Comments (9)
Hi, please check the changes. You need to replace the configuration.json file to enable the REGtimeline parser:
https://github.com/DFIRKuiper/Kuiper/blob/master/kuiper/app/parsers/regsk/configuration.json

Hello, thank you for the addition. I've copied over the new configuration.json file and gotten it to parse.
Kuiper does now display the above keys, but the current issue is that it does not show the values for the key.
I think this is because REGtimeline was able to parse NTUSER.dat, but it errors out parsing any SOFTWARE hive I give it, where the values of the key would be stored.
Any ideas?

This also had some issues parsing SYSTEM hives.

I think this issue is from the yarp library. Try to run yarp directly on the hive file; if that fails, it means the problem is in yarp.
Regarding the data: it parses each record as either a key or a value. For example, the key is the first record, and it will not have a value. The second record is the value; multiple values will produce multiple records with the same key. If you want the data for the value, check the record details.

Thanks for the reply. Could you elaborate on how to run yarp on the file?
I've installed a fresh version of Kuiper and am still getting issues with SYSTEM and SOFTWARE hives.

Download yarp from here: https://github.com/msuhanov/yarp
Then run:
pip3 install ./
python3 yarp-print <path-to-SYSTEM>
If it works, that means yarp has no issue opening the file.

Hello.
I was able to run yarp on the same SOFTWARE and SYSTEM hives with no issues; it printed right to the terminal with no errors from what I could see.
I got a copy of the malware, ran it in my own VM and have attached it here.
The malicious keys are stored in the NTUSER.dat, although Kuiper is not parsing all of the keys.
I looked at how yarp parses it and can see the keys in question; they're not making it over to Kuiper somehow.
Here is how the keys look in Registry Editor; Kuiper only shows 3 values out of the 7.
I've also included the file true_nt.txt, which is my yarp output of the ntuser.dat, in test_registries.zip.
SOFTWARE\Microsoft\Phone\paul0 is the first malicious key, with 7 values. It's a binary split up over 7 keys.
SOFTWARE\Microsoft\Phone\paul is the second malicious key, with 120+ values in it.
I've noticed they are all separate key values.
Would it be possible to have Kuiper stitch these together, so that when you view the value field for SOFTWARE\Microsoft\Phone\paul, for example, all of the 120 values have been reassembled into one value for the key?
This would be very helpful for getting malware out of registry keys.

Hi,
I solved the issue with REGtimeline: the source code for calling the parser function for values was commented out due to the huge number of records generated by the parser, which impacts memory.
I enabled it and modified some parts of the code to improve memory utilization so it will not impact the processing.
Regarding combining the values to generate one record, unfortunately this is not good for two reasons:
- Kuiper will not know which values should be combined and which should not, so it is not a generic thing.
- Elasticsearch has a limitation of 32k bytes per field; if I combine the whole binary in one field, it will not index the value into Elasticsearch. Even though it is possible to modify the settings, it might impact Elasticsearch's resources.
Note: I added a troubleshooting guide for parsers here in case you face issues later.
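Since Kuiper will not stitch the chunked values itself, the reassembly can be done as a post-processing step over the records REGtimeline emits (one record per key, one per value sharing the same key, as the maintainer describes above). The script below is an added example, not Kuiper's or yarp's code; the record field names (`record_type`, `key`, `value_name`, `data`) and the sample records are constructed assumptions. It natural-sorts the value names so "10" comes after "2", reports missing chunk indexes, and flags whether the blob would exceed the per-field limit mentioned above.

```python
import hashlib
import re

# Lucene/Elasticsearch refuses to index a keyword term longer than this many
# bytes; this is the "32k bytes per field" limit discussed in the thread.
ES_MAX_TERM_BYTES = 32766


def _natural_key(name):
    """Sort '0','1',...,'10' numerically rather than lexically ('1','10','2')."""
    return [int(t) if t.isdigit() else t.lower() for t in re.split(r"(\d+)", name)]


def reassemble_key_values(records, key_path):
    """Stitch all value records of one registry key back into one byte string.

    records: dicts in an assumed REGtimeline-like shape: 'record_type' is
    'key' or 'value', 'key' is the key path, 'value_name' and 'data' (bytes)
    are set on value records. Returns (blob, report).
    """
    wanted = key_path.lower()
    chunks = [r for r in records
              if r["record_type"] == "value" and r["key"].lower() == wanted]
    chunks.sort(key=lambda r: _natural_key(r["value_name"]))
    blob = b"".join(r["data"] for r in chunks)
    names = [r["value_name"] for r in chunks]
    # A missing numbered chunk (e.g. '0','1','3') would silently corrupt the
    # reassembled payload, so surface the gaps to the analyst.
    numbers = [int(n) for n in names if n.isdigit()]
    gaps = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers)) if numbers else []
    report = {
        "value_count": len(chunks),
        "order": names,
        "missing_indexes": gaps,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "fits_es_field": len(blob) <= ES_MAX_TERM_BYTES,
    }
    return blob, report


# Constructed sample records (not real malware data): one key record followed
# by one record per value, with the value names deliberately out of order.
SAMPLE_KEY = r"SOFTWARE\Microsoft\Phone\paul0"
SAMPLE_RECORDS = [
    {"record_type": "key", "key": SAMPLE_KEY, "value_name": "", "data": b""},
    {"record_type": "value", "key": SAMPLE_KEY, "value_name": "2", "data": b"CC"},
    {"record_type": "value", "key": SAMPLE_KEY, "value_name": "10", "data": b"KK"},
    {"record_type": "value", "key": SAMPLE_KEY, "value_name": "0", "data": b"AA"},
    {"record_type": "value", "key": SAMPLE_KEY, "value_name": "1", "data": b"BB"},
]

if __name__ == "__main__":
    blob, report = reassemble_key_values(SAMPLE_RECORDS, SAMPLE_KEY)
    print(report)
```

Hashing the reassembled blob gives an indicator you can store in Kuiper's index even when the blob itself is too large for a field.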
Understood!
Just tested out the new code and it's working! Thanks so much.
Great to know about the troubleshooting guide, tysm.