{
"required" : [
"user-profile-key-path" ,
"SID"
] ,
"attributes" : {
"user-profile-key-path" : {
"description" : "Key from which the user-profile information is retrieved." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
} ,
"user-profile-key-last-write-time" : {
"description" : "Date and time when the key was last updated." ,
"ui-priority" : 0 ,
"misp-attribute" : "datetime" ,
"disable_correlation" : true
} ,
"user-profile-path" : {
"description" : "Path of the user profile on the system" ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
} ,
"SID" : {
"description" : "Security identifier assigned to the user profile." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
} ,
"user-profile-last-write-time" : {
"description" : "Date and time when the user profile was last updated." ,
"ui-priority" : 0 ,
"misp-attribute" : "datetime" ,
"disable_correlation" : true
} ,
"winlogon-key-path" : {
"description" : "Winlogon key consulted to retrieve the default user information." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
} ,
"winlogon-key-last-write-time" : {
"description" : "Date and time when the winlogon key was last updated." ,
"ui-priority" : 0 ,
"misp-attribute" : "datetime" ,
"disable_correlation" : true
} ,
"DefaultUserName" : {
"description" : "user-name of the default user." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
} ,
"Shell" : {
"description" : "Shell set to run when the user logs onto the system." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true ,
"multiple" : true
} ,
"UserInit" : {
"description" : "Applications and files set to run when the user logs onto the system (User logon activity)." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"multiple" : true
} ,
"Legal-notice-caption" : {
"description" : "Message title set to display when the user logs in." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"multiple" : true ,
"disable_correlation" : true
} ,
"Legal-notice-text" : {
"description" : "Message set to display when the user logs in." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"multiple" : true ,
"disable_correlation" : true
} ,
"PreCreateKnownFolders" : {
"description" : "create known folders key" ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
} ,
"ReportBootOk" : {
"description" : "Flag to check if the reboot was successful." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"AutoRestartShell" : {
"description" : "Flag indicating whether the shell is automatically restarted if it crashes or shuts down." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"PasswordExpiryWarining" : {
"description" : "Number of times the password expiry warning appeared." ,
"ui-priority" : 0 ,
"misp-attribute" : "counter" ,
"disable_correlation" : true
} ,
"PowerdownAfterShutDown" : {
"description" : "Flag indicating whether the system is set to power down after it is shut down." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"ShutdownWithoutLogon" : {
"description" : "Flag indicating whether shutdown is allowed without requiring a user to log in." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"WinStationsDisabled" : {
"description" : "Flag value set to enable/disable logons to the system." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"DisableCAD" : {
"description" : "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"AutoAdminLogon" : {
"description" : "Flag indicating whether automatic logon is enabled for a user without entering the password." ,
"ui-priority" : 0 ,
"misp-attribute" : "boolean" ,
"disable_correlation" : true
} ,
"CachedLogonCount" : {
"description" : "Number of times the user has logged into the system." ,
"ui-priority" : 0 ,
"misp-attribute" : "counter" ,
"disable_correlation" : true
} ,
"ShutdownFlags" : {
"description" : "Number of times shutdown is initiated from a process when the user is logged-in." ,
"ui-priority" : 0 ,
"misp-attribute" : "counter" ,
"disable_correlation" : true
} ,
"Comments" :
{
"description" : "Additional comments." ,
"ui-priority" : 0 ,
"misp-attribute" : "text" ,
"disable_correlation" : true
}
} ,
"version" : 1 ,
"description" : "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive." ,
"meta-category" : "misc" ,
"uuid" : "df03d0e4-3e6b-4e56-951a-142eae4cad59" ,
"name" : "regripper-software-hive-userprofile-winlogon"
}