Fixes JPCert and Adds DEFAULT registry rule and LogonStats

EricZimmerman · Sep 6, 2024 · 8b38a31 · 8b38a31
1 parent e29c729
commit 8b38a31
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 6 deletions.
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
@@ -52,6 +52,7 @@ Example entry, please follow this format:
 | 2.03 | 2024-08-18 | Added Various Windows Defender and SmartScreen artifacts |
 | 2.04 | 2024-08-25 | Added Various Windows Defender, Microsoft Security Essentials and SmartScreen artifacts. Also added LogonBanner and SpecialAccounts |
 | 2.05 | 2024-09-01 | Added new artifacts related to the third party application MobaTek MobaXTerm |
+| 2.06 | 2024-09-06 | Added various JPCert artifacts around remote access tools, Added LogonStats and an example of DEFAULT registry hive use with WinSCP  |
 
 # Documentation
 

diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
@@ -1,6 +1,6 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.05
+Version: 2.06
 Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
 Keys:
 #
@@ -1734,6 +1734,32 @@ Keys:
 # USER ACTIVITY
 # --------------------
 
+    -
+        Description: LogonStats
+        HiveType: NTUSER
+        Category: User Activity
+        KeyPath: software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats
+        ValueName: FirstLogonTime
+        IncludeBinary: true
+        BinaryConvert: SYSTEMTIME
+        Recursive: false
+        Comment: "First Time a User Logs in to a System."
+
+# https://x.com/jasonshale/status/623081308722475009
+
+    -
+        Description: LogonStats
+        HiveType: NTUSER
+        Category: User Activity
+        KeyPath: software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats
+        ValueName: FirstLogonTimeOnCurrentInstallation
+        IncludeBinary: true
+        BinaryConvert: SYSTEMTIME
+        Recursive: false
+        Comment: "First Time a User Logs in to a System with Current Installation."
+
+# https://x.com/jasonshale/status/623081308722475009
+
     -
         Description: Pinned Taskbar Items
         HiveType: NTUSER
@@ -2565,6 +2591,13 @@ Keys:
         KeyPath: Software\Martin Prikryl
         Recursive: true
         Comment: "WinSCP"
+    -
+        Description: WinSCP
+        HiveType: Other
+        Category: Third Party Applications
+        KeyPath: Software\Martin Prikryl
+        Recursive: true
+        Comment: "WinSCP"
     -
         Description: WinSCP
         HiveType: SOFTWARE
@@ -2757,15 +2790,15 @@ Keys:
         Category: Third Party Applications
         KeyPath: Usoris\Remote Utilities\RManService\Host\Parameters
         Recursive: true
-        Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration"
+        Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output"
     -
         Description: RemoteUtilities
         HiveType: NTUSER
         Category: Third Party Applications
         KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters
         ValueName: General
         Recursive: false
-        Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output"
+        Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration"
     -
         Description: RemoteUtilities
         HiveType: NTUSER
@@ -2820,7 +2853,7 @@ Keys:
         Category: Third Party Applications
         KeyPath: CurrentControlSet\Services\TeamViewer
         Recursive: true
-        Comment: "Displays artifacts relating to Splashtop"
+        Comment: "Displays artifacts relating to TeamViewer"
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> TightVNC - https://www.tightvnc.com/
@@ -2829,7 +2862,7 @@ Keys:
         Description: TightVNC
         HiveType: SYSTEM
         Category: Third Party Applications
-        KeyPath: tvnserver
+        KeyPath: CurrentControlSet\Services\tvnserver
         Recursive: true
         Comment: "Displays artifacts relating to TightVNC"
     -
@@ -2859,7 +2892,7 @@ Keys:
         Description: FreeFileSync
         HiveType: SOFTWARE
         Category: Third Party Applications
-        KeyPath: WOW6432Node\FileZilla Client*
+        KeyPath: WOW6432Node\FreeFileSync
         Recursive: true
         Comment: "Displays artifacts relating to FreeFileSync"