DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

Modified AmCache and Adopted WinDefender parser #91

Status: Closed (KnorahSa closed this 1 year ago)

KnorahSa commented 1 year ago
  1. Adopted the WinDefender Detection History parser into Kuiper. Original parser: https://github.com/jklepsercyber/defender-detectionhistory-parser

  2. Updated AmCache to:
     A. Consolidate the subkeys Root\InventoryApplicationFile and Root\InventoryApplication under the field "Installed App".
     B. Incorporate the parsing of further AmCache subkeys: Root\InventoryApplicationShortcut and Root\InventoryDriverBinary.
     C. Add a new field "Entry Type" to enable filtering on "LNK", "Driver", and "File" AmCache entries.
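The consolidation and the new "Entry Type" field described above, shown as an added example that is not Kuiper's parser and not code from this PR. It assumes the records a registry walker would hand back from AmCache.hve as (key path, {value name: value}) pairs; the sample records, their ProgramIds, paths and hashes are constructed for the example, and the value names (LowerCaseLongPath, FileId, ProgramId, ShortcutPath, DriverName, ...) are assumed to follow the Windows 10 AmCache layout. The one fact the example relies on is that InventoryApplicationFile\FileId stores the file's SHA-1 prefixed with four zeros.

```python
"""Added example: flatten AmCache subkey records into filterable entries."""
import ntpath

# Subkey under Root -> value of the "Entry Type" field used for filtering.
ENTRY_TYPE_BY_SUBKEY = {
    "InventoryApplicationFile": "File",
    "InventoryApplicationShortcut": "LNK",
    "InventoryDriverBinary": "Driver",
}

# Constructed sample records (assumption: value names follow the Windows 10
# AmCache layout; ProgramIds, paths and hashes are made up for the example).
_SHA1_A = "a" * 40
_SHA1_B = "b" * 40
SAMPLE_KEYS = [
    ("Root\\InventoryApplication\\0006example",
     {"ProgramId": "0006example", "Name": "Example Tool", "Publisher": "Example Corp",
      "Version": "1.2.0", "InstallDate": "01/15/2023 10:00:00",
      "RootDirPath": "C:\\Program Files\\Example Tool"}),
    ("Root\\InventoryApplicationFile\\example.exe|1a2b3c4d",
     {"ProgramId": "0006example", "Name": "example.exe", "Version": "1.2.0",
      "LowerCaseLongPath": "c:\\program files\\example tool\\example.exe",
      "FileId": "0000" + _SHA1_A, "Size": 123456, "LinkDate": "01/10/2023 09:00:00"}),
    ("Root\\InventoryApplicationFile\\orphan.exe|deadbeef",
     {"ProgramId": "", "Name": "orphan.exe",
      "LowerCaseLongPath": "c:\\users\\public\\orphan.exe",
      "FileId": "0000" + _SHA1_B, "Size": 4096, "LinkDate": "02/01/2023 12:00:00"}),
    ("Root\\InventoryApplicationShortcut\\{11111111-2222-3333-4444-555555555555}",
     {"ShortcutPath": "C:\\Users\\Public\\Desktop\\Example Tool.lnk"}),
    ("Root\\InventoryDriverBinary\\c:/windows/system32/drivers/example.sys",
     {"DriverName": "c:\\windows\\system32\\drivers\\example.sys", "DriverSigned": 1,
      "DriverCompany": "Example Corp", "Product": "Example Tool",
      "DriverLastWriteTime": "01/12/2023 08:00:00"}),
    # A subkey the normalizer does not handle: it must be skipped, not crash.
    ("Root\\InventoryDevicePnp\\usb\\vid_0000&pid_0000",
     {"Description": "USB Input Device"}),
]


def amcache_file_id_to_sha1(file_id):
    """FileId is the file's SHA-1 prefixed with four zeros; strip the prefix so
    the hash can be pivoted against other sources. Other shapes are returned
    lowercased as-is."""
    file_id = (file_id or "").strip().lower()
    if len(file_id) == 44 and file_id.startswith("0000"):
        return file_id[4:]
    return file_id


def _subkey_of(key_path):
    """Component directly under Root, e.g. 'InventoryDriverBinary'."""
    parts = key_path.split("\\")
    return parts[1] if len(parts) > 1 else ""


def normalize_amcache(keys):
    """Pass 1 indexes InventoryApplication by ProgramId; pass 2 emits one flat
    entry per File/LNK/Driver key, joining File entries to their application
    record. Keys under other subkeys are ignored."""
    apps = {}
    for key_path, values in keys:
        if _subkey_of(key_path) == "InventoryApplication" and values.get("ProgramId"):
            apps[values["ProgramId"]] = values

    entries = []
    for key_path, values in keys:
        entry_type = ENTRY_TYPE_BY_SUBKEY.get(_subkey_of(key_path))
        if entry_type is None:
            continue
        entry = {"Entry Type": entry_type, "Key": key_path, "Installed App": "",
                 "Path": "", "SHA1": "", "Publisher": "", "Timestamp": ""}
        if entry_type == "File":
            app = apps.get(values.get("ProgramId", ""), {})
            # Consolidation: prefer the application record, fall back to the
            # file's own Name so orphaned files stay searchable.
            entry["Installed App"] = app.get("Name") or values.get("Name", "")
            entry["Publisher"] = app.get("Publisher", "")
            entry["Path"] = values.get("LowerCaseLongPath", "")
            entry["SHA1"] = amcache_file_id_to_sha1(values.get("FileId"))
            entry["Timestamp"] = values.get("LinkDate", "")
        elif entry_type == "LNK":
            path = values.get("ShortcutPath", "")
            entry["Path"] = path
            entry["Installed App"] = ntpath.splitext(ntpath.basename(path))[0]
        else:  # Driver
            entry["Path"] = values.get("DriverName", "")
            entry["Installed App"] = values.get("Product", "")
            entry["Publisher"] = values.get("DriverCompany", "")
            entry["Timestamp"] = values.get("DriverLastWriteTime", "")
            entry["Signed"] = bool(values.get("DriverSigned", 0))
        entries.append(entry)
    return entries


def entries_of_type(entries, entry_type):
    """The filter the "Entry Type" field enables, e.g. only Driver entries."""
    return [e for e in entries if e["Entry Type"] == entry_type]
```

Joining on ProgramId is what makes the "Installed App" field trustworthy for File entries; a file whose ProgramId has no InventoryApplication counterpart (the orphan.exe record above) is exactly the kind of entry an analyst wants to keep rather than drop, so it falls back to its own Name instead of being discarded.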

salehmuhaysin commented 1 year ago

Thank you.