
Comments (9)

salehmuhaysin avatar salehmuhaysin commented on June 12, 2024

Hi,
please check the changes.
You need to replace the configuration.json file to enable the regtimeline parser:
https://github.com/DFIRKuiper/Kuiper/blob/master/kuiper/app/parsers/regsk/configuration.json


nyrm-f avatar nyrm-f commented on June 12, 2024

hello,

thank you for the add. I've copied over the new configuration.json file and gotten it to parse.

Kuiper does now display the above keys, but the current issue is that it does not show the values for the key.

I think this is because REGtimeline was able to parse NTUSER.dat, but it errors out parsing any SOFTWARE hive I give it, where the values of the key would be stored.

Any ideas?

[Screenshot: Screen Shot 2022-10-12 at 10 07 26 AM]


nyrm-f avatar nyrm-f commented on June 12, 2024

This also had some issues parsing SYSTEM hives.


salehmuhaysin avatar salehmuhaysin commented on June 12, 2024

I think this issue is from the yarp library.
Try to run yarp directly on the hive file; if it fails, that means the problem is in yarp.

Regarding the data: it parses each record as either a key or a value, for example:
[image]
The key is the first record; it will not have a value.
The second record is the value; multiple values will produce multiple records with the same key.
If you want the data for the value, check the record details:
[image]


nyrm-f avatar nyrm-f commented on June 12, 2024

Thanks for the reply. Could you elaborate on how to run yarp on the file?

I've installed a fresh version of Kuiper and I'm still getting issues with SYSTEM and SOFTWARE hives.


salehmuhaysin avatar salehmuhaysin commented on June 12, 2024

Download yarp from here: https://github.com/msuhanov/yarp
then run (from the cloned repository directory, where the yarp-print script lives):

git clone https://github.com/msuhanov/yarp
cd yarp
pip3 install ./
python3 yarp-print <path-to-SYSTEM>

If it worked, that means yarp has no issue opening the file.


nyrm-f avatar nyrm-f commented on June 12, 2024

Hello.

I was able to run yarp with no issues on the same SOFTWARE and SYSTEM hives. It printed right to the terminal, no errors from what I could see.

I got a copy of the malware and ran it in my own VM and have attached it here.

The malicious keys are stored in the NTUSER.dat, although Kuiper is not parsing all of the keys.
[Screenshot: Screen Shot 2022-10-16 at 11 14 10 AM]

I looked at how yarp parses it and can see the keys in question; it's not making it over to Kuiper somehow.

[Screenshot: Screen Shot 2022-10-16 at 11 15 26 AM]

Here is how the keys look in Registry Editor; Kuiper only shows value 3 out of the 7.
[Screenshot: Screen Shot 2022-10-16 at 11 17 46 AM]

test_registries.zip

true_nt.txt

I've also included the file true_nt.txt which is my yarp output of the ntuser.dat in test_registries.zip.

SOFTWARE\Microsoft\Phone\paul0 is the first malicious key, with 7 values. It's a binary split up over 7 keys.

SOFTWARE\Microsoft\Phone\paul is the second malicious key, with 120+ values in it.

I've noticed they are all separate key values.

Would it be possible to have Kuiper stitch these together, so that when you view the value field for SOFTWARE\Microsoft\Phone\paul, for example, all of the 120 values have been reassembled into one value for the key?

This would be very helpful for getting malware out of reg keys.


salehmuhaysin avatar salehmuhaysin commented on June 12, 2024

Hi,

I solved the issue with REGTimeline: the source code for calling the parser function for values was commented out due to the huge number of records generated by the parser, which impacts memory.
I enabled it and modified some parts of the code to improve memory utilization so it will not impact the processing.

Regarding combining the values to generate one record, unfortunately this is not a good idea for two reasons.

  • Kuiper will not know which values should be combined and which should not, so it is not a generic thing.
  • Elasticsearch has a limitation of 32k bytes per field; if I combine the whole binary into one field, it will not index the value in Elasticsearch. Even though it is possible to modify the settings, it might impact Elasticsearch's resources.

Note: I added a troubleshooting guide for parsers here in case you face issues later.

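The reassembly nyrm-f asks for above, and the per-field size constraint salehmuhaysin raises against doing it inside Kuiper, as an added Python example that is not Kuiper's or REGTimeline's code: it takes the per-value records a registry parser emits (one record per value, in arbitrary order), stitches the values of one key back into a single blob in numeric chunk order, flags missing chunks, and reports size and a SHA-256 instead of pushing the blob into an indexed field. The chunk naming scheme (a common prefix plus a numeric suffix), the sample payload, the chunk counts and the use of the key paths from the thread are constructed assumptions for illustration; on a real hive the records would come from yarp's key.values().

```python
"""Reassemble a binary that a dropper split across many registry values.

Added example, not part of Kuiper or REGTimeline. The records below are
constructed; the real ones would be read through yarp (key.values()).
"""
import hashlib
import re
from collections import defaultdict

# Elasticsearch will not index a keyword term longer than this many bytes
# (Lucene's per-term limit), which is why a parser should store a hash and
# size of the reassembled blob rather than the blob itself.
ES_MAX_TERM_BYTES = 32766

# Assumed naming scheme: chunk values share a prefix and end in a number.
_CHUNK_NAME = re.compile(r"^(?P<prefix>.*?)(?P<index>\d+)$")


def chunk_index(value_name):
    """Split a value name like 'p10' into ('p', 10); None if no numeric suffix."""
    m = _CHUNK_NAME.match(value_name)
    if m is None:
        return None
    return m.group("prefix"), int(m.group("index"))


def reassemble(records):
    """Stitch chunked values back into one blob per (key path, name prefix).

    records: iterable of (key_path, value_name, data_bytes), i.e. the
    per-value records a registry parser emits.
    Returns {(key_path, prefix): {...}} with the ordered blob, chunk count,
    missing chunk indices, size, SHA-256 and whether it would exceed the
    Elasticsearch term limit.
    """
    groups = defaultdict(dict)
    for key_path, value_name, data in records:
        parsed = chunk_index(value_name)
        if parsed is None:
            continue  # ordinary value, not part of a split binary
        prefix, index = parsed
        groups[(key_path, prefix)][index] = bytes(data)

    results = {}
    for group_key, chunks in groups.items():
        # Numeric order matters: sorting names as strings would put 'p10'
        # before 'p2' and silently corrupt the reassembled file.
        present = sorted(chunks)
        missing = [i for i in range(present[0], present[-1] + 1) if i not in chunks]
        blob = b"".join(chunks[i] for i in present)
        results[group_key] = {
            "chunks": len(present),
            "missing": missing,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "too_big_for_es_field": len(blob) > ES_MAX_TERM_BYTES,
            "blob": blob,
        }
    return results


# Constructed sample: a 768-byte stand-in payload split into 12 x 64-byte
# values under the first key, emitted in reverse order plus one unrelated
# value; the second key is missing chunk 4, as an incomplete carve would be.
PAYLOAD = bytes(range(256)) * 3
KEY = "SOFTWARE\\Microsoft\\Phone\\paul"
KEY0 = "SOFTWARE\\Microsoft\\Phone\\paul0"
SAMPLE_RECORDS = [(KEY, f"p{i}", PAYLOAD[i * 64:(i + 1) * 64]) for i in range(12)]
SAMPLE_RECORDS.append((KEY, "Version", b"1"))
SAMPLE_RECORDS.reverse()
SAMPLE_RECORDS += [(KEY0, f"p{i}", b"\x90" * 16) for i in range(7) if i != 4]

if __name__ == "__main__":
    for (key_path, prefix), r in reassemble(SAMPLE_RECORDS).items():
        print(f"{key_path} {prefix}*: {r['chunks']} chunks, {r['size']} bytes, "
              f"missing={r['missing']}, sha256={r['sha256']}")
```

Feed it records pulled through yarp for the hive in question and write the blob to disk for the sandbox; the hash, size and missing-chunk list are what belong in an indexed record, and the missing list tells you before any analysis whether the carve is complete.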

nyrm-f avatar nyrm-f commented on June 12, 2024

Understood!

Just tested out the new code and it's working! Thanks so much.

Great to know about the troubleshooting guide, tysm.

