reg_hunter

Blueteam operational triage registry hunting/forensic tool.

Results 20 reg_hunter issues

Not sure how to do this in a performant manner. But, would be nice to have the FN timestamps along with the SI timestamps. Then a simple hunt could be...

enhancement
help wanted

For any file examined, look for alternate data streams and also pull the first X bytes of the stream. Running hunts on the first X bytes would help determine if...

enhancement
help wanted

Examine and report on WMI filters, consumers, and bindings. Fields: timestamp device_domain device_name wmi_filter wmi_consumer wmi_binding

enhancement
help wanted

Pull info and hunt Bitsadmin persistence. Fields: timestamp device_domain device_name default_hash job_id display_name transfer_type account_domain account_name priority files_transferred files_total bytes_transferred bytes_total creation_time modified_time minimum_retry_delay no_progress_timeout proxy_usage proxy_list proxy_bypass_list transient_error_count detail

enhancement
help wanted

More interesting directories: drive roots, temp directories, root of every user's profile, public profile, each user's MyDocuments and Downloads, ProgramData, AppData, Windows root directory ...

enhancement
help wanted

Fields (not all fields will apply to all browsers' extensions): timestamp device_domain device_name default_hash extension_id name description key version permissions default_locale update_url homepage_url options_page web_accessible_resources content_security_policy web_url path dev_tools_page offline_enabled...

enhancement
help wanted

There are three issues open with the winreg crate that would help this tool do more. 1. Identify registry keys of type REG_LINK 2. Read registry key ACLs (resolve any...

enhancement
help wanted

Need to figure out a way to keep the TCP conn open for the entire run of the tool when network output is specified. Wasteful having all the TCP conn...

enhancement
help wanted

Would it be possible to add the ability to run this against a mounted image?

enhancement
help wanted

Figure out how to properly specify command line switch requirements so that "--all" has to be specified along with a specific and/or custom hunt; etc.

bug