From 9401bd797277377eb44ede70ae0167400b245af2 Mon Sep 17 00:00:00 2001
From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com>
Date: Tue, 17 Mar 2026 19:12:23 +0100
Subject: [PATCH 1/5] Update DFIRBatch.reb
Adding WDigest & Adding multiples ControlSet00* missing path on some Third Party Applications
---
 BatchExamples/DFIRBatch.reb | 100 ++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
index 23b7b05..67be7c1 100644
--- a/BatchExamples/DFIRBatch.reb
+++ b/BatchExamples/DFIRBatch.reb
@@ -3261,6 +3261,14 @@ Keys:
 Recursive: true
 Comment: "Displays artifacts relating to AnyDesk"
+ -
+ Description: AnyDesk
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\AnyDesk
+ Recursive: true
+ Comment: "Displays artifacts relating to AnyDesk"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> Atera - https://www.atera.com
@@ -3273,6 +3281,14 @@ Keys:
 Recursive: true
 Comment: "Displays artifacts relating to Atera"
+ -
+ Description: Atera
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\AteraAgent
+ Recursive: true
+ Comment: "Displays artifacts relating to Atera"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> ConnectWise (ScreenConnect) - https://screenconnect.connectwise.com/
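Review bot: The new `ControlSet00*\Services\AnyDesk` entry reuses the Comment of the existing `CurrentControlSet\Services\AnyDesk` entry word for word, so when both presumably match the active control set an analyst sees two rows that differ only in key path and cannot tell from the comment which one is there to cover the non-current control sets. The same applies to the Atera hunk that follows and to the ConnectWise, LogMeIn, RemoteUtilities, Splashtop, TeamViewer, TightVNC and GoodSync hunks later in this patch. A comment that states the difference would help, e.g. `Comment: "Displays artifacts relating to AnyDesk in every control set, including non-current ones"`. A one-line `#` comment above the first such entry saying why the `ControlSet00*` form is needed next to `CurrentControlSet` (the commit message only says "missing path") would also spare the next maintainer the question.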
@@ -3286,6 +3302,15 @@ Keys:
 Recursive: false
 Comment: "Displays artifacts relating to ConnectWise (ScreenConnect)"
+ -
+ Description: ConnectWise (ScreenConnect)
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\ScreenConnect Client*
+ ValueName: DisplayName
+ Recursive: false
+ Comment: "Displays artifacts relating to ConnectWise (ScreenConnect)"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> LogMeIn - https://www.logmein.com
@@ -3298,6 +3323,14 @@ Keys:
 Recursive: true
 Comment: "Displays artifacts relating to LogMeIn"
+ -
+ Description: LogMeIn
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\LogMeIn
+ Recursive: true
+ Comment: "Displays artifacts relating to LogMeIn"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> RemoteUtilities - https://www.remoteutilities.com/
@@ -3309,6 +3342,13 @@ Keys:
 KeyPath: CurrentControlSet\Services\RManService
 Recursive: true
 Comment: "Displays artifacts relating to RemoteUtilities"
+ -
+ Description: RemoteUtilities
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\RManService
+ Recursive: true
+ Comment: "Displays artifacts relating to RemoteUtilities"
 -
 Description: RemoteUtilities
 HiveType: SYSTEM
@@ -3360,6 +3400,13 @@ Keys:
 KeyPath: CurrentControlSet\Services\SplashtopRemoteService
 Recursive: true
 Comment: "Displays artifacts relating to Splashtop"
+ -
+ Description: Splashtop
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\SSUService
+ Recursive: true
+ Comment: "Displays artifacts relating to Splashtop"
 -
 Description: Splashtop
 HiveType: SYSTEM
@@ -3367,6 +3414,13 @@ Keys:
 KeyPath: CurrentControlSet\Services\SSUService
 Recursive: true
 Comment: "Displays artifacts relating to Splashtop"
+ -
+ Description: Splashtop
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\SSUService
+ Recursive: true
+ Comment: "Displays artifacts relating to Splashtop"
 -
 Description: Splashtop
 HiveType: NTUSER
@@ -3401,6 +3455,14 @@ Keys:
 KeyPath: CurrentControlSet\Services\TeamViewer
 Recursive: true
 Comment: "Displays artifacts relating to TeamViewer"
+ -
+ Description: TeamViewer
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\TeamViewer
+ Recursive: true
+ Comment: "Displays artifacts relating to TeamViewer"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> TightVNC - https://www.tightvnc.com/
@@ -3419,6 +3481,14 @@ Keys:
 KeyPath: Software\TightVNC\Server
 Recursive: true
 Comment: "Displays artifacts relating to TightVNC"
+ -
+ Description: TightVNC
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\tvnserver
+ Recursive: true
+ Comment: "Displays artifacts relating to TightVNC"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 # Third Party Applications -> PuTTY - https://www.chiark.greenend.org.uk/~sgtatham/putty/
@@ -3491,6 +3561,13 @@ Keys:
 KeyPath: CurrentControlSet\Services\GsServer
 Recursive: true
 Comment: "Displays artifacts relating to GoodSync"
+ -
+ Description: GoodSync
+ HiveType: SYSTEM
+ Category: Third Party Applications
+ KeyPath: ControlSet00*\Services\GsServer
+ Recursive: true
+ Comment: "Displays artifacts relating to GoodSync"
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
@@ -5063,4 +5140,27 @@ Keys:
 # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/932a34b5-48e7-44c0-b6d2-a57aadef1799
+
+ -
+ Description: WDigest
+ HiveType: SYSTEM
+ Category: Threat Hunting
+ KeyPath: ControlSet*\Control\SecurityProviders\WDigest
+ ValueName: UseLogonCredential
+ Recursive: false
+ Comment: "Display whether WDigest is enabled. These registry keys are worth monitoring in an environment as an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7 / 2008R2 up to Windows 10 / 2012R2. Furthermore, Windows 8.1 / 2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so the key needs to be added. The existence of the key is suspicious, if not expected."
+
+ -
+ Description: WDigest
+ HiveType: SYSTEM
+ Category: Threat Hunting
+ KeyPath: ControlSet*\Control\SecurityProviders\WDigest
+ ValueName: Negotiate
+ Recursive: false
+ Comment: "Display whether WDigest is enabled. These registry keys are worth monitoring in an environment as an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7 / 2008R2 up to Windows 10 / 2012R2. "
+
+# https://docs.velociraptor.app/artifact_references/pages/windows.registry.wdigest/
+# https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
+# https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext
+
 # More to come...stay tuned!
From 3ea2f62417d78c8e157895dc6a1a208b652692ab Mon Sep 17 00:00:00 2001
From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com>
Date: Tue, 17 Mar 2026 19:14:44 +0100
Subject: [PATCH 2/5] Update DFIRBatch.reb
Changing Version & ID
---
 BatchExamples/DFIRBatch.reb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
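Review bot: The Negotiate entry's Comment is a copy of the UseLogonCredential text (with a stray space before the closing quote) and never says what the `Negotiate` value itself indicates, so the two rows are distinguishable in output only by ValueName; something like `Comment: "Displays the WDigest Negotiate value. A value of 1 presumably allows Digest authentication to be negotiated again, which together with UseLogonCredential causes LSASS to retain plaintext credentials; the value is not present by default on current Windows versions, so its presence warrants review"` would be more useful, but confirm the exact semantics against the Velociraptor reference added below before wording it. In the UseLogonCredential comment, "The existence of the key is suspicious" should read "value": the `WDigest` key itself exists by default, and the comment's own previous sentence says it is the `UseLogonCredential` DWORD that is absent on Windows 8.1 / 2012 R2 and newer. Both entries also use `ControlSet*\Control\SecurityProviders\WDigest` while every other entry in this patch uses the `ControlSet00*` form; `KeyPath: ControlSet00*\Control\SecurityProviders\WDigest` would keep the file consistent.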
diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
index 67be7c1..06504a7 100644
--- a/BatchExamples/DFIRBatch.reb
+++ b/BatchExamples/DFIRBatch.reb
@@ -1,7 +1,7 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.21
-Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
+Version: 2.22
+Id: 77ae78db-4fe9-4383-9aea-ddd9ebec35cc
 Keys:
 #
 # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md
From be93b6e726ff3bead1d61db322ecdff93e66c3a6 Mon Sep 17 00:00:00 2001
From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com>
Date: Tue, 17 Mar 2026 19:16:50 +0100
Subject: [PATCH 3/5] Update DFIRBatch.md
Adding documentation
---
 BatchExamples/DFIRBatch.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
index d7f92be..e70d9c6 100644
--- a/BatchExamples/DFIRBatch.md
+++ b/BatchExamples/DFIRBatch.md
@@ -11,6 +11,7 @@ Special thanks to those who have contributed to this Batch file:
 * [esecrpm](https://github.com/esecrpm)
 * [ogmini](https://github.com/ogmini)
 * [Evangelos Dragonas (@theAtropos4n6)](https://github.com/theAtropos4n6)
+* [CERT CWATCH](https://github.com/cert-cwatch/)
 # Version History
@@ -71,6 +72,8 @@ Example entry, please follow this format:
 | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts |
 | 2.20 | 2025-10-03 | Added PuTTY, CCleaner, File Shredder, Splashtop Artifacts |
 | 2.21 | 2026-01-06 | Added WOW6432Node Run Keys and Expanded Edge and Chrome Artifacts |
+| 2.22 | 2026-03-17 | Added WDigest status artifcats. Also fix some Third Party Applications missing path |
+
 # Documentation
 https://docs.microsoft.com/en-US/troubleshoot/windows-server/performance/windows-registry-advanced-users
From 758593eef9fbb7af842623119578c348b44d994c Mon Sep 17 00:00:00 2001
From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com>
Date: Wed, 18 Mar 2026 11:05:37 +0100
Subject: [PATCH 4/5] Update DFIRBatch.reb
Fixing ID & Splashtop duplicates
---
 BatchExamples/DFIRBatch.reb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
index 06504a7..506e2ec 100644
--- a/BatchExamples/DFIRBatch.reb
+++ b/BatchExamples/DFIRBatch.reb
@@ -1,7 +1,7 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
 Version: 2.22
-Id: 77ae78db-4fe9-4383-9aea-ddd9ebec35cc
+Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
 Keys:
 #
 # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md
@@ -3404,7 +3404,7 @@ Keys:
 Description: Splashtop
 HiveType: SYSTEM
 Category: Third Party Applications
- KeyPath: ControlSet00*\Services\SSUService
+ KeyPath: ControlSet00*\Services\SplashtopRemoteService
 Recursive: true
 Comment: "Displays artifacts relating to Splashtop"
 -
From 3b6c153b3feab9bcab79228767c1d9971c71326a Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 18 Mar 2026 11:52:34 -0400
Subject: [PATCH 5/5] revert GUID/ID
---
 BatchExamples/DFIRBatch.reb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
index 506e2ec..822435a 100644
--- a/BatchExamples/DFIRBatch.reb
+++ b/BatchExamples/DFIRBatch.reb
@@ -1,7 +1,7 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
 Version: 2.22
-Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
+Id: 77ae78db-4fe9-4383-9aea-ddd9ebec35cc
 Keys:
 #
 # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md