This artifact collects all the user’s NTUser.dat registry hives.
When a user logs into a windows machine the system creates their own “profile” which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in.
This artifact bypasses the locking mechanism by extracting the registry hives using raw NTFS parsing. We then just upload all hives to the server.
name: Windows.Registry.NTUser.Upload
description: |
This artifact collects all the user's NTUser.dat registry hives.
When a user logs into a windows machine the system creates their own
"profile" which consists of a registry hive mapped into the
HKEY_USERS hive. This hive file is locked as long as the user is
logged in.
This artifact bypasses the locking mechanism by extracting the
registry hives using raw NTFS parsing. We then just upload all hives
to the server.
parameters:
- name: userRegex
default: .
type: regex
sources:
- precondition: |
SELECT OS From info() where OS = 'windows'
query: |
LET users = SELECT
Name,
expand(path=Directory) AS HomeDir
FROM Artifact.Windows.Sys.Users()
WHERE HomeDir AND Name =~ userRegex
SELECT upload(file=HomeDir + "\\ntuser.dat",
accessor="auto") as Upload
FROM users