Add: Regripper objects (System + Software Hive)

pull/118/head
aksha 2018-10-01 12:18:55 +01:00
parent 58f39ff62d
commit 44d92e95be
9 changed files with 576 additions and 1 deletions


@ -0,0 +1,55 @@
{
"required": [
"key",
"BHO-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"BHO-name": {
"description": "Name of the browser helper object.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BHO-key-last-write-time": {
"description": "Date and time when the BHO key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"class": {
"description": "Class to which the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text"
},
"module": {
"description": "DLL module the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
},
"references": {
"description": "References to the BHO.",
"ui-priority": 0,
"misp-attribute": "links",
"multiple":true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
"meta-category": "misc",
"uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
"name": "regripper-software-hive-BHO"
}
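Review bot: `key` and `module` are typed `text`, so a registry path or a DLL path entered through this template will not correlate with `regkey`/`filename` attributes elsewhere in MISP; if cross-event hunting is a goal, consider `"misp-attribute": "regkey"` for `key` and `"misp-attribute": "filename"` for `module`. The `class` description ("Class to which the BHO belongs to") is vague — it presumably holds the CLSID the BHO is registered under, which is what resolves to the `module` DLL, so `"description": "CLSID of the BHO as registered under the Browser Helper Objects key."` would say what an analyst should paste in; confirm against the producing plugin. Minor: `"multiple":true` lacks the space used in `"multiple": true` elsewhere in this commit.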


@ -0,0 +1,51 @@
{
"required": [
"key",
"DLL-name",
"DLL-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"DLL-name": {
"description": "Name of the DLL file.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-path": {
"description": "Path where the DLL file is stored.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-last-write-time": {
"description": "Date and time when the DLL file was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
},
"references": {
"description": "References to the DLL file.",
"ui-priority": 0,
"misp-attribute": "links",
"multiple":true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
"meta-category": "misc",
"uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
"name": "regripper-software-hive-appInit-DLLS"
}
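Review bot: The `DLL-last-write-time` description claims it is the time the DLL file was last updated, but a registry hive carries key LastWrite timestamps only, not file modification times; either reword it to the key timestamp it can actually hold or state that it has to be filled from the file system. The template description ("information of the DLL files installed on the system") also hides what this object is: AppInit_DLLs lists libraries injected into every process that loads user32.dll, a classic persistence/injection vector, so something like `"description": "RegRipper object template for the AppInit_DLLs value of the Software hive (DLLs loaded into every process that maps user32.dll)."` helps triage. If the source plugin also reports `LoadAppInit_DLLs` / `RequireSignedAppInit_DLLs`, they are worth adding as `boolean` attributes, since they decide whether the listed DLLs load at all. `DLL-path` would correlate better as `filename` than `text`.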


@ -0,0 +1,48 @@
{
"required": [
"key",
"executable-file-name",
"path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"executable-file-name": {
"description": "Name of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"path": {
"description": "Path of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "links",
"multiple":true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the application paths.",
"meta-category": "misc",
"uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
"name": "regripper-software-hive-application-paths"
}
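Review bot: `executable-file-name` and `path` are both `multiple: true`, so an object holding several App Paths entries becomes two parallel lists and the name-to-path pairing is lost once attributes are stored independently; drop `multiple` and emit one object per App Paths subkey (then `last-write-time` is unambiguously that subkey's LastWrite), or keep exactly one entry per object. `path` would also correlate as `"misp-attribute": "filename"` rather than `text`, and `key` as `regkey`. Minor: `"multiple":true` spacing differs from the `"multiple": true` form used in the winlogon template of this commit.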


@ -0,0 +1,55 @@
{
"required": [
"key",
"app-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"app-name": {
"description": "Name of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"app-last-write-time": {
"description": "Date and time when the application key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"version": {
"description": "Version of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "links",
"multiple":true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications installed on the system.",
"meta-category": "misc",
"uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
"name": "regripper-software-hive-applications-installed"
}
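Review bot: `key` ("Software hive key where the information is retrieved from") and `key-path` ("Path of the key") describe the same thing in different words, so it is unclear what goes where; either drop one or make the split explicit, e.g. `"description": "Name of the per-application subkey this entry came from."` for `key` and `"description": "Full registry path of that subkey."` for `key-path` (if this is fed from the Uninstall key, say so). An attribute called `version` next to the template-level `"version": 1` is valid JSON (different objects) but invites confusion whenever the template is bumped; `app-version` would match `app-name` and `app-last-write-time`. `"multiple":true` spacing is inconsistent with the rest of the set.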


@ -0,0 +1,53 @@
{
"required": [
"key",
"shell",
"shell-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"shell": {
"description": "Type of shell used to execute the command.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default":[
"exe",
"cmd",
"bat",
"hta",
"pif",
"Other"
]
},
"shell-path": {
"description": "Path of the shell.",
"ui-priority": 0,
"misp-attribute": "text"
},
"command": {
"description": "Command executed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
"meta-category": "misc",
"uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
"name": "regripper-software-hive-command-shell"
}
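Review bot: The `shell` description ("Type of shell used to execute the command") does not match its `sane_default` list — `exe`, `cmd`, `bat`, `hta`, `pif` are file classes, and what this object appears to record is the `shell\open\command` handler under `Classes\<ext>file`, whose stock value is `"%1" %*`; a handler pointing anywhere else is the hijack/persistence indicator an analyst wants flagged. Suggest `"description": "File class (exe, cmd, bat, hta, pif) whose shell\\open\\command handler was read."` for `shell`, and for `command` a description saying it holds that handler command and that anything other than the default `"%1" %*` indicates the association has been modified. This is also the only template in the commit without a `references` attribute, and `key` could be typed `regkey` as suggested for its siblings.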


@ -0,0 +1,114 @@
{
"required": [
"win-cv-path",
"CurrentVersion"
],
"attributes": {
"win-cv-path": {
"description": "key where the windows information is retrieved from",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"RegisteredOrganization": {
"description": "Name of the registered organization.",
"ui-priority": 0,
"misp-attribute": "text"
},
"RegisteredOwner": {
"description": "Name of the registered owner.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentVersion": {
"description": "Current version of windows",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentBuild": {
"description": "Build number of the windows OS.",
"ui-priority": 0,
"misp-attribute": "number"
},
"SoftwareType": {
"description": "Software type of windows.",
"ui-priority": 0,
"sane_default":[
"System",
"Application",
"other"
],
"misp-attribute": "text"
},
"InstallationType": {
"description": "Type of windows installation.",
"ui-priority": 0,
"misp-attribute": "text"
},
"InstallDate": {
"description": "Date when windows was installed.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"SystemRoot": {
"description": "Root directory.",
"ui-priority": 0,
"misp-attribute": "text"
},
"PathName": {
"description": "Path to the root directory.",
"ui-priority": 0,
"misp-attribute": "text"
},
"EditionID": {
"description": "Windows edition.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductName": {
"description": "Name of the windows version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductID": {
"description": "ID of the product version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CSDVersion": {
"description": "Version of the service pack installed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentType": {
"description": "Current build type of the OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLab": {
"description": "Windows BuildLab string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildGUID": {
"description": "Build ID.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLabEx": {
"description": "Windows BuildLabEx string.",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
"meta-category": "misc",
"uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
"name": "regripper-software-hive-windows-general-info"
}
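Review bot: `CurrentBuild` is typed `number`, but on older hives (XP/2003) that value is the literal string `1.511.1 () (Obsolete data - do not use)` and the real build is in `CurrentBuildNumber`; type it `text`, or add a `CurrentBuildNumber` attribute and document which one is authoritative. `InstallDate` is stored as epoch seconds in the registry, so the producer must convert before filling a `datetime` attribute — worth stating in the description. Naming is inconsistent with the sibling templates: `win-cv-path` instead of `key`, and `other` in the `SoftwareType` list where every other list in this commit uses `Other`. `RegisteredOwner`/`RegisteredOrganization` are frequently personal data; a hint to review the sharing distribution before adding them would be appropriate.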


@ -0,0 +1,60 @@
{
"required": [
"key",
"application-name",
"application-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"sane_default": [
"Run",
"RunOnce",
"Runservices",
"Terminal",
"Other"
],
"misp-attribute": "text"
},
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"application-name": {
"description": "Name of the application run.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"application-path": {
"description": "Path where the application is installed.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
},
"references": {
"description": "References to the applications.",
"ui-priority": 0,
"misp-attribute": "links",
"multiple":true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications set to run on the system.",
"meta-category": "misc",
"uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
"name": "regripper-software-hive-software-run"
}
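Review bot: `application-name` and `application-path` are both `multiple: true`, so a Run key with several values becomes two parallel lists and the value-name-to-command pairing — the one thing needed to attribute a persistence entry — is lost; drop `multiple` and emit one object per Run value. `application-path` is also misdescribed as "Path where the application is installed": the data of a Run value is the command line that gets executed (path plus arguments, often via a script host or rundll32), so `"description": "Command line stored in the Run value (executable path and arguments)."` is accurate, and `filename` is only the right type if arguments are split out. Since `key-path` already exists, the `key` description should say it is the autostart key name from the list (`Run`, `RunOnce`, …) rather than "key where the information is retrieved from".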


@ -0,0 +1,138 @@
{
"required": [
"user-profile-key-path",
"SID"
],
"attributes": {
"user-profile-key-path": {
"description": "key where the user-profile information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"user-profile-key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"user-profile-path": {
"description": "Path of the user profile on the system",
"ui-priority": 0,
"misp-attribute": "text"
},
"SID": {
"description": "Security identifier assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"user-profile-last-write-time": {
"description": "Date and time when the user profile was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"winlogon-key-path": {
"description": "winlogon key referred in order to retrieve default user information",
"ui-priority": 0,
"misp-attribute": "text"
},
"winlogon-key-last-write-time": {
"description": "Date and time when the winlogon key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"DefaultUserName": {
"description": "user-name of the default user.",
"ui-priority": 0,
"misp-attribute": "text"
},
"Shell": {
"description": "Shell set to run when the user logs onto the system.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"UserInit": {
"description": "Applications and files set to run when the user logs onto the system (User logon activity).",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"Legal-notice-caption": {
"description": "Message title set to display when the user logs-in.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"Legal-notice-text": {
"description": "Message set to display when the user logs-in.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"PreCreateKnownFolders": {
"description": "create known folders key",
"ui-priority": 0,
"misp-attribute": "text"
},
"ReportBootOk": {
"description": "Flag to check if the reboot was successful.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"AutoRestartShell": {
"description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"PasswordExpiryWarining": {
"description": "Number of times the password expiry warning appeared.",
"ui-priority": 0,
"misp-attribute": "number"
},
"PowerdownAfterShutDown": {
"description": "Flag value- if the system is set to power down after it is shutdown.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"ShutdownWithoutLogon": {
"description": "Value of the flag set to enable shutdown without requiring a user to login.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"WinStationsDisabled": {
"description": "Flag value set to enable/disable logons to the system.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"DisableCAD": {
"description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"AutoAdminLogon": {
"description": "Flag value to determine if autologon is enabled for a user without entering the password.",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"CachedLogonCount": {
"description": "Number of times the user has logged into the system.",
"ui-priority": 0,
"misp-attribute": "number"
},
"ShutdownFlags": {
"description": "Number of times shutdown is initiated from a process when the user is logged-in.",
"ui-priority": 0,
"misp-attribute": "number"
},
"Comments":
{
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
"meta-category": "misc",
"uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
"name": "regripper-software-hive-userprofile-winlogon"
}
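Review bot: Several Winlogon attribute descriptions do not match the registry values they name: `PasswordExpiryWarining` is misspelt (the value is `PasswordExpiryWarning`) and holds the number of days before expiry at which the warning appears, not a count of warnings; `CachedLogonCount` is how many domain logons have credentials cached locally (default 10), not how often the user logged in; `ShutdownFlags` is a bit-flag value, not a count. Attribute names are the template's contract and renaming later costs a version bump, so fix these before merging. `AutoAdminLogon` is normally the REG_SZ "0"/"1", so the producer must convert it for `boolean`, and when it is "1" the `DefaultDomainName` and cleartext `DefaultPassword` values are the evidence that matters — consider adding them, with a note that `DefaultPassword` should be redacted or restricted before sharing. `Comments` is capitalised while every sibling template uses `comments`.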


@ -8,7 +8,8 @@
"ui-priority": 0, "ui-priority": 0,
"sane-default":[ "sane-default":[
"Domain Profile", "Domain Profile",
"Standard Profile" "Standard Profile",
"other"
], ],
"misp-attribute": "text" "misp-attribute": "text"
}, },
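Review bot: The key this list sits under is spelt `sane-default` (hyphen) while every template added in this commit uses `sane_default` (underscore); both cannot be what MISP reads, so one spelling is silently ignored. If `sane_default` is the recognised form, change the line to `"sane_default": [` in this same commit rather than only appending `"other"`. The enclosing attribute definition starts before the hunk, so its name and type are not visible here.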