diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json
new file mode 100644
index 0000000..4b70d4a
--- /dev/null
+++ b/objects/regripper-software-hive-BHO/definition.json
@@ -0,0 +1,55 @@
+{
+ "required": [
+ "key",
+ "BHO-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "BHO-name": {
+ "description": "Name of the browser helper object.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BHO-key-last-write-time": {
+ "description": "Date and time when the BHO key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "class": {
+ "description": "Class to which the BHO belongs to.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "module": {
+ "description": "DLL module the BHO belongs to.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the BHO.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
+ "meta-category": "misc",
+ "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
+ "name": "regripper-software-hive-BHO"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json
new file mode 100644
index 0000000..9aa9753
--- /dev/null
+++ b/objects/regripper-software-hive-appInit-DLLS/definition.json
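Review bot: `"misp-attribute": "links"` on the `references` attribute does not look like a MISP attribute type; the type I know is `link`, so I would expect the template validator to reject it unless the schema carries a `links` alias — please check. The same value is used in the appInit-DLLS, application-paths, applications-installed and software-run templates of this commit. Separately, `key` here (and the equivalent registry-path attributes in the other new templates) is typed `text`, while MISP has a `regkey` type that correlates across events; `"misp-attribute": "regkey"` would be the better fit. The unspaced `"multiple":true` and the missing trailing newline suggest the files were not run through a JSON formatter before being committed.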
@@ -0,0 +1,51 @@
+{
+ "required": [
+ "key",
+ "DLL-name",
+ "DLL-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "DLL-name": {
+ "description": "Name of the DLL file.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DLL-path": {
+ "description": "Path where the DLL file is stored.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DLL-last-write-time": {
+ "description": "Date and time when the DLL file was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the DLL file.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
+ "name": "regripper-software-hive-appInit-DLLS"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json
new file mode 100644
index 0000000..80787f8
--- /dev/null
+++ b/objects/regripper-software-hive-application-paths/definition.json
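Review bot: The description of `DLL-last-write-time`, `"Date and time when the DLL file was last updated."`, conflicts with the data source: a hive parser yields registry key LastWrite timestamps, not file modification times, so the attribute should either read `"LastWrite time of the registry key holding the DLL entry."` or be dropped if no file-system timestamp is actually collected. The top-level description, `"...information of the DLL files installed on the system."`, also undersells the object: the directory name says it covers the AppInit_DLLs value, a well-known autostart location, and stating that helps analysts pick the right template, e.g. `"RegRipper object template for DLLs registered under the AppInit_DLLs value of the software hive."`. `DLL-path` is typed `text`; if it always holds a file path, `filename` would correlate better, but I cannot tell from the hunk what the plugin emits.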
@@ -0,0 +1,48 @@
+{
+ "required": [
+ "key",
+ "executable-file-name",
+ "path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "executable-file-name": {
+ "description": "Name of the executable file.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "path": {
+ "description": "Path of the executable file.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the application paths.",
+ "meta-category": "misc",
+ "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
+ "name": "regripper-software-hive-application-paths"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json
new file mode 100644
index 0000000..f3bcddb
--- /dev/null
+++ b/objects/regripper-software-hive-applications-installed/definition.json
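Review bot: `executable-file-name` and `path` are both `"multiple":true`, which turns the object into two parallel lists: once several pairs are added there is no way to tell which path belongs to which executable. Either drop `multiple` on both and emit one object per App Paths entry, or keep a single multi-valued attribute that carries the whole entry. software-run has the same pattern with `application-name` / `application-path`. Making the pairing explicit in the description of `path`, e.g. `"Default path registered for the executable under App Paths."`, would also help whoever fills the template.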
@@ -0,0 +1,55 @@
+{
+ "required": [
+ "key",
+ "app-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "app-name": {
+ "description": "Name of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "app-last-write-time": {
+ "description": "Date and time when the application key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "version": {
+ "description": "Version of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
+ "name": "regripper-software-hive-applications-installed"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json
new file mode 100644
index 0000000..fc98778
--- /dev/null
+++ b/objects/regripper-software-hive-command-shell/definition.json
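Review bot: `key` (`"Software hive key where the information is retrieved from."`) and `key-path` (`"Path of the key."`) cannot be told apart from their descriptions, and the other new templates in this commit carry only `key`. If `key` is meant to hold the subkey name and `key-path` the full registry path, say so — e.g. `"description": "Name of the per-application subkey."` and `"description": "Full registry path of that subkey."` — otherwise one of the two should go; software-run has the same pair. An attribute called `version` next to the template's own top-level `"version": 1` is legal but easy to confuse when reading the file; `app-version` would sit naturally beside `app-name` and `app-last-write-time`.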
@@ -0,0 +1,53 @@
+{
+ "required": [
+ "key",
+ "shell",
+ "shell-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "shell": {
+ "description": "Type of shell used to execute the command.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default":[
+ "exe",
+ "cmd",
+ "bat",
+ "hta",
+ "pif",
+ "Other"
+ ]
+ },
+ "shell-path": {
+ "description": "Path of the shell.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "command": {
+ "description": "Command executed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
+ "meta-category": "misc",
+ "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
+ "name": "regripper-software-hive-command-shell"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json
new file mode 100644
index 0000000..01dff3e
--- /dev/null
+++ b/objects/regripper-software-hive-general-windows-info/definition.json
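Review bot: The `sane_default` list for `shell` (`exe`, `cmd`, `bat`, `hta`, `pif`) is a list of file extensions, not shell types, so the description `"Type of shell used to execute the command."` does not match the values it constrains. If this mirrors the shell\open\command handlers of the exefile/cmdfile/batfile/htafile/piffile classes, describe it that way, e.g. `"File class (exe, cmd, bat, hta, pif) whose shell\\open\\command handler is recorded."`, and `command` should then read `"Handler command line registered for the class."` rather than `"Command executed."`, since the hive records the configured handler, not an execution; the top-level description `"...shell commands executed on the system."` has the same problem. The capitalised `"Other"` here disagrees with the lowercase `"other"` used in general-windows-info and in the firewall template.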
@@ -0,0 +1,114 @@
+{
+ "required": [
+ "win-cv-path",
+ "CurrentVersion"
+ ],
+ "attributes": {
+ "win-cv-path": {
+ "description": "key where the windows information is retrieved from",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "RegisteredOrganization": {
+ "description": "Name of the registered organization.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "RegisteredOwner": {
+ "description": "Name of the registered owner.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentVersion": {
+ "description": "Current version of windows",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentBuild": {
+ "description": "Build number of the windows OS.",
+ "ui-priority": 0,
+ "misp-attribute": "number"
+ },
+ "SoftwareType": {
+ "description": "Software type of windows.",
+ "ui-priority": 0,
+ "sane_default":[
+ "System",
+ "Application",
+ "other"
+ ],
+ "misp-attribute": "text"
+ },
+ "InstallationType": {
+ "description": "Type of windows installation.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "InstallDate": {
+ "description": "Date when windows was installed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "SystemRoot": {
+ "description": "Root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "PathName": {
+ "description": "Path to the root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "EditionID": {
+ "description": "Windows edition.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductName": {
+ "description": "Name of the windows version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductID": {
+ "description": "ID of the product version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CSDVersion": {
+ "description": "Version of the service pack installed.",
+ "ui-priority": 0,
"misp-attribute": "text" + }, + "CurrentType": { + "description": "Current build type of the OS.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLab": { + "description": "Windows BuildLab string.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildGUID": { + "description": "Build ID.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLabEx": { + "description": "Windows BuildLabEx string.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.", + "meta-category": "misc", + "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1", + "name": "regripper-software-hive-windows-general-info" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json new file mode 100644 index 0000000..83b968c --- /dev/null +++ b/objects/regripper-software-hive-software-run/definition.json 
@@ -0,0 +1,60 @@
+{
+ "required": [
+ "key",
+ "application-name",
+ "application-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "sane_default": [
+ "Run",
+ "RunOnce",
+ "Runservices",
+ "Terminal",
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "application-name": {
+ "description": "Name of the application run.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "application-path": {
+ "description": "Path where the application is installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the applications.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications set to run on the system.",
+ "meta-category": "misc",
+ "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
+ "name": "regripper-software-hive-software-run"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json
new file mode 100644
index 0000000..0dd3289
--- /dev/null
+++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json
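Review bot: `key` is described as `"Software hive key where the information is retrieved from."` while its `sane_default` values (`Run`, `RunOnce`, `Runservices`, `Terminal`, `Other`) are short subkey names and the full path is carried by `key-path`; the description should say what the dropdown offers, e.g. `"Name of the Run-type subkey (Run, RunOnce, ...)."`, so the two attributes are not confused. `Runservices` does not match the casing of the registry key `RunServices`, and `Terminal` names no key on its own — presumably it stands for the Run key under Terminal Server\Install, which should be spelled out in the description or replaced by a clearer value. Values chosen here also become the strings analysts filter on, so fixing them before version 1 is published is cheaper than a rename later.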
@@ -0,0 +1,138 @@
+{
+ "required": [
+ "user-profile-key-path",
+ "SID"
+ ],
+ "attributes": {
+ "user-profile-key-path": {
+ "description": "key where the user-profile information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "user-profile-key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "user-profile-path": {
+ "description": "Path of the user profile on the system",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SID": {
+ "description": "Security identifier assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "user-profile-last-write-time": {
+ "description": "Date and time when the user profile was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "winlogon-key-path": {
+ "description": "winlogon key referred in order to retrieve default user information",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "winlogon-key-last-write-time": {
+ "description": "Date and time when the winlogon key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "DefaultUserName": {
+ "description": "user-name of the default user.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Shell": {
+ "description": "Shell set to run when the user logs onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "UserInit": {
+ "description": "Applications and files set to run when the user logs onto the system (User logon activity).",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "Legal-notice-caption": {
+ "description": "Message title set to display when the user logs-in.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "Legal-notice-text": {
+ "description": "Message set to display when the user logs-in.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "PreCreateKnownFolders": { + "description": "create known folders key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ReportBootOk": { + "description": "Flag to check if the reboot was successful.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "AutoRestartShell": { + "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "PasswordExpiryWarining": { + "description": "Number of times the password expiry warning appeared.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "PowerdownAfterShutDown": { + "description": "Flag value- if the system is set to power down after it is shutdown.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "ShutdownWithoutLogon": { + "description": "Value of the flag set to enable shutdown without requiring a user to login.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "WinStationsDisabled": { + "description": "Flag value set to enable/disable logons to the system.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "DisableCAD": { + "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "AutoAdminLogon": { + "description": "Flag value to determine if autologon is enabled for a user without entering the password.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "CachedLogonCount": { + "description": "Number of times the user has logged into the system.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "ShutdownFlags": { + "description": "Number of times shutdown is initiated from a process when the user is logged-in.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "Comments": + { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather 
user profile information when the user logs onto the system, gathered from the software hive.",
+ "meta-category": "misc",
+ "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
+ "name": "regripper-software-hive-userprofile-winlogon"
+}
diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json
index 7f361d8..cd44858 100644
--- a/objects/regripper-system-hive-firewall-configuration/definition.json
+++ b/objects/regripper-system-hive-firewall-configuration/definition.json
@@ -8,7 +8,8 @@
 "ui-priority": 0,
 "sane-default":[
 "Domain Profile",
- "Standard Profile"
+ "Standard Profile",
+ "other"
 ],
 "misp-attribute": "text"
 },
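Review bot: `PasswordExpiryWarining` is misspelled; the Winlogon value is `PasswordExpiryWarning`, and once this template ships as version 1 the attribute name is frozen for every consumer. Its description, `"Number of times the password expiry warning appeared."`, is also wrong as far as I know: the value is the number of days before expiry at which the warning starts, so `"Days before password expiry at which the warning is shown."`. `CachedLogonCount` likewise describes a policy setting (how many domain logons are cached locally for offline use), not `"Number of times the user has logged into the system."`, and I believe the value is spelled `CachedLogonsCount` — worth confirming against the plugin output before the names are fixed. `Comments` is capitalised here while every other template in this commit uses `comments`, and its opening brace sits on its own line unlike the rest of the file; `"description": "create known folders key"` on `PreCreateKnownFolders` also needs a capital and a period to match the other descriptions.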
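Review bot: The context line `"sane-default":[` uses a hyphen, while the new templates in this same commit (command-shell, general-windows-info, software-run) write `sane_default`; as far as I know the schema key is `sane_default`, so the list this hunk extends with `"other"` is probably ignored by the UI rather than offered as a dropdown. Renaming the key to `"sane_default": [` in the same change would make the addition effective. The lowercase `"other"` also differs from the `"Other"` used in command-shell and software-run; pick one spelling across the RegRipper templates.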