Silv3rHorn / autoripy

Attempt to replicate the functions of auto_rip by Corey Harrell in Python.

RegRipper 4.0 support? #5

Closed CmdrBurrito closed 1 month ago

CmdrBurrito commented 7 months ago

I just discovered to my delight, that RegRipper 4.0 was released about 6 months ago! I'm going to be upgrading asap. Can/does "autoripy" need to be updated to support any new RR 4.0 plugins?

SPOILER ALERT!

The answer turned out to be "No update needed". Autoripy release version "autoripy-20240128" (the latest currently available at the time) worked with RegRipper 4.0 without any modifications. However, please note that "autoripy" will attempt to call a number of RegRipper 3.0 plugins (11 to be exact) that have been removed from the current RegRipper 4.0 release (i.e., they have essentially been deprecated). As such, you won't get any output from those plugins unless you copy the old plugin files from your RegRipper3.0\plugins folder over into your RegRipper4.0\plugins folder. In addition, please note that there are also 11 previously deprecated RegRipper 2.8 plugins, that have been brought back in RegRipper 4.0.

The easiest way to deal with this is to use "robocopy" to copy all the .pl files (excluding all _tln plugin files) from the "RegRipper3.0\plugins" folder, AND THEN the "autoripy/deprecatedRR2.8Plugins" folder, into the "RegRipper4.0\plugins" folder, WHILE MAKING SURE TO PREVENT THE OVERWRITING OF ANY EXISTING FILES AT THE DESTINATION! For example:

1) robocopy C:\DFIR_Tools\keydet89\RegRipper3.0\plugins C:\DFIR_Tools\keydet89\RegRipper4.0\plugins *.pl /XC /XN /XO /XF *_tln.pl (Currently copies 15 RR3.0 plugins over)

2) robocopy C:\DFIR_Tools\Silv3rHorn\autoripy\deprecatedRR28Plugins C:\DFIR_Tools\keydet89\RegRipper4.0\plugins *.pl /XC /XN /XO (Currently copies 101 deprecated RR2.8 plugins over)

Make sure to run the copy (without overwrite) operations in the listed order. That is to say, copy the old RR3.0 plugins over first, followed by the deprecated RR2.8 plugins. Again, do NOT overwrite any files that already exist in the destination folder when doing that.

CmdrBurrito commented 7 months ago

It appears that there are currently a number of plugins from RegRipper 3.0 that have been deprecated in RegRipper 4.0. That list of currently deprecated plugins appears to be as follows:

deprecatedRR30Plugins

at ddpe disableeventlog disableuserassist drivers32 exefile heidisql ica_sessions iconlayouts outlook_homepage ScanButton sfc svc svcdll taskcache

Note that this list of (15) plugins is in addition to the list of (112) plugins that you already have in the "deprecatedRR28Plugins" folder. So between the two, that's 127 total deprecated plugins.

As such, I think you should consider adding a separate "deprecatedRR30Plugins" folder (which contains the RR3.0 plugins listed above) to the "autoripy" repo.

CmdrBurrito commented 7 months ago

FYI, of the 15 (non-TLN) "deprecatedRR30Plugins" (listed above), it appears that the current version of autoripy actually only attempts to execute the following 11 plugins:

at.pl ddpe.pl disableeventlog.pl disableuserassist.pl drivers32.pl exefile.pl heidisql.pl iconlayouts.pl outlook_homepage.pl svc.pl svcdll.pl

Meaning that there appear to be four (4) RR 3.0 plugins that the current version of autoripy never attempts to run.

CmdrBurrito commented 6 months ago

FYI, new to RegRipper 4.0 is that nearly all the plugins have now been assigned to a "category". For example, the "adobe.pl" plugin from RR3.0 has been modified slightly in RR4.0 to now belong to a category of plugins called "user activity". As such, I think you might want to consider updating "autoripy" to group plugin output by the new internal categories that are now listed in the plugins themselves. A list of the current RR4.0 pre-defined plugin categories, and the number of (non-TLN) plugins that fall under each category, is as follows:

Count  RR4.0_Plugin_Category_Name
   70  config
   67  persistence
   56  defense evasion
   26  user activity
   22  devices
   13  execution
   10  program execution
    9  "" (BLANK - no category specified)
    9  privilege escalation
    7  credential access
    6  collection
    6  lateral movement
    5  initial access
    3  file existence
    2  malware
    2  syscache
    1  antivirus
    1  base
    1  data staged
    1  deleted
    1  discovery
    1  file access
    1  identity
    1  impact
    1  slack
    1  user execution

CmdrBurrito commented 5 months ago

FYI, I've been busy trying to create an updated/new "plugin_categories.py" file, in order to add the new RegRipper 4.0 plugins into autoripy's repertoire. However, it's been pretty slow going, because even if you eliminate the plugins that output to unusual formats (e.g., the _tln, _json, _yara plugins) you're still looking at adding a potential total of 127 new RR 4.0 plugins to that particular "autoripy" config file. It's been fairly daunting.

However, it occurs to me that given the RR 4.0 plugins already include information about the "categories" that they belong to, as well as the registry hive types that they support, it should be possible to eliminate the "plugin_categories.py" file altogether, and just programmatically group stuff together on the fly.

That way whenever a new plugin is released, it'd get automatically added to the stack of stuff that gets run against your hives. Thoughts?
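The on-the-fly grouping proposed above, as an added illustration that is not part of autoripy or RegRipper: it reads the `hive` and `category` fields out of a plugin's Perl `%config` hash, groups non-TLN plugins by category, and keeps blank categories visible as their own bucket (the thread counts 9 such plugins). The plugin sources below are constructed samples in that `%config` style, not real RR4.0 plugin files.

```python
import re
from collections import defaultdict

# Constructed sample plugin sources (not real RegRipper plugins); the
# %config hash layout mirrors what RegRipper plugins declare.
SAMPLE_PLUGINS = {
    "adobe.pl": 'my %config = (hive => "NTUSER\\.DAT",\n'
                '              category => "user activity",\n'
                '              hasShortDescr => 1,\n'
                '              version => 20200515);',
    "run.pl": 'my %config = (hive => "Software, NTUSER\\.DAT",\n'
              '              category => "persistence",\n'
              '              version => 20200511);',
    "nocat.pl": 'my %config = (hive => "System",\n'
                '              category => "",\n'   # the blank-category case
                '              version => 20200101);',
    "run_tln.pl": 'my %config = (hive => "Software",\n'
                  '              category => "persistence",\n'
                  '              version => 20200511);',
}

CONFIG_RE = re.compile(r'%config\s*=\s*\((.*?)\);', re.S)
FIELD_RE = re.compile(r'(\w+)\s*=>\s*"([^"]*)"')


def parse_plugin(source):
    """Return {'hive': [...], 'category': str} from a plugin's %config hash, or None."""
    m = CONFIG_RE.search(source)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(1)))
    # Hive strings are Perl-escaped ("NTUSER\.DAT") and may list several hives.
    hives = [h.strip().replace("\\.", ".").lower()
             for h in fields.get("hive", "").split(",") if h.strip()]
    return {"hive": hives, "category": fields.get("category", "").strip()}


def group_by_category(plugins, skip_suffixes=("_tln",)):
    """Map category -> sorted plugin stems; blank categories land in '(no category)'."""
    groups = defaultdict(list)
    for name, src in sorted(plugins.items()):
        stem = name[:-3] if name.endswith(".pl") else name
        cfg = None if stem.endswith(skip_suffixes) else parse_plugin(src)
        if cfg is not None:
            groups[cfg["category"] or "(no category)"].append(stem)
    return dict(groups)


def plugins_for_hive(plugins, hive, skip_suffixes=("_tln",)):
    """Plugin stems whose %config lists the given hive (or 'all'), e.g. 'ntuser.dat'."""
    out = []
    for name, src in sorted(plugins.items()):
        stem = name[:-3] if name.endswith(".pl") else name
        cfg = None if stem.endswith(skip_suffixes) else parse_plugin(src)
        if cfg is not None and (hive in cfg["hive"] or "all" in cfg["hive"]):
            out.append(stem)
    return out
```

Pointing the same two functions at a real plugins directory means reading each `.pl` file's text into the dict; plugins whose `%config` cannot be parsed are skipped rather than mis-grouped.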

Silv3rHorn commented 5 months ago

@CmdrBurrito, just wanted to let you know that I will look into this issue tomorrow.

Silv3rHorn commented 5 months ago

@CmdrBurrito, I have decided to not rely on the category field of the plugins for the following reasons:

  1. Splitting plugins into Mitre tactics/techniques does not align with my usual investigation workflow
  2. Some plugins have missing categories
  3. RR4.0 isn't updated very often (only 2 commits last I checked) so updating the categories when new plugins are released should not be too much effort.

I have finished categorizing the 100+ new plugins in RR4.0 today. Would still need to validate and test against some registry hives before pushing the change to the repo.

CmdrBurrito commented 5 months ago

Roger that, I completely understand your reasoning. Also, thank you for all the effort categorizing all the new plugins yourself! That's amazingly awesome! Will keep an eye out for any updates to this repo!

Silv3rHorn commented 5 months ago

Version that supports RegRipper 4.0 released. I have removed the folders that contain deprecated plugins as I felt it isn't right to include them in this repo. If they are still required, they can be obtained from other GitHub repos.

CmdrBurrito commented 5 months ago

I have tried out the new version of autoripy (i.e., "autoripy-20240314"), and it works great!

However, I thought I should mention that lines "23" and "94" of the current "README.md" file in the repo, still have references to the old RegRipper3.0 instead of the new RegRipper4.0. As such, I think you might want to consider updating that file as well.

CmdrBurrito commented 3 months ago

FYI, looks like the "README.md" file still hasn't been updated. You should remove line 23 (which states "Recommendation: Copy the plugin files in deprecatedRR28Plugins to your RegRipper3.0\plugins") from it, and also update line 94 (which still links to "RegRipper 3.0" instead of "RegRipper 4.0"). Regards!

Silv3rHorn commented 1 month ago

Resolved