{
"attributes": {
"AutoAdminLogon": {
"description": "Flag indicating whether automatic logon is enabled, allowing a user to sign in without entering a password.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"AutoRestartShell": {
"description": "Flag indicating whether the shell is automatically restarted if it crashes or shuts down.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"CachedLogonCount": {
"description": "Number of times the user has logged into the system.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"Comments": {
"description": "Additional comments.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"DefaultUserName": {
"description": "User name of the default user account.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"DisableCAD": {
"description": "Flag indicating whether the Ctrl+Alt+Delete key sequence is required (or disabled) for user logon.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"Legal-notice-caption": {
"description": "Title of the message displayed when the user logs in.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"Legal-notice-text": {
"description": "Message text displayed when the user logs in.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"PasswordExpiryWarining": {
"description": "Number of times the password expiry warning appeared.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"PowerdownAfterShutDown": {
"description": "Flag indicating whether the system is set to power down after it is shut down.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"PreCreateKnownFolders": {
"description": "Value of the PreCreateKnownFolders key.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"ReportBootOk": {
"description": "Flag indicating whether the reboot was reported as successful.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"SID": {
"description": "Security identifier assigned to the user profile.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"Shell": {
"description": "Shell configured to run when the user logs onto the system.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"ShutdownFlags": {
"description": "Number of times a shutdown was initiated by a process while the user was logged in.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"ShutdownWithoutLogon": {
"description": "Flag indicating whether shutdown is allowed without requiring a user to log in.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"UserInit": {
"description": "Applications and files set to run when the user logs onto the system (User logon activity).",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"WinStationsDisabled": {
"description": "Flag indicating whether logons to the system are enabled or disabled.",
"disable_correlation": true,
"misp-attribute": "boolean",
"sane_default": [
"True",
"False"
],
"ui-priority": 0
},
"user-profile-key-last-write-time": {
"description": "Date and time when the key was last updated.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"user-profile-key-path": {
"description": "Registry key from which the user-profile information is retrieved.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"user-profile-last-write-time": {
"description": "Date and time when the user profile was last updated.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"user-profile-path": {
"description": "Path of the user profile on the system.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"winlogon-key-last-write-time": {
"description": "Date and time when the winlogon key was last updated.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"winlogon-key-path": {
"description": "Winlogon registry key consulted to retrieve the default user information.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "RegRipper object template designed to gather, from the SOFTWARE hive, user-profile information about what happens when the user logs onto the system.",
"meta-category": "misc",
"name": "regripper-software-hive-userprofile-winlogon",
"required": [
"user-profile-key-path",
"SID"
],
"uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
"version": 2
}