- Original path:
profiles/modules/windows/all-windows.toml
# All Windows Compound Module
#
# Aggregates the individual Windows artifact modules (see `includes`) and
# adds a handful of cross-cutting path patterns plus one summary signature.
# Regex patterns below use TOML literal strings ('...') so the regex is
# written exactly as the engine sees it; the parsed values are identical to
# the escaped basic-string form.

[module]
name = "All Windows Artifacts"
description = "Comprehensive Windows artifact collection (registry, event logs, prefetch, execution)"
category = "windows"
platform = ["windows"]
priority = "critical"
# Module files pulled in by this compound module. They are given as bare
# file names; how they are resolved (relative to this file or to a module
# root) is decided by the consumer — confirm before moving this file.
includes = [
    "registry.toml",
    "event-logs.toml",
    "prefetch.toml",
    "execution.toml",
]

# ---------------------------------------------------------------------------
# Cross-Windows path patterns.
# Every entry is a regex, matched case-insensitively. `[/\\]` accepts either
# path separator, so both forward- and back-slashed paths match.
# ---------------------------------------------------------------------------

[[patterns]]
name = "Windows Directory"
type = "regex"
case-insensitive = true
pattern = '[/\\]Windows[/\\]'

[[patterns]]
name = "System32 Directory"
type = "regex"
case-insensitive = true
pattern = '[/\\]System32[/\\]'

[[patterns]]
name = "SysWOW64 Directory"
type = "regex"
case-insensitive = true
pattern = '[/\\]SysWOW64[/\\]'

[[patterns]]
name = "Program Files"
type = "regex"
case-insensitive = true
# The optional group also catches "Program Files (x86)".
pattern = '[/\\]Program Files(?:\s\(x86\))?[/\\]'

[[patterns]]
name = "AppData Directory"
type = "regex"
case-insensitive = true
pattern = '[/\\]AppData[/\\]'

[[patterns]]
name = "Users Directory"
type = "regex"
case-insensitive = true
pattern = '[/\\]Users[/\\]'

# ---------------------------------------------------------------------------
# NTFS metadata files. These are anchored at the start of the path or after
# a separator so the literal `$` prefix is part of the match.
# ---------------------------------------------------------------------------

# $MFT — Master File Table; anchored at end of path.
[[patterns]]
name = "MFT"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])\$MFT$'

# $UsnJrnl — change journal. Deliberately not end-anchored, so any trailing
# stream or suffix after the name still matches.
[[patterns]]
name = "USN Journal"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])\$UsnJrnl'

# $LogFile — NTFS transaction log; anchored at end of path.
[[patterns]]
name = "NTFS LogFile"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])\$LogFile$'

# $Recycle.Bin — matched anywhere in the path (no anchoring).
[[patterns]]
name = "Recycle Bin"
type = "regex"
case-insensitive = true
pattern = '\$Recycle\.Bin'

# ---------------------------------------------------------------------------
# Signatures.
# ---------------------------------------------------------------------------

# Flags a file (by sha256) once it has hit more than three distinct pattern
# names containing "Windows", "Registry", "Event" or "Prefetch". The LIKE
# filters apply to the pattern *name*, not the path: of the patterns defined
# in this file only "Windows Directory" qualifies, so reaching the threshold
# presumably depends on pattern names from the included modules — confirm
# against those files. Referencing the alias `windows_artifacts` in HAVING is
# dialect-dependent; verify against the engine that holds pattern_matches.
[[signatures]]
name = "Multiple Windows Artifacts"
query = "SELECT sha256, COUNT(DISTINCT pattern_name) as windows_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Windows%' OR pattern_name LIKE '%Registry%' OR pattern_name LIKE '%Event%' OR pattern_name LIKE '%Prefetch%' GROUP BY sha256 HAVING windows_artifacts > 3"