- Original path:
profiles/composite/windows-forensics.toml
# Windows Forensics Profile
# Inspired by KAPE's Windows-specific targets
# Comprehensive Windows artifact detection
# Base profiles merged into this one; paths are relative to this file.
includes = [
  "../base/forensics.toml",
  "../base/system-artifacts.toml",
  "../base/browser-artifacts.toml",
]
# Windows Registry Artifacts
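# Registry path under the machine hive. Accepts the full hive name or the
# HKLM abbreviation used by reg.exe / PowerShell, and lets key components
# contain '_', '.' and '-' as well as alphanumerics. Hive and key names are
# case-insensitive on Windows, so the match is too. TOML literal string:
# '\\' is one regex backslash.
[[patterns]]
name = "HKLM Registry Path"
pattern = '(?:HKEY_LOCAL_MACHINE|HKLM)\\[-A-Za-z0-9_.\\]+'
case-insensitive = true
type = "regex"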
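# Registry path under the current-user hive. Accepts the full hive name or
# the HKCU abbreviation, and allows '_', '.' and '-' inside key components.
# Case-insensitive because the registry itself is. TOML literal string:
# '\\' is one regex backslash.
[[patterns]]
name = "HKCU Registry Path"
pattern = '(?:HKEY_CURRENT_USER|HKCU)\\[-A-Za-z0-9_.\\]+'
case-insensitive = true
type = "regex"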
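# Registry path under the classes hive. Accepts the full hive name or the
# HKCR abbreviation, and allows '_', '.' and '-' inside key components.
# Case-insensitive because the registry itself is. TOML literal string:
# '\\' is one regex backslash.
[[patterns]]
name = "HKCR Registry Path"
pattern = '(?:HKEY_CLASSES_ROOT|HKCR)\\[-A-Za-z0-9_.\\]+'
case-insensitive = true
type = "regex"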
# Plain substring match on the key name; no regex metacharacters involved.
[[patterns]]
name = "RecentDocs"
type = "string"
pattern = "RecentDocs"
# Either of the two MRU subkeys written one level below ComDlg32.
# Literal TOML string: '\\' is one regex backslash.
[[patterns]]
name = "ComDlg32"
type = "regex"
pattern = 'ComDlg32\\(?:OpenSavePidlMRU|LastVisitedPidlMRU)'
# Plain substring match on the key name.
[[patterns]]
name = "MountPoints2"
type = "string"
pattern = "MountPoints2"
# Windows Event Log Patterns
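# "Event ID: 4624" / "EventID:4625" style references. The trailing \b stops
# 4624 from also matching inside 46241. IDs are the original set plus the
# common ones a triage reader wants: 1102 audit log cleared, 4648 logon with
# explicit credentials, 4688 process creation, 4697 service installed,
# 4698 scheduled task created, 4776 NTLM credential validation.
[[patterns]]
name = "Security Event ID"
pattern = '(?:Event ID|EventID)\s*:\s*(?:1102|4624|4625|4648|4672|4688|4697|4698|4720|4732|4776)\b'
type = "regex"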
# Free-text logon wording; case-insensitive so "Failed Logon" is caught too.
[[patterns]]
name = "Logon Event"
type = "regex"
case-insensitive = true
pattern = '(?:successful logon|failed logon|logon type)'
# Account-creation wording; ".*" lets arbitrary words sit between the tokens.
[[patterns]]
name = "Account Creation"
type = "regex"
case-insensitive = true
pattern = '(?:account.*created|new.*user.*account)'
# Privilege-use wording from event text, matched case-insensitively.
[[patterns]]
name = "Privilege Use"
type = "regex"
case-insensitive = true
pattern = '(?:privilege.*use|sensitive privilege)'
# Windows Execution Artifacts
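# Prefetch file-name suffix "-<8 hex digits>.pf", e.g. NOTEPAD.EXE-XXXXXXXX.pf.
# Requiring the hyphen and hex digits (rather than any [A-Z0-9]) drops
# unrelated *.pf names; case-insensitive so tool output that lowercases
# paths still matches.
[[patterns]]
name = "Prefetch Execution"
pattern = '-[A-F0-9]{8}\.pf'
case-insensitive = true
type = "regex"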
# Either spelling of the cache name followed, anywhere later, by "LastModified".
[[patterns]]
name = "AppCompatCache Entry"
type = "regex"
pattern = '(?:AppCompatCache|ShimCache).*LastModified'
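# BAM/DAM per-user execution records. The key is "bam\State\UserSettings" on
# current builds and "bam\UserSettings" on older ones (no "State" level), and
# the registry spells the service name lowercase, so "State\" is optional and
# the match is case-insensitive. TOML literal string: '\\' is one regex
# backslash.
[[patterns]]
name = "BAM/DAM Entry"
pattern = '(?:bam|dam)\\(?:State\\)?UserSettings'
case-insensitive = true
type = "regex"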
# The ActivitiesCache.db file name, with the dot escaped.
[[patterns]]
name = "Windows Timeline"
type = "regex"
pattern = 'ActivitiesCache\.db'
# Windows File System
# "<name>:<stream>:$DATA" — the named-stream form. [^:]+ needs at least one
# character, so the unnamed "::$DATA" stream is not matched.
[[patterns]]
name = "Alternate Data Stream"
type = "regex"
pattern = ':[^:]+:\$DATA'
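# Mark-of-the-Web stream name. This is a literal (type = "string") match, so
# the dot must NOT be regex-escaped: a "\." here would be searched for
# verbatim, backslash included, and never hit ":Zone.Identifier".
[[patterns]]
name = "Zone.Identifier"
pattern = ":Zone.Identifier"
type = "string"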
# "$" followed by one of the NTFS metadata names; "$" is escaped so it is a
# literal dollar sign, not an end anchor.
[[patterns]]
name = "NTFS Journal"
type = "regex"
pattern = '\$(?:UsnJrnl|LogFile|Extend)'
# Windows Network Artifacts
# "NetworkList\Profiles" with the backslash escaped for the regex engine.
[[patterns]]
name = "Network Profile"
type = "regex"
pattern = 'NetworkList\\Profiles'
# "WLAN" or "WiFi" followed, anywhere later, by "profile"; case-insensitive.
[[patterns]]
name = "Wireless Network"
type = "regex"
case-insensitive = true
pattern = '(?:WLAN|WiFi).*profile'
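# RAS phonebook files: the default rasphone.pbk anywhere, or any *.pbk
# directly under a Pbk\ folder. A bare "Pbk.pbk" is not a file name that
# occurs, so the Pbk branch requires a file name before the extension.
# TOML literal string: '\\' is one regex backslash.
[[patterns]]
name = "VPN Connection"
pattern = '(?:Pbk\\[^\\]+|rasphone)\.pbk'
case-insensitive = true
type = "regex"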
# Windows Application Artifacts
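# Office recent-file references. \b around the product names keeps "Word"
# from matching inside e.g. "password", which the case-insensitive search
# would otherwise do.
[[patterns]]
name = "Office Recent Files"
pattern = '\b(?:Excel|Word|PowerPoint)\b.*Recent'
case-insensitive = true
type = "regex"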
# "Packages\<one path component>\AC"; [^\\]+ keeps the middle to one level.
[[patterns]]
name = "Windows Store App"
type = "regex"
pattern = 'Packages\\[^\\]+\\AC'
# "Microsoft.Windows.<name>_<suffix>\LocalState"; the dots in the prefix are
# escaped, the two ".*" are unbounded.
[[patterns]]
name = "UWP App Data"
type = "regex"
pattern = 'Microsoft\.Windows\..*_.*\\LocalState'
# Windows Security
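# Credential Manager blob file names: "Credentials\" followed by a 32-hex-digit
# name. Case-insensitive so lowercased paths in tool output still match.
# TOML literal string: '\\' is one regex backslash.
[[patterns]]
name = "Credential Manager"
pattern = 'Credentials\\[A-F0-9]{32}'
case-insensitive = true
type = "regex"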
# "Microsoft\Vault" with the backslash escaped for the regex engine.
[[patterns]]
name = "Windows Vault"
type = "regex"
pattern = 'Microsoft\\Vault'
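# DPAPI master-key files under Microsoft\Protect\<SID>\<GUID>. The GUID file
# names are lowercase hex on disk, which the [A-F0-9] classes would miss
# without the case-insensitive flag. TOML literal string: '\\' is one regex
# backslash.
[[patterns]]
name = "DPAPI Master Key"
pattern = 'Microsoft\\Protect.*[A-F0-9]{8}-(?:[A-F0-9]{4}-){3}[A-F0-9]{12}'
case-insensitive = true
type = "regex"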
# "SECURITY\Policy\Secrets" with backslashes escaped for the regex engine.
[[patterns]]
name = "LSA Secrets"
type = "regex"
pattern = 'SECURITY\\Policy\\Secrets'
# One row per file that hit any of the execution-artifact patterns above.
# Line-ending backslashes fold the query back onto a single line.
[[signatures]]
name = "Windows Execution Evidence"
query = """\
SELECT DISTINCT sha256 FROM pattern_matches \
WHERE pattern_name IN ('Prefetch Execution', 'AppCompatCache Entry', 'BAM/DAM Entry', 'Windows Timeline')\
"""
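# One row per file that hit any user-activity pattern. DISTINCT, as in the
# other signatures, so a file with several hits is reported once.
# 'TypedURLs' and 'RunMRU' are not defined in this file; presumably they come
# from an included base profile — verify the names match there.
[[signatures]]
name = "Windows User Activity"
query = """\
SELECT DISTINCT sha256 FROM pattern_matches \
WHERE pattern_name IN ('RecentDocs', 'ComDlg32', 'Office Recent Files', 'TypedURLs', 'RunMRU')\
"""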
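# Files that hit any of the event-log patterns defined in this profile. The
# names are listed explicitly instead of LIKE '%Event%'/'%Logon%'/'%Account%':
# those wildcards could sweep in unrelated "...Account..." patterns from the
# included base profiles and attribute them as security events, and they
# did not cover "Privilege Use" at all.
[[signatures]]
name = "Windows Security Events"
query = """\
SELECT DISTINCT sha256 FROM pattern_matches \
WHERE pattern_name IN ('Security Event ID', 'Logon Event', 'Account Creation', 'Privilege Use')\
"""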