From 8b38a31d4cee9394fb9cffd1556e9d1c0707e2f9 Mon Sep 17 00:00:00 2001 From: reece394 <31659691+reece394@users.noreply.github.com> Date: Fri, 6 Sep 2024 18:11:14 +0100 Subject: [PATCH] Fixes JPCert and Adds DEFAULT registry rule and LogonStats --- BatchExamples/DFIRBatch.md | 1 + BatchExamples/DFIRBatch.reb | 45 ++++++++++++++++++++++++++++++++----- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index 39b30e3..8c68680 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -52,6 +52,7 @@ Example entry, please follow this format: | 2.03 | 2024-08-18 | Added Various Windows Defender and SmartScreen artifacts | | 2.04 | 2024-08-25 | Added Various Windows Defender, Microsoft Security Essentials and SmartScreen artifacts. Also added LogonBanner and SpecialAccounts | | 2.05 | 2024-09-01 | Added new artifacts related to the third party application MobaTek MobaXTerm | +| 2.06 | 2024-09-06 | Added various JPCert artifacts around remote access tools, Added LogonStats and an example of DEFAULT registry hive use with WinSCP | # Documentation diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index 3681fc5..0abcf1d 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -1,6 +1,6 @@ Description: DFIR RECmd Batch File Author: Andrew Rathbun -Version: 2.05 +Version: 2.06 Id: 2e1589f5-e31a-4bef-822f-075d56afdddd Keys: # 
@@ -1734,6 +1734,32 @@ Keys: # USER ACTIVITY # -------------------- + - + Description: LogonStats + HiveType: NTUSER + Category: User Activity + KeyPath: software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats + ValueName: FirstLogonTime + IncludeBinary: true + BinaryConvert: SYSTEMTIME + Recursive: false + Comment: "First Time a User Logs in to a System." + +# https://x.com/jasonshale/status/623081308722475009 + + - + Description: LogonStats + HiveType: NTUSER + Category: User Activity + KeyPath: software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats + ValueName: FirstLogonTimeOnCurrentInstallation + IncludeBinary: true + BinaryConvert: SYSTEMTIME + Recursive: false + Comment: "First Time a User Logs in to a System with Current Installation." + +# https://x.com/jasonshale/status/623081308722475009 + - Description: Pinned Taskbar Items HiveType: NTUSER @@ -2565,6 +2591,13 @@ Keys: KeyPath: Software\Martin Prikryl Recursive: true Comment: "WinSCP" + - + Description: WinSCP + HiveType: Other + Category: Third Party Applications + KeyPath: Software\Martin Prikryl + Recursive: true + Comment: "WinSCP" - Description: WinSCP HiveType: SOFTWARE @@ -2757,7 +2790,7 @@ Keys: Category: Third Party Applications KeyPath: Usoris\Remote Utilities\RManService\Host\Parameters Recursive: true - Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration" + Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output" - Description: RemoteUtilities HiveType: NTUSER @@ -2765,7 +2798,7 @@ Keys: KeyPath: Software\Usoris\Remote Utilities\RManService\Host\Parameters ValueName: General Recursive: false - Comment: "Displays artifacts relating to RemoteUtilities Configuration - Base64 decode output" + Comment: "Displays artifacts relating to Portable RemoteUtilities Configuration" - Description: RemoteUtilities HiveType: NTUSER 
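Review bot: The two LogonStats entries decode FirstLogonTime and FirstLogonTimeOnCurrentInstallation as SYSTEMTIME, but neither comment tells the analyst whether the decoded value is UTC or local time, which is exactly what matters when the value is lined up against event-log timestamps; I have not confirmed which it is from these lines, so the comment should flag that rather than assert one. Suggest `Comment: "First time a user logged on to this system (Explorer LogonStats, SYSTEMTIME) - timezone of the decoded value unverified, corroborate with logon events before relying on it."` and matching wording on the FirstLogonTimeOnCurrentInstallation entry. As a minor style point the same x.com citation is repeated under both entries; one citation after the pair is enough.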
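Review bot: The new `HiveType: Other` WinSCP entry carries the same one-word comment as the NTUSER entry directly above it, so a hit gives no indication which hive it came from or why that is significant; the commit message says this entry exists to cover the DEFAULT hive, and the comment is the only place that context survives into the report. Suggest `Comment: "WinSCP - DEFAULT hive; a hit here suggests WinSCP was used from the SYSTEM/default profile (service or scheduled task context), check for saved sessions under this key"`. If `Other` also matches hives besides DEFAULT in RECmd, say so in the comment as well so a hit from another unclassified hive is not misread.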
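Review bot: After the swap, the recursive `Usoris\Remote Utilities\RManService\Host\Parameters` entry is the one labelled `Base64 decode output`, but with `Recursive: true` and no `ValueName` it never says which value under Parameters is Base64-encoded, so the analyst has to rediscover that; the NTUSER entry in the next hunk pins `ValueName: General`, which is presumably the value meant. Either name it in the comment, `Comment: "Displays artifacts relating to RemoteUtilities Configuration - General value is Base64 encoded, decode it"`, or add a non-recursive companion entry with the `ValueName` so the decode target is explicit. The HiveType of this entry is above the hunk and not visible here.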
@@ -2820,7 +2853,7 @@ Keys: Category: Third Party Applications KeyPath: CurrentControlSet\Services\TeamViewer Recursive: true - Comment: "Displays artifacts relating to Splashtop" + Comment: "Displays artifacts relating to TeamViewer" # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf # Third Party Applications -> TightVNC - https://www.tightvnc.com/ @@ -2829,7 +2862,7 @@ Keys: Description: TightVNC HiveType: SYSTEM Category: Third Party Applications - KeyPath: tvnserver + KeyPath: CurrentControlSet\Services\tvnserver Recursive: true Comment: "Displays artifacts relating to TightVNC" - @@ -2859,7 +2892,7 @@ Keys: Description: FreeFileSync HiveType: SOFTWARE Category: Third Party Applications - KeyPath: WOW6432Node\FileZilla Client* + KeyPath: WOW6432Node\FreeFileSync Recursive: true Comment: "Displays artifacts relating to FreeFileSync"
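Review bot: The corrected `CurrentControlSet\Services\tvnserver` path only matches a TightVNC server registered under its default service name, so an install where the service was renamed, or one run as an application rather than a service, produces no hit and the absence of a hit should not be read as absence of TightVNC. Suggest recording that limitation where the analyst will see it: `Comment: "Displays artifacts relating to TightVNC (service registered under its default name tvnserver; a renamed service will not match)"`. The same caveat applies to the TeamViewer service entry in the previous hunk.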