Add application_execution tag to certain Amcache entries

(Win10)

Reference:
https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

Author: pyllyukko

data/tag_windows.txt

@@ -11,6 +11,7 @@ application_execution
   data_type is 'windows:registry:mrulistex' AND entries contains '.exe'
   data_type is 'windows:registry:userassist' AND value_name contains '.exe'
   data_type is 'windows:tasks:job'
+  parser is 'winreg/amcache' AND data_type is 'windows:registry:key_value' AND key_path contains 'InventoryApplicationFile\\'
 
 # Tags Windows application installation events.
 application_install

tests/data/tag_windows.py

@@ -5,6 +5,7 @@
 import unittest
 
 from plaso.containers import events
+from plaso.containers import windows_events
 from plaso.lib import definitions
 from plaso.parsers import filestat
 from plaso.parsers import winevt
@@ -168,6 +169,18 @@ def testApplicationExecution(self):
         winjob.WinJobEventData, attribute_values_per_name,
         ['application_execution'])
 
+    # Test: parser is 'winreg/amcache' AND
+    #       data_type is 'windows:registry:key_value' AND
+    #       key_path contains 'InventoryApplicationFile\\'
+    event = events.EventObject()
+    event.timestamp = self._TEST_TIMESTAMP
+    event.timestamp_desc = definitions.TIME_DESCRIPTION_MODIFICATION
+    event_data = windows_events.WindowsRegistryEventData()
+    event_data.key_path = '\\Root\\InventoryApplicationFile\\7z.exe|afe683e0fa522625'
+    event_data.parser = 'winreg/amcache'
+    storage_writer = self._TagEvent(event, event_data, None)
+    self._CheckLabels(storage_writer, ['application_execution'])
+
   def testApplicationInstall(self):
     """Tests the application_install tagging rule."""
     # Test: data_type is 'windows:evtx:record' AND