misp-objects/objects/regripper-software-hive-userprofile-winlogon/definition.json

{
  "required": [
    "user-profile-key-path",
    "SID"
  ],
  "attributes": {
    "user-profile-key-path": {
      "description": "key where the user-profile information is retrieved from.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "user-profile-key-last-write-time": {
      "description": "Date and time when the key was last updated.",
      "ui-priority": 0,
      "misp-attribute": "datetime",
      "disable_correlation": true
    },
    "user-profile-path": {
      "description": "Path of the user profile on the system",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "SID": {
      "description": "Security identifier assigned to the user profile.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "user-profile-last-write-time": {
      "description": "Date and time when the user profile was last updated.",
      "ui-priority": 0,
      "misp-attribute": "datetime",
      "disable_correlation": true
    },
    "winlogon-key-path": {
      "description": "winlogon key referred in order to retrieve default user information",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "winlogon-key-last-write-time": {
      "description": "Date and time when the winlogon key was last updated.",
      "ui-priority": 0,
      "misp-attribute": "datetime",
      "disable_correlation": true
    },
    "DefaultUserName": {
      "description": "user-name of the default user.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "Shell": {
      "description": "Shell set to run when the user logs onto the system.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true,
      "multiple": true
    },
    "UserInit": {
      "description": "Applications and files set to run when the user logs onto the system (User logon activity).",
      "ui-priority": 0,
      "misp-attribute": "text",
      "multiple": true
    },
    "Legal-notice-caption": {
      "description": "Message title set to display when the user logs-in.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "multiple": true,
      "disable_correlation": true
    },
    "Legal-notice-text": {
      "description": "Message set to display when the user logs-in.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "multiple": true,
      "disable_correlation": true
    },
    "PreCreateKnownFolders": {
      "description": "create known folders key",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "ReportBootOk": {
      "description": "Flag to check if the reboot was successful.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "AutoRestartShell": {
      "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "PasswordExpiryWarining": {
      "description": "Number of times the password expiry warning appeared.",
      "ui-priority": 0,
      "misp-attribute": "counter",
      "disable_correlation": true
    },
    "PowerdownAfterShutDown": {
      "description": "Flag value- if the system is set to power down after it is shutdown.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "ShutdownWithoutLogon": {
      "description": "Value of the flag set to enable shutdown without requiring a user to login.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "WinStationsDisabled": {
      "description": "Flag value set to enable/disable logons to the system.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "DisableCAD": {
      "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "AutoAdminLogon": {
      "description": "Flag value to determine if autologon is enabled for a user without entering the password.",
      "ui-priority": 0,
      "misp-attribute": "boolean",
      "disable_correlation": true
    },
    "CachedLogonCount": {
      "description": "Number of times the user has logged into the system.",
      "ui-priority": 0,
      "misp-attribute": "counter",
      "disable_correlation": true
    },
    "ShutdownFlags": {
      "description": "Number of times shutdown is initiated from a process when the user is logged-in.",
      "ui-priority": 0,
      "misp-attribute": "counter",
      "disable_correlation": true
    },
    "Comments": {
      "description": "Additional comments.",
      "ui-priority": 0,
      "misp-attribute": "text",
      "disable_correlation": true
    }
  },
  "version": 1,
  "description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
  "meta-category": "misc",
  "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
  "name": "regripper-software-hive-userprofile-winlogon"
}