Windows System

Windows.Sys.AppcompatShims

Application Compatibility shims are one way for malware to persist. This artifact presents the AppCompat shim information from the registry in a readable format.

Arg Default Description
shimKeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*
customKeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*\*

Windows.Sys.CertificateAuthorities

Certificate Authorities installed in Keychains/ca-bundles.

Windows.Sys.DiskInfo

Retrieve basic information about the physical disks of a system.

Windows.Sys.Drivers

Details for in-use Windows device drivers. This does not display installed but unused drivers.

Windows.Sys.FirewallRules

List Windows firewall rules.

Arg Default Description
regKey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\**\FirewallRules\*

Windows.Sys.Interfaces

Report information about the system's network interfaces. This artifact simply parses the output of ipconfig /all.

Windows.Sys.PhysicalMemoryRanges

List Windows physical memory ranges.

Arg Default Description
physicalMemoryKey HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources\Physical Memory\.Translated
Profile
{
  "CM_RESOURCE_LIST": [0, {
    "Count": [0, ["uint32"]],
    "List": [4, ["CM_FULL_RESOURCE_DESCRIPTOR"]]
  }],
  "CM_FULL_RESOURCE_DESCRIPTOR": [0, {
    "PartialResourceList": [8, ["CM_PARTIAL_RESOURCE_LIST"]]
  }],
  "CM_PARTIAL_RESOURCE_LIST": [0, {
    "Version": [0, ["uint16"]],
    "Revision": [2, ["uint16"]],
    "Count": [4, ["uint32"]],
    "PartialDescriptors": [8, ["Array", {
      "Target": "CM_PARTIAL_RESOURCE_DESCRIPTOR"
    }]]
  }],
  "CM_PARTIAL_RESOURCE_DESCRIPTOR": [20, {
    "Type": [0, ["char"]],
    "ShareDisposition": [1, ["char"]],
    "Flags": [2, ["uint16"]],
    "Start": [4, ["int64"]],
    "Length": [12, ["uint32"]]
  }]
}

Windows.Sys.Programs

Represents products as they are installed by Windows Installer. A product generally corresponds to one installation package on Windows. Some fields may be blank, as the installation details recorded are left to the discretion of the product author.

Arg Default Description
programKeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Uninstall\*

Windows.Sys.StartupItems

Applications that will be started from the various Run key locations, the StartupApproved keys and the Startup folders.

Arg Default Description
runKeyGlobs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\*, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*, HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*, HKEY_USERS\*\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\*, HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
startupApprovedGlobs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\*, HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\*
startupFolderDirectories C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/, C:/Users/*/AppData/Roaming/Microsoft/Windows/StartMenu/Programs/Startup/

Windows.Sys.Users

List user accounts. Two data sources are combined: the output of the NetUserEnum() call and the list of profile SIDs in the registry.

Arg Default Description
remoteRegKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*

Windows.System.Amcache

Get information from the system's Amcache.

The Amcache.hve file is a registry hive that stores information about executed applications. It records recently run processes and the paths of the files that were executed, which can then be used to identify the executed program.

This artifact works on Windows 10 version 1607.

References:
https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

Arg Default Description
amCacheGlob %SYSTEMROOT%/appcompat/Programs/Amcache.hve
amCacheRegPath /Root/InventoryApplicationFile/*

Windows.System.CriticalServices

This artifact returns information about any services that are considered critical.

The default list contains virus scanners and related security services. If the software is not installed at all, it will not be shown.

ATT&CK: T1089

References:

Arg Default Description
lookupTable (CSV)
ServiceName
WinDefend
MpsSvc
SepMasterService
SAVAdminService
SavService
wscsvc
wuauserv

Windows.System.Pslist

List processes and their running binaries.

Arg Default Description
processRegex .

Windows.System.SVCHost

Typically a Windows system will have many svchost.exe processes. Attackers sometimes name their processes svchost.exe to try to blend in. Legitimate svchost.exe processes are normally spawned by services.exe.

This artifact lists all processes named svchost.exe together with their parent process whenever that parent is not services.exe.

Windows.System.Services

List all installed services.

Arg Default Description
servicesKeyGlob HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Windows.System.UntrustedBinaries

Windows runs a number of services and binaries as part of the operating system. Malware sometimes runs under those well-known names in order to hide in plain sight. For example, a malicious service might call itself svchost.exe so that it shows up in the process listing as a benign service.

This artifact checks that the common system binaries are signed. If malware replaces these files or names itself in this way, the binary's signature might not be correct.

Note that, unfortunately, Microsoft does not sign all of its common binaries, so many will not be signed (e.g. conhost.exe).

Arg Default Description
processNamesRegex (?i)lsass|svchost