I thought I’d continue The Next Step series of blog posts with something a little different. This “The Next Step” blog post is about taking a tool such as RegRipper to “the next step”, which is something I started doing in August, 2020. At first, I added MITRE ATT&CK mapping and Analysis Tips, to provide information as to why the plugin was written, and what an analyst should look for in the plugin output. The Analysis Tips also served as a good way of displaying reference URLs, on which the plugin may have been based. While the reference URLs are very often included in the header of the plugin itself, it’s often simply much easier to have them available in the output of the plugin, so that they follow along and are available with the data and the case itself.
So, in the spirit of the blog series, here are a couple of “the next steps” for RegRipper…
JSON
Something I’ve looked at doing is creating plugins that provide JSON-formatted output. This was something a friend asked for, and more importantly, was willing to discuss. When he asked about the format, my concern was that I would not be able to develop a consistent output format across all plugins, but during the discussion, he made it clear that that wasn’t necessary. I was concerned about a consistent, normalized format, and he said that as long as it was JSON format, he could run his searches across the data. I figured, “okay, then”, and gave it a shot. I started with the appcompatcache.pl plugin, as it meant just a little bit of code that repeated the process over and over again…an easy win. From there, I modifying the run.pl plugin, as well.
An excerpt of sample output from the appcompatcache_json.pl plugin, run against the System hive from the BSides Amman image appears as follows:
{
“value”: “C:\Users\Joker\DCode.exe”
“data”: “2019-02-15 04:59:23”
},
{
“value”: “C:\Windows\SysWOW64\OneDriveSetup.exe”
“data”: “2018-04-11 23:3
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: