Windows Incident Response

RegRipper Value Proposition

I recently posted to LinkedIn, asking my network for their input regarding the value proposition of RegRipper; specifically, how is RegRipper v3.0 of “value” to them, how does it enhance their work? I did this because I really wanted to get the perspective of folks who use RegRipper; what I do with RegRipper could be referred to as both “maintain” and “abuse”. Just kidding, but the point is that I know, beyond the shadow of a doubt, that I’m not a “typical user” of RegRipper…and that’s the perspective I was looking for.
Unfortunately, things didn’t go the way I’d hoped. The direct question of “what is the value proposition of RegRipper v3.0” was not directly answered. Other ideas came in, but what I wasn’t getting was the perspective of folks who use the tool. As such, I thought I’d try something a little different…I thought I’d share my perspective.
From my perspective, and based on the original intent of RegRipper when it was first released in 2008, the value proposition for RegRipper consists of:
Development of Intrusion Intel
When an analyst finds something new, either through research, review of open reporting, or through their investigative process, they can write a plugin to address the finding, and include references, statements/comments, etc.
For example, several years ago, I read about Project Taj Mahal, and found it fascinating how simple it was to modify the Registry to “tell” printers to not delete copies of printed jobs. This provides an investigator the opportunity to detect a potential insider threat, just as much as it provides a threat actor with a means of data collection. I wrote a

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Windows Incident Response

Read the original article: