"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommandStore\\shell\\*\\command", Value: "DelegateExecute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx", "https://msdn.microsoft.com/en-us/library/windows/desktop/cc144171(v=vs.85).aspx", "http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commandstore-shell-windows-closewindow", "http://www.checkfilename.com/view-details/Windows-7-Ultimate/RespageIndex/4/sTab/2/"}}, {Name: "WindowsExplorerNamespaceCommonPlaces", Doc: "CLSIDs listed here are used to populate the Common Places items.", Sources: []artifacts.Source{{Parent: "WindowsExplorerNamespaceCommonPlaces", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace\\DelegateFolders", 
"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CommonPlaces\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\CommonPlaces\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\CommonPlaces\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\CommonPlaces\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\CommonPlaces\\NameSpace\\DelegateFolders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx", "http://www.geoffchappell.com/studies/windows/shell/shell32/classes/commonplacesfolder.htm", "http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commonplaces"}}, {Name: "WindowsExplorerNamespaceControlPanel", Doc: "CLSIDs listed here are used to populate the Control Panel items.", Sources: []artifacts.Source{{Parent: "WindowsExplorerNamespaceControlPanel", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanel\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanel\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanelWOW64\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanelWOW64\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpaceWOW64\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanelWOW64\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanelWOW64\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanelWOW64\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanel\\NameSpace", 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanel\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanelWOW64\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Wow6432Node\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\ControlPanelWOW64\\NameSpace\\DelegateFolders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx", "http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm"}}, {Name: "WindowsExplorerNamespaceDesktop", Doc: "CLSIDs listed here are used to populate the Desktop items.", Sources: []artifacts.Source{{Parent: "WindowsExplorerNamespaceDesktop", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\Desktop\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\Desktop\\NameSpace\\DelegateFolders", 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wow6432Node\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\Desktop\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\Desktop\\NameSpace\\DelegateFolders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://social.technet.microsoft.com/Forums/windowsserver/en-US/2760309c-89d1-414c-a04c-ce4178e90787/hide-libraries-icon-from-desktop", "http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm", "http://www.geoffchappell.com/notes/windows/shell/controlpanel/desktopicons.htm", "https://support.microsoft.com/en-us/kb/321777"}}, {Name: "WindowsExplorerNamespaceMyComputer", Doc: "CLSIDs listed here are used to populate the MyComputer items.", Sources: []artifacts.Source{{Parent: "WindowsExplorerNamespaceMyComputer", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\MyComputer\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\MyComputer\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wow6432Node\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\MyComputer\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\MyComputer\\NameSpace\\DelegateFolders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.geoffchappell.com/studies/windows/shell/shell32/classes/mycomputer.htm", "http://www.howtogeek.com/168081/how-to-remove-the-folders-from-my-computer-in-windows-8.1/", "http://answers.microsoft.com/en-us/windows/forum/windows8_1-files/how-to-remove-these-folders-from-windows-81/777c4ba3-7853-453e-bfa0-9a0f4245b9e1?db=5"}}, {Name: "WindowsExplorerNamespaceNetworkNeighborhood", Doc: "CLSIDs 
listed here are used to populate the Network Neighborhood items.", Sources: []artifacts.Source{{Parent: "WindowsExplorerNamespaceNetworkNeighborhood", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\NetworkNeighborhood\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\NetworkNeighborhood\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NetworkNeighborhood\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\NetworkNeighborhood\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\NetworkNeighborhood\\NameSpace\\DelegateFolders"}, Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm", "http://www.lavasoft.com/mylavasoft/rogues/secretservice", "http://www.wikihow.com/Manually-Remove-Macatte-Malware"}}, {Name: "WindowsExplorerNamespacePrintersAndFaxes", Doc: "CLSIDs listed here are used to populate the Printer and Fax items.", Sources: []artifacts.Source{{Parent: "WindowsExplorerNamespacePrintersAndFaxes", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\PrintersAndFaxes\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\PrintersAndFaxes\\NameSpace\\DelegateFolders", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace\\DelegateFolders", 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PrintersAndFaxes\\NameSpace\\DelegateFolders", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\PrintersAndFaxes\\NameSpace", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\*\\PrintersAndFaxes\\NameSpace\\DelegateFolders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.geoffchappell.com/studies/windows/shell/shell32/classes/printers.htm"}}, {Name: "WindowsFileTypeAutorunAssociations", Doc: "Registry value for what application class identifier (CLSID) to launch for a file extension.\n\nExtension subkeys start with a dot. The '(Default)' value will be a ProgID,\nwhich points to another entry in HKCR specifying the command to run to open\na file of the given type. 
The WindowsShellOpenCommand artifact is associated\nwith these ProgID command invocations.\n", Sources: []artifacts.Source{{Parent: "WindowsFileTypeAutorunAssociations", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\.*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\.*", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\.*", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\.*", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx", "https://docs.microsoft.com/en-us/windows/desktop/shell/fa-file-types"}}, {Name: "WindowsFirewallLogFile", Doc: "Windows Firewall default logfile", Sources: []artifacts.Source{{Parent: "WindowsFirewallLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\logfiles\\firewall\\pfirewall.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/configure-the-windows-firewall-log"}}, {Name: "WindowsFirewallEnabledRules", Doc: "Command to list the enabled Windows Firewall rules.", Sources: []artifacts.Source{{Parent: 
"WindowsFirewallEnabledRules", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "netsh.exe", Args: []string{"advfirewall", "monitor", "show", "firewall", "rule", "name=all"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsFirewallRules", Doc: "Command to list the configured Windows Firewall rules.", Sources: []artifacts.Source{{Parent: "WindowsFirewallRules", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "netsh.exe", Args: []string{"advfirewall", "firewall", "show", "rule", "name=all"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsGroupPolicyScripts", Doc: "Windows group policy scripts", Sources: []artifacts.Source{{Parent: "WindowsGroupPolicyScripts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\psscripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\scripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\Logoff\\*", "%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\Logon\\*", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\psscripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\scripts.ini", 
"%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\Shutdown\\*", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\Startup\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsHostsFiles", Doc: "The Windows hosts and lmhosts file.", Sources: []artifacts.Source{{Parent: "WindowsHostsFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\Drivers\\etc\\Lmhosts", "%%environ_systemroot%%\\System32\\Drivers\\etc\\hosts"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsHotkeyReplacement", Doc: "Hotkey executable replacement.", Sources: []artifacts.Source{{Parent: "WindowsHotkeyReplacement", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\magnifier.exe", "%%environ_systemroot%%\\System32\\sethc.exe", "%%environ_systemroot%%\\System32\\utilman.exe"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsInstallationDateTime", 
Doc: "Windows installation date and time", Sources: []artifacts.Source{{Parent: "WindowsInstallationDateTime", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "InstallDate"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsLogoffScript", Doc: "Windows policy logoff script", Sources: []artifacts.Source{{Parent: "WindowsLogoffScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logoff"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logoff"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/ff404236.aspx"}}, {Name: "WindowsLogonScript", Doc: "Windows policy logon script", Sources: []artifacts.Source{{Parent: "WindowsLogonScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logon"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logon"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/ff404236.aspx"}}, {Name: "WindowsLSAAuthenticationPackages", Doc: "Authentication Packages can be injected into LSASS.", Sources: []artifacts.Source{{Parent: "WindowsLSAAuthenticationPackages", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", Value: "Authentication Packages"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig", Value: "Authentication Packages"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://technet.microsoft.com/en-us/library/cc963218.aspx"}}, {Name: "WindowsLSANotificationPackages", Doc: "Notification Packages can be injected into LSASS.", Sources: []artifacts.Source{{Parent: "WindowsLSANotificationPackages", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", Value: "Notification Packages"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig", Value: "Notification Packages"}}}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://technet.microsoft.com/en-us/library/cc963221.aspx"}}, {Name: "WindowsLSASecurityPackages", Doc: "Security Packages can be injected into LSASS.", Sources: []artifacts.Source{{Parent: "WindowsLSASecurityPackages", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", Value: "Security Packages"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig", Value: "Security Packages"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/aa379392(v=vs.85).aspx", "https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf"}}, {Name: "WindowsMapNetworkDriveMRU", Doc: "Recently mapped network shares.", Sources: []artifacts.Source{{Parent: "WindowsMapNetworkDriveMRU", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsMetroApplicationCache", Doc: "Windows Metro application cache.", Sources: []artifacts.Source{{Parent: "WindowsMetroApplicationCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\AC\\INetCache"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look"}}, {Name: "WindowsMetroApplicationCookies", Doc: "Windows Metro application cookies.", Sources: []artifacts.Source{{Parent: "WindowsMetroApplicationCookies", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\AC\\INetCookies"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look"}}, {Name: "WindowsMetroApplicationHistory", Doc: "Windows Metro application history.", Sources: []artifacts.Source{{Parent: "WindowsMetroApplicationHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\AC\\INetHistory"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look"}}, {Name: "WindowsMetroUserPinnedFavoriteTiles", Doc: "Windows Metro user-pinned favorite tiles.", Sources: []artifacts.Source{{Parent: "WindowsMetroUserPinnedFavoriteTiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Windows\\RoamingTiles"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look"}}, {Name: "WindowsMostRecentApplication", Doc: "Windows Most Recent Application name key", Sources: []artifacts.Source{{Parent: "WindowsMostRecentApplication", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\*\\MostRecentApplication", Value: "Name"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\*\\MostRecentApplication", Value: "Name"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_ransom.smc7", 
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-092314-3644-99&tabid=2"}}, {Name: "WindowsMSDTCDLLs", Doc: "Windows MSDTC attempts to load these DLLs on start", Sources: []artifacts.Source{{Parent: "WindowsMSDTCDLLs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MSDTC\\MTxOCI\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\MSDTC\\MTxOCI\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/"}}, {Name: "WindowsMultiMediaDrivers", Doc: "Configured drivers for different multimedia filetypes.", Sources: []artifacts.Source{{Parent: "WindowsMultiMediaDrivers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*", "HKEY_USERS\\%%users.sid%%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*", "HKEY_USERS\\%%users.sid%%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", 
"https://support.microsoft.com/en-us/kb/126054", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsNetworkShellHelpers", Doc: "Windows Network Shell (netsh) helpers are loaded on boot", Sources: []artifacts.Source{{Parent: "WindowsNetworkShellHelpers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Netsh", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Netsh"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://support.microsoft.com/en-us/kb/242468"}}, {Name: "WindowsOpenSaveMRU", Doc: "Information about files opened or saved in a Windows shell dialog.", Sources: []artifacts.Source{{Parent: "WindowsOpenSaveMRU", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDIg32\\OpenSaveMRU\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=OpenSaveMRU", "https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru"}}, {Name: "WindowsOpenSavePidlMRU", Doc: "Information about files opened or saved in a Windows shell dialog.", Sources: []artifacts.Source{{Parent: "WindowsOpenSavePidlMRU", Type: "REGISTRY_KEY", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru", "https://forensicswiki.xyz/wiki/index.php?title=OpenSavePidlMRU"}}, {Name: "WindowsPendingFileRenames", Doc: "Windows Pending file renames on reboot", Sources: []artifacts.Source{{Parent: "WindowsPendingFileRenames", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "PendingFileRenameOperations"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc960241.aspx"}}, {Name: "WindowsPendingGPOs", Doc: "Windows Pending GPOs registry settings.\n\nThis is a persistence mechanism known to be used by the Gootkit malware family.\n", Sources: []artifacts.Source{{Parent: "WindowsPendingGPOs", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs", Value: "Path1"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs", Value: "Path1"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.certego.net/en/news/malware-tales-gootkit/"}}, {Name: "WindowsPersistenceMechanisms", Doc: "Persistence mechanisms in Windows.", Sources: []artifacts.Source{{Parent: "WindowsPersistenceMechanisms", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsPersistenceRegistryKeys", "WindowsPowerShellDefaultProfiles", "WindowsServices", "WindowsJobFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPersistenceRegistryKeys", Doc: "Windows Registry keys used for persistence.", Sources: []artifacts.Source{{Parent: "WindowsPersistenceRegistryKeys", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"InternetExplorerBrowserHelperObjects", "WindowsActiveDesktop", "WindowsActiveSyncAutoStart", "WindowsAlternateShell", "WindowsAppCertDLLs", "WindowsAppInitDLLs", "WindowsBootVerificationProgram", "WindowsCommandProcessorAutoRun", "WindowsCredentialProviderFilters", "WindowsCredentialProviders", "WindowsDebugger", "WindowsEnvironmentUserLoginScripts", "WindowsExplorerAutoplayHandlers", "WindowsFileTypeAutorunAssociations", "WindowsFontDrivers", "WindowsIconServiceLib", "WindowsLSAAuthenticationPackages", 
"WindowsLSANotificationPackages", "WindowsLSASecurityPackages", "WindowsMSDTCDLLs", "WindowsMultiMediaDrivers", "WindowsNetworkShellHelpers", "WindowsPendingGPOs", "WindowsPLAPProviders", "WindowsPrintMonitors", "WindowsRunGrpConv", "WindowsRunKeys", "WindowsRunServices", "WindowsScreenSaverExecutable", "WindowsSearchFilterHandlers", "WindowsSecurityProviders", "WindowsServiceControlManagerExtension", "WindowsSessionManagerBootExecute", "WindowsSessionManagerExecute", "WindowsSessionManagerS0InitialCommand", "WindowsSessionManagerSetupExecute", "WindowsSessionManagerSubSystems", "WindowsSessionManagerWOWCommandLine", "WindowsSetupCommandLine", "WindowsSharedTaskScheduler", "WindowsShellExecuteHooks", "WindowsShellExtensions", "WindowsShellIconOverlayIdentifiers", "WindowsShellLoadAndRun", "WindowsShellOpenCommand", "WindowsShellRunasCommand", "WindowsShellServiceObjects", "WindowsStubPaths", "WindowsSystemPolicyShell", "WindowsTerminalServerInitialProgram", "WindowsTerminalServerRunKeys", "WindowsTerminalServerStartupPrograms", "WindowsToolPaths", "WindowsWinlogonAppSetup", "WindowsWinlogonAvailableShells", "WindowsWinlogonGinaDLL", "WindowsWinlogonGPExtensions", "WindowsWinlogonNotify", "WindowsWinlogonShell", "WindowsWinlogonSystem", "WindowsWinlogonTaskman", "WindowsWinlogonUiHost", "WindowsWinlogonUserinit", "WindowsWinlogonVMApplet", "WinSock2LayeredServiceProviders", "WinSock2NamespaceProviders"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPLAPProviders", Doc: "Windows Pre-Logon Access Provider (PLAP) Providers", Sources: []artifacts.Source{{Parent: "WindowsPLAPProviders", Type: "REGISTRY_KEY", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\PLAP Providers\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\PLAP Providers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/bb530584(v=vs.85).aspx"}}, {Name: "WindowsPolicyDisallowRun", Doc: "Restrict users from running specific applications, typically used by malware to block AV.", Sources: []artifacts.Source{{Parent: "WindowsPolicyDisallowRun", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://support.microsoft.com/en-us/kb/323525", "https://blog.malwarebytes.com/detections/pum-optional-disallowrun/"}}, {Name: "WindowsPowerShellDefaultProfiles", Doc: "Default PowerShell Profile files. 
These files are executed by default when PowerShell starts up.", Sources: []artifacts.Source{{Parent: "WindowsPowerShellDefaultProfiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\system32\\WindowsPowerShell\\v1.0\\profile.ps1", "%%environ_systemroot%%\\system32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", "%%users.userprofile%%\\Documents\\WindowsPowerShell\\profile.ps1", "%%users.userprofile%%\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010", "http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/"}}, {Name: "WindowsPowerShellEnableScripts", Doc: "Registry keys that control whether PowerShell scripts can execute directly.", Sources: []artifacts.Source{{Parent: "WindowsPowerShellEnableScripts", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\PowerShell", Value: "EnableScripts"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell", Value: "EnableScripts"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/library/hh847748.aspx", 
"http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/"}}, {Name: "WindowsPowerShellExecutionPolicies", Doc: "PowerShell Script Execution Policies for all users, and the system.", Sources: []artifacts.Source{{Parent: "WindowsPowerShellExecutionPolicies", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\PowerShell", Value: "ExecutionPolicy"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell", Value: "ExecutionPolicy"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/library/hh847748.aspx", "http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/"}}, {Name: "WindowsPowerShellHistory", Doc: "History of commands executed in an interactive PowerShell session.", Sources: []artifacts.Source{{Parent: "WindowsPowerShellHistory", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html", "https://docs.microsoft.com/en-us/powershell/module/psreadline/get-psreadlineoption?view=powershell-7.1"}}, {Name: "WindowsPrefetchFiles", Doc: 
"Windows Prefetch files.", Sources: []artifacts.Source{{Parent: "WindowsPrefetchFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\Prefetch\\*.pf"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Prefetch"}}, {Name: "WindowsPrintMonitors", Doc: "Windows Print Monitor DLL config.", Sources: []artifacts.Source{{Parent: "WindowsPrintMonitors", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\Monitors\\*", Value: "Driver"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://support.microsoft.com/en-us/kb/102966"}}, {Name: "WindowsProductName", Doc: "The Windows product name", Sources: []artifacts.Source{{Parent: "WindowsProductName", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "ProductName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc"}}, {Name: "WindowsProgramsCache", Doc: "Windows Programs Cache", Sources: []artifacts.Source{{Parent: "WindowsProgramsCache", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage", Value: "ProgramsCache"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2", Value: "ProgramsCache"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/Programs%20Cache%20values.asciidoc"}}, {Name: "WindowsProgramsCacheJumpLists", Doc: "Windows Programs Cache Jump Lists", Sources: []artifacts.Source{{Parent: "WindowsProgramsCacheJumpLists", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2", Value: "ProgramsCacheSMP"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2", Value: "ProgramsCacheTBP"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, 
Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html"}}, {Name: "WindowsProxyPACAutoConfigURL", Doc: "Windows Proxy PAC AutoConfigURL.", Sources: []artifacts.Source{{Parent: "WindowsProxyPACAutoConfigURL", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Value: "AutoConfigURL"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/"}}, {Name: "WindowsProxyServerSettings", Doc: "Windows Proxy Server Settings.\n\nMalware can modify these settings to redirect traffic through\na malicious program running on the machine (for instance, by\nspecifying 127.0.0.1 as the IP address of the proxy server to\nuse) or to a malicious host on the local network or internet.\n", Sources: []artifacts.Source{{Parent: "WindowsProxyServerSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Value: "ProxyServer"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Value: "ProxyServer"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Value: "ProxyServer"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Value: "ProxyServer"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NlaSvc\\Parameters\\Internet\\ManualProxies", Value: "ProxyServer"}, {Key: "HKEY_USERS\\%%users.sid%%\\System\\CurrentControlSet\\Services\\NlaSvc\\Parameters\\Internet\\ManualProxies", Value: "ProxyServer"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://blog.malwarebytes.com/detections/pum-optional-proxyhijacker/"}}, {Name: "WindowsRecentFileCacheBCF", Doc: "The RecentFileCache.bcf file.", Sources: []artifacts.Source{{Parent: "WindowsRecentFileCacheBCF", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\AppCompat\\Programs\\RecentFileCache.bcf"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html"}}, {Name: "WindowsRecycleBin", Doc: "Windows Recycle Bin (Recyler, $Recycle.Bin) files.", Sources: []artifacts.Source{{Parent: "WindowsRecycleBin", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\$Recycle.Bin\\**", "\\Recycler\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Recycle_Bin"}}, {Name: "WindowsRecycleBinMetadata", Doc: "Windows Recycle Bin (Recyler, $Recycle.Bin) metadata files only.", Sources: []artifacts.Source{{Parent: "WindowsRecycleBinMetadata", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\$Recycle.Bin\\*\\$I*", "\\Recycler\\*\\INFO2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Recycle_Bin"}}, {Name: "WindowsRegistryCurrentControlSet", Doc: "The current control set of the Windows Registry.", Sources: []artifacts.Source{{Parent: "WindowsRegistryCurrentControlSet", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\Select", Value: "Current"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "current_control_set", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc"}}, {Name: "WindowsRegistryFilesAndTransactionLogs", Doc: "Windows user and system Registry files and transaction logs.", Sources: []artifacts.Source{{Parent: "WindowsRegistryFilesAndTransactionLogs", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: 
[]string{"WindowsSystemRegistryFiles", "WindowsSystemRegistryTransactionLogFiles", "WindowsUserRegistryFiles", "WindowsUserRegistryTransactionLogFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsRegistryProfileSIDs", Doc: "Get SIDs for all users on the system with profiles present in the Registry.", Sources: []artifacts.Source{{Parent: "WindowsRegistryProfileSIDs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.sid", Regex: "ProfileList\\\\(.+)$", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx"}}, {Name: "WindowsRegistryProfiles", Doc: "Get SIDs for all users on the system with profiles present in the Registry.\n\nThis looks in the Windows Registry where the profiles are stored and retrieves\nthe paths for each profile.\n", Sources: []artifacts.Source{{Parent: "WindowsRegistryProfiles", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\*", Value: "ProfileImagePath"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.userprofile", Regex: "", WMIKey: ""}, {Key: "users.homedir", Regex: "", WMIKey: ""}, {Key: "users.username", Regex: ".*\\\\(.+)", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx"}}, {Name: "WindowsReleaseIdentifier", Doc: "The Windows 10 release identifier (or version number).\n\nThis Windows Registry value contains the semi-annual Windows 10 version number.\n", Sources: []artifacts.Source{{Parent: "WindowsReleaseIdentifier", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "ReleaseID"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoft.com/en-us/itpro/windows-10/release-information"}}, {Name: "WindowsRoverAutostartDLL", Doc: "Windows Rover autostart DLL.\n\nThe DLL loaded via the Windows Rover autostart mechanism.\nIf this file exists, and the Rover autostart Registry key is set,\nuserinit.exe will load this file and call its RunMonitor export.\n", Sources: []artifacts.Source{{Parent: "WindowsRoverAutostartDLL", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\rover.dll"}, Separator: "\\", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/"}}, {Name: "WindowsRoverAutostartKey", Doc: "Windows Rover autostart Registry key.\n\nWhen set userinit.exe will load the DLL at %SystemRoot%\\System32\\rover.dll and call its RunMonitor export.\n", Sources: []artifacts.Source{{Parent: "WindowsRoverAutostartKey", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_CLASSES_ROOT\\CLSID\\{16d12736-7a9e-4765-bec6-f301d679caaa}"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/"}}, {Name: "WindowsRunGrpConv", Doc: "The Windows RunGrpConv Registry value.\n\nWhen this Registry value is non-zero userinit.exe will launch grpconv.exe at user login.\n", Sources: []artifacts.Source{{Parent: "WindowsRunGrpConv", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "RunGrpConv"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/", "http://www.exploit-id.com/local-exploits/windows-xp-sp2-grpconv-exe"}}, {Name: "WindowsRunKeys", Doc: "Windows Run and RunOnce keys.\n\nNote users.sid will currently only expand to SIDs with profiles\non the system, not all SIDs.\n", Sources: []artifacts.Source{{Parent: "WindowsRunKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/aa376977%28v=vs.85%29.aspx", "https://support.microsoft.com/en-us/kb/137367", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://technet.microsoft.com/en-us/magazine/ee851671.aspx"}}, {Name: "WindowsRunServices", Doc: "Windows Run Services.", Sources: []artifacts.Source{{Parent: "WindowsRunServices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://support.microsoft.com/en-us/kb/179365", "https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html"}}, {Name: "WindowsScheduledTasks", Doc: "Windows Scheduled Tasks.", Sources: []artifacts.Source{{Parent: "WindowsScheduledTasks", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\Tasks\\**10", "%%environ_systemroot%%\\System32\\Tasks\\**10", "%%environ_systemroot%%\\SysWow64\\Tasks\\**10"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Scheduled_Tasks"}}, {Name: "WindowsScreenSaverExecutable", Doc: "ScreenSaver Executable", Sources: []artifacts.Source{{Parent: "WindowsScreenSaverExecutable", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop", Value: "scrnsave.exe"}, {Key: "HKEY_USERS\\%%users.sid%%\\Control Panel\\Desktop", Value: "scrnsave.exe"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://technet.microsoft.com/en-us/library/cc737855(v=ws.10).aspx", "https://technet.microsoft.com/en-us/library/cc957840.aspx"}}, {Name: "WindowsSearchDatabase", Doc: "Windows Search database (Windows.edb).", Sources: []artifacts.Source{{Parent: "WindowsSearchDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows_Desktop_Search"}}, {Name: "WindowsSecurityProviders", Doc: "Security Providers DLLs", Sources: []artifacts.Source{{Parent: "WindowsSecurityProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://github.com/wmark/security-configuration/blob/master/Windows/disable-weak-ciphers-and-enable-TLS1.x.reg"}}, {Name: 
"WindowsServiceControlManagerExtension", Doc: "Windows service control manager extension", Sources: []artifacts.Source{{Parent: "WindowsServiceControlManagerExtension", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control", Value: "ServiceControlManagerExtension"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://forum.sysinternals.com/autoruns-and-windows-7_topic19770.html", "https://support.microsoft.com/en-us/kb/102985", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://www.silentrunners.org/Silent%20Runners.vbs"}}, {Name: "WindowsServices", Doc: "Windows services from the Registry.\n\nMalware can add new services to gain persistence, or modify\nexisting ones to avoid detection. 
For example, the ZeroAccess\nrootkit will make the following changes to the WSCSVC (Windows\nSecurity Service Center), WINDEFEND (Windows Defender),\nand MPSSVC (Windows Firewall) services, among others\n\n* Set 'Start' to 4, indicating that the service should be disabled\n* Set 'DeleteFlag' to 1, indicating that the service should be removed\n* Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be\n started by the Service Controller and no error messages generated\n", Sources: []artifacts.Source{{Parent: "WindowsServices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\*\\Parameters"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://support.microsoft.com/kb/103000", "https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc"}}, {Name: "WindowsActionCenterSettings", Doc: "Windows Action Center Settings\n\nMalware can modify these keys to disable notifications that occur\nwhen various security features are disabled. 
One malware family\nknown to modify these keys is Kovter, a well-known trojan.\n", Sources: []artifacts.Source{{Parent: "WindowsActionCenterSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*", Value: "CheckSetting"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*", Value: "CheckSetting"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.SystemToast.SecurityAndMaintenance", Value: "Enabled"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.SystemToast.SecurityAndMaintenance", Value: "Enabled"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://winaero.com/blog/registry-tweak-to-disable-action-center-notifications-in-windows-7/", "https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html", "https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/"}}, {Name: "WindowsBootConfigurationSettings", Doc: "Windows Boot Configuration Settings.\n\nThese Windows Registry values are associated with the Windows Boot\nConfiguration Settings. 
Malware, like Cerber (ransomware), is known to\nchange the Windows Boot Configuration Settings and disable recovery options\nlike the ability to boot into safe mode.\n\n'bcdedit.exe' can be used to modify the Windows Boot Configuration Settings.\nThe mappings of registry key to associated bcdedit commands is as\nfollows:\n* 16000009: 'bcdedit.exe /set {default} recoveryenabled '\n * 00 gets stored for 'no', 01 gets stored for 'yes'\n* 250000e0: 'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'\n * 01 00 00 00 00 00 00 00 gets stored. Otherwise, the key is not present\n\nThe wildcard component of the Windows Registry key is the identifier\nassociated with the Windows Boot Loader instance on a given machine. This\nidentifier can be determined by running 'bcdedit.exe /v' and looking at the\n'identifier' under the Windows Boot Loader section (on Windows 7 and\nWindows 10, '{default}' [used by Cerber] points to this instance).\n", Sources: []artifacts.Source{{Parent: "WindowsBootConfigurationSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\*\\Elements\\16000009", Value: "Element"}, {Key: "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\*\\Elements\\250000e0", Value: "Element"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi", "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"}}, {Name: "WindowsDisallowedSystemCertificates", Doc: "Windows Disallowed System Certificates\n\nMalware can add code-signing 
certificates associated with\nantivirus programs to the disallowed list to prevent the\nAV programs from running.\n", Sources: []artifacts.Source{{Parent: "WindowsDisallowedSystemCertificates", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://blog.malwarebytes.com/detections/pum-optional-misplacedcertificate/"}}, {Name: "WindowsExplorerSettings", Doc: "Windows Explorer Settings\n\nMalware can modify these keys to make it more difficult for the\nuser to detect and remove malicious software.\n", Sources: []artifacts.Source{{Parent: "WindowsExplorerSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "Hidden"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "Hidden"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 
Value: "Hidden"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "Hidden"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "HideFileExt"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "HideFileExt"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "HideFileExt"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "HideFileExt"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowSuperHidden"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowSuperHidden"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowSuperHidden"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowSuperHidden"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "HideSCAHealth"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "HideSCAHealth"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "HideSCAHealth"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "HideSCAHealth"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoControlPanel"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoControlPanel"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoControlPanel"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoControlPanel"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoFolderOptions"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoFolderOptions"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoFolderOptions"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoFolderOptions"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoRun"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoRun"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoRun"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoRun"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoViewContextMenu"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoViewContextMenu"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoViewContextMenu"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "NoViewContextMenu"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowControlPanel"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowControlPanel"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowControlPanel"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", Value: "ShowControlPanel"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "TaskbarNoNotification"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "TaskbarNoNotification"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "TaskbarNoNotification"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", Value: "TaskbarNoNotification"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_mandrom.e", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_deleter.ah", "https://blog.malwarebytes.com/detections/pum-optional-disabledrightclick/", "https://blog.malwarebytes.com/detections/pum-optional-disableshowcontrolpanel/"}}, {Name: "WindowsSystemSettings", Doc: "Windows System Settings\n\nMalware can modify these keys to make it more difficult for the\nuser to detect and remove malicious software.\n", Sources: []artifacts.Source{{Parent: "WindowsSystemSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", 
BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableCAD"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableCAD"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableCAD"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableCAD"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableRegistryTools"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableRegistryTools"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableRegistryTools"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableRegistryTools"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableTaskMgr"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableTaskMgr"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableTaskMgr"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "DisableTaskMgr"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "NoDispCPL"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "NoDispCPL"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "NoDispCPL"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "NoDispCPL"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System", Value: "DisableCMD"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\System", Value: "DisableCMD"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows\\System", Value: "DisableCMD"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows\\System", Value: "DisableCMD"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html", "https://www.thewindowsclub.com/enable-disable-command-prompt-windows", "https://blog.malwarebytes.com/detections/pum-optional-disableregistrytools/", "https://blog.malwarebytes.com/detections/pum-optional-disabletaskmgr/", "https://www.stigviewer.com/stig/windows_7/2014-04-02/finding/V-1154", "https://blog.malwarebytes.com/detections/pum-optional-nodispcpl/", "https://blog.malwarebytes.com/detections/pum-optional-disablecmdprompt/"}}, {Name: "WindowsFirewallAuthorizedApplications", Doc: "Windows Firewall Authorized Applications\n\nMalware can add paths to this list to more easily communicate\nover the network on an infected machine. 
For instance, Emotet\nmodifies some these settings after gaining execution.\n", Sources: []artifacts.Source{{Parent: "WindowsFirewallAuthorizedApplications", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\AuthorizedApplications\\List\\*", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\AuthorizedApplications\\List\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\AuthorizedApplications\\List\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://threatvector.cylance.com/en_us/home/threat-spotlight-eyepyramid-malware.html", "https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html"}}, {Name: "WindowsFirewallGloballyOpenPorts", Doc: "Windows Firewall Globally Open Ports\n\nMalware can add to the list of open ports to avoid\nhaving to create Windows Firewall exceptions tied\nto specific applications.\n", Sources: []artifacts.Source{{Parent: "WindowsFirewallGloballyOpenPorts", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string{"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\GloballyOpenPorts\\List\\*", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\GloballyOpenPorts\\List\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\GloballyOpenPorts\\List\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\GloballyOpenPorts\\List\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://qaforce.wordpress.com/2009/10/06/windows-firewall-registry-keys/", "https://github.com/steeve85/Malwares/wiki/Registry"}}, {Name: "WindowsFirewallPolicySettings", Doc: "Windows Firewall Policy Settings\n\nMalware can modify these settings to more easily communicate\nover the network on an infected machine. 
For instance, Emotet\nmodifies some these settings after gaining execution.\n", Sources: []artifacts.Source{{Parent: "WindowsFirewallPolicySettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile", Value: "EnableFirewall"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile", Value: "DisableNotifications"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile", Value: "DoNotAllowExceptions"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile", Value: "DefaultInboundAction"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile", Value: "DefaultOutboundAction"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile", Value: "EnableFirewall"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile", Value: "DisableNotifications"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile", Value: "DoNotAllowExceptions"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile", Value: "DefaultInboundAction"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile", Value: "DefaultOutboundAction"}, {Key: 
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", Value: "EnableFirewall"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", Value: "DisableNotifications"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", Value: "DoNotAllowExceptions"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", Value: "DefaultInboundAction"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", Value: "DefaultOutboundAction"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-enablefirewall", "https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-disablenotifications", "https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html"}}, {Name: "WindowsSecurityCenterSettings", Doc: "Windows Security Center Settings\n\nMalware can modify these settings to avoid detection on\nan infected machine. 
For instance, Emotet modifies some of\nthese settings after gaining execution.\n", Sources: []artifacts.Source{{Parent: "WindowsSecurityCenterSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "AntiSpyWareDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "AntiSpyWareDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "AntiVirusDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "AntiVirusDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "AntiVirusOverride"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "AntiVirusOverride"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "AutoUpdateDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "AutoUpdateDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "FirewallDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "FirewallDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "FirewallOverride"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "FirewallOverride"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "UpdatesDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "UpdatesDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "UpdatesOverride"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "UpdatesOverride"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center", Value: "UacDisableNotify"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Security Center", Value: "UacDisableNotify"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html", "https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking", "https://ccm.net/faq/1446-disabling-security-alerts-under-vista"}}, {Name: "WindowsSystemRestoreSettings", Doc: "Windows System Restore Settings\n\nSome malware, especially ransomware, will disable system restore\nto make system recovery more difficult.\n", Sources: []artifacts.Source{{Parent: "WindowsSystemRestoreSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore", Value: "DisableConfig"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", Value: "DisableConfig"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows NT\\SystemRestore", Value: "DisableConfig"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", Value: "DisableConfig"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore", Value: "DisableSR"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", Value: "DisableSR"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows NT\\SystemRestore", Value: "DisableSR"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", Value: "DisableSR"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer", Value: "LimitSystemRestoreCheckpointing"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows\\Installer", Value: "LimitSystemRestoreCheckpointing"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html", "https://www.windows-commandline.com/enable-disable-system-restore-service/", "https://docs.microsoft.com/en-us/windows/desktop/msi/limitsystemrestorecheckpointing"}}, {Name: "WindowsUserAccountControlSettings", Doc: "Windows User Account Control Settings\n\nMalware sometimes disables UAC to make it easier to perform\nactions on an infected machine.\n", Sources: []artifacts.Source{{Parent: "WindowsUserAccountControlSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "EnableLUA"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "EnableLUA"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "ConsentPromptBehaviorAdmin"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "ConsentPromptBehaviorAdmin"}}}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec", "https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4"}}, {Name: "WindowsUpgradeSettings", Doc: "Windows Upgrade Settings\n\nMalware sometimes disables a machine ability to upgrade from\nprevious versions of Windows to Windows 10. One malware family\nknown to modify these keys is Kovter, a well-known trojan.\n", Sources: []artifacts.Source{{Parent: "WindowsUpgradeSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate", Value: "DisableOSUpgrade"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows\\WindowsUpdate", Value: "DisableOSUpgrade"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\OSUpgrade", Value: "ReservationsAllowed"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows\\WindowsUpdate\\OSUpgrade", Value: "ReservationsAllowed"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://www.ghacks.net/2016/01/08/disableosupgrade-prevents-the-upgrade-to-windows-10/", "https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html"}}, {Name: "WindowsUpdateSettings", Doc: "Windows 
Update Settings", Sources: []artifacts.Source{{Parent: "WindowsUpdateSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", Value: "NoAutoUpdate"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", Value: "NoAutoUpdate"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings", "https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html"}}, {Name: "WindowsFontDrivers", Doc: "Windows font drivers from the Registry.", Sources: []artifacts.Source{{Parent: "WindowsFontDrivers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Font Drivers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsSessionManagerBootExecute", Doc: "Windows Session Manager BootExecute persistence.", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerBootExecute", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "BootExecute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc963230.aspx"}}, {Name: "WindowsSessionManagerExecute", Doc: "Windows Session Manager Execute persistence\n\nThis entry shouldn't be populated after Windows has been installed\n", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerExecute", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "Execute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc976130.aspx", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsSessionManagerS0InitialCommand", Doc: "Windows Session Manager S0InitialCommand persistence\n\nThis entry shouldn't be populated after Windows has been installed\n", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerS0InitialCommand", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: 
"S0InitialCommand"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsSessionManagerSetupExecute", Doc: "Windows Session Manager SetupExecute persistence\n\nThis entry shouldn't be populated after Windows has been installed\n", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerSetupExecute", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "SetupExecute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsSessionManagerSubSystems", Doc: "Windows Session Manager SubSystems persistence", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerSubSystems", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SubSystems", Value: "Windows"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc976130.aspx", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610"}}, {Name: "WindowsSessionManagerWOWCommandLine", Doc: "Windows Session Manager Windows-on-Windows (WOW) command line", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerWOWCommandLine", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\WOW", Value: "cmdline"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\WOW", Value: "wowcmdline"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://support.microsoft.com/en-us/kb/102986"}}, {Name: "WindowsSetupCommandLine", Doc: "Command line invocation used for custom setup and deployment tasks", Sources: []artifacts.Source{{Parent: "WindowsSetupCommandLine", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\Setup", Value: "CmdLine"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsSharedTaskScheduler", Doc: "Runs on windows boot.", 
Sources: []artifacts.Source{{Parent: "WindowsSharedTaskScheduler", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/"}}, {Name: "WindowsShellExecuteHooks", Doc: "Shell execution hooks are called when ShellExecuteEx() is called.", Sources: []artifacts.Source{{Parent: "WindowsShellExecuteHooks", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://regenerus.com/malware-common-loadpoints/", "https://code.google.com/p/regripper/wiki/ASEPs"}}, {Name: "WindowsShellExtensions", Doc: "Approved extensions to the Windows Shell (explorer.exe).", Sources: 
[]artifacts.Source{{Parent: "WindowsShellExtensions", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110(v=vs.85).aspx"}}, {Name: "WindowsShellHandlersRegistryKeys", Doc: "Windows registry values for shell handler artifacts.\n\nContextMenuHandlers are added to right-click menus.\nCopyHookHandlers, DragDropHandlers, and ColumnHandlers are similar contextual\nsettings to trigger on these actions.\n", Sources: []artifacts.Source{{Parent: "WindowsShellHandlersRegistryKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\ShellEx\\ColumnHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\ShellEx\\ContextMenuHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\ShellEx\\CopyHookHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\ShellEx\\DragDropHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\ShellEx\\PropertySheetHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers\\*", 
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\CopyHookHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\DragDropHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\PropertySheetHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\ColumnHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\ContextMenuHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\CopyHookHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\DragDropHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\PropertySheetHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\ContextMenuHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\CopyHookHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\DragDropHandlers\\*", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\PropertySheetHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\ShellEx\\ColumnHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\ShellEx\\ContextMenuHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\ShellEx\\CopyHookHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\ShellEx\\DragDropHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\ShellEx\\PropertySheetHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Directory\\Background\\ShellEx\\CopyHookHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Directory\\Background\\ShellEx\\DragDropHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Directory\\Background\\ShellEx\\PropertySheetHandlers\\*", 
"HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\ColumnHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\ContextMenuHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\CopyHookHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\DragDropHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\ShellEx\\PropertySheetHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\ContextMenuHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\CopyHookHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\DragDropHandlers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\Directory\\Background\\ShellEx\\PropertySheetHandlers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://www.codeguru.com/cpp/com-tech/shell/article.php/c4515/Logging-the-Shell-Activity.htm", "http://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/troj_qoolaid.r"}}, {Name: "WindowsShellIconOverlayIdentifiers", Doc: "Called to display custom icons.", Sources: []artifacts.Source{{Parent: "WindowsShellIconOverlayIdentifiers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*", 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://msdn.microsoft.com/en-us/library/windows/desktop/hh127455(v=vs.85).aspx"}}, {Name: "WindowsShellLoadAndRun", Doc: "Windows Shell Load and Run values", Sources: []artifacts.Source{{Parent: "WindowsShellLoadAndRun", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Load"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Run"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Load"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Run"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://support.microsoft.com/en-us/kb/103865"}}, {Name: "WindowsIconServiceLib", Doc: "Windows Icon Service Library Name\n\nThe value 
should default to 'IconCodecService.dll'\n", Sources: []artifacts.Source{{Parent: "WindowsIconServiceLib", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "IconServiceLib"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsShellOpenCommand", Doc: "Executed every time this file type is opened. For most file types, the value should be '\"%1\" %*'.", Sources: []artifacts.Source{{Parent: "WindowsShellOpenCommand", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\open\\command", Value: "IsolatedCommand"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\open\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: 
"IsolatedCommand"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2", "https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/"}}, {Name: "WindowsShellRunasCommand", Doc: "Executed every time an executable or script file type is run as administrator.\n\nFor most file types, the value should be '\"%1\" %*' or something similar.\nExample file type subkeys include 'exefile', 'batfile', and 'cmdfile'. These\nkeys can be modified by malware as a way to be periodically executed or to\nbypass UAC.\n", Sources: []artifacts.Source{{Parent: "WindowsShellRunasCommand", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\runas\\command", Value: "IsolatedCommand"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\runas\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: "IsolatedCommand"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2", "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/"}}, {Name: "WindowsShellServiceObjects", Doc: "Windows Shell (explorer.exe) service objects delayed load.", Sources: []artifacts.Source{{Parent: "WindowsShellServiceObjects", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2"}}, {Name: "WindowsSetupApiLogs", Doc: "Windows setup API logs.", Sources: []artifacts.Source{{Parent: "WindowsSetupApiLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\setupapi.log", "%%environ_systemroot%%\\inf\\setupapi.app.log", "%%environ_systemroot%%\\inf\\setupapi.dev.log", "%%environ_systemroot%%\\inf\\setupapi.offline.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Setup_API_Logs"}}, {Name: "WindowsShutdownScript", Doc: "Windows policy shutdown script", Sources: []artifacts.Source{{Parent: "WindowsShutdownScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Shutdown"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown\\*\\*", Value: "Script"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown\\*\\*", Value: "Parameters"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Shutdown\\*\\*", Value: "Script"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Shutdown\\*\\*", Value: "Parameters"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/ff404236.aspx", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsStartupFolderModification", Doc: "Windows startup folder Registry values.", Sources: []artifacts.Source{{Parent: "WindowsStartupFolderModification", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Common Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Common Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Common Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Common Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Common Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Common Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Common Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", Value: "Common Startup"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", 
Value: "Startup"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}, {Parent: "WindowsStartupFolderModification", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Startup"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.startup", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStartupFolders", Doc: "Windows startup folder persistence.", Sources: []artifacts.Source{{Parent: "WindowsStartupFolders", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "%%environ_allusersappdata%%\\Start Menu\\Programs\\Startup\\*", "%%users.appdata%%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "%%users.userprofile%%\\Start Menu\\Programs\\Startup\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStartupScript", Doc: "Windows policy startup script", Sources: []artifacts.Source{{Parent: "WindowsStartupScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\*\\*", Value: "Script"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\*\\*", Value: "Parameters"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Startup\\*\\*", Value: "Script"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Startup\\*\\*", Value: "Parameters"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/ff404236.aspx", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsStubPaths", Doc: "Windows StubPath persistence.\n\nEach time a user logs in, the Active Setup Installed Components in HKLM\nare compared ot the ones in HKCU, and if any are missing, or if the\nassociated version is less, the program is executed.\n", Sources: []artifacts.Source{{Parent: "WindowsStubPaths", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2", "http://bonemanblog.blogspot.com/2004/12/active-setup-registry-keys-and-their.html"}}, {Name: "WindowsSuperFetchFiles", Doc: "Windows SuperFetch files.", Sources: []artifacts.Source{{Parent: "WindowsSuperFetchFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\Prefetch\\Ag*.db", "%%environ_systemroot%%\\Prefetch\\Ag*.db.trx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=SuperFetch"}}, {Name: "WindowsSystemIniFiles", Doc: "Windows system ini files", Sources: []artifacts.Source{{Parent: "WindowsSystemIniFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\system.ini", 
"%%environ_systemroot%%\\win.ini", "%%environ_systemroot%%\\wininit.ini"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSystemPolicyShell", Doc: "Windows System policy replacement shell (custom user interface).", Sources: []artifacts.Source{{Parent: "WindowsSystemPolicyShell", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "Shell"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "Shell"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx"}}, {Name: "WindowsSystemRegistryFilesBackup", Doc: "Backup of Windows system Registry files.", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryFilesBackup", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config\\RegBack\\SAM", "%%environ_systemroot%%\\System32\\config\\RegBack\\SECURITY", "%%environ_systemroot%%\\System32\\config\\RegBack\\SOFTWARE", "%%environ_systemroot%%\\System32\\config\\RegBack\\SYSTEM"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsSystemRegistryTransactionLogFilesBackup", Doc: "Backup of Windows system Registry transaction log files.\n\nThese files have been observed to be typically 0 byte in size.\n", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryTransactionLogFilesBackup", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config\\RegBack\\SAM.LOG", "%%environ_systemroot%%\\System32\\config\\RegBack\\SAM.LOG1", "%%environ_systemroot%%\\System32\\config\\RegBack\\SAM.LOG2", "%%environ_systemroot%%\\System32\\config\\RegBack\\SECURITY.LOG", "%%environ_systemroot%%\\System32\\config\\RegBack\\SECURITY.LOG1", "%%environ_systemroot%%\\System32\\config\\RegBack\\SECURITY.LOG2", "%%environ_systemroot%%\\System32\\config\\RegBack\\SOFTWARE.LOG", "%%environ_systemroot%%\\System32\\config\\RegBack\\SOFTWARE.LOG1", "%%environ_systemroot%%\\System32\\config\\RegBack\\SOFTWARE.LOG2", "%%environ_systemroot%%\\System32\\config\\RegBack\\SYSTEM.LOG", "%%environ_systemroot%%\\System32\\config\\RegBack\\SYSTEM.LOG1", "%%environ_systemroot%%\\System32\\config\\RegBack\\SYSTEM.LOG2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: 
"WindowsSystemRegistryFilesAndTransactionLogsBackup", Doc: "Backup of Windows system Registry files and transaction logs.", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryFilesAndTransactionLogsBackup", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsSystemRegistryFilesBackup", "WindowsSystemRegistryTransactionLogFilesBackup"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsSystemRegistryFiles", Doc: "Windows system Registry files.", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\System Volume Information\\Syscache.hve", "%%environ_systemroot%%\\System32\\config\\SAM", "%%environ_systemroot%%\\System32\\config\\SECURITY", "%%environ_systemroot%%\\System32\\config\\SOFTWARE", "%%environ_systemroot%%\\System32\\config\\SYSTEM"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsSystemRegistryTransactionLogFiles", Doc: "Windows system Registry transaction log files.", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryTransactionLogFiles", 
Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config\\SAM.LOG", "%%environ_systemroot%%\\System32\\config\\SAM.LOG1", "%%environ_systemroot%%\\System32\\config\\SAM.LOG2", "%%environ_systemroot%%\\System32\\config\\SECURITY.LOG", "%%environ_systemroot%%\\System32\\config\\SECURITY.LOG1", "%%environ_systemroot%%\\System32\\config\\SECURITY.LOG2", "%%environ_systemroot%%\\System32\\config\\SOFTWARE.LOG", "%%environ_systemroot%%\\System32\\config\\SOFTWARE.LOG1", "%%environ_systemroot%%\\System32\\config\\SOFTWARE.LOG2", "%%environ_systemroot%%\\System32\\config\\SYSTEM.LOG", "%%environ_systemroot%%\\System32\\config\\SYSTEM.LOG1", "%%environ_systemroot%%\\System32\\config\\SYSTEM.LOG2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsSystemRegistryFilesAndTransactionLogs", Doc: "Windows system Registry files and transaction logs.", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryFilesAndTransactionLogs", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsSystemRegistryFiles", "WindowsSystemRegistryTransactionLogFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: 
[]string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsSystemResourceUsageMonitorDatabaseFile", Doc: "Windows System Resource Usage Monitor (SRUM) database file.", Sources: []artifacts.Source{{Parent: "WindowsSystemResourceUsageMonitorDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\sru\\SRUDB.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc"}}, {Name: "WindowsTempDirectories", Doc: "Contents of the Windows temporary directories", Sources: []artifacts.Source{{Parent: "WindowsTempDirectories", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\Temp\\*", "%%environ_systemroot%%\\Temp\\*", "%%users.localappdata%%\\Temp\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTerminalServerRunKeys", Doc: "Windows Terminal Server Run keys", Sources: []artifacts.Source{{Parent: "WindowsTerminalServerRunKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, 
Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610"}}, {Name: "WindowsTerminalServerStartupPrograms", Doc: "Windows Terminal Server Startup Programs", Sources: []artifacts.Source{{Parent: "WindowsTerminalServerStartupPrograms", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd", Value: "StartupPrograms"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://forum.sysinternals.com/rdpclip_topic4729.html"}}, {Name: "WindowsTerminalServerInitialProgram", Doc: "Windows Terminal Server Initial Program", Sources: []artifacts.Source{{Parent: "WindowsTerminalServerInitialProgram", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp", Value: "InitialProgram"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsActiveSyncAutoStart", Doc: "Windows ActiveSync AutoStart entries", Sources: []artifacts.Source{{Parent: "WindowsActiveSyncAutoStart", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsTimezone", Doc: "The time zone of the system as a Windows time zone name or in MUI form.", Sources: []artifacts.Source{{Parent: "WindowsTimezone", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\TimeZoneInformation", Value: "StandardName"}, 
{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\TimeZoneInformation", Value: "TimeZoneKeyName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Time-zones.html"}}, {Name: "WindowsToolPaths", Doc: "Paths to windows tools such as defrag, chkdsk.", Sources: []artifacts.Source{{Parent: "WindowsToolPaths", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\BackupPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\ChkDskPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\cleanuppath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\DefragPath"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://www.liutilities.com/products/registrybooster/tweaklibrary/tweaks/11118/"}}, {Name: "WindowsUninstallKeys", Doc: "Uninstall Registry keys", Sources: []artifacts.Source{{Parent: "WindowsUninstallKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*", 
"HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx"}}, {Name: "WindowsUpdateBuildRevision", Doc: "Windows kernel update build revision (UBR).\n\nThis Windows Registry value contains the monthly rollup patch version.\n", Sources: []artifacts.Source{{Parent: "WindowsUpdateBuildRevision", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "UBR"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://social.technet.microsoft.com/Forums/en-US/cadee4de-24d0-403e-9f3e-75868abf8f34"}}, {Name: "WindowsUpdateStatus", Doc: "Windows auto update status.", Sources: []artifacts.Source{{Parent: "WindowsUpdateStatus", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\Results\\Detect", Value: "LastError"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\Results\\Detect", Value: "LastSuccessTime"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\Results\\Download", Value: "LastError"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\Results\\Download", Value: "LastSuccessTime"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\Results\\Install", Value: "LastError"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\Results\\Install", Value: "LastSuccessTime"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows_Update", "http://blogs.msdn.com/b/aruns_blog/archive/2011/06/20/active-setup-registry-key-what-it-is-and-how-to-create-in-the-package-using-admin-studio-install-shield.aspx"}}, {Name: "WindowsUserAutomaticDestinationsJumpLists", Doc: "Windows user AutomaticDestinations Jump Lists.", Sources: []artifacts.Source{{Parent: "WindowsUserAutomaticDestinationsJumpLists", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*.automaticDestinations-ms"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html"}}, {Name: 
"WindowsUserCustomDestinationsJumpLists", Doc: "Windows user CustomDestinations Jump Lists.", Sources: []artifacts.Source{{Parent: "WindowsUserCustomDestinationsJumpLists", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\Recent\\CustomDestinations\\*.customDestinations-ms"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html"}}, {Name: "WindowsUserDownloadsDirectory", Doc: "User downloads directory", Sources: []artifacts.Source{{Parent: "WindowsUserDownloadsDirectory", Type: "DIRECTORY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.userprofile%%\\Downloads\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUserJumpLists", Doc: "Windows user Jump Lists.", Sources: []artifacts.Source{{Parent: "WindowsUserJumpLists", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsProgramsCacheJumpLists", "WindowsUserAutomaticDestinationsJumpLists", "WindowsUserCustomDestinationsJumpLists"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html"}}, {Name: "WindowsUserRecentFiles", Doc: "Windows user specific recent files.", Sources: []artifacts.Source{{Parent: "WindowsUserRecentFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Office\\Recent\\*", "%%users.appdata%%\\Microsoft\\Windows\\Recent\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUserRegistryFiles", Doc: "Windows user specific Registry files.", Sources: []artifacts.Source{{Parent: "WindowsUserRegistryFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.userprofile%%\\NTUSER.DAT", "%%users.userprofile%%\\NTUSER.MAN", "%%users.localappdata%%\\Microsoft\\Windows\\UsrClass.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsUserRegistryTransactionLogFiles", Doc: "Windows user Registry transaction log files.", Sources: []artifacts.Source{{Parent: "WindowsUserRegistryTransactionLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string{"%%users.userprofile%%\\NTUSER.DAT.LOG", "%%users.userprofile%%\\NTUSER.DAT.LOG1", "%%users.userprofile%%\\NTUSER.DAT.LOG2", "%%users.localappdata%%\\Microsoft\\Windows\\UsrClass.dat.LOG", "%%users.localappdata%%\\Microsoft\\Windows\\UsrClass.dat.LOG1", "%%users.localappdata%%\\Microsoft\\Windows\\UsrClass.dat.LOG2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsUserRegistryFilesAndTransactionLogs", Doc: "Windows user Registry files and transaction logs.", Sources: []artifacts.Source{{Parent: "WindowsUserRegistryFilesAndTransactionLogs", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsUserRegistryFiles", "WindowsUserRegistryTransactionLogFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html"}}, {Name: "WindowsUserShellFoldersOfInterest", Doc: "The Shell Folders information for Windows users, defined as single values for knowledge base extraction", Sources: []artifacts.Source{{Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "AppData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.appdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Cookies"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.cookies", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Personal"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.documents", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Desktop"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.desktop", Regex: "", WMIKey: ""}}}, {Parent: 
"WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Cache"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.internet_cache", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Local AppData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.localappdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "{A520A1A4-1780-4FF6-BD18-167343C5AF16}"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.localappdata_low", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Recent"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.recent", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "TEMP"}, {Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "TMP"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.temp", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUserShellFolders", Doc: "The Shell Folders information for Windows users.", Sources: []artifacts.Source{{Parent: "WindowsUserShellFolders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", "HKEY_USERS\\%%users.sid%%\\Environment", "HKEY_USERS\\%%users.sid%%\\Volatile Environment"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonGinaDLL", Doc: "Windows Gina DLL replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonGinaDLL", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "GinaDLL"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "GinaDLL"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc939701.aspx"}}, {Name: "WindowsWinlogonNotify", Doc: "Windows Winlogon Notify DLL names.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonNotify", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\*", Value: "DLLName"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\*", Value: "DLLName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/aa379402(v=vs.85).aspx"}}, {Name: "WindowsWinlogonShell", Doc: "Windows shell replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonShell", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Shell"}, {Key: 
"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Shell"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx"}}, {Name: "WindowsWinlogonSystem", Doc: "Applications launched by Winlogon in the system context during the system initialisation.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonSystem", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "System"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "System"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://code.google.com/p/regripper/wiki/ASEPs", "http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://regenerus.com/malware-common-loadpoints/"}}, {Name: "WindowsWinlogonTaskman", Doc: "Windows Winlogon Taskman replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonTaskman", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Taskman"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Winlogon", Value: "Taskman"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc939701.aspx"}}, {Name: "WindowsWinlogonUiHost", Doc: "Windows Winlogon UI screen application", Sources: []artifacts.Source{{Parent: "WindowsWinlogonUiHost", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "UiHost"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "UiHost"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", "http://www.bleepingcomputer.com/forums/t/14028/change-the-loginwelcome-screen/"}}, {Name: "WindowsWinlogonUserinit", Doc: "Windows Winlogon Userinit replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonUserinit", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Userinit"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Userinit"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc939862.aspx"}}, {Name: "WindowsWinlogonAvailableShells", Doc: "Windows Server Winlogon Available Shells\n\nUsed to specify an alternate shell application to be launched when\nlogging into Windows Server 2012 and later. Legitimate keys under\nAvailableShells should just cause cmd.exe or explorer.exe to be executed,\nwhereas malicious programs may create keys that cause malware to be run\nwhen a user logs in.\n", Sources: []artifacts.Source{{Parent: "WindowsWinlogonAvailableShells", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AlternateShells\\AvailableShells\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://andymorgan.wordpress.com/2012/03/30/changing-the-default-shell-of-windows-server-8-core/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsWinlogonVMApplet", Doc: "Windows VMApplet replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonVMApplet", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "VMApplet"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "VMApplet"}}}, 
Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc939701.aspx"}}, {Name: "WindowsWinstart", Doc: "Windows winstart.bat file", Sources: []artifacts.Source{{Parent: "WindowsWinstart", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\winstart.bat", "%%environ_systemroot%%\\dosstart.bat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonAppSetup", Doc: "Windows Winlogon Appsetup", Sources: []artifacts.Source{{Parent: "WindowsWinlogonAppSetup", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "AppSetup"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/cc939701.aspx"}}, {Name: "WindowsWinlogonGPExtensions", Doc: "Windows Winlogon Group Policy Extensions\n\nThese keys specify DLLs that should be loaded when the group policy\nengine loads, and can act as a persistence mechanism for malware.\n", Sources: []artifacts.Source{{Parent: "WindowsWinlogonGPExtensions", Type: 
"REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: "DllName"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: "DllName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WinSock2LayeredServiceProviders", Doc: "Used to filter TCP/IP traffic through WinSock2.", Sources: []artifacts.Source{{Parent: "WinSock2LayeredServiceProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries64\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://gladiator-antivirus.com/forum/index.php?showtopic=24610", 
"https://en.wikipedia.org/wiki/Layered_Service_Provider", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WinSock2NamespaceProviders", Doc: "Used to provide name-resolution services through WinSock2", Sources: []artifacts.Source{{Parent: "WinSock2NamespaceProviders", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries\\*", Value: "LibraryPath"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries64\\*", Value: "LibraryPath"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99&tabid=2", "http://www.nirsoft.net/utils/winsock_service_providers.html", "https://msdn.microsoft.com/en-us/library/windows/desktop/ms739923(v=vs.85).aspx", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsDNSSettings", Doc: "Windows Registry Keys that contain DNS and DHCP settings.", Sources: []artifacts.Source{{Parent: "WindowsDNSSettings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Value: "NameServer"}, {Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\*", Value: "NameServer"}, 
{Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters", Value: "NameServer"}, {Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\*", Value: "DhcpNameServer"}, {Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\*", Value: "DhcpServer"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx"}}, {Name: "CurrentControlSet", Doc: "The control set the system is currently using.", Sources: []artifacts.Source{{Parent: "CurrentControlSet", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SYSTEM\\Select", Value: "Current"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "current_control_set", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc"}}, {Name: "WindowsJobFiles", Doc: "Files for the Windows Task Scheduler", Sources: []artifacts.Source{{Parent: "WindowsJobFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\system32\\Tasks\\**10", "%%environ_systemroot%%\\Tasks\\**10"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, 
Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder"}}, {Name: "WindowsNetworkInterfaceInformation", Doc: "Details for network interfaces and their names", Sources: []artifacts.Source{{Parent: "WindowsNetworkInterfaceInformation", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet*\\Services\\Tcpip\\Parameters\\Interfaces\\*", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet*\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\*\\Connection"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System", "Network"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsHotfixes", Doc: "Windows Registry Keys that contain Hotfix information", Sources: []artifacts.Source{{Parent: "WindowsHotfixes", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Updates\\*\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\*\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDefaultPaths", Doc: "Default Paths for many parameters", 
Sources: []artifacts.Source{{Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\Users"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_profilesdirectory", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\TEMP"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_temp", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_profilesdirectory%%\\*", "\\Users\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.userprofile", Regex: "", WMIKey: ""}, {Key: "users.username", Regex: ".*\\\\(.+)", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.startup", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%environ_profilesdirectory%%\\*\\AppData\\Roaming", "\\Users\\*\\AppData\\Roaming"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.appdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Windows\\INetCookies"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.cookies", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.userprofile%%\\Documents"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.documents", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.userprofile%%\\Desktop"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.desktop", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Windows\\INetCache"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.internet_cache", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_profilesdirectory%%\\*\\AppData\\Local", "\\Users\\*\\AppData\\Local"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.localappdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_profilesdirectory%%\\*\\AppData\\LocalLow", "\\Users\\*\\AppData\\LocalLow"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.localappdata_low", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Temp"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.temp", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\Recent"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.recent", Regex: "", 
WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "UserSIDDefaultKeys", Doc: "Bruteforce SIDs", Sources: []artifacts.Source{{Parent: "UserSIDDefaultKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.sid", Regex: ".*\\\\(.+)", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUserAssist", Doc: "Artifact of execution in the user's UserAssist key", Sources: []artifacts.Source{{Parent: "WindowsUserAssist", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{75048700-EF1F-11D0-9888-006097DEACF9}\\Count", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: 
[]string{"https://www.aldeid.com/wiki/Windows-userassist-keys"}}, {Name: "WindowsRDPClientBitmapCache", Doc: "Artifacts of RDP connection contents", Sources: []artifacts.Source{{Parent: "WindowsRDPClientBitmapCache", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Terminal Server Client\\Cache\\*.*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://github.com/BSI-Bund/RdpCacheStitcher"}}, {Name: "WindowsStartupInfo", Doc: "StartupInfo XML files.\n\nThe files include the user account's Security Identifier (SID) in the name\nand there could be up to 5 per user account. They contain a list of processes\nthat were executed within the first 90 seconds from the time the user logged\nin. 
The info includes start time, the full command line and the parent\nprocess info, among other things.\n", Sources: []artifacts.Source{{Parent: "WindowsStartupInfo", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\WDI\\LogFiles\\StartupInfo\\*.xml"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Execution"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Startup_info"}}, {Name: "WindowsCrashDumps", Doc: "Windows Error Reporting (WER) files and crash dumps.\n\nThe files include information about the crashed processes and potentially\nprocess dumps, whether auto-generated upon a crash or by a user. It's helpful\nto analyze them to identify unexpected process executions or exploitation\nattempts.\n", Sources: []artifacts.Source{{Parent: "WindowsCrashDumps", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Windows\\WER\\**", "%%environ_systemroot%%\\*.dmp", "%%environ_systemroot%%\\Minidump\\*.dmp", "%%environ_systemroot%%\\ServiceProfiles\\AppData\\Local\\CrashDumps\\**", "%%environ_systemroot%%\\ServiceProfiles\\AppData\\Local\\Temp\\*.dmp", "%%environ_systemroot%%\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\**", "%%environ_systemroot%%\\System32\\config\\systemprofile\\AppData\\Local\\Temp\\*.dmp", "%%environ_systemroot%%\\Temp\\*.dmp", "%%users.localappdata%%\\CrashDumps\\**", "%%users.localappdata%%\\Microsoft\\Windows\\WER\\**", "%%users.localappdata%%\\Temp\\*.dmp"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Execution"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Crash_and_minidumps"}}, {Name: "WindowsMsOfficeAutosave", Doc: "Recovery files automatically created by Microsoft Office applications.", Sources: []artifacts.Source{{Parent: "WindowsMsOfficeAutosave", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Word\\**", "%%users.appdata%%\\Microsoft\\Excel\\**", "%%users.appdata%%\\Microsoft\\Powerpoint\\**", "%%users.appdata%%\\Microsoft\\Publisher\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Microsoft_Office_Autosave"}}, {Name: "WindowsUserAccessLogging", Doc: "User Access Logging (UAL) databases.\n\nUAL is a local data aggregation feature (enabled by default) on Windows\nServers 2012 and above, recording client usage by role and product on each\nsystem providing the resource. 
It's typically between 2 and 4 extensible\nstorage engine (ESE) databases (\"Current.mdb\", \"SystemIdentity.mdb, and\n\".mdb\").\n", Sources: []artifacts.Source{{Parent: "WindowsUserAccessLogging", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\LogFiles\\SUM\\*.mdb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#User_Access_Logging_(UAL)"}}, {Name: "WindowsEventTracingLogFiles", Doc: "Event Tracing for Windows (ETW) log files.", Sources: []artifacts.Source{{Parent: "WindowsEventTracingLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.etl", "%%environ_allusersappdata%%\\Microsoft\\DiagnosticLogCSP\\Collectors\\*.etl", "%%environ_allusersappdata%%\\Microsoft\\Windows\\wfp\\*.etl", "%%environ_allusersappdata%%\\Microsoft\\Windows Security Health\\Logs\\*.etl", "%%environ_allusersappdata%%\\USOShared\\Logs\\System\\*.etl", "%%users.localappdata%%\\Microsoft\\OneDrive\\logs\\Personal\\*.etl", "%%users.localappdata%%\\Microsoft\\Windows\\Explorer\\*.etl", "%%users.localappdata%%\\Packages\\Microsoft.Windows.Photos_*\\LocalState\\*.etl", "%%environ_systemroot%%\\Logs\\*\\*.etl", "%%environ_systemroot%%\\Panther\\*.etl", "%%environ_systemroot%%\\Security\\Logs\\*.etl", "%%environ_systemroot%%\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\DeliveryOptimization\\Logs\\*.etl", "%%environ_systemroot%%\\System32\\LogFiles\\WMI\\*.etl", 
"%%environ_systemroot%%\\System32\\LogFiles\\WMI\\*.etl.0*", "%%environ_systemroot%%\\System32\\LogFiles\\WMI\\RtBackup\\*.etl", "%%environ_systemroot%%\\System32\\SleepStudy\\*.etl", "%%environ_systemroot%%\\System32\\SleepStudy\\ScreenOn\\*.etl", "%%environ_systemroot%%\\System32\\WDI\\LogFiles\\*.etl", "%%environ_systemroot%%\\System32\\WDI\\LogFiles\\*.etl.0*", "%%environ_systemroot%%\\System32\\WDI\\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\\*\\*.etl"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Event_Tracing_for_Windows_(ETW)"}}, {Name: "WindowsMountedDevices", Doc: "Windows mounted devices", Sources: []artifacts.Source{{Parent: "WindowsMountedDevices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\MountedDevices"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Mounted-devices.html"}}, {Name: "WindowsLanguage", Doc: "The system language.", Sources: []artifacts.Source{{Parent: "WindowsLanguage", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Language", Value: "Default"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Language.html"}}, {Name: "WindowsPortProxyConfiguration", Doc: "Windows PortProxy registry keys (set by netsh portproxy command or manually).", Sources: []artifacts.Source{{Parent: "WindowsPortProxyConfiguration", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\*\\*\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.dfirnotes.net/portproxy_detection/"}}, {Name: "WindowsEventLogPublishers", Doc: "Windows EventLog publishers (or providers) Registry keys.", Sources: []artifacts.Source{{Parent: "WindowsEventLogPublishers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string{"https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html"}}, {Name: "WindowsCortanaDatabase", Doc: "Windows Cortana database", Sources: []artifacts.Source{{Parent: "WindowsCortanaDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\Microsoft.Windows.Cortana_*\\AppData\\Indexed DB\\IndexedDB.edb", "%%users.localappdata%%\\Packages\\Microsoft.Windows.Cortana_*\\LocalState\\ESEDatabase_CortanaCoreInstance\\CortanaCoreDb.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Cortana"}}, {Name: "WindowsCryptnetUrlCacheContent", Doc: "Content of a Windows cache of files downloaded from the internet.\n\nHelpful when investigating the use of \"Living of the Land\" tools that allow\nattackers to download arbitrary files from the internet, such as\n\"certutil.exe\".\n", Sources: []artifacts.Source{{Parent: "WindowsCryptnetUrlCacheContent", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", "%%environ_systemroot%%\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", "%%users.localappdata_low%%\\Microsoft\\CryptnetUrlCache\\Content\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), 
Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Cryptnet_URL_Cache"}}, {Name: "WindowsCryptnetUrlCacheMetadata", Doc: "Metadata of a Windows cache of files downloaded from the internet.\n\nHelpful when investigating the use of \"Living of the Land\" tools that allow\nattackers to download arbitrary files from the internet, such as\n\"certutil.exe\".\n", Sources: []artifacts.Source{{Parent: "WindowsCryptnetUrlCacheMetadata", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", "%%environ_systemroot%%\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", "%%users.localappdata_low%%\\Microsoft\\CryptnetUrlCache\\MetaData\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#Cryptnet_URL_Cache"}}, {Name: "WindowsSecuritySettingsDatabases", Doc: "Windows security settings databases (secedit.sdb and spsecupd.sdb)", Sources: []artifacts.Source{{Parent: "WindowsSecuritySettingsDatabases", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\security\\Database\\secedit.sdb", "%%environ_systemroot%%\\security\\templates\\spsecupd.sdb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTileDataLayerDatabase", Doc: "Windows tile data layer database (vedatamodel.edb)\n\nThe tile data layer database is used to store information about Start Tiles.\n", Sources: []artifacts.Source{{Parent: "WindowsTileDataLayerDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\TileDataLayer\\Database\\vedatamodel.edb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://forensicswiki.xyz/wiki/index.php?title=Extensible_Storage_Engine_(ESE)_Database_File_(EDB)_format#Tile_Data_Layer_database"}}, {Name: "WindowsWordWheelQueryRegistryKey", Doc: "Keywords searched in from the Windows start menu, potentially resulting in files or folders access or program executions.", Sources: []artifacts.Source{{Parent: "WindowsWordWheelQueryRegistryKey", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWebCacheStorageQuotaDatabaseFile", Doc: "Windows WebCache storage quota database file (CacheStorage.edb)", Sources: 
[]artifacts.Source{{Parent: "WindowsWebCacheStorageQuotaDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Packages\\*\\AppData\\CacheStorage\\CacheStorage.edb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStateRepositoryMachineDatabaseFile", Doc: "The State Reposistory machine database file (StateRepository-Machine.srd).", Sources: []artifacts.Source{{Parent: "WindowsStateRepositoryMachineDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programdata%%\\Microsoft\\Windows\\AppRepository\\StateRepository-Machine.srd"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPushNotificationDatabaseFile", Doc: "The Windows Push Notification (WPN) database file.", Sources: []artifacts.Source{{Parent: "WindowsPushNotificationDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Microsoft\\Windows\\Notifications\\wpndatabase.db", "%%environ_systemroot%%\\System32\\config\\ystemprofile\\AppData\\Local\\Microsoft\\Windows\\Notifications\\wpndatabase.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStateRepositoryDeploymentDatabaseFile", Doc: "The State Reposistory deployment database file (StateRepository-Deployment.srd).", Sources: []artifacts.Source{{Parent: "WindowsStateRepositoryDeploymentDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programdata%%\\Microsoft\\Windows\\AppRepository\\StateRepository-Deployment.srd"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUpdateStoreDatabaseFile", Doc: "The Update Service Orchestrator (USO) private update store database file.", Sources: []artifacts.Source{{Parent: "WindowsUpdateStoreDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programdata%%\\USOPrivate\\UpdateStore\\store.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUpdateDataStoreDatabaseFile", Doc: "Windows Update data store database file (DataStore.edb).", Sources: []artifacts.Source{{Parent: "WindowsUpdateDataStoreDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: 
[]string{"%%environ_windir%%\\SoftwareDistribution\\DataStore\\DataStore.edb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSmsRouterInterceptStoreDatabaseFile", Doc: "Windows SmsRouter intercept store database file (SmsInterceptStore.db)", Sources: []artifacts.Source{{Parent: "WindowsSmsRouterInterceptStoreDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programdata%%\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUpdateCatalogDatabaseFile", Doc: "Windows Update catalog package signatures database file (catdb).", Sources: []artifacts.Source{{Parent: "WindowsUpdateCatalogDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\catroot2\\{*-*-*-*-*}\\catdb"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://learn.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files"}}, {Name: 
"DLLHijackLocations", Doc: "DLL search order hijacking locations collected from base Windows 7.", Sources: []artifacts.Source{{Parent: "DLLHijackLocations", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_windir%%\\EXPLORERFRAME.dll", "%%environ_windir%%\\DUser.dll", "%%environ_windir%%\\DUI70.dll", "%%environ_windir%%\\UxTheme.dll", "%%environ_windir%%\\POWRPROF.dll", "%%environ_windir%%\\dwmapi.dll", "%%environ_windir%%\\slc.dll", "%%environ_windir%%\\gdiplus.dll", "%%environ_windir%%\\Secur32.dll", "%%environ_windir%%\\SSPICLI.dll", "%%environ_windir%%\\PROPSYS.dll", "%%environ_windir%%\\WINSTA.dll", "%%environ_windir%%\\CRYPTBASE.dll", "%%environ_windir%%\\WindowsCodecs.dll", "%%environ_windir%%\\profapi.dll", "%%environ_windir%%\\apphelp.dll", "%%environ_windir%%\\EhStorShell.dll", "%%environ_windir%%\\cscui.dll", "%%environ_windir%%\\CSCDLL.dll", "%%environ_windir%%\\CSCAPI.dll", "%%environ_windir%%\\ntshrui.dll", "%%environ_windir%%\\srvcli.dll", "%%environ_windir%%\\IconCodecService.dll", "%%environ_windir%%\\CRYPTSP.dll", "%%environ_windir%%\\rsaenh.dll", "%%environ_windir%%\\RpcRtRemote.dll", "%%environ_windir%%\\SndVolSSO.dll", "%%environ_windir%%\\HID.dll", "%%environ_windir%%\\MMDevApi.dll", "%%environ_windir%%\\timedate.cpl", "%%environ_windir%%\\ATL.dll", "%%environ_windir%%\\actxprxy.dll", "%%environ_windir%%\\ntmarta.dll", "%%environ_windir%%\\shdocvw.dll", "%%environ_windir%%\\LINKINFO.dll", "%%environ_windir%%\\USERENV.dll", "%%environ_windir%%\\shacct.dll", "%%environ_windir%%\\gameux.dll", "%%environ_windir%%\\XmlLite.dll", "%%environ_windir%%\\wer.dll", "%%environ_windir%%\\SAMLIB.dll", "%%environ_windir%%\\msls31.dll", "%%environ_windir%%\\tiptsf.dll", "%%environ_windir%%\\authui.dll", "%%environ_windir%%\\CRYPTUI.dll", "%%environ_windir%%\\msiltcfg.dll", "%%environ_windir%%\\VERSION.dll", "%%environ_windir%%\\msi.dll", "%%environ_windir%%\\NetworkExplorer.dll", "%%environ_windir%%\\WINMM.dll", 
"%%environ_windir%%\\wdmaud.drv", "%%environ_windir%%\\ksuser.dll", "%%environ_windir%%\\AVRT.dll", "%%environ_windir%%\\AUDIOSES.dll", "%%environ_windir%%\\msacm32.drv", "%%environ_windir%%\\MSACM32.dll", "%%environ_windir%%\\midimap.dll", "%%environ_windir%%\\netutils.dll", "%%environ_windir%%\\stobject.dll", "%%environ_windir%%\\BatMeter.dll", "%%environ_windir%%\\WTSAPI32.dll", "%%environ_windir%%\\es.dll", "%%environ_windir%%\\prnfldr.dll", "%%environ_windir%%\\WINSPOOL.DRV", "%%environ_windir%%\\dxp.dll", "%%environ_windir%%\\Syncreg.dll", "%%environ_windir%%\\netshell.dll", "%%environ_windir%%\\IPHLPAPI.dll", "%%environ_windir%%\\WINNSI.dll", "%%environ_windir%%\\nlaapi.dll", "%%environ_windir%%\\AltTab.dll", "%%environ_windir%%\\pnidui.dll", "%%environ_windir%%\\QUtil.dll", "%%environ_windir%%\\wevtapi.dll", "%%environ_windir%%\\dhcpcsvc6.dll", "%%environ_windir%%\\dhcpcsvc.dll", "%%environ_windir%%\\credssp.dll", "%%environ_windir%%\\npmproxy.dll", "%%environ_windir%%\\cscobj.dll", "%%environ_windir%%\\Wlanapi.dll", "%%environ_windir%%\\wlanutil.dll", "%%environ_windir%%\\wwanapi.dll", "%%environ_windir%%\\wwapi.dll", "%%environ_windir%%\\QAgent.dll", "%%environ_windir%%\\srchadmin.dll", "%%environ_windir%%\\mssprxy.dll", "%%environ_windir%%\\bthprops.cpl", "%%environ_windir%%\\ieframe.dll", "%%environ_windir%%\\OLEACC.dll", "%%environ_windir%%\\SyncCenter.dll", "%%environ_windir%%\\Actioncenter.dll", "%%environ_windir%%\\imapi2.dll", "%%environ_windir%%\\SXS.dll", "%%environ_windir%%\\hgcpl.dll", "%%environ_windir%%\\provsvc.dll", "%%environ_windir%%\\wkscli.dll", "%%environ_windir%%\\fxsst.dll", "%%environ_windir%%\\FXSAPI.dll", "%%environ_windir%%\\FXSRESM.dll", "%%environ_windir%%\\ieproxy.dll", "%%environ_windir%%\\thumbcache.dll", "%%environ_windir%%\\rasadhlp.dll", "%%environ_windir%%\\MPR.dll", "%%environ_windir%%\\vmhgfs.dll", "%%environ_windir%%\\drprov.dll", "%%environ_windir%%\\ntlanman.dll", "%%environ_windir%%\\davclnt.dll", 
"%%environ_windir%%\\DAVHLPR.dll", "%%environ_windir%%\\StructuredQuery.dll", "%%environ_windir%%\\UIAnimation.dll", "%%environ_windir%%\\DEVRTL.dll", "%%environ_windir%%\\MLANG.dll", "%%environ_windir%%\\wscinterop.dll", "%%environ_windir%%\\WSCAPI.dll", "%%environ_windir%%\\wscui.cpl", "%%environ_windir%%\\werconcpl.dll", "%%environ_windir%%\\framedynos.dll", "%%environ_windir%%\\wercplsupport.dll", "%%environ_windir%%\\msxml6.dll", "%%environ_windir%%\\hcproviders.dll", "%%environ_windir%%\\zipfldr.dll", "%%environ_windir%%\\rarext.dll", "%%environ_windir%%\\7-zip.dll", "%%environ_windir%%\\twext.dll", "%%environ_windir%%\\WinCDEmuContextMenu.dll", "%%environ_windir%%\\syncui.dll", "%%environ_windir%%\\SYNCENG.dll", "%%environ_windir%%\\shlext010.dll", "%%environ_windir%%\\ATL90.dll", "%%environ_windir%%\\acppage.dll", "%%environ_windir%%\\sfc.dll", "%%environ_windir%%\\sfc_os.dll", "%%environ_windir%%\\dsrole.dll", "%%environ_windir%%\\ACLUI.dll", "%%environ_windir%%\\NTDSAPI.dll", "%%environ_windir%%\\PhotoBase.dll", "%%environ_windir%%\\sbdrop.dll", "%%environ_windir%%\\tquery.dll", "%%environ_windir%%\\EhStorAPI.dll", "%%environ_windir%%\\SearchFolder.dll", "%%environ_windir%%\\NaturalLanguage6.dll", "%%environ_windir%%\\NLSData0009.dll", "%%environ_windir%%\\NLSLexicons0009.dll", "%%environ_windir%%\\MsftEdit.dll", "%%environ_windir%%\\dnsapi.dll", "%%environ_windir%%\\RASAPI32.dll", "%%environ_windir%%\\rasman.dll", "%%environ_windir%%\\rtutils.dll", "%%environ_windir%%\\sensapi.dll"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html"}}, {Name: 
"WindowsEventLogs", Doc: "Windows Event logs.", Sources: []artifacts.Source{{Parent: "WindowsEventLogs", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsEventLogApplication", "WindowsEventLogSecurity", "WindowsEventLogSystem", "WindowsXMLEventLogApplication", "WindowsXMLEventLogSecurity", "WindowsXMLEventLogSysmon", "WindowsXMLEventLogSystem", "WindowsXMLEventLogTerminalServices"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsEventLogPath", Doc: "Windows Event log locations.", Sources: []artifacts.Source{{Parent: "WindowsEventLogPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config", "%%environ_systemroot%%\\System32\\winevt\\Logs"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "windows_event_logs", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsAllEventLogs", Doc: "All Windows Event log locations.", Sources: []artifacts.Source{{Parent: "WindowsAllEventLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\*.evt", "%%windows_event_logs%%\\*.evtx"}, Separator: "\\", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsEventLogApplication", Doc: "Application Windows Event Log.", Sources: []artifacts.Source{{Parent: "WindowsEventLogApplication", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\AppEvent.evt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsEventLogSecurity", Doc: "Security Windows Event Log.", Sources: []artifacts.Source{{Parent: "WindowsEventLogSecurity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\SecEvent.evt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsEventLogSystem", Doc: "System Windows Event Log.", Sources: []artifacts.Source{{Parent: "WindowsEventLogSystem", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\SysEvent.evt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsXMLEventLogApplication", Doc: "Application Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogApplication", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Application.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsXMLEventLogSecurity", Doc: "Security Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogSecurity", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Security.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: 
"WindowsXMLEventLogSysmon", Doc: "Sysmon Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogSysmon", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Microsoft-Windows-Sysmon%4Operational.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsXMLEventLogSystem", Doc: "System Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogSystem", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\System.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsXMLEventLogTerminalServices", Doc: "TerminalServices Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogTerminalServices", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Logs"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html"}}, {Name: "WindowsUpdateLogFile", Doc: "Windows Update log files.", Sources: []artifacts.Source{{Parent: "WindowsUpdateLogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_programdata%%\\USOShared\\Logs\\System\\*.etl", "%%environ_systemroot%%\\Logs\\CBS\\CBS*.log", "%%environ_systemroot%%\\Logs\\WindowsUpdate\\WindowsUpdate*.etl"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs"}}, {Name: "WindowsPersistence", Doc: "Windows persistence mechanisms.", Sources: []artifacts.Source{{Parent: "WindowsPersistence", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsEnvironmentVariableSystemRoot", "WindowsRegistryProfiles", "WindowsPersistenceMechanisms", "WindowsApplicationCompatibilityShims", "WindowsAppCertDLLsAlt", "WindowsCOMProperties", "WindowsBrowserPersistenceKeys", "InternetExplorerBrowserHelperObjects", "WindowsBrowserPersistenceFiles", "WindowsFileAssociation", "WindowsScheduledTasks", "WindowsTimeProviders", "WindowsSIPandTrustProviderHijacking", "WindowsKnownDLLs", "WindowsOfficeApplicationStartup", "WindowsImageHijacks", "WindowsCommandProcessorAutoRun", "WindowsDebugger", "WindowsCodecs", "WindowsFontDriversAlt", "WindowsStartupFolders", "WindowsStartupScript", "WindowsGroupPolicyScripts", "WindowsLogonScript", "WindowsLogoffScript"}, Paths: []string(nil), 
Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsBrowserPersistenceKeys", Doc: "Registry keys for various browser extensions or wrapper objects.", Sources: []artifacts.Source{{Parent: "WindowsBrowserPersistenceKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsBrowserPersistenceFiles", Doc: "Windows Scheduled Tasks.", Sources: []artifacts.Source{{Parent: "WindowsBrowserPersistenceFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\extensions.json"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsFileAssociation", Doc: "User file association preferences", Sources: []artifacts.Source{{Parent: "WindowsFileAssociation", Type: "REGISTRY_KEY", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\*\\OpenWithList", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\*\\OpenWithList"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1042/"}}, {Name: "WindowsImageHijacks", Doc: "Various image hijack mechanisms used for persistence.", Sources: []artifacts.Source{{Parent: "WindowsImageHijacks", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*", Value: "MonitorProcess"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Exefile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Exefile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Htmlfile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Htmlfile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\.cmd", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\.cmd", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\.exe", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1183/", "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", "https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsTimeProviders", Doc: "Windows time provider services.", Sources: []artifacts.Source{{Parent: "WindowsTimeProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1209/"}}, {Name: "WindowsSIPandTrustProviderHijacking", Doc: "SIP are responsible for signature procession and can be abused by adversaries.", Sources: []artifacts.Source{{Parent: "WindowsSIPandTrustProviderHijacking", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\*", Value: "`$DLL"}, {Key: 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\*", Value: "`$DLL"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1198/", "https://www.jaiminton.com/cheatsheet/DFIR/#t1198-sip-and-trust-provider-hijacking"}}, {Name: "WindowsKnownDLLs", Doc: "DLLs that can be abused by search order hijacking.", Sources: []artifacts.Source{{Parent: "WindowsKnownDLLs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://attack.mitre.org/techniques/T1209/"}}, {Name: "WindowsOfficeApplicationStartup", Doc: "Add-ins and plug-ins registered to hook into office apps.", Sources: []artifacts.Source{{Parent: "WindowsOfficeApplicationStartup", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office test\\Special\\Perf", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\*\\Addins\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\Addins\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Office\\*\\Addins\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Office\\*\\Addins\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Calendar\\URL", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Calendar\\URL", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Inbox", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Inbox"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.jaiminton.com/cheatsheet/DFIR/#t1137-office-application-startup", "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html"}}, {Name: "WindowsCodecs", Doc: "Codecs are executable software that can be loaded by media playback software. 
They could be abused for system persistence.", Sources: []artifacts.Source{{Parent: "WindowsCodecs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", 
"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Filter", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Filter", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsAppCertDLLsAlt", Doc: "Windows AppCertDLLs persistence.", Sources: []artifacts.Source{{Parent: "WindowsAppCertDLLsAlt", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "AppCertDLLs"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.jaiminton.com/cheatsheet/DFIR/#t1182-appcert-dlls"}}, {Name: "WindowsFontDriversAlt", Doc: "Windows font drivers from the Registry.", Sources: []artifacts.Source{{Parent: "WindowsFontDriversAlt", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Font Drivers"}, 
Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"}}, {Name: "WindowsUSBInformation", Doc: "Windows Event logs.", Sources: []artifacts.Source{{Parent: "WindowsUSBInformation", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsUSBDeviceInformations", "WindowsUSBVolumeAndDriveMapping", "WindowsUSBUserMountedDevices", "WindowsDeviceSetup"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUSBDeviceInformations", Doc: "Windows USB Device Informations.\n\nUSBSTOR subkey only exists when there ever was an USB device mounted.\n", Sources: []artifacts.Source{{Parent: "WindowsUSBDeviceInformations", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\**"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.researchgate.net/publication/318514858_USB_Storage_Device_Forensics_for_Windows_10"}}, {Name: "WindowsUSBVolumeAndDriveMapping", Doc: "Windows USB volume and 
drive mapping.\n\nDisplays the mapping of USB devices to drives and volumes.\n", Sources: []artifacts.Source{{Parent: "WindowsUSBVolumeAndDriveMapping", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"https://www.forensicswiki.org/wiki/USB_History_Viewing"}}, {Name: "WindowsUSBUserMountedDevices", Doc: "Windows USB user mounted devices.\n\nShows the GUIDs of all devices the user has ever mounted.\n", Sources: []artifacts.Source{{Parent: "WindowsUSBUserMountedDevices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\**"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string{"http://techgenix.com/extracting-usb-artifacts-from-windows-7/"}}, {Name: "WindowsDeviceSetup", Doc: "Logfiles for Windows PNP driver installation", Sources: []artifacts.Source{{Parent: "WindowsDeviceSetup", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\inf\\setupapi*.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIAccountUsersDomain", Doc: "Fill out user AD domain information based on username.\n\nWe expect this artifact to be collected with WindowsRegistryProfiles\nto supply the rest of the user information. This artifact optimizes retrieval\nof user information by limiting the WMI query to users for which we have\na username for. Specifically this solves the issue that in a domain setting,\nquerying for all users via WMI will give you the list of all local and domain\naccounts which means a large data transfer from an Active Directory server.\nThis artifact relies on having the users.username field populated in the knowledge\nbase. Unfortunately even limiting by username this query can be slow, and\nthis artifact runs it for each user present on the system.\n", Sources: []artifacts.Source{{Parent: "WMIAccountUsersDomain", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx"}}, {Name: "WMIAntivirusProduct", Doc: "Enumerate the registered antivirus.", Sources: []artifacts.Source{{Parent: "WMIAntivirusProduct", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM AntivirusProduct", BaseObject: "winmgmts:\\root\\SecurityCenter2", 
KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIComputerSystemProduct", Doc: "Computer System Product including Identifiying number queried from WMI.", Sources: []artifacts.Source{{Parent: "WMIComputerSystemProduct", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_ComputerSystemProduct", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx"}}, {Name: "WMIDNSClientCache", Doc: "DNS client cache via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIDNSClientCache", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from MSFT_DNSClientCache", BaseObject: "winmgmts:\\root\\StandardCimv2", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache"}}, {Name: "WMIDrivers", Doc: "Installed drivers via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIDrivers", Type: "WMI", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT DisplayName, Description, InstallDate, Name, PathName, Status, State, ServiceType from Win32_SystemDriver", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIEnumerateASEC", Doc: "Enumerate instances of ActiveScriptEventConsumer.", Sources: []artifacts.Source{{Parent: "WMIEnumerateASEC", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM ActiveScriptEventConsumer", BaseObject: "winmgmts:\\root\\subscription", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIEnumerateCLEC", Doc: "Enumerate instances of CommandLineEventConsumer.", Sources: []artifacts.Source{{Parent: "WMIEnumerateCLEC", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM CommandLineEventConsumer", BaseObject: "winmgmts:\\root\\subscription", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIHotFixes", Doc: "Installed hotfixes via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIHotFixes", Type: 
"WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from Win32_QuickFixEngineering", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIInstalledSoftware", Doc: "Installed software via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIInstalledSoftware", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version from Win32_Product", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMILastBootupTime", Doc: "Last system boot time (UTC) retrieved from WMI.", Sources: []artifacts.Source{{Parent: "WMILastBootupTime", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT LastBootUpTime FROM Win32_OperatingSystem", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://msdn.microsoft.com/en-us/library/windows/desktop/aa394239(v=vs.85).aspx"}}, {Name: "WMILogicalDisks", Doc: "Disk information via Windows 
Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMILogicalDisks", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_LogicalDisk", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/aa394173(v=vs.85).aspx"}}, {Name: "WMILoggedOnSessions", Doc: "Logged on users queried from WMI.", Sources: []artifacts.Source{{Parent: "WMILoggedOnSessions", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_LogonSession", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMILoggedOnUsers", Doc: "Logged on users queried from WMI.", Sources: []artifacts.Source{{Parent: "WMILoggedOnUsers", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_LoggedonUser", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMILoginUsers", Doc: "Login Users via Windows Management Instrumentation (WMI).\n\nThis WMI query may take a long time 
to complete when run on a domain and\nwill create load on a domain controller.\n", Sources: []artifacts.Source{{Parent: "WMILoginUsers", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from Win32_GroupUser where Name = \"login_users\"", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMINetNeighbors", Doc: "TCP/IP neighbors via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMINetNeighbors", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from MSFT_NetNeighbor", BaseObject: "winmgmts:\\root\\StandardCimv2", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor"}}, {Name: "WMINetTCPConnections", Doc: "TCP connections via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMINetTCPConnections", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from MSFT_NetTCPConnection", BaseObject: "winmgmts:\\root\\StandardCimv2", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string{"Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection"}}, {Name: "WMINetUDPEndpoints", Doc: "UDP endpoints via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMINetUDPEndpoints", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from MSFT_NetUDPEndpoint", BaseObject: "winmgmts:\\root\\StandardCimv2", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Network"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint"}}, {Name: "WMIOperatingSystem", Doc: "Operating system installed on the computer via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIOperatingSystem", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from Win32_OperatingSystem", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem"}}, {Name: "WMIPhysicalMemory", Doc: "Physical memory information via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIPhysicalMemory", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), 
Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from Win32_PhysicalMemory", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"}}, {Name: "WMIProcessList", Doc: "Process listing via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIProcessList", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from Win32_Process", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Software"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIProfileUsersHomeDir", Doc: "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", Sources: []artifacts.Source{{Parent: "WMIProfileUsersHomeDir", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"}}, {Name: "WMIScheduledTasks", Doc: "Scheduled tasks that are registered on the computer via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIScheduledTasks", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from MSFT_ScheduledTask", BaseObject: "winmgmts:\\root\\Microsoft\\Windows\\TaskScheduler", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/"}}, {Name: "WMIServices", Doc: "Services queried from WMI.", Sources: []artifacts.Source{{Parent: "WMIServices", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_Service", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), 
Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMIStartupCommands", Doc: "Commands that run automatically when a user logs onto the computer system via Windows Management Instrumentation (WMI).", Sources: []artifacts.Source{{Parent: "WMIStartupCommands", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * from Win32_StartupCommand", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string{"https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand"}}, {Name: "WMIUsers", Doc: "Users via Windows Management Instrumentation (WMI).\n\nNote that in a domain setup, this will probably return all users in the\ndomain which will be expensive and slow. 
Consider limiting by SID like\nWMIProfileUsersHomeDir.\n", Sources: []artifacts.Source{{Parent: "WMIUsers", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_UserAccount", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Users"}, SupportedOs: []string{"Windows"}, Urls: []string{"http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx"}}, {Name: "WMIVolumeShadowCopies", Doc: "A List of Volume Shadow Copies from WMI.", Sources: []artifacts.Source{{Parent: "WMIVolumeShadowCopies", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM Win32_ShadowCopy", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"System"}, SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WMICCMRUA", Doc: "Enumerate instances of CCM_RecentlyUsedApps.", Sources: []artifacts.Source{{Parent: "WMICCMRUA", Type: "WMI", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "SELECT * FROM CCM_RecentlyUsedApps", BaseObject: "winmgmts:\\root\\ccm\\SoftwareMeteringAgent", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string{"Execution"}, SupportedOs: []string{"Windows"}, Urls: 
[]string{"https://forensicswiki.xyz/wiki/index.php?title=Windows#CCM_RecentlyUsedApps"}}} +var Artifacts = []artifacts.ArtifactDefinition{{Name: "DefaultCollection1", Doc: "Predefined opinionated collections", Sources: []artifacts.Source{{Parent: "DefaultCollection1", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"FOR500", "WindowsComputerName", "WindowsEventLogs", "WindowsHotfixes", "WindowsNetworkInterfaceInformation", "WindowsPersistence", "WindowsRunKeys", "WindowsServices", "WindowsUninstallKeys", "WindowsUSBInformation"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "DefaultCollection1", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"BrowserHistory", "LinuxIPTablesRulesCommand", "LinuxAtJobsFiles", "LinuxAuditLogFiles", "LinuxCronTabFiles", "LinuxHostnameFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "DefaultCollection1", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"BrowserHistory", "MacOSAtJobsFile", "MacOSAuditLogFiles", "MacOSBashHistoryFile", "MacOSCronTabFile", "MacOSHostsFile", "MacOSLastlogFile", "MacOSMiscLogFiles", "MacOSRecentItemsFiles", "MacOSSystemLogFiles", "MacOSUserTrashFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "FOR500", Doc: "Windows Forensic Analysis", Sources: []artifacts.Source{{Parent: "FOR500", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsBrowserArtifacts", "WindowsProgramExecution", "WindowsDeletedFiles", "WindowsNetworkActivity", "AccountUsage", "ExternalDevice"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsBrowserArtifacts", Doc: "WindowsBrowserArtifacts", Sources: []artifacts.Source{{Parent: "WindowsBrowserArtifacts", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsOpenSaveMRU", "WindowsOpenSavePidlMRU", "BrowserHistory"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsProgramExecution", Doc: "Program Execution", Sources: []artifacts.Source{{Parent: "WindowsProgramExecution", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsActivitiesCacheDatabase", "WindowsMostRecentApplication", "WindowsAppCompatCache", "WindowsAMCacheHveFile", "WindowsSystemResourceUsageMonitorDatabaseFile", "WindowsPrefetchFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDeletedFiles", Doc: "Deleted Files", Sources: []artifacts.Source{{Parent: "WindowsDeletedFiles", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsRecycleBin"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsNetworkActivity", Doc: "Network Activity", Sources: []artifacts.Source{{Parent: "WindowsNetworkActivity", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsTimezone", "InternetExplorerCookiesFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "AccountUsage", Doc: "Account Usage", Sources: []artifacts.Source{{Parent: "AccountUsage", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsSystemRegistryFiles", "WindowsXMLEventLogSecurityFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "ExternalDevice", Doc: "External Device", Sources: []artifacts.Source{{Parent: "ExternalDevice", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsSetupApiLogs"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "LinuxIPTablesRulesCommand", Doc: "List IPTables rules.", Sources: []artifacts.Source{{Parent: "LinuxIPTablesRulesCommand", Type: "COMMAND", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "/sbin/iptables", Args: []string{"-L", "-n", "-v"}, Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxAtJobsFiles", Doc: "Linux at jobs.", Sources: []artifacts.Source{{Parent: "LinuxAtJobsFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/spool/at/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxAuditLogFiles", Doc: "Linux audit log files.", Sources: []artifacts.Source{{Parent: "LinuxAuditLogFiles", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"/var/log/audit/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxCronTabFiles", Doc: "Crontab files.", Sources: []artifacts.Source{{Parent: "LinuxCronTabFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/**"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxHostnameFile", Doc: "Linux hostname file.", Sources: []artifacts.Source{{Parent: "LinuxHostnameFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hostname"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxPasswdFile", Doc: "Linux passwd file.\n\nA passwd file consist of colon separated values in the format:\nusername:password:uid:gid:full name:home directory:shell\n", Sources: []artifacts.Source{{Parent: "LinuxPasswdFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/passwd"}, Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.homedir", Regex: ".*:(.*?):.*", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "LinuxHomePath", Doc: "Users directories in /home", Sources: []artifacts.Source{{Parent: "LinuxHomePath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/home/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.homedir", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Linux"}, Urls: []string(nil)}, {Name: "MacOSAtJobsFile", Doc: "MacOS at jobs", Sources: []artifacts.Source{{Parent: "MacOSAtJobsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/usr/lib/cron/jobs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSAuditLogFiles", Doc: "Audit log files", Sources: []artifacts.Source{{Parent: "MacOSAuditLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/audit/*", "/var/audit/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: 
[]string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSBashHistoryFile", Doc: "Terminal Commands History", Sources: []artifacts.Source{{Parent: "MacOSBashHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.bash_history"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSCronTabFile", Doc: "Cron tabs", Sources: []artifacts.Source{{Parent: "MacOSCronTabFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/crontab", "/private/etc/crontab", "/usr/lib/cron/tabs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSHostsFile", Doc: "Hosts file", Sources: []artifacts.Source{{Parent: "MacOSHostsFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/etc/hosts", "/private/etc/hosts"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: 
"MacOSLastlogFile", Doc: "Mac OS X lastlog file.", Sources: []artifacts.Source{{Parent: "MacOSLastlogFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/private/var/log/lastlog", "/var/log/lastlog"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSMiscLogFiles", Doc: "Misc. Logs", Sources: []artifacts.Source{{Parent: "MacOSMiscLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Library/Logs/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSRecentItemsFiles", Doc: "Recent Items", Sources: []artifacts.Source{{Parent: "MacOSRecentItemsFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSSystemLogFiles", Doc: "System log files", Sources: []artifacts.Source{{Parent: "MacOSSystemLogFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), 
Paths: []string{"/private/var/log/*", "/var/log/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUsersPath", Doc: "Users directories in /Users", Sources: []artifacts.Source{{Parent: "MacOSUsersPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"/Users/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.homedir", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "MacOSUserTrashFiles", Doc: "User Trash Folder", Sources: []artifacts.Source{{Parent: "MacOSUserTrashFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.Trash/*"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin"}, Urls: []string(nil)}, {Name: "BrowserHistory", Doc: "Web browser history of multiple web browsers.", Sources: []artifacts.Source{{Parent: "BrowserHistory", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"ChromiumBasedBrowsersHistoryDatabaseFile", "FirefoxHistoryFile", "InternetExplorerHistoryFile", "OperaHistoryFile", "SafariDownloadFile", "SafariHistoryFile"}, 
Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "ChromiumBasedBrowsersHistoryDatabaseFile", Doc: "Browsing history database file for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta.", Sources: []artifacts.Source{{Parent: "ChromiumBasedBrowsersHistoryDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived History", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History", "%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/Archived History", "%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Chromium/*/History", "%%users.homedir%%/Library/Application Support/Chromium/*/History-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History", "%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal", 
"%%users.homedir%%/Library/Application Support/Google/Chrome/*/History", "%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived History", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History", "%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History", "%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History-journal", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived History", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History", "%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History-journal", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived History", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived History-journal", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History", "%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersHistoryDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived 
History", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History-journal", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History", "%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History", "%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal", "%%users.homedir%%/.config/chromium/*/Archived History", "%%users.homedir%%/.config/chromium/*/Archived History-journal", "%%users.homedir%%/.config/chromium/*/History", "%%users.homedir%%/.config/chromium/*/History-journal", "%%users.homedir%%/.config/google-chrome-beta/*/Archived History", "%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal", "%%users.homedir%%/.config/google-chrome-beta/*/History", "%%users.homedir%%/.config/google-chrome-beta/*/History-journal", "%%users.homedir%%/.config/google-chrome/*/Archived History", "%%users.homedir%%/.config/google-chrome/*/Archived History-journal", "%%users.homedir%%/.config/google-chrome/*/History", "%%users.homedir%%/.config/google-chrome/*/History-journal", "%%users.homedir%%/.config/microsoft-edge/*/Archived History", "%%users.homedir%%/.config/microsoft-edge/*/Archived History-journal", "%%users.homedir%%/.config/microsoft-edge/*/History", "%%users.homedir%%/.config/microsoft-edge/*/History-journal", "%%users.homedir%%/.config/opera/*/Archived 
History", "%%users.homedir%%/.config/opera/*/Archived History-journal", "%%users.homedir%%/.config/opera/*/History", "%%users.homedir%%/.config/opera/*/History-journal", "%%users.homedir%%/.config/yandex-browser-beta/*/Archived History", "%%users.homedir%%/.config/yandex-browser-beta/*/Archived History-journal", "%%users.homedir%%/.config/yandex-browser-beta/*/History", "%%users.homedir%%/.config/yandex-browser-beta/*/History-journal", "%%users.homedir%%/snap/chromium/common/chromium/*/Archived History", "%%users.homedir%%/snap/chromium/common/chromium/*/Archived History-journal", "%%users.homedir%%/snap/chromium/common/chromium/*/History", "%%users.homedir%%/snap/chromium/common/chromium/*/History-journal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "ChromiumBasedBrowsersHistoryDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Brave\\*\\Archived History", "%%users.appdata%%\\Brave\\*\\Archived History-journal", "%%users.appdata%%\\Brave\\*\\History", "%%users.appdata%%\\Brave\\*\\History-journal", "%%users.appdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\History", "%%users.appdata%%\\BraveSoftware\\Brave-Browser\\User Data\\*\\History-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Archived History", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\Archived History-journal", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\History", "%%users.appdata%%\\Opera Software\\Opera Stable\\*\\History-journal", "%%users.localappdata%%\\Chromium\\*\\Archived History", "%%users.localappdata%%\\Chromium\\*\\Archived History-journal", "%%users.localappdata%%\\Chromium\\*\\History", "%%users.localappdata%%\\Chromium\\*\\History-journal", "%%users.localappdata%%\\Chromium\\User 
Data\\*\\Archived History", "%%users.localappdata%%\\Chromium\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Chromium\\User Data\\*\\History", "%%users.localappdata%%\\Chromium\\User Data\\*\\History-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Archived History", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\History", "%%users.localappdata%%\\Google\\Chrome SxS\\User Data\\*\\History-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Archived History", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\History", "%%users.localappdata%%\\Google\\Chrome\\User Data\\*\\History-journal", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Archived History", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\History", "%%users.localappdata%%\\Microsoft\\Edge Beta\\User Data\\*\\History-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Archived History", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\History", "%%users.localappdata%%\\Microsoft\\Edge\\User Data\\*\\History-journal", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Archived History", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\Archived History-journal", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\History", "%%users.localappdata%%\\Yandex\\YandexBrowser\\User Data\\*\\History-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Linux", "Windows"}, Urls: []string(nil)}, {Name: "FirefoxHistoryFile", Doc: "Firefox browser history (places.sqlite).", Sources: []artifacts.Source{{Parent: "FirefoxHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite-wal", "%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite", "%%users.localappdata%%\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite-wal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite", "%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "FirefoxHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.mozilla/firefox/*/places.sqlite", "%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal", "%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite", "%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string(nil)}, {Name: "InternetExplorerBrowserHelperObjectsRegistryKeys", Doc: "Loaded on Internet Explorer startup", Sources: []artifacts.Source{{Parent: "InternetExplorerBrowserHelperObjectsRegistryKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "InternetExplorerCookiesFile", Doc: "Microsoft Internet Explorer (MSIE) browser cookies.\n\n* MSIE 4 - 9 Cache files (index.dat)\n", Sources: []artifacts.Source{{Parent: "InternetExplorerCookiesFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\Cookies\\index.dat", "%%users.appdata%%\\Microsoft\\Windows\\Cookies\\Low\\index.dat", "%%users.userprofile%%\\Cookies\\index.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "InternetExplorerHistoryFile", Doc: "Microsoft 
Internet Explorer (MSIE) browser history.\n\n* MSIE 4 - 9 Cache files (index.dat);\n* MSIE 10 WebCacheV*.dat files.\n", Sources: []artifacts.Source{{Parent: "InternetExplorerHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Microsoft\\Windows\\IEDownloadHistory\\index.dat", "%%users.localappdata%%\\Microsoft\\Feeds Cache\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\History.IE5\\*\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\History.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\Low\\History.IE5\\*\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\History\\Low\\History.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\index.dat", "%%users.localappdata%%\\Microsoft\\Windows\\WebCache\\WebCacheV*.dat", "%%users.userprofile%%\\Local Settings\\History\\History.IE5\\index.dat", "%%users.userprofile%%\\Local Settings\\History\\History.IE5\\*\\index.dat", "%%users.userprofile%%\\Local Settings\\History\\Temporary Internet Files\\Content.IE5\\index.dat", "%%users.userprofile%%\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "OperaHistoryFile", Doc: "Opera browser history (global_history.dat).", Sources: []artifacts.Source{{Parent: "OperaHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Opera/global_history.dat"}, 
Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "OperaHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/.opera/global_history.dat"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Linux"}, Provides: []artifacts.Provide(nil)}, {Parent: "OperaHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Opera\\Opera\\global_history.dat", "%%users.appdata%%\\Opera Software\\Opera Stable\\History", "%%users.appdata%%\\Opera Software\\Opera Stable\\History-journal"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Darwin", "Linux"}, Urls: []string(nil)}, {Name: "SafariDownloadFile", Doc: "Safari downloads history (Downloads.plist).", Sources: []artifacts.Source{{Parent: "SafariDownloadFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/Downloads.plist"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}, {Parent: "SafariDownloadFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Apple 
Computer\\Safari\\Downloads.plist", "%%users.appdata%%\\Apple Computer\\Safari\\Downloads.plist"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Darwin", "Windows"}, Urls: []string(nil)}, {Name: "SafariHistoryFile", Doc: "Safari browser history (History.plist).", Sources: []artifacts.Source{{Parent: "SafariHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\Apple Computer\\Safari\\History.plist", "%%users.appdata%%\\Apple Computer\\Safari\\History.plist"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Windows"}, Provides: []artifacts.Provide(nil)}, {Parent: "SafariHistoryFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.homedir%%/Library/Safari/History.plist", "%%users.homedir%%/Library/Safari/History.db", "%%users.homedir%%/Library/Safari/History.db-wal"}, Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string{"Darwin"}, Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows", "Darwin"}, Urls: []string(nil)}, {Name: "WindowsActiveDesktop", Doc: "Windows Active Desktop settings and components.", Sources: []artifacts.Source{{Parent: "WindowsActiveDesktop", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Desktop\\Components\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Internet Explorer\\Desktop\\General"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsActivitiesCacheDatabase", Doc: "SQLite database containing the Windows activities cache.", Sources: []artifacts.Source{{Parent: "WindowsActivitiesCacheDatabase", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.localappdata%%\\ConnectedDevicesPlatform\\L.%%users.username%%\\ActivitiesCache.db"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAlternateShell", Doc: "Alternate Shell to be run via Userinit.", Sources: []artifacts.Source{{Parent: "WindowsAlternateShell", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot", Value: "AlternateShell"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option", Value: "UseAlternateShell"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAMCacheHveFile", Doc: "The AMCache file, stored in the Windows NT Registry file format.", Sources: []artifacts.Source{{Parent: "WindowsAMCacheHveFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\AppCompat\\Programs\\Amcache.hve", "%%environ_systemroot%%\\AppCompat\\Programs\\Amcache.hve.LOG1", "%%environ_systemroot%%\\AppCompat\\Programs\\Amcache.hve.LOG2"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAppCertDLLs", Doc: "Windows AppCertDLLs persistence.", Sources: []artifacts.Source{{Parent: "WindowsAppCertDLLs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAppCompatCache", Doc: "Windows Application Compatibility Cache", Sources: []artifacts.Source{{Parent: "WindowsAppCompatCache", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session 
Manager\\AppCompatibility", Value: "AppCompatCache"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache", Value: "AppCompatCache"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAppInitDLLs", Doc: "Windows Application Initial (AppInit) DLLs persistence.\n\nAppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded\ninto each user mode process on the system.\n", Sources: []artifacts.Source{{Parent: "WindowsAppInitDLLs", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "AppInit_DLLs"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsApplicationCompatibilityInstalledShimDatabases", Doc: "Windows Application Compatibility Installed Shim Databases.\n\ndrvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are\nshim database files (SDB files) that are provided by Windows, and contain\nmany predefined shims that address known application compatibility issues.\nNote that these 
database files are not signed.\n\nWindows also supports custom shim database. These are typically installed\nby the sdbinst.exe utility. Note, that shim database files can also exist\nelsewhere in the file system.\n\nWindows application shims provide a way for the operating system to\napply patches to executables before they are run, ultimately providing\na lightweight mechanism for applying hot fixes and making modifications to\nensure compatibility across the various versions of Windows. This\nfunctionality can also be leveraged maliciously to change how certain\nprograms operate, or to provide capabilities to malware, such as the\nability to bypass UAC, gain persistence by injecting loading into legitimate\nprocesses, or avoid detection by disabling anti-virus software.\n", Sources: []artifacts.Source{{Parent: "WindowsApplicationCompatibilityInstalledShimDatabases", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\AppPatch\\drvmain.sdb", "%%environ_systemroot%%\\AppPatch\\frxmain.sdb", "%%environ_systemroot%%\\AppPatch\\msimain.sdb", "%%environ_systemroot%%\\AppPatch\\pcamain.sdb", "%%environ_systemroot%%\\AppPatch\\sysmain.sdb", "%%environ_systemroot%%\\AppPatch\\AppPatch64\\Custom\\*", "%%environ_systemroot%%\\AppPatch\\Custom\\*", "%%environ_systemroot%%\\AppPatch\\Custom\\Custom64\\*", "%%environ_systemroot%%\\AppPatch\\CustomSDB\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsApplicationCompatibilityShimDatabaseMappings", Doc: "Windows Application Compatibility Shim Database Mappings.\n\nMappings between the Windows Application Compatibility shim database files 
and\nthe programs that they apply to.\n\nWindows allows for custom application shims to be installed via the\nsdbinst.exe application. For example a mapping for 'notepad.exe':\n\nKey: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\\n AppCompatFlags\\Custom\\notepad.exe\nValue: {00000000-1111-2222-3333-444444444444}.sdb = 0\n\nKey: AppCompatFlags\\InstalledSDB\\{00000000-1111-2222-3333-444444444444}\nValue: DatabasePath =\n \"C:\\Windows\\AppPatch\\Custom\\{00000000-1111-2222-3333-444444444444}.sdb\"\n\nWindows application shims provide a way for the operating system to\napply patches to executables before they are run, ultimately providing\na lightweight mechanism for applying hot fixes and making modifications to\nensure compatibility across the various versions of Windows. This\nfunctionality can also be leveraged maliciously to change how certain\nprograms operate, or to provide capabilities to malware, such as the\nability to bypass UAC, gain persistence by injecting loading into legitimate\nprocesses, or avoid detection by disabling anti-virus software.\n", Sources: []artifacts.Source{{Parent: "WindowsApplicationCompatibilityShimDatabaseMappings", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*", Value: "DatabaseDescription"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*", Value: "DatabasePath"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*", Value: "*"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsApplicationCompatibilityShims", Doc: "Windows Application Compatibility Shim Database Files and Application Mappings", Sources: []artifacts.Source{{Parent: "WindowsApplicationCompatibilityShims", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsApplicationCompatibilityInstalledShimDatabases", "WindowsApplicationCompatibilityShimDatabaseMappings"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsBootVerificationProgram", Doc: "Path to custom startup verification program.", Sources: []artifacts.Source{{Parent: "WindowsBootVerificationProgram", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\BootVerificationProgram", Value: "ImagePath"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsComputerName", Doc: "The name of the system.", Sources: []artifacts.Source{{Parent: "WindowsComputerName", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: 
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ComputerName", Value: "ComputerName"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName", Value: "ComputerName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsCommandProcessorAutoRun", Doc: "Commands that are run each time the Command Processor (Cmd.exe) is started.", Sources: []artifacts.Source{{Parent: "WindowsCommandProcessorAutoRun", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor", Value: "AutoRun"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Command Processor", Value: "AutoRun"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Command Processor", Value: "AutoRun"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Command Processor", Value: "AutoRun"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsCOMProperties", Doc: "Various properties of Windows COM Objects.\n\nThese artifacts are meant to highlight properties of COM objects that,\nalthough legitimate, are known to be associated with persistence techniques\nor other capabilities that malware can leverage.\n\nShellFolder\\HideOnDesktop, ShellFolder\\Attributes (specifically with value\n0xf090013d), and InprocServer\\LoadWithoutCOM are associated with a technique\nto cause iexplore or explorer to load a malicious DLL by 
registering a COM\nobject and invoking it through the use of Junction Folders.\n", Sources: []artifacts.Source{{Parent: "WindowsCOMProperties", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "Attributes"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\ShellFolder", Value: "HideOnDesktop"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\CLSID\\*\\InprocServer32", Value: "LoadWithoutCOM"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSearchFilterHandlers", Doc: "Windows Search filter handlers configured for file types and applications.\n\nWindows 
Search loads DLLs that implement the IFilter interface in order to\nscan files for text and extract certain types of information. Malware can\nreplace the filter handler for a given file type or CLSID with itself to gain\nexecution when a search operation is performed on that file. Search\noperations can be performed indirectly in a number of cases; for instance,\nthe .txt, .html, and .rtf filter handlers are invoked when indexing email\nmessage bodies.\n\nThe filter handler to use is specified indirectly via a persistent handler.\nThe persistent handler GUID is indicated via the PersistentHandler subkey for\na file type or application GUID. The filter handler CLSID is indicated via\nthe PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey\nunder the persistent handler GUID key path. This artifact inspects both of\nthese paths.\n\nNOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these\nare the only keys used. SearchFilterHost.exe runs under the SYSTEM account,\nwhich does not have access to HKEY_CURRENT_USER.\n", Sources: []artifacts.Source{{Parent: "WindowsSearchFilterHandlers", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\PersistentHandler", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\*\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}", Value: ""}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\CLSID\\*\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsCredentialProviderFilters", Doc: "Windows Credential Provider Filters", Sources: []artifacts.Source{{Parent: "WindowsCredentialProviderFilters", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider Filters\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider Filters\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsCredentialProviders", Doc: "CLSIDs of applications to use as Credential Providers", Sources: []artifacts.Source{{Parent: "WindowsCredentialProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDebugger", Doc: "Windows Debugger peristence or AV disable.", Sources: []artifacts.Source{{Parent: "WindowsDebugger", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", Value: "Debugger"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEnvironmentUserLoginScripts", Doc: "User login scripts configured via Windows environment variables.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentUserLoginScripts", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "UserInitLogonServer"}, {Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "UserInitLogonScript"}, {Key: "HKEY_USERS\\%%users.sid%%\\Environment", Value: "UserInitMprLogonScript"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEnvironmentVariableAllUsersProfile", Doc: "The system-wide %AllUsersProfile% environment variable contains the path of the of the \"All Users\" or \"Common\" profile directory.", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableAllUsersProfile", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", Value: "AllUsersProfile"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_allusersappdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableAllUsersProfile", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", Value: "ProgramData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_allusersappdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableAllUsersProfile", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\ProgramData", "\\Documents and Settings\\All Users"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_allusersappdata", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEnvironmentVariableProfilesDirectory", Doc: "The %ProfilesDirectory% environment variable contain a path of a directory that contains the users' profile directories, typically \"%SystemDrive%\\Users\".", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableProfilesDirectory", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", Value: "ProfilesDirectory"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_profilesdirectory", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEnvironmentVariableSystemRoot", Doc: "The %SystemRoot%, environment variable contains the path of the system directory, typically \"C:\\Windows\".", Sources: []artifacts.Source{{Parent: "WindowsEnvironmentVariableSystemRoot", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\Windows", "\\WinNT", "\\WINNT35", "\\WTSRV"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_systemroot", Regex: "", WMIKey: ""}, {Key: "environ_systemdrive", Regex: "^(..)", WMIKey: ""}}}, {Parent: "WindowsEnvironmentVariableSystemRoot", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", Value: "SystemRoot"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_systemroot", Regex: "", WMIKey: ""}, {Key: "environ_systemdrive", Regex: "^(..)", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsExplorerAutoplayHandlers", Doc: "Handlers for autoplay events in Windows Explorer.", Sources: []artifacts.Source{{Parent: "WindowsExplorerAutoplayHandlers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsFileTypeAutorunAssociations", Doc: "Registry value for what application class identifier (CLSID) to launch for a file extension.\n\nExtension subkeys start with a dot. The '(Default)' value will be a ProgID,\nwhich points to another entry in HKCR specifying the command to run to open\na file of the given type. 
The WindowsShellOpenCommand artifact is associated\nwith these ProgID command invocations.\n", Sources: []artifacts.Source{{Parent: "WindowsFileTypeAutorunAssociations", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\.*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\.*", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\.*", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\.*", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsGroupPolicyScripts", Doc: "Windows group policy scripts", Sources: []artifacts.Source{{Parent: "WindowsGroupPolicyScripts", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\psscripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\scripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\Logoff\\*", "%%environ_systemroot%%\\System32\\GroupPolicy\\User\\Scripts\\Logon\\*", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\psscripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\scripts.ini", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\Shutdown\\*", "%%environ_systemroot%%\\System32\\GroupPolicy\\Machine\\Scripts\\Startup\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsLogoffScript", Doc: "Windows policy logoff script", Sources: []artifacts.Source{{Parent: "WindowsLogoffScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logoff"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logoff"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsLogonScript", Doc: "Windows policy logon script", Sources: []artifacts.Source{{Parent: "WindowsLogonScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logon"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Logon"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsLSAAuthenticationPackages", Doc: "Authentication Packages can be injected into LSASS.", Sources: []artifacts.Source{{Parent: "WindowsLSAAuthenticationPackages", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: 
[]string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", Value: "Authentication Packages"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig", Value: "Authentication Packages"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsLSANotificationPackages", Doc: "Notification Packages can be injected into LSASS.", Sources: []artifacts.Source{{Parent: "WindowsLSANotificationPackages", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", Value: "Notification Packages"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig", Value: "Notification Packages"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsLSASecurityPackages", Doc: "Security Packages can be injected into LSASS.", Sources: []artifacts.Source{{Parent: "WindowsLSASecurityPackages", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", Value: "Security Packages"}, {Key: 
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig", Value: "Security Packages"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsMostRecentApplication", Doc: "Windows Most Recent Application name key", Sources: []artifacts.Source{{Parent: "WindowsMostRecentApplication", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\*\\MostRecentApplication", Value: "Name"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\*\\MostRecentApplication", Value: "Name"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsMSDTCDLLs", Doc: "Windows MSDTC attempts to load these DLLs on start", Sources: []artifacts.Source{{Parent: "WindowsMSDTCDLLs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MSDTC\\MTxOCI\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\MSDTC\\MTxOCI\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsMultiMediaDrivers", Doc: "Configured drivers for different multimedia filetypes.", Sources: []artifacts.Source{{Parent: 
"WindowsMultiMediaDrivers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*", "HKEY_USERS\\%%users.sid%%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*", "HKEY_USERS\\%%users.sid%%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsNetworkShellHelpers", Doc: "Windows Network Shell (netsh) helpers are loaded on boot", Sources: []artifacts.Source{{Parent: "WindowsNetworkShellHelpers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Netsh", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Netsh"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsOpenSaveMRU", Doc: "Information about files opened or saved in a Windows shell dialog.", Sources: []artifacts.Source{{Parent: "WindowsOpenSaveMRU", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDIg32\\OpenSaveMRU\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsOpenSavePidlMRU", Doc: "Information about files opened or saved in a Windows shell dialog.", Sources: []artifacts.Source{{Parent: "WindowsOpenSavePidlMRU", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPendingGPOs", Doc: "Windows Pending GPOs registry settings.\n\nThis is a persistence mechanism known to be used by the Gootkit malware family.\n", Sources: []artifacts.Source{{Parent: "WindowsPendingGPOs", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs", Value: "Path1"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs", Value: "Path1"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPersistenceMechanisms", Doc: "Persistence mechanisms in Windows.", Sources: []artifacts.Source{{Parent: "WindowsPersistenceMechanisms", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsPersistenceRegistryKeys", "WindowsPowerShellDefaultProfiles", "WindowsServices", "WindowsJobFiles"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPersistenceRegistryKeys", Doc: "Windows Registry keys used for persistence.", Sources: []artifacts.Source{{Parent: "WindowsPersistenceRegistryKeys", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"InternetExplorerBrowserHelperObjectsRegistryKeys", "WindowsActiveDesktop", "WindowsActiveSyncAutoStart", "WindowsAlternateShell", "WindowsAppCertDLLs", "WindowsAppInitDLLs", "WindowsBootVerificationProgram", "WindowsCommandProcessorAutoRun", "WindowsCredentialProviderFilters", "WindowsCredentialProviders", "WindowsDebugger", "WindowsEnvironmentUserLoginScripts", "WindowsExplorerAutoplayHandlers", "WindowsFileTypeAutorunAssociations", "WindowsFontDrivers", "WindowsIconServiceLib", "WindowsLSAAuthenticationPackages", "WindowsLSANotificationPackages", "WindowsLSASecurityPackages", "WindowsMSDTCDLLs", "WindowsMultiMediaDrivers", "WindowsNetworkShellHelpers", "WindowsPendingGPOs", "WindowsPLAPProviders", "WindowsPrintMonitors", "WindowsRunGrpConv", "WindowsRunKeys", "WindowsRunServices", "WindowsScreenSaverExecutable", "WindowsSearchFilterHandlers", "WindowsSecurityProviders", "WindowsServiceControlManagerExtension", "WindowsSessionManagerBootExecute", 
"WindowsSessionManagerExecute", "WindowsSessionManagerS0InitialCommand", "WindowsSessionManagerSetupExecute", "WindowsSessionManagerSubSystems", "WindowsSessionManagerWOWCommandLine", "WindowsSetupCommandLine", "WindowsSharedTaskScheduler", "WindowsShellExecuteHooks", "WindowsShellExtensions", "WindowsShellIconOverlayIdentifiers", "WindowsShellLoadAndRun", "WindowsShellOpenCommand", "WindowsShellRunasCommand", "WindowsShellServiceObjects", "WindowsStubPaths", "WindowsSystemPolicyShell", "WindowsTerminalServerInitialProgram", "WindowsTerminalServerRunKeys", "WindowsTerminalServerStartupPrograms", "WindowsToolPaths", "WindowsWinlogonAppSetup", "WindowsWinlogonAvailableShells", "WindowsWinlogonGinaDLL", "WindowsWinlogonGPExtensions", "WindowsWinlogonNotify", "WindowsWinlogonShell", "WindowsWinlogonSystem", "WindowsWinlogonTaskman", "WindowsWinlogonUiHost", "WindowsWinlogonUserinit", "WindowsWinlogonVMApplet", "WinSock2LayeredServiceProviders", "WinSock2NamespaceProviders"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPLAPProviders", Doc: "Windows Pre-Logon Access Provider (PLAP) Providers", Sources: []artifacts.Source{{Parent: "WindowsPLAPProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\PLAP Providers\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Authentication\\PLAP Providers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: 
[]string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPowerShellDefaultProfiles", Doc: "Default PowerShell Profile files. These files are executed by default when PowerShell starts up.", Sources: []artifacts.Source{{Parent: "WindowsPowerShellDefaultProfiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\system32\\WindowsPowerShell\\v1.0\\profile.ps1", "%%environ_systemroot%%\\system32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", "%%users.userprofile%%\\Documents\\WindowsPowerShell\\profile.ps1", "%%users.userprofile%%\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPrefetchFiles", Doc: "Windows Prefetch files.", Sources: []artifacts.Source{{Parent: "WindowsPrefetchFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\Prefetch\\*.pf"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPrintMonitors", Doc: "Windows Print Monitor DLL config.", Sources: []artifacts.Source{{Parent: "WindowsPrintMonitors", Type: "REGISTRY_VALUE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\Monitors\\*", Value: "Driver"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsRecycleBin", Doc: "Windows Recycle Bin (Recyler, $Recycle.Bin) files.", Sources: []artifacts.Source{{Parent: "WindowsRecycleBin", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"\\$Recycle.Bin\\**", "\\Recycler\\**"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsRegistryProfileSIDs", Doc: "Get SIDs for all users on the system with profiles present in the Registry.", Sources: []artifacts.Source{{Parent: "WindowsRegistryProfileSIDs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.sid", Regex: "ProfileList\\\\(.+)$", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsRegistryProfiles", Doc: "Get 
SIDs for all users on the system with profiles present in the Registry.\n\nThis looks in the Windows Registry where the profiles are stored and retrieves\nthe paths for each profile.\n", Sources: []artifacts.Source{{Parent: "WindowsRegistryProfiles", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\*", Value: "ProfileImagePath"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.userprofile", Regex: "", WMIKey: ""}, {Key: "users.username", Regex: ".*\\\\(.+)", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsRunGrpConv", Doc: "The Windows RunGrpConv Registry value.\n\nWhen this Registry value is non-zero userinit.exe will launch grpconv.exe at user login.\n", Sources: []artifacts.Source{{Parent: "WindowsRunGrpConv", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "RunGrpConv"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsRunKeys", Doc: "Windows Run and RunOnce keys.\n\nNote users.sid will currently only expand to SIDs with profiles\non the system, not all SIDs.\n", Sources: []artifacts.Source{{Parent: "WindowsRunKeys", Type: "REGISTRY_KEY", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"}, Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsRunServices", Doc: "Windows Run Services.", Sources: []artifacts.Source{{Parent: "WindowsRunServices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunServices"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsScheduledTasks", Doc: "Windows Scheduled Tasks.", Sources: []artifacts.Source{{Parent: "WindowsScheduledTasks", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\Tasks\\**10", "%%environ_systemroot%%\\System32\\Tasks\\**10", "%%environ_systemroot%%\\SysWow64\\Tasks\\**10"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), 
Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsScreenSaverExecutable", Doc: "ScreenSaver Executable", Sources: []artifacts.Source{{Parent: "WindowsScreenSaverExecutable", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop", Value: "scrnsave.exe"}, {Key: "HKEY_USERS\\%%users.sid%%\\Control Panel\\Desktop", Value: "scrnsave.exe"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSecurityProviders", Doc: "Security Providers DLLs", Sources: []artifacts.Source{{Parent: "WindowsSecurityProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsServiceControlManagerExtension", Doc: "Windows service control manager extension", Sources: []artifacts.Source{{Parent: "WindowsServiceControlManagerExtension", Type: "REGISTRY_VALUE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control", Value: "ServiceControlManagerExtension"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsServices", Doc: "Windows services from the Registry.\n\nMalware can add new services to gain persistence, or modify\nexisting ones to avoid detection. For example, the ZeroAccess\nrootkit will make the following changes to the WSCSVC (Windows\nSecurity Service Center), WINDEFEND (Windows Defender),\nand MPSSVC (Windows Firewall) services, among others\n\n* Set 'Start' to 4, indicating that the service should be disabled\n* Set 'DeleteFlag' to 1, indicating that the service should be removed\n* Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be\n started by the Service Controller and no error messages generated\n", Sources: []artifacts.Source{{Parent: "WindowsServices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\*\\Parameters"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsFontDrivers", Doc: "Windows font drivers from the Registry.", Sources: []artifacts.Source{{Parent: "WindowsFontDrivers", Type: "REGISTRY_KEY", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Font Drivers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSessionManagerBootExecute", Doc: "Windows Session Manager BootExecute persistence.", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerBootExecute", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "BootExecute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSessionManagerExecute", Doc: "Windows Session Manager Execute persistence\n\nThis entry shouldn't be populated after Windows has been installed\n", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerExecute", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "Execute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), 
SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSessionManagerS0InitialCommand", Doc: "Windows Session Manager S0InitialCommand persistence\n\nThis entry shouldn't be populated after Windows has been installed\n", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerS0InitialCommand", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "S0InitialCommand"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSessionManagerSetupExecute", Doc: "Windows Session Manager SetupExecute persistence\n\nThis entry shouldn't be populated after Windows has been installed\n", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerSetupExecute", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "SetupExecute"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSessionManagerSubSystems", Doc: "Windows Session Manager SubSystems persistence", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerSubSystems", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: 
[]string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SubSystems", Value: "Windows"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSessionManagerWOWCommandLine", Doc: "Windows Session Manager Windows-on-Windows (WOW) command line", Sources: []artifacts.Source{{Parent: "WindowsSessionManagerWOWCommandLine", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\WOW", Value: "cmdline"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\WOW", Value: "wowcmdline"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSetupCommandLine", Doc: "Command line invocation used for custom setup and deployment tasks", Sources: []artifacts.Source{{Parent: "WindowsSetupCommandLine", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\Setup", Value: "CmdLine"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: 
[]string(nil)}, {Name: "WindowsSharedTaskScheduler", Doc: "Runs on windows boot.", Sources: []artifacts.Source{{Parent: "WindowsSharedTaskScheduler", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellExecuteHooks", Doc: "Shell execution hooks are called when ShellExecuteEx() is called.", Sources: []artifacts.Source{{Parent: "WindowsShellExecuteHooks", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellExtensions", Doc: "Approved extensions to the Windows Shell (explorer.exe).", Sources: []artifacts.Source{{Parent: "WindowsShellExtensions", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellIconOverlayIdentifiers", Doc: "Called to display custom icons.", Sources: []artifacts.Source{{Parent: "WindowsShellIconOverlayIdentifiers", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellLoadAndRun", Doc: "Windows Shell Load and Run values", Sources: []artifacts.Source{{Parent: "WindowsShellLoadAndRun", Type: "REGISTRY_VALUE", 
Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Load"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Run"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Load"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "Run"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsIconServiceLib", Doc: "Windows Icon Service Library Name\n\nThe value should default to 'IconCodecService.dll'\n", Sources: []artifacts.Source{{Parent: "WindowsIconServiceLib", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", Value: "IconServiceLib"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellOpenCommand", Doc: "Executed every time this file type is opened. 
For most file types, the value should be '\"%1\" %*'.", Sources: []artifacts.Source{{Parent: "WindowsShellOpenCommand", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\open\\command", Value: "IsolatedCommand"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\open\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\open\\command", Value: "IsolatedCommand"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellRunasCommand", Doc: "Executed every time an executable or script file type is run as administrator.\n\nFor most file types, the value should be '\"%1\" %*' or something similar.\nExample file type subkeys include 'exefile', 'batfile', and 'cmdfile'. 
These\nkeys can be modified by malware as a way to be periodically executed or to\nbypass UAC.\n", Sources: []artifacts.Source{{Parent: "WindowsShellRunasCommand", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\shell\\runas\\command", Value: "IsolatedCommand"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\*\\shell\\runas\\command", Value: "IsolatedCommand"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Wow6432Node\\*\\shell\\runas\\command", Value: "IsolatedCommand"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsShellServiceObjects", Doc: "Windows Shell (explorer.exe) service objects delayed load.", Sources: []artifacts.Source{{Parent: "WindowsShellServiceObjects", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"}, Query: "", 
BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSetupApiLogs", Doc: "Windows setup API logs.", Sources: []artifacts.Source{{Parent: "WindowsSetupApiLogs", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\setupapi.log", "%%environ_systemroot%%\\inf\\setupapi.app.log", "%%environ_systemroot%%\\inf\\setupapi.dev.log", "%%environ_systemroot%%\\inf\\setupapi.offline.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStartupFolders", Doc: "Windows startup folder persistence.", Sources: []artifacts.Source{{Parent: "WindowsStartupFolders", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_allusersappdata%%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "%%environ_allusersappdata%%\\Start Menu\\Programs\\Startup\\*", "%%users.appdata%%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "%%users.userprofile%%\\Start Menu\\Programs\\Startup\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStartupScript", Doc: "Windows policy startup script", 
Sources: []artifacts.Source{{Parent: "WindowsStartupScript", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts", Value: "Startup"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\*\\*", Value: "Script"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\*\\*", Value: "Parameters"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Startup\\*\\*", Value: "Script"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\Startup\\*\\*", Value: "Parameters"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsStubPaths", Doc: "Windows StubPath persistence.\n\nEach time a user logs in, the Active Setup Installed Components in HKLM\nare compared ot the ones in HKCU, and if any are missing, or if the\nassociated version is less, the program is executed.\n", Sources: []artifacts.Source{{Parent: "WindowsStubPaths", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "StubPath"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\*", Value: "Version"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSystemPolicyShell", Doc: "Windows System policy replacement shell (custom user interface).", Sources: []artifacts.Source{{Parent: "WindowsSystemPolicyShell", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "Shell"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Value: "Shell"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSystemRegistryFiles", Doc: "Windows system Registry files.", Sources: []artifacts.Source{{Parent: "WindowsSystemRegistryFiles", Type: "FILE", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\System Volume Information\\Syscache.hve", "%%environ_systemroot%%\\System32\\config\\SAM", "%%environ_systemroot%%\\System32\\config\\SECURITY", "%%environ_systemroot%%\\System32\\config\\SOFTWARE", "%%environ_systemroot%%\\System32\\config\\SYSTEM"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSystemResourceUsageMonitorDatabaseFile", Doc: "Windows System Resource Usage Monitor (SRUM) database file.", Sources: []artifacts.Source{{Parent: "WindowsSystemResourceUsageMonitorDatabaseFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\sru\\SRUDB.dat"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTerminalServerRunKeys", Doc: "Windows Terminal Server Run keys", Sources: []artifacts.Source{{Parent: "WindowsTerminalServerRunKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal 
Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: 
[]string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTerminalServerStartupPrograms", Doc: "Windows Terminal Server Startup Programs", Sources: []artifacts.Source{{Parent: "WindowsTerminalServerStartupPrograms", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd", Value: "StartupPrograms"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTerminalServerInitialProgram", Doc: "Windows Terminal Server Initial Program", Sources: []artifacts.Source{{Parent: "WindowsTerminalServerInitialProgram", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp", Value: "InitialProgram"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Policies\\Microsoft\\Windows NT\\Terminal Services", Value: "InitialProgram"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsActiveSyncAutoStart", Doc: "Windows ActiveSync AutoStart entries", Sources: []artifacts.Source{{Parent: "WindowsActiveSyncAutoStart", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTimezone", Doc: "The time zone of the system as a Windows time zone name or in MUI form.", Sources: []artifacts.Source{{Parent: "WindowsTimezone", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\TimeZoneInformation", Value: "StandardName"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\TimeZoneInformation", Value: "TimeZoneKeyName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsToolPaths", Doc: "Paths to windows tools such as defrag, chkdsk.", Sources: 
[]artifacts.Source{{Parent: "WindowsToolPaths", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\BackupPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\ChkDskPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\cleanuppath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\DefragPath"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUninstallKeys", Doc: "Uninstall Registry keys", Sources: []artifacts.Source{{Parent: "WindowsUninstallKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*", "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUserShellFoldersOfInterest", Doc: "The Shell Folders information for Windows users, defined as single values for knowledge base extraction", Sources: []artifacts.Source{{Parent: "WindowsUserShellFoldersOfInterest", Type: 
"REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "AppData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.appdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsUserShellFoldersOfInterest", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Value: "Local AppData"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.localappdata", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonGinaDLL", Doc: "Windows Gina DLL replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonGinaDLL", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "GinaDLL"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "GinaDLL"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: 
"WindowsWinlogonNotify", Doc: "Windows Winlogon Notify DLL names.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonNotify", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\*", Value: "DLLName"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\*", Value: "DLLName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonShell", Doc: "Windows shell replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonShell", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Shell"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Shell"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonSystem", Doc: "Applications launched by Winlogon in the system context during the system initialisation.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonSystem", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: 
"", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "System"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "System"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonTaskman", Doc: "Windows Winlogon Taskman replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonTaskman", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Taskman"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Taskman"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonUiHost", Doc: "Windows Winlogon UI screen application", Sources: []artifacts.Source{{Parent: "WindowsWinlogonUiHost", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "UiHost"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "UiHost"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonUserinit", Doc: "Windows Winlogon Userinit replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonUserinit", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Userinit"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "Userinit"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonAvailableShells", Doc: "Windows Server Winlogon Available Shells\n\nUsed to specify an alternate shell application to be launched when\nlogging into Windows Server 2012 and later. 
Legitimate keys under\nAvailableShells should just cause cmd.exe or explorer.exe to be executed,\nwhereas malicious programs may create keys that cause malware to be run\nwhen a user logs in.\n", Sources: []artifacts.Source{{Parent: "WindowsWinlogonAvailableShells", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AlternateShells\\AvailableShells\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonVMApplet", Doc: "Windows VMApplet replacement.", Sources: []artifacts.Source{{Parent: "WindowsWinlogonVMApplet", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "VMApplet"}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "VMApplet"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonAppSetup", Doc: "Windows Winlogon Appsetup", Sources: []artifacts.Source{{Parent: "WindowsWinlogonAppSetup", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", 
KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", Value: "AppSetup"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsWinlogonGPExtensions", Doc: "Windows Winlogon Group Policy Extensions\n\nThese keys specify DLLs that should be loaded when the group policy\nengine loads, and can act as a persistence mechanism for malware.\n", Sources: []artifacts.Source{{Parent: "WindowsWinlogonGPExtensions", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: "DllName"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\*", Value: "DllName"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WinSock2LayeredServiceProviders", Doc: "Used to filter TCP/IP traffic through WinSock2.", Sources: []artifacts.Source{{Parent: "WinSock2LayeredServiceProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\*", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries64\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WinSock2NamespaceProviders", Doc: "Used to provide name-resolution services through WinSock2", Sources: []artifacts.Source{{Parent: "WinSock2NamespaceProviders", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries\\*", Value: "LibraryPath"}, {Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries64\\*", Value: "LibraryPath"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsJobFiles", Doc: "Files for the Windows Task Scheduler", Sources: []artifacts.Source{{Parent: "WindowsJobFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\system32\\Tasks\\**10", "%%environ_systemroot%%\\Tasks\\**10"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsNetworkInterfaceInformation", Doc: "Details for network interfaces and their names", Sources: []artifacts.Source{{Parent: "WindowsNetworkInterfaceInformation", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet*\\Services\\Tcpip\\Parameters\\Interfaces\\*", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet*\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\*\\Connection"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsHotfixes", Doc: "Windows Registry Keys that contain Hotfix information", Sources: []artifacts.Source{{Parent: "WindowsHotfixes", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Updates\\*\\*", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\*\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDefaultPaths", Doc: "Default Paths for many parameters", Sources: []artifacts.Source{{Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: 
artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemdrive%%\\Users"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "environ_profilesdirectory", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_profilesdirectory%%\\*", "\\Users\\*"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.userprofile", Regex: "", WMIKey: ""}, {Key: "users.username", Regex: ".*\\\\(.+)", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_profilesdirectory%%\\*\\AppData\\Roaming", "\\Users\\*\\AppData\\Roaming"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.appdata", Regex: "", WMIKey: ""}}}, {Parent: "WindowsDefaultPaths", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_profilesdirectory%%\\*\\AppData\\Local", "\\Users\\*\\AppData\\Local"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.localappdata", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: 
"WindowsUserSIDDefaultKeys", Doc: "Bruteforce SIDs", Sources: []artifacts.Source{{Parent: "WindowsUserSIDDefaultKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide{{Key: "users.sid", Regex: ".*\\\\(.+)", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEventLogs", Doc: "Windows Event logs.", Sources: []artifacts.Source{{Parent: "WindowsEventLogs", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsEventLogApplicationFile", "WindowsEventLogSecurityFile", "WindowsEventLogSystemFile", "WindowsXMLEventLogApplicationFile", "WindowsXMLEventLogSecurityFile", "WindowsXMLEventLogSysmonFile", "WindowsXMLEventLogSystemFile", "WindowsXMLEventLogTerminalServicesFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEventLogPath", Doc: "Windows Event log locations.", Sources: []artifacts.Source{{Parent: "WindowsEventLogPath", Type: "PATH", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\System32\\config", "%%environ_systemroot%%\\System32\\winevt\\Logs"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: 
[]artifacts.Provide{{Key: "windows_event_logs", Regex: "", WMIKey: ""}}}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEventLogApplicationFile", Doc: "Application Windows Event Log.", Sources: []artifacts.Source{{Parent: "WindowsEventLogApplicationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\AppEvent.evt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEventLogSecurityFile", Doc: "Security Windows Event Log.", Sources: []artifacts.Source{{Parent: "WindowsEventLogSecurityFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\SecEvent.evt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsEventLogSystemFile", Doc: "System Windows Event Log.", Sources: []artifacts.Source{{Parent: "WindowsEventLogSystemFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\SysEvent.evt"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: 
[]string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsXMLEventLogApplicationFile", Doc: "Application Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogApplicationFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Application.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsXMLEventLogSecurityFile", Doc: "Security Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogSecurityFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Security.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsXMLEventLogSysmonFile", Doc: "Sysmon Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogSysmonFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Microsoft-Windows-Sysmon%4Operational.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: 
[]string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsXMLEventLogSystemFile", Doc: "System Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogSystemFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\System.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsXMLEventLogTerminalServicesFile", Doc: "TerminalServices Windows XML Event Log.", Sources: []artifacts.Source{{Parent: "WindowsXMLEventLogTerminalServicesFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%windows_event_logs%%\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsPersistence", Doc: "Windows persistence mechanisms.", Sources: []artifacts.Source{{Parent: "WindowsPersistence", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsEnvironmentVariableSystemRoot", "WindowsRegistryProfiles", "WindowsPersistenceMechanisms", "WindowsApplicationCompatibilityShims", "WindowsAppCertDLLsAlt", "WindowsCOMProperties", "WindowsBrowserPersistenceKeys", "InternetExplorerBrowserHelperObjectsRegistryKeys", "WindowsBrowserPersistenceFiles", "WindowsFileAssociation", 
"WindowsScheduledTasks", "WindowsTimeProviders", "WindowsSIPandTrustProviderHijacking", "WindowsKnownDLLs", "WindowsOfficeApplicationStartup", "WindowsImageHijacks", "WindowsCommandProcessorAutoRun", "WindowsDebugger", "WindowsCodecs", "WindowsFontDriversAlt", "WindowsStartupFolders", "WindowsStartupScript", "WindowsGroupPolicyScripts", "WindowsLogonScript", "WindowsLogoffScript"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsBrowserPersistenceKeys", Doc: "Registry keys for various browser extensions or wrapper objects.", Sources: []artifacts.Source{{Parent: "WindowsBrowserPersistenceKeys", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions\\*", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsBrowserPersistenceFiles", Doc: "Windows Scheduled Tasks.", Sources: []artifacts.Source{{Parent: "WindowsBrowserPersistenceFiles", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%users.appdata%%\\Mozilla\\Firefox\\Profiles\\*\\extensions.json"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: 
[]artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsFileAssociation", Doc: "User file association preferences", Sources: []artifacts.Source{{Parent: "WindowsFileAssociation", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\*\\OpenWithList", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\*\\OpenWithList"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsImageHijacks", Doc: "Various image hijack mechanisms used for persistence.", Sources: []artifacts.Source{{Parent: "WindowsImageHijacks", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*", Value: "MonitorProcess"}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Exefile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Exefile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\Htmlfile\\Shell\\Open\\Command", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Htmlfile\\Shell\\Open\\Command", Value: ""}, {Key: 
"HKEY_LOCAL_MACHINE\\Software\\Classes\\.cmd", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\.cmd", Value: ""}, {Key: "HKEY_LOCAL_MACHINE\\Software\\Classes\\.exe", Value: ""}, {Key: "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\.exe", Value: ""}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsTimeProviders", Doc: "Windows time provider services.", Sources: []artifacts.Source{{Parent: "WindowsTimeProviders", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\*"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsSIPandTrustProviderHijacking", Doc: "SIP are responsible for signature procession and can be abused by adversaries.", Sources: []artifacts.Source{{Parent: "WindowsSIPandTrustProviderHijacking", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\*", Value: "`$DLL"}, {Key: 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\*", Value: "Dll"}, {Key: "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\*", Value: "`$DLL"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsKnownDLLs", Doc: "DLLs that can be abused by search order hijacking.", Sources: []artifacts.Source{{Parent: "WindowsKnownDLLs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsOfficeApplicationStartup", Doc: "Add-ins and plug-ins registered to hook into office apps.", Sources: []artifacts.Source{{Parent: "WindowsOfficeApplicationStartup", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office test\\Special\\Perf", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\*\\Addins\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\Addins\\*", 
"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Office\\*\\Addins\\*", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Office\\*\\Addins\\*", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Calendar\\URL", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Calendar\\URL", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Inbox", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\Inbox"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsCodecs", Doc: "Codecs are executable software that can be loaded by media playback software. They could be abused for system persistence.", Sources: []artifacts.Source{{Parent: "WindowsCodecs", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", 
"HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", "HKEY_USERS\\%%users.sid%%\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance", "HKEY_LOCAL_MACHINE\\Software\\Classes\\Filter", "HKEY_USERS\\%%users.sid%%\\Software\\Classes\\Filter", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", "HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsAppCertDLLsAlt", Doc: "Windows AppCertDLLs persistence.", Sources: []artifacts.Source{{Parent: "WindowsAppCertDLLsAlt", Type: "REGISTRY_VALUE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: 
[]string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair{{Key: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager", Value: "AppCertDLLs"}}}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsFontDriversAlt", Doc: "Windows font drivers from the Registry.", Sources: []artifacts.Source{{Parent: "WindowsFontDriversAlt", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Font Drivers"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUSBInformation", Doc: "Windows Event logs.", Sources: []artifacts.Source{{Parent: "WindowsUSBInformation", Type: "ARTIFACT_GROUP", Attributes: artifacts.Attributes{Names: []string{"WindowsUSBDeviceInformations", "WindowsUSBVolumeAndDriveMapping", "WindowsUSBUserMountedDevices", "WindowsDeviceSetupFile"}, Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUSBDeviceInformations", Doc: "Windows USB Device Informations.\n\nUSBSTOR subkey only exists when there ever was an USB device mounted.\n", Sources: []artifacts.Source{{Parent: 
"WindowsUSBDeviceInformations", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\**"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUSBVolumeAndDriveMapping", Doc: "Windows USB volume and drive mapping.\n\nDisplays the mapping of USB devices to drives and volumes.\n", Sources: []artifacts.Source{{Parent: "WindowsUSBVolumeAndDriveMapping", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsUSBUserMountedDevices", Doc: "Windows USB user mounted devices.\n\nShows the GUIDs of all devices the user has ever mounted.\n", Sources: []artifacts.Source{{Parent: "WindowsUSBUserMountedDevices", Type: "REGISTRY_KEY", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string(nil), Separator: "", Cmd: "", Args: []string(nil), Keys: []string{"HKEY_USERS\\%%users.sid%%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\**"}, Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: 
[]string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}, {Name: "WindowsDeviceSetupFile", Doc: "Logfiles for Windows PNP driver installation", Sources: []artifacts.Source{{Parent: "WindowsDeviceSetupFile", Type: "FILE", Attributes: artifacts.Attributes{Names: []string(nil), Paths: []string{"%%environ_systemroot%%\\inf\\setupapi*.log"}, Separator: "\\", Cmd: "", Args: []string(nil), Keys: []string(nil), Query: "", BaseObject: "", KeyValuePairs: []artifacts.KeyValuePair(nil)}, Conditions: []string(nil), SupportedOs: []string(nil), Provides: []artifacts.Provide(nil)}}, Conditions: []string(nil), Provides: []string(nil), Labels: []string(nil), SupportedOs: []string{"Windows"}, Urls: []string(nil)}} From 9d23cc226c0133ea2145024702089bcd80d025c9 Mon Sep 17 00:00:00 2001 From: Jonas Plum Date: Sat, 19 Oct 2024 13:45:51 +0200 Subject: [PATCH 3/4] chore: cleanup --- Makefile | 15 --------------- README.md | 23 +++++++++++++++-------- config/ac.yaml | 3 +++ 3 files changed, 18 insertions(+), 23 deletions(-) diff --git a/Makefile b/Makefile index 549583c..5004810 100644 --- a/Makefile +++ b/Makefile @@ -72,21 +72,6 @@ generate-win: generate rsrc -arch amd64 -manifest build/win/artifactcollector.exe.user.manifest -ico build/win/artifactcollector.ico -o build/win/artifactcollector.user.syso rsrc -arch 386 -manifest build/win/artifactcollector32.exe.user.manifest -ico build/win/artifactcollector.ico -o build/win/artifactcollector32.user.syso -.PHONY: build -build: generate - @echo "Building..." - go build -o build/bin/artifactcollector . - -.PHONY: build-linux -build-linux: generate - @echo "Building for Linux..." - GOOS=linux GOARCH=amd64 go build -o build/bin/artifactcollector-linux . - -.PHONY: build-darwin -build-darwin: generate - @echo "Building for macOS..." - GOOS=darwin GOARCH=amd64 go build -o build/bin/artifactcollector-darwin . - .PHONY: build-win build-win: generate-win @echo "Building for Windows..." 
diff --git a/README.md b/README.md index 76e50ae..71075f4 100644 --- a/README.md +++ b/README.md @@ -61,18 +61,18 @@ The zip file contains the results of the extraction and needs to be transferred ## Build your own artifactcollector 1. Clone the repository: `git clone https://github.com/forensicanalysis/artifactcollector`. -2. Add artifact definition yaml files as needed in `config/artifacts`. Do not edit the - artifact definitions, as they will be overwritten. +2. Add and edit artifact definition yaml files as needed in `config/artifacts`. 3. Edit `config/ac.yaml` and add the artifacts you want to collect. 4. On windows, you can move the syso into the root folder (e.g. `cp resources\artifactcollector.syso .`) to enable the icon for the executable and the UAC popup. -5. Run `make build` to generate the artifactcollector binary. +5. Run `go build .` to generate the artifactcollector binary. + 1. You can also use `GOOS=windows GOARCH=amd64 go build -o artifactcollector.exe .` to cross-compile for Windows. ## Embed binaries Binaries can be added to `config/bin` and then included into the artifactcollector -in the `make build` step. Additionally, a corresponding COMMAND artifact like -the following is required. +in the `go build` step. Additionally, a corresponding COMMAND artifact like +the following is required: ```yaml name: Autoruns 
@@ -84,12 +84,19 @@ sources: supported_os: [ Windows ] ``` -The command output to stdout and stderr is saved, but generated -files are not collected. +The command output to stdout and stderr is saved, but generated files are not collected. + +## Acknowledgement + +The artifactcollector uses on the following great projects: + +- [config/artifacts](config/artifacts) is based on the awesome [Forensic Artifacts](https://github.com/ForensicArtifacts/artifacts) project. +- [doublestar](doublestar) is based on [Bob Matcuk's](https://github.com/bmatcuk) great [doublestar](https://github.com/bmatcuk/doublestar) package. +- [store/aczip](store/aczip) and [build/go](build/go) contain code from the Go standard library. ## License Most of the artifactcollector is licensed under the MIT License. See [MIT license](LICENSE) for the full license text. The directories [store/aczip](store/aczip) and [build/go](build/go) contain code from the Go standard library -which is licensed under the [BSD-3-Clause license](LICENSE-BSD). \ No newline at end of file +which is licensed under the [BSD-3-Clause license](LICENSE-BSD). diff --git a/config/ac.yaml b/config/ac.yaml index 9800c96..9cfe97a 100644 --- a/config/ac.yaml +++ b/config/ac.yaml @@ -1 +1,4 @@ artifacts: ["DefaultCollection1"] # artifact definitions to collect +user: false # optional, if true, do not request admin permissions +case: "" # optional case name +output_dir: "" # optional output directory \ No newline at end of file From 64bb1793fc81ebb84b4703dfce57e35c2673b66c Mon Sep 17 00:00:00 2001 From: Jonas Plum Date: Sat, 19 Oct 2024 13:48:51 +0200 Subject: [PATCH 4/4] fix: win builds --- build/win2k/Dockerfile | 2 -- build/winxp/Dockerfile | 2 -- 2 files changed, 4 deletions(-) diff --git a/build/win2k/Dockerfile b/build/win2k/Dockerfile index 06ffe05..7a9d40d 100644 --- a/build/win2k/Dockerfile +++ b/build/win2k/Dockerfile 
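Review bot: The comment on the new `user` key documents the mechanism ("do not request admin permissions") but not the consequence an operator needs before choosing it: if the collector runs unelevated, any artifact that requires administrative access (protected registry hives, system files) will presumably be incomplete or silently skipped, and that trade-off belongs next to the switch rather than in a later surprise. Suggested wording: `user: false # optional; if true, run without requesting admin rights (artifacts that need elevated access may be skipped or incomplete)`. The `output_dir: ""` comment should likewise say what an empty value falls back to (the working directory, the executable's directory, or something else), since that determines where collected evidence lands on the target host. The hunk also ends with `\ No newline at end of file`, which this same commit fixes for README.md; adding the trailing newline here keeps the two consistent.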
@@ -7,8 +7,6 @@ WORKDIR /repo RUN go install golang.org/x/tools/cmd/goimports@v0.1.7 RUN go install github.com/forensicanalysis/go-resources/cmd/resources@v0.4.0 RUN go install github.com/akavel/rsrc@v0.10.2 -RUN rm -rf config/artifacts -RUN git clone https://github.com/forensicanalysis/artifacts.git config/artifacts RUN go run tools/yaml2go/main.go config/ac.yaml config/artifacts/*.yaml RUN resources -package assets -output assets/bin.generated.go config/bin/* RUN rsrc -arch amd64 -manifest build/win/artifactcollector.exe.manifest -ico build/win/artifactcollector.ico -o build/win/artifactcollector.syso diff --git a/build/winxp/Dockerfile b/build/winxp/Dockerfile index 88773f1..2699e98 100644 --- a/build/winxp/Dockerfile +++ b/build/winxp/Dockerfile @@ -7,8 +7,6 @@ WORKDIR /repo RUN go install golang.org/x/tools/cmd/goimports@v0.1.7 RUN go install github.com/forensicanalysis/go-resources/cmd/resources@v0.4.0 RUN go install github.com/akavel/rsrc@v0.10.2 -RUN rm -rf config/artifacts -RUN git clone https://github.com/forensicanalysis/artifacts.git config/artifacts RUN go run tools/yaml2go/main.go config/ac.yaml config/artifacts/*.yaml RUN resources -package assets -output assets/bin.generated.go config/bin/* RUN rsrc -arch amd64 -manifest build/win/artifactcollector.exe.manifest -ico build/win/artifactcollector.ico -o build/win/artifactcollector.syso