- Original path:
profiles/modules/windows/registry.toml
# Windows Registry Artifacts Module
# Collects Windows Registry hives and important registry artifacts.
# Live hives (System32\config\*, per-user NTUSER.DAT / UsrClass.dat) are held
# open exclusively by the OS while Windows is running, so the matched files are
# expected to be read by the collector's raw-volume / shadow-copy reader rather
# than through a normal file open.
[module]
# Identity and scheduling metadata for this module as listed in the profile.
name = "Windows Registry Artifacts"
description = "Windows Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER, etc.)"
# NOTE(review): SAM and SECURITY contain NT hashes and LSA secrets. Treat the
# collected output as credential material (restrict access, encrypt at rest).
priority = "critical"
platform = ["windows"]
category = "windows"
# Registry Hive Files
[[patterns]]
# `(?:^|[/\\])` pins the hive name to a whole path component; the trailing `$`
# keeps SAM.LOG1 / SAM.LOG2 out of this entry (a separate transaction-log
# pattern covers those). Also matches the copy under config\RegBack.
name = "SAM Registry Hive"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])SAM$'

[[patterns]]
# Same anchoring as SAM: the bare hive file only, not its .LOG1/.LOG2 siblings.
name = "SYSTEM Registry Hive"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])SYSTEM$'

[[patterns]]
# Same anchoring as SAM: the bare hive file only, not its .LOG1/.LOG2 siblings.
name = "SOFTWARE Registry Hive"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])SOFTWARE$'

[[patterns]]
# Same anchoring as SAM. Holds LSA secrets / cached credentials -- sensitive output.
name = "SECURITY Registry Hive"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])SECURITY$'

[[patterns]]
# Same anchoring as SAM. Case-insensitive, so any file named exactly "default"
# anywhere on the volume will also match; review hits outside System32\config.
name = "DEFAULT Registry Hive"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])DEFAULT$'
[[patterns]]
# No `$` anchor: anything whose path contains "ntuser.dat" matches, which
# includes NTUSER.DAT.LOG1/.LOG2 and the NTUSER.DAT{...} companion files that
# sit next to the hive in the profile directory.
name = "NTUSER.DAT Registry Hive"
type = "regex"
case-insensitive = true
pattern = 'NTUSER\.DAT'

[[patterns]]
# Unanchored like NTUSER.DAT: picks up UsrClass.dat and its .LOG1/.LOG2 siblings.
name = "UsrClass.dat Registry Hive"
type = "regex"
case-insensitive = true
pattern = 'UsrClass\.dat'
# Registry Transaction Logs
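[[patterns]]
# Registry transaction logs, scoped to the hives this module collects.
# The previous pattern (`\.(?:LOG|LOG1|LOG2)$`, case-insensitive) matched every
# *.log on the volume -- IIS, setup and application logs included -- which
# bloats the collection and drags unrelated data into a "registry" evidence set.
# .LOG1/.LOG2 are the current log pair; bare .LOG is kept for older layouts.
# NOTE(review): TxR files (config\TxR\*.blf, *.regtrans-ms) are not covered here.
name = "Registry Transaction Log"
type = "regex"
case-insensitive = true
pattern = '(?:^|[/\\])(?:SAM|SYSTEM|SOFTWARE|SECURITY|DEFAULT|NTUSER\.DAT|UsrClass\.dat|Amcache\.hve)\.LOG[12]?$'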
# Amcache.hve -- the application-compatibility program inventory hive. Not the
# same artifact as AppCompatCache/ShimCache, which lives inside the SYSTEM hive.
[[patterns]]
# Unanchored: any path containing "amcache.hve" matches, so the hive's
# Amcache.hve.LOG1/.LOG2 siblings are collected alongside it.
name = "AmCache Hive"
type = "regex"
case-insensitive = true
pattern = 'Amcache\.hve'
# Registry Backups
[[patterns]]
# Substring match on the directory name: everything under config\RegBack is
# collected (offline copies of the hives). NOTE(review): on recent Windows 10/11
# this directory is commonly empty unless the RegIdleBackup task has been
# re-enabled, so zero hits here is not by itself a collection failure.
name = "Registry Backup"
type = "regex"
case-insensitive = true
pattern = 'RegBack'