
Commit 13d7488

version 2.3.4
1 parent 883b15f commit 13d7488

File tree

39 files changed

+54
-68
lines changed


.env

Lines changed: 8 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -79,11 +79,11 @@ NGINX_CERT_KEY=MyKey.key
7979
# link for git to pull new updates if exists
8080
GIT_URL_RELEASE=https://api.github.com/repos/DFIRKuiper/Kuiper/releases/latest
8181
# current version of kuiper
82-
GIT_KUIPER_VERSION=2.3.1
83-
GIT_KUIPER_CELERY_VERSION=2.3.2
84-
GIT_KUIPER_NFS_VERSION=2.3.1
85-
GIT_KUIPER_FLASK_VERSION=2.3.2
86-
GIT_KUIPER_ES01_VERSION=2.3.0
87-
GIT_KUIPER_MONGODB_VERSION=2.3.0
88-
GIT_KUIPER_NGINX_VERSION=2.3.0
89-
GIT_KUIPER_REDIS_VERSION=2.3.0
82+
GIT_KUIPER_VERSION=2.3.4
83+
GIT_KUIPER_CELERY_VERSION=2.3.4
84+
GIT_KUIPER_NFS_VERSION=2.3.4
85+
GIT_KUIPER_FLASK_VERSION=2.3.4
86+
GIT_KUIPER_ES01_VERSION=2.3.4
87+
GIT_KUIPER_MONGODB_VERSION=2.3.4
88+
GIT_KUIPER_NGINX_VERSION=2.3.4
89+
GIT_KUIPER_REDIS_VERSION=2.3.4
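Review bot: every image pin in this hunk moves to 2.3.4, including GIT_KUIPER_NFS_VERSION, GIT_KUIPER_ES01_VERSION, GIT_KUIPER_MONGODB_VERSION, GIT_KUIPER_NGINX_VERSION and GIT_KUIPER_REDIS_VERSION, which were at 2.3.0/2.3.1, yet the CHANGELOG entry added in this same commit only records changes to the Flask and Celery images and to the Elasticsearch JVM options. Either the NFS, es01, MongoDB, NGINX and Redis images were rebuilt and published under a 2.3.4 tag, in which case the changelog should say so, or these pins now reference tags that do not exist and an update fetched through GIT_URL_RELEASE will fail at image pull time. Please confirm each of the eight tags exists before merging.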

CHANGELOG.md

Lines changed: 9 additions & 0 deletions
@@ -1,5 +1,14 @@
11
# **Changelog**
22
This page list the Changelog for Kuiper project
3+
## **[2.3.4] - 2023-02-03**
4+
### **Fixes:**
5+
- Bug Fix: Flask and Celery Docker Images (changed gevent to version 1.2.2) [Pull Request #85](https://github.com/DFIRKuiper/Kuiper/pull/85)
6+
- Bug Fix: fixed system health scheduler script
7+
- Changed the Elasticsearch Java options from `ES_JAVA_OPTS=-Xms512m -Xmx512m` to `ES_JAVA_OPTS=-Xms4g -Xmx4g`
8+
### **Added:**
9+
- Net Logon parser parser [Pull Request #86](https://github.com/DFIRKuiper/Kuiper/pull/86)
10+
- Add machine select box to alerts page [Pull Request #88](https://github.com/DFIRKuiper/Kuiper/pull/88)
11+
312

413
## **[2.3.3] - 2022-10-15**
514
### **Fixes:**
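Review bot: the third bullet under "Fixes" (`ES_JAVA_OPTS=-Xms512m -Xmx512m` to `ES_JAVA_OPTS=-Xms4g -Xmx4g`) is not a bug fix but a change in host requirements: Elasticsearch will not start if the JVM cannot obtain a 4 GB heap, so anyone upgrading from 2.3.3 on a small host will see the es01 container fail. Record it as a requirements change that states the new minimum memory for the es01 container, rather than listing it among fixes. Also, "Net Logon parser parser" repeats "parser".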

docker-compose.yaml

Lines changed: 1 addition & 1 deletion
@@ -157,7 +157,7 @@ services:
157157
- cluster.name=es-docker-cluster
158158
- discovery.seed_hosts=es01
159159
- cluster.initial_master_nodes=es01
160-
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
160+
- "ES_JAVA_OPTS=-Xms4g -Xmx4g"
161161
- FLASK_IP=flask
162162
- ES_IP=es01
163163
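Review bot: `- "ES_JAVA_OPTS=-Xms4g -Xmx4g"` hard-codes the heap in the es01 service, while the image versions changed in this same commit are read from .env. If the host cannot back a 4 GB heap the JVM aborts at startup and the rest of the stack runs without its datastore, so make this tunable with a default, e.g. `- "ES_JAVA_OPTS=${ES_JAVA_OPTS:--Xms4g -Xmx4g}"`, and pair it with a memory limit on the service so the heap cannot exceed what the container is allowed. Keeping Xms equal to Xmx, as this hunk does, is correct; the heap should also stay at or below half of the memory available to the container.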

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
[{"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "KnownDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:26:21.509750", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "KnownDLLs", "description": "\tKnownDLLs helps improve system performance by ensuring that all Windows processes use the same version of certain DLLs, rather than choose their own from various file locations. During startup, the Session Manager maps the DLLs listed in HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls into memory as named section objects. When a new process is loaded and needs to map these DLLs, it uses the existing sections rather than searching the file system for another version of the DLL."}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winlogon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:27:14.704024", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winlogon", "description": "Lists entries that hook into Winlogon.exe, which manages the Windows interactive-logon user interface\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Explorer", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:28:14.567543", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Explorer", "description": "Lists common autostart entries that hook directly into Windows Explorer\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Name", 
"name": "Name"}], "name": "ImageHijacks", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:30:01.377947", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ImageHijacks", "description": "This refers to using Image File Execution options in the Windows registry to redirect a process loading by mapping the executable name and thus load a completely different process.\r\n\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "InternetExplorerAddons\t", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:31:02.310682", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "InternetExplorerAddons\t", "description": "Lists Addons of Internet Explorer\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "BootExecute", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:33:08.666637", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "BootExecute", "description": "Lists Windows native-mode executables that are started by the Session Manager (Smss.exe) during system boot.\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Name", "name": "Name"}], "name": "AppinitDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:33:58.221311", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "AppinitDLLs", "description": "DLLs in the Appinit_Dlls registry key, and those DLLs will be loaded into every 
process that loads User32.dll\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "LSAsecurityProviders", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:34:43.058475", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "LSAsecurityProviders", "description": "This list should contain only Windows-verifiable entries. The DLLs listed in these entries are loaded by Lsass.exe or Winlogon.exe and run as Local System.\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Codecs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:35:30.965137", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Codecs", "description": "Lists executable code that can be loaded by media playback applications\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "OfficeAddins", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:36:16.648628", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "OfficeAddins", "description": "Lists add-ins and plug-ins registered to hook into documented interfaces for Access, Excel, Outlook, PowerPoint, and Word.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Logon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:37:05.817065", "parser_type_field": "autostart_locations", "action": "add", 
"parser_folder": "Autoruns", "_id": "Logon", "description": "Lists all scripts and binary files that will be execute when Windows starts up and a user logs on\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "PrintMonitorDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:37:53.564546", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "PrintMonitorDLLs", "description": "Lists DLLs that are loaded into the Spooler service.\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winsock", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:38:39.093495", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winsock", "description": "List Winsock protocols and service providers.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "ServicesAndDrivers", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-11T19:39:57.611707", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ServicesAndDrivers", "description": "Lists services and drivers that load at boot up a system"}]
1+
[{"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "KnownDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.229597", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "KnownDLLs", "description": "\tKnownDLLs helps improve system performance by ensuring that all Windows processes use the same version of certain DLLs, rather than choose their own from various file locations. During startup, the Session Manager maps the DLLs listed in HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls into memory as named section objects. When a new process is loaded and needs to map these DLLs, it uses the existing sections rather than searching the file system for another version of the DLL."}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winlogon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.234509", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winlogon", "description": "Lists entries that hook into Winlogon.exe, which manages the Windows interactive-logon user interface\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Explorer", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.238119", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Explorer", "description": "Lists common autostart entries that hook directly into Windows Explorer\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Name", 
"name": "Name"}], "name": "ImageHijacks", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.242549", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ImageHijacks", "description": "This refers to using Image File Execution options in the Windows registry to redirect a process loading by mapping the executable name and thus load a completely different process.\r\n\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "InternetExplorerAddons\t", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.246449", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "InternetExplorerAddons\t", "description": "Lists Addons of Internet Explorer\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Name", "name": "Name"}], "name": "BootExecute", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.250112", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "BootExecute", "description": "Lists Windows native-mode executables that are started by the Session Manager (Smss.exe) during system boot.\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Name", "name": "Name"}], "name": "AppinitDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.254170", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "AppinitDLLs", "description": "DLLs in the Appinit_Dlls registry key, and those DLLs will be loaded into every 
process that loads User32.dll\t\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "LSAsecurityProviders", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.258054", "parser_type_field": "autostart_locations", "action": "edit", "parser_folder": "Autoruns", "_id": "LSAsecurityProviders", "description": "This list should contain only Windows-verifiable entries. The DLLs listed in these entries are loaded by Lsass.exe or Winlogon.exe and run as Local System.\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Codecs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.261977", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Codecs", "description": "Lists executable code that can be loaded by media playback applications\t\r\n"}, {"parser_files_categorization_values": "SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "OfficeAddins", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.265490", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "OfficeAddins", "description": "Lists add-ins and plug-ins registered to hook into documented interfaces for Access, Excel, Outlook, PowerPoint, and Word.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE,NTUSER", "important_field": [{"path": "Path", "name": "Path"}], "name": "Logon", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.269270", "parser_type_field": "autostart_locations", "action": "add", 
"parser_folder": "Autoruns", "_id": "Logon", "description": "Lists all scripts and binary files that will be execute when Windows starts up and a user logs on\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "PrintMonitorDLLs", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.272831", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "PrintMonitorDLLs", "description": "Lists DLLs that are loaded into the Spooler service.\r\n"}, {"parser_files_categorization_values": "SYSTEM", "important_field": [{"path": "Path", "name": "Path"}], "name": "Winsock", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.276474", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "Winsock", "description": "List Winsock protocols and service providers.\t\r\n"}, {"parser_files_categorization_values": "SYSTEM,SOFTWARE", "important_field": [{"path": "Path", "name": "Path"}], "name": "ServicesAndDrivers", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.280370", "parser_type_field": "autostart_locations", "action": "add", "parser_folder": "Autoruns", "_id": "ServicesAndDrivers", "description": "Lists services and drivers that load at boot up a system"}]
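Review bot: the only field that differs between the removed and added line is `creation_time`, regenerated to 2023-02-03T14:14:07 for all fourteen Autoruns entries; no parser definition changed. Committing regenerated timestamps is what bloats this commit and buries the substantive changes (the gevent pin, the Elasticsearch heap) in noise; consider dropping `creation_time` from the serialised configuration, or not committing files whose only delta is that field. Separately, the `InternetExplorerAddons\t` entry carries a trailing tab in both `name` and `_id`, so that parser id will not match an exact lookup for `InternetExplorerAddons`; it is worth stripping while these files are being rewritten anyway.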
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
[{"parser_files_categorization_values": "WebCacheV01.dat,History,places.sqlite", "important_field": [{"path": "type", "name": "Type"}, {"path": "browser_name", "name": "Browser"}, {"path": "link", "name": "Link"}], "name": "Browser_History", "interface_function": "BrowserHistory_interface.auto_browser_history", "parser_files_categorization_type": "file_name", "creation_time": "2022-08-13T19:20:17.279363", "parser_type_field": "web_browser", "action": "edit", "parser_folder": "BrowserHistory", "_id": "Browser_History", "description": "Parser the browser history for (IE, Firefox, Chrome)"}]
1+
[{"parser_files_categorization_values": "WebCacheV01.dat,History,places.sqlite", "important_field": [{"path": "type", "name": "Type"}, {"path": "browser_name", "name": "Browser"}, {"path": "link", "name": "Link"}], "name": "Browser_History", "interface_function": "BrowserHistory_interface.auto_browser_history", "parser_files_categorization_type": "file_name", "creation_time": "2023-02-03T14:14:07.196119", "parser_type_field": "web_browser", "action": "edit", "parser_folder": "BrowserHistory", "_id": "Browser_History", "description": "Parser the browser history for (IE, Firefox, Chrome)"}]
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
[{"parser_files_categorization_values": "70000000", "important_field": [{"path": "URL", "name": "URL"}, {"path": "FileSize", "name": "FileSize"}], "name": "CertUtilParser", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "magic_number", "creation_time": "2022-08-13T19:20:17.202324", "parser_type_field": "os_general", "action": "edit", "parser_folder": "CertUtilParser", "_id": "CertUtilParser", "description": "certutil cache parser"}]
1+
[{"parser_files_categorization_values": "70000000", "important_field": [{"path": "URL", "name": "URL"}, {"path": "FileSize", "name": "FileSize"}], "name": "CertUtilParser", "interface_function": "interface.auto_interface", "parser_files_categorization_type": "magic_number", "creation_time": "2023-02-03T14:14:07.097761", "parser_type_field": "os_general", "action": "edit", "parser_folder": "CertUtilParser", "_id": "CertUtilParser", "description": "certutil cache parser"}]

kuiper/app/parsers/Fennec/configuration.json

Lines changed: 1 addition & 1 deletion
Large diffs are not rendered by default.
