Started to import rules from RegRipper (Velocidex#13)

Also remove some rules that generate a lot of rows in favor of rules
 that combine multiple values into a Details dict

Author: scudette

README.md

@@ -12,7 +12,7 @@ This project maintains a set of `Rules` which are YAML files following
 a simple format. This project implements a compiler which compiles
 these rules into a VQL artifact that may be consumed by Velociraptor.
 
-The Rule file starts with the attibute Rules and contains a list of
+The Rule file starts with the attribute `Rules` and contains a list of
 rules:
 
 ```

RECmd_Batch/RegistryASEPs.reb

@@ -1161,38 +1161,7 @@ Keys:
         ValueName: DbgManagedDebugger
         Recursive: false
         Comment:
-    -
-        Description: Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Microsoft\Active Setup\Installed Components\*
-        ValueName: (default)
-        Recursive: false
-        Comment:
-    -
-        Description: Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Microsoft\Active Setup\Installed Components\*
-        ValueName: LocalizedName
-        Recursive: false
-        Comment:
-    -
-        Description: Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Microsoft\Active Setup\Installed Components\*
-        ValueName: ShellComponent
-        Recursive: false
-        Comment:
-    -
-        Description: Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Microsoft\Active Setup\Installed Components\*
-        ValueName: StubPath
-        Recursive: false
-        Comment:
+
     -
         Description: Command Processor
         HiveType: Software
@@ -2050,30 +2019,6 @@ Keys:
         ValueName: DbgManagedDebugger
         Recursive: false
         Comment:
-    -
-        Description: Wow6432 Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Wow6432Node\Microsoft\Active Setup\Installed Components\*
-        ValueName: (default)
-        Recursive: true
-        Comment:
-    -
-        Description: Wow6432 Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Wow6432Node\Microsoft\Active Setup\Installed Components\*
-        ValueName: ShellComponent
-        Recursive: true
-        Comment:
-    -
-        Description: Wow6432 Active Setup Installed Components
-        HiveType: Software
-        Category: ASEP
-        KeyPath: Wow6432Node\Microsoft\Active Setup\Installed Components\*
-        ValueName: StubPath
-        Recursive: true
-        Comment:
     -
         Description: WOW6432 Command Processor Autorun
         HiveType: Software
@@ -2878,13 +2823,6 @@ Keys:
         ValueName: path
         Recursive: true
         Comment:
-    -
-        Description: Active Setup
-        HiveType: ntuser
-        Category: ASEP
-        KeyPath: Software\Microsoft\Active Setup\Installed Components
-        Recursive: true
-        Comment:
     -
         Description: Command Processor
         HiveType: ntuser
@@ -3425,13 +3363,6 @@ Keys:
         KeyPath: Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications
         Recursive: true
         Comment:
-    -
-        Description: Wow6432 Active Setup
-        HiveType: ntuser
-        Category: ASEP
-        KeyPath: Software\Wow6432Node\Microsoft\Active Setup\Installed Components
-        Recursive: true
-        Comment:
     -
         Description: Wow6432 Command Processor
         HiveType: ntuser

Rules/RECmdBatch.yaml

@@ -2079,26 +2079,6 @@ Rules:
   Category: ASEP
   Glob: Microsoft\.NETFramework\DbgManagedDebugger
   Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Active Setup Installed Components
-  Category: ASEP
-  Glob: Microsoft\Active Setup\Installed Components\*\@
-  Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Active Setup Installed Components
-  Category: ASEP
-  Glob: Microsoft\Active Setup\Installed Components\*\LocalizedName
-  Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Active Setup Installed Components
-  Category: ASEP
-  Glob: Microsoft\Active Setup\Installed Components\*\ShellComponent
-  Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Active Setup Installed Components
-  Category: ASEP
-  Glob: Microsoft\Active Setup\Installed Components\*\StubPath
-  Root: HKEY_LOCAL_MACHINE\Software
 - Author: Troy Larson
   Description: Command Processor
   Category: ASEP
@@ -2660,21 +2640,6 @@ Rules:
   Category: ASEP
   Glob: WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
   Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Wow6432 Active Setup Installed Components
-  Category: ASEP
-  Glob: Wow6432Node\Microsoft\Active Setup\Installed Components\*\**\@
-  Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Wow6432 Active Setup Installed Components
-  Category: ASEP
-  Glob: Wow6432Node\Microsoft\Active Setup\Installed Components\*\**\ShellComponent
-  Root: HKEY_LOCAL_MACHINE\Software
-- Author: Troy Larson
-  Description: Wow6432 Active Setup Installed Components
-  Category: ASEP
-  Glob: Wow6432Node\Microsoft\Active Setup\Installed Components\*\**\StubPath
-  Root: HKEY_LOCAL_MACHINE\Software
 - Author: Troy Larson
   Description: WOW6432 Command Processor Autorun
   Category: ASEP
@@ -3202,11 +3167,6 @@ Rules:
   Category: ASEP
   Glob: '*\Software\Google\Chrome\Extensions\**\path'
   Root: HKEY_USERS
-- Author: Troy Larson
-  Description: Active Setup
-  Category: ASEP
-  Glob: '*\Software\Microsoft\Active Setup\Installed Components\**'
-  Root: HKEY_USERS
 - Author: Troy Larson
   Description: Command Processor
   Category: ASEP
@@ -3567,11 +3527,6 @@ Rules:
   Category: ASEP
   Glob: '*\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\**'
   Root: HKEY_USERS
-- Author: Troy Larson
-  Description: Wow6432 Active Setup
-  Category: ASEP
-  Glob: '*\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\**'
-  Root: HKEY_USERS
 - Author: Troy Larson
   Description: Wow6432 Command Processor
   Category: ASEP

Rules/RegRipper.yaml

@@ -0,0 +1,123 @@
+# These rules are converted from RegRipper
+Preamble:
+  - |
+    LET GetProviderDllForGUID(GUID) = GetValue(
+        OSPath="HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + GUID + "\\InProcServer32\\@")
+
+  - |
+    LET _CharToString(X) = SELECT
+      format(format="%c", args=_value) AS C FROM foreach(row=X)
+  -  LET CharsToString(X) = join(array=_CharToString(X=X).C)
+
+Rules:
+- Description: Parse AmCache InventoryApplicationFile
+  Author: M. Cohen & H. Carvey
+  Reference: https://github.com/keydet89/RegRipper4.0/blob/main/plugins/amcache.pl
+  Category: ASEP
+  Root: Amcache
+  Glob: Root\\InventoryApplication*\\*
+  Filter: x=>true
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.')
+
+- Description: Parse AmCache DriverBinary
+  Author: M. Cohen & H. Carvey
+  Reference: https://github.com/keydet89/RegRipper4.0/blob/main/plugins/amcache.pl
+  Category: ASEP
+  Root: Amcache
+  Glob: Root\\InventoryDriverBinary\\*
+  Filter: x=>IsDir
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.') + dict(Driver=OSPath.Basename)
+
+- Description: Parse AmCache InventoryApplicationShortcut
+  Author: M. Cohen & H. Carvey
+  Reference: https://github.com/keydet89/RegRipper4.0/blob/main/plugins/amcache.pl
+  Category: ASEP
+  Root: Amcache
+  Glob: Root\\InventoryApplicationShortcut\\*
+  Filter: x=>true
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.')
+
+- Description: Active Setup Installed Components
+  Category: ASEP
+  Root: HKEY_LOCAL_MACHINE\Software
+  Glob: Microsoft\Active Setup\Installed Components\*
+  Filter: x=>true
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.')
+
+- Description: Active Setup Installed Components
+  Category: ASEP
+  Root: HKEY_LOCAL_MACHINE\Software
+  Glob: Wow6432Node\Microsoft\Active Setup\Installed Components\*
+  Filter: x=>true
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.')
+
+- Description: AMSI Providers
+  Comment: |
+    The AMSI provider for Windows Defender seems to have been
+    removed/could not be found.
+
+    Analysis Tip: AMSI providers can be used for persistence.
+
+    The FeatureBit check determines if Authenicode signing is enabled or not.
+      0x01 - signing check is disabled; this is the default behavior (applies if value not found)
+      0x02 - signing check is enabled
+  Reference: |
+    https://pentestlab.blog/2021/05/17/persistence-amsi/
+
+  Author: M. Cohen & H. Carvey
+  Category: System Info
+  Root: HKEY_LOCAL_MACHINE/SOFTWARE
+  Filter: x=>true
+  Glob: 'Microsoft\AMSI\Providers\*'
+  Details: |
+    x=>dict(
+      FeatureBits=GetValue(OSPath=OSPath + "FeatureBits"),
+      ProviderDll=GetProviderDllForGUID(GUID=OSPath.Basename))
+
+- Description: Adobe app cRecentFiles values
+  Category: Third Party Applications
+  Root: HKEY_USERS
+  Glob: /*/Software/Adobe/*/*/AVGeneral/cRecent{Files,Folders}/*
+  Filter: x=>true
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.') +
+       dict(Version=OSPath[-4], Software=OSPath[-5],
+            sDI=CharsToString(X=GetValue(OSPath=OSPath + "sDI")),
+            sDate=CharsToString(X=GetValue(OSPath=OSPath + "sDate")))
+
+- Description: Check for Windows 11 requirement bypass values
+  Author: M. Cohen & H. Carvey
+  Category: System Info
+  Comment: |
+    Analysis Tip: The "AllowUpgradesWithUnsupportedTPMOrCPU" value set
+    to 1 is a hack to allow Windows 11 updates to be installed on
+    systems that did not meet the TPM or CPU checks. This could be
+    interpreted as an attempt at defense evasion, by upgrading the
+    system image to provide additional capabilities, such as Windows
+    Subsystem for Android.
+
+  Reference: https://support.microsoft.com/en-us/windows/ways-to-install-windows-11-e0edbbfb-cfc5-4011-868b-2ce77ac7c70e
+  Root: HKEY_LOCAL_MACHINE/System
+  Glob: Setup\{MoSetup,LabConfig}\{AllowUpgradesWithUnsupportedTPMOrCPU,BypassRAMCheck,BypassTPMCheck,BypassSecureBootCheck}
+
+- Description: Gets user's AMSIEnable value
+  Author: M. Cohen & H. Carvey
+  Category: System Info
+  Root: HKEY_USERS
+  Glob: "*/Software/Microsoft/Windows Script/Settings/AmsiEnable"
+  Comment: |
+    Analysis Tip: If the AmsiEnable value is 0, AMSI is disabled.
+
+- Description: Gets contents of user's ApplicationAssociationToasts key
+  Author: M. Cohen & H. Carvey
+  Category: System Info
+  Root: HKEY_USERS
+  Glob: /*/Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts
+  Filter: x=>true
+  Details: |
+    x=>FetchKeyValuesWithRegex(OSPath=OSPath, Regex='.')

Rules/Velociraptor-Rules.yaml

@@ -422,11 +422,11 @@ Rules:
 
   Details: |
     x=>dict(
-     DefaultMRU=RDPMRU(OSPath=x.OSPath).Server,
+     DefaultMRU=RDPMRU(OSPath=OSPath).Server,
      Servers={
-      SELECT OSPath.Basename AS Server,
+      SELECT OSPath.Basename AS Server, Mtime,
         FetchKeyValues(OSPath=OSPath) AS Details
-      FROM glob(accessor="registry", globs='*', root=x.OSPath + "Servers")
+      FROM glob(accessor="registry", globs='*', root=OSPath + "Servers")
     })
 
 - Author: Andrew Rathbun, Mike Cohen

bin/compile.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"archive/zip"
+	"fmt"
 	"os"
 
 	"github.com/Velocidex/registry_hunter/compiler"
@@ -45,7 +46,7 @@ func makeZip(rules_compiler *compiler.Compiler) error {
 		return err
 	}
 
-	f, err = w.Create("rules.yml")
+	f, err = w.Create("rules.txt")
 	_, err = f.Write([]byte(rules_compiler.GetRules()))
 	if err != nil {
 		return err
@@ -77,7 +78,9 @@ func doCompile() error {
 	for _, filename := range *compile_yaml {
 		err := rules_compiler.LoadRules(filename)
 		if err != nil {
-			return err
+			fmt.Printf("Error: Unable to load rules from %v: %v\n",
+				filename, err)
+			continue
 		}
 	}