EricZimmerman · AndrewRathbun · Mar 18, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
@@ -11,6 +11,7 @@ Special thanks to those who have contributed to this Batch file:
 * [esecrpm](https://github.com/esecrpm)
 * [ogmini](https://github.com/ogmini)
 * [Evangelos Dragonas (@theAtropos4n6)](https://github.com/theAtropos4n6)
+* [CERT CWATCH](https://github.com/cert-cwatch/)
 
 # Version History
 
@@ -71,6 +72,8 @@ Example entry, please follow this format:
 | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts |
 | 2.20 | 2025-10-03 | Added PuTTY, CCleaner, File Shredder, Splashtop Artifacts |
 | 2.21 | 2026-01-06 | Added WOW6432Node Run Keys and Expanded Edge and Chrome Artifacts |
+| 2.22 | 2026-03-17 | Added WDigest status artifcats. Also fix some Third Party Applications missing path |
+
 # Documentation
 
 https://docs.microsoft.com/en-US/troubleshoot/windows-server/performance/windows-registry-advanced-users

diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
@@ -1,7 +1,7 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.21
-Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
+Version: 2.22
+Id: 77ae78db-4fe9-4383-9aea-ddd9ebec35cc
 Keys:
 #
 # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md
@@ -3261,6 +3261,14 @@ Keys:
         Recursive: true
         Comment: "Displays artifacts relating to AnyDesk"
 
+    -
+        Description: AnyDesk
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\AnyDesk
+        Recursive: true
+        Comment: "Displays artifacts relating to AnyDesk"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> Atera - https://www.atera.com
@@ -3273,6 +3281,14 @@ Keys:
         Recursive: true
         Comment: "Displays artifacts relating to Atera"
 
+    -
+        Description: Atera
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\AteraAgent
+        Recursive: true
+        Comment: "Displays artifacts relating to Atera"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> ConnectWise (ScreenConnect) - https://screenconnect.connectwise.com/
@@ -3286,6 +3302,15 @@ Keys:
         Recursive: false
         Comment: "Displays artifacts relating to ConnectWise (ScreenConnect)"
 
+    -
+        Description: ConnectWise (ScreenConnect)
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\ScreenConnect Client*
+        ValueName: DisplayName
+        Recursive: false
+        Comment: "Displays artifacts relating to ConnectWise (ScreenConnect)"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> LogMeIn - https://www.logmein.com
@@ -3298,6 +3323,14 @@ Keys:
         Recursive: true
         Comment: "Displays artifacts relating to LogMeIn"
 
+    -
+        Description: LogMeIn
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\LogMeIn
+        Recursive: true
+        Comment: "Displays artifacts relating to LogMeIn"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> RemoteUtilities - https://www.remoteutilities.com/
@@ -3309,6 +3342,13 @@ Keys:
         KeyPath: CurrentControlSet\Services\RManService
         Recursive: true
         Comment: "Displays artifacts relating to RemoteUtilities"
+    -
+        Description: RemoteUtilities
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\RManService
+        Recursive: true
+        Comment: "Displays artifacts relating to RemoteUtilities"
     -
         Description: RemoteUtilities
         HiveType: SYSTEM
@@ -3360,13 +3400,27 @@ Keys:
         KeyPath: CurrentControlSet\Services\SplashtopRemoteService
         Recursive: true
         Comment: "Displays artifacts relating to Splashtop"
+    -
+        Description: Splashtop
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\SplashtopRemoteService
+        Recursive: true
+        Comment: "Displays artifacts relating to Splashtop"
     -
         Description: Splashtop
         HiveType: SYSTEM
         Category: Third Party Applications
         KeyPath: CurrentControlSet\Services\SSUService
         Recursive: true
         Comment: "Displays artifacts relating to Splashtop"
+    -
+        Description: Splashtop
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\SSUService
+        Recursive: true
+        Comment: "Displays artifacts relating to Splashtop"
     -
         Description: Splashtop
         HiveType: NTUSER
@@ -3401,6 +3455,14 @@ Keys:
         KeyPath: CurrentControlSet\Services\TeamViewer
         Recursive: true
         Comment: "Displays artifacts relating to TeamViewer"
+    -
+        Description: TeamViewer
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\TeamViewer
+        Recursive: true
+        Comment: "Displays artifacts relating to TeamViewer"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> TightVNC - https://www.tightvnc.com/
@@ -3419,6 +3481,14 @@ Keys:
         KeyPath: Software\TightVNC\Server
         Recursive: true
         Comment: "Displays artifacts relating to TightVNC"
+    -
+        Description: TightVNC
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\tvnserver
+        Recursive: true
+        Comment: "Displays artifacts relating to TightVNC"
+
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
 # Third Party Applications -> PuTTY - https://www.chiark.greenend.org.uk/~sgtatham/putty/
@@ -3491,6 +3561,13 @@ Keys:
         KeyPath: CurrentControlSet\Services\GsServer
         Recursive: true
         Comment: "Displays artifacts relating to GoodSync"
+    -
+        Description: GoodSync
+        HiveType: SYSTEM
+        Category: Third Party Applications
+        KeyPath: ControlSet00*\Services\GsServer
+        Recursive: true
+        Comment: "Displays artifacts relating to GoodSync"
 
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
@@ -5063,4 +5140,27 @@ Keys:
 
 # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/932a34b5-48e7-44c0-b6d2-a57aadef1799
 
+
+    -
+        Description: WDigest
+        HiveType: SYSTEM
+        Category: Threat Hunting
+        KeyPath: ControlSet*\Control\SecurityProviders\WDigest
+        ValueName: UseLogonCredential
+        Recursive: false
+        Comment: "Display whether WDigest is enabled. These registry keys are worth monitoring in an environment as an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7 / 2008R2 up to Windows 10 / 2012R2. Furthermore, Windows 8.1 / 2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so the key needs to be added. The existence of the key is suspicious, if not expected."
+
+    -
+        Description: WDigest
+        HiveType: SYSTEM
+        Category: Threat Hunting
+        KeyPath: ControlSet*\Control\SecurityProviders\WDigest
+        ValueName: Negotiate
+        Recursive: false
+        Comment: "Display whether WDigest is enabled. These registry keys are worth monitoring in an environment as an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7 / 2008R2 up to Windows 10 / 2012R2. "
+
+# https://docs.velociraptor.app/artifact_references/pages/windows.registry.wdigest/
+# https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
+# https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext
+
 # More to come...stay tuned!