#![allow(clippy::too_many_lines)]
use super::super::super::types::{
ArtifactDescriptor, ArtifactType, DataScope, Decoder, HiveTarget, OsScope, TriagePriority,
};
/// Recent Items directory (`%APPDATA%\Microsoft\Windows\Recent\*`), the LNK shortcut
/// folder that NirSoft LastActivityView reads for recently accessed files and folders.
///
/// NOTE(review): T1547.009 is the "Shortcut Modification" persistence technique; confirm
/// that mapping is intended for a user-activity artifact rather than a persistence one.
pub(crate) static NIRSOFT_LAST_ACTIVITY_RECENT_ITEMS: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_last_activity_recent_items",
    name: "LastActivityView — Recent Items",
    meaning: "Recent files and folders accessed by the user (LNK shortcuts). Documented by NirSoft LastActivityView.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%APPDATA%\\Microsoft\\Windows\\Recent\\*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1547.009"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/computer_activity_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `History` SQLite database in the default profile, as parsed by
/// NirSoft BrowsingHistoryView.
pub(crate) static NIRSOFT_BROWSING_HISTORY_CHROME: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_browsing_history_chrome",
    name: "BrowsingHistoryView — Chrome History",
    meaning: "Chrome browsing history SQLite DB as parsed by NirSoft BrowsingHistoryView.",
    artifact_type: ArtifactType::File,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1217"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/browsing_history_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `places.sqlite` in the `*.default-release` profile, as parsed by
/// NirSoft BrowsingHistoryView.
///
/// NOTE(review): the glob only matches `default-release` profiles; other profile
/// directory names are not covered by this descriptor.
pub(crate) static NIRSOFT_BROWSING_HISTORY_FIREFOX: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_browsing_history_firefox",
    name: "BrowsingHistoryView — Firefox History",
    meaning: "Firefox browsing history (places.sqlite) as parsed by NirSoft BrowsingHistoryView.",
    artifact_type: ArtifactType::File,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default-release\\places.sqlite"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1217"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/browsing_history_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Log files under `%SystemRoot%\System32\LogFiles\*`, associated here with
/// NirSoft NetworkConnectLog.
pub(crate) static NIRSOFT_NETWORK_CONNECT_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_network_connect_log",
    name: "NetworkConnectLog — System Log Files",
    meaning:
        "Network connection log files in System32\\LogFiles. Parsed by NirSoft NetworkConnectLog.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\LogFiles\\*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1049"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/network_connect_log.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `HKLM\SYSTEM\CurrentControlSet\Enum\USB` — USB device enumeration entries
/// listed by NirSoft USBDeview.
pub(crate) static NIRSOFT_USBDEVIEW_ENUM_USB: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_usbdeview_enum_usb",
    name: "USBDeview — USB Device Enumeration",
    meaning: "USB device enumeration entries in HKLM\\SYSTEM. Parsed by NirSoft USBDeview to list connected USB devices.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::HklmSystem),
    key_path: "CurrentControlSet\\Enum\\USB",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1052", "T1025"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/usb_devices_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` — USB mass storage device
/// history (serial numbers, connection history).
pub(crate) static NIRSOFT_USBDEVIEW_ENUM_USBSTOR: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_usbdeview_enum_usbstor",
    name: "USBDeview — USB Storage Device History",
    meaning: "USB mass storage device history in HKLM\\SYSTEM\\USBSTOR. Records device serial numbers and connection history.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::HklmSystem),
    key_path: "CurrentControlSet\\Enum\\USBSTOR",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1052", "T1025"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/usb_devices_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// ShellBag `Bags` entries in `UsrClass.dat` (folder view settings), parsed by
/// NirSoft ShellBagsView.
pub(crate) static NIRSOFT_SHELLBAGS_USRCLASS_BAGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_shellbags_usrclass_bags",
    name: "ShellBagsView — UsrClass ShellBags",
    meaning: "ShellBag entries in UsrClass.dat recording folder view settings — proves folder access even after deletion. Parsed by NirSoft ShellBagsView.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::UsrClass),
    key_path: "Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1083"],
    fields: &[],
    related_artifacts: &[],
    sources: &[
        "https://www.nirsoft.net/utils/shell_bags_view.html",
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shellbags/",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// ShellBag `BagMRU` entries in `NTUSER.DAT` (folder navigation history).
pub(crate) static NIRSOFT_SHELLBAGS_NTUSER_BAGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_shellbags_ntuser_bags",
    name: "ShellBagsView — NTUSER ShellBags",
    meaning: "ShellBag MRU entries in NTUSER.DAT. Tracks folder navigation history.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::NtUser),
    key_path: "Software\\Microsoft\\Windows\\Shell\\BagMRU",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1083"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/shell_bags_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Automatic Jump List directory (`*.automaticDestinations-ms`), parsed by
/// NirSoft JumpListsView.
///
/// NOTE(review): T1547.009 is the "Shortcut Modification" persistence technique; confirm
/// that mapping is intended for a user-activity artifact.
pub(crate) static NIRSOFT_JUMPLISTS_AUTOMATIC_DESTINATIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_jumplists_automatic_destinations",
    name: "JumpListsView — Automatic Destinations",
    meaning: "Automatic Jump List files (*.automaticDestinations-ms) — records recent files opened by each application. Parsed by NirSoft JumpListsView.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%APPDATA%\\Microsoft\\Windows\\Recent\\AutomaticDestinations"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1547.009"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/jump_lists_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Custom Jump List directory (`*.customDestinations-ms`): pinned items and
/// application-defined tasks.
///
/// NOTE(review): T1547.009 is the "Shortcut Modification" persistence technique; confirm
/// that mapping is intended for a user-activity artifact.
pub(crate) static NIRSOFT_JUMPLISTS_CUSTOM_DESTINATIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_jumplists_custom_destinations",
    name: "JumpListsView — Custom Destinations",
    meaning: "Custom Jump List files (*.customDestinations-ms) — pinned items and tasks defined by applications.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%APPDATA%\\Microsoft\\Windows\\Recent\\CustomDestinations"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1547.009"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/jump_lists_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `MuiCache` key in `UsrClass.dat`: display names of executables that have run,
/// which survive deletion of the binary. Documented by NirSoft MUICacheView.
pub(crate) static NIRSOFT_MUICACHE_LOCAL_SETTINGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_muicache_local_settings",
    name: "MUICache — Program Execution Evidence",
    meaning: "MUICache stores program display names for executables that have run — evidence of program execution even after binary deletion. Documented by NirSoft MUICacheView.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::UsrClass),
    key_path: "Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1059"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/muicache_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `RecentDocs` key in `NTUSER.DAT`: per-extension MRU lists of recently opened
/// documents, parsed by NirSoft RecentFilesView.
pub(crate) static NIRSOFT_RECENTFILES_RECENTDOCS_KEY: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_recentfiles_recentdocs_key",
    name: "RecentFilesView — RecentDocs Registry Key",
    meaning: "Registry key tracking recently opened documents — per-extension MRU lists. Parsed by NirSoft RecentFilesView.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::NtUser),
    key_path: "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1083"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/recent_files_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WLAN profile XML directory under `wlansvc\Profiles\Interfaces`: previously
/// connected Wi-Fi networks (SSIDs), parsed by NirSoft WifiHistoryView.
pub(crate) static NIRSOFT_WIFI_HISTORY_PROFILES_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_wifi_history_profiles_dir",
    name: "WifiHistoryView — WLAN Profiles Directory",
    meaning: "WLAN XML profile files listing previously connected Wi-Fi networks (includes SSID). Parsed by NirSoft WifiHistoryView.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\wlansvc\\Profiles\\Interfaces"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1049"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/wifi_history_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
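/// Windows Credential Manager store directory (`%APPDATA%\Microsoft\Credentials`),
/// the location NirSoft NetworkPasswordRecovery reads.
///
/// The evidence caveat and volatility rationale used to describe *browser* password
/// stores ("Encrypted browser passwords", "browser profile deletion"), which do not apply
/// to this artifact; both now describe the Credential Manager store itself.
pub(crate) static NIRSOFT_NETWORK_PASSWORDS_CRED_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_network_passwords_cred_dir",
    name: "NetworkPasswordRecovery — Credentials Store",
    meaning: "Windows Credential Manager store. May contain cached network passwords and domain credentials. Parsed by NirSoft NetworkPasswordRecovery.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%APPDATA%\\Microsoft\\Credentials"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Credential material: highest triage priority, and collected output must be
    // handled as sensitive.
    triage_priority: TriagePriority::Critical,
    mitre_techniques: &["T1555.004"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/network_password_recovery.html"],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    // Caveat describes the Credential Manager blobs, not browser password stores.
    evidence_caveats: &["Credential blobs are DPAPI-protected with the user's master key; presence proves stored credentials exist, not their contents; file timestamps reflect last write"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credential files persist until removed via Credential Manager or the user profile is deleted",
};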
/// `SAM\Domains\Account\Users` in the SAM hive: local account entries including
/// NT/LM password hashes.
///
/// Output collected from this descriptor is credential material and must be handled
/// as sensitive.
pub(crate) static NIRSOFT_SAM_HIVE_REG: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_sam_hive_reg",
    name: "SAM Hive — Account Database",
    meaning: "SAM hive users sub-key contains NT/LM password hashes for local accounts. Relevant to NirSoft's password recovery tools.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::HklmSam),
    key_path: "SAM\\Domains\\Account\\Users",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Critical,
    mitre_techniques: &["T1003.002"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/sam_password_recovery.html"],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Local account credential hashes; NTLM offline cracking risk"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SAM hive persists across reboots; protected in-use by Windows",
};
/// The user's `NTUSER.DAT` hive file, the input NirSoft RegistryChangesView diffs
/// before/after execution.
pub(crate) static NIRSOFT_REGISTRY_CHANGES_NTUSER: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_registry_changes_ntuser",
    name: "RegistryChangesView — NTUSER.DAT",
    meaning: "User registry hive (NTUSER.DAT) — source for RegistryChangesView to diff registry before/after malware execution.",
    artifact_type: ArtifactType::File,
    // The hive is collected as a file here, not via a registry key path.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%USERPROFILE%\\NTUSER.DAT"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1112"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/registry_changes_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Live open-file-handle information as shown by NirSoft OpenedFilesView.
///
/// NOTE(review): `file_path` is the raw physical disk device `\\.\PhysicalDrive0`, not a
/// file that holds handle information. A collector that opens `ArtifactType::File` paths
/// for reading would attempt to read the whole disk (and needs administrative rights to
/// open the device at all). Confirm whether this descriptor should instead be modelled as
/// a live, non-file artifact.
pub(crate) static NIRSOFT_OPENED_FILES_VIEW_HANDLE: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_opened_files_view_handle",
    name: "OpenedFilesView — Open File Handles",
    meaning: "NirSoft OpenedFilesView queries the OS for open file handles — live artifact useful during triage to identify locked files.",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("\\\\.\\PhysicalDrive0"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1083"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/opened_files_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Prefetch files (`%SystemRoot%\Prefetch\*.pf`) used by NirSoft
/// ProcessActivityView to reconstruct execution history.
pub(crate) static NIRSOFT_PROCESS_ACTIVITY_PREFETCH: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_process_activity_prefetch",
    name: "ProcessActivityView — Prefetch Files",
    meaning: "Windows Prefetch files used by NirSoft ProcessActivityView to reconstruct process execution history.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\Prefetch\\*.pf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1059"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/process_activity_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Drivers32` key under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`:
/// audio/video codec registrations, as documented by NirSoft InstalledCodec.
pub(crate) static NIRSOFT_INSTALLED_CODEC_AUDIO: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_installed_codec_audio",
    name: "InstalledCodec — Audio/Video Codec Registry",
    meaning: "Audio/video codec registrations — sometimes abused for persistence (DLL hijacking via codec paths). Documented by NirSoft InstalledCodec.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::HklmSoftware),
    key_path: "Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1546"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/installed_codec.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// System-wide `Run` key (`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`):
/// entries launched for every user at logon.
pub(crate) static NIRSOFT_STARTUP_RUN_HKLM_RUN: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_startup_run_hklm_run",
    name: "Startup Run — HKLM Run Key",
    meaning: "System-wide Run key — programs listed here launch for all users at logon. A primary persistence mechanism documented by NirSoft StartupRun.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::HklmSoftware),
    key_path: "Microsoft\\Windows\\CurrentVersion\\Run",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1547.001"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/startup_run_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Run` key in `NTUSER.DAT`: entries launched when that user logs on.
pub(crate) static NIRSOFT_STARTUP_RUN_HKCU_RUN: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_startup_run_hkcu_run",
    name: "Startup Run — HKCU Run Key",
    meaning: "Per-user Run key — programs listed here launch when the current user logs on. Common persistence mechanism.",
    artifact_type: ArtifactType::RegistryKey,
    // Registry-backed artifact: no file path.
    hive: Some(HiveTarget::NtUser),
    key_path: "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    mitre_techniques: &["T1547.001"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/startup_run_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Application crash dump directory (`%LOCALAPPDATA%\CrashDumps`) listed by
/// NirSoft AppCrashView. Dumps may contain process memory, so collected output
/// should be handled as potentially sensitive.
pub(crate) static NIRSOFT_APP_CRASH_DUMPS_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "nirsoft_app_crash_dumps_dir",
    name: "AppCrashView — Crash Dump Directory",
    meaning: "Application crash dump files. May contain credential material or memory forensics artefacts. Listed by NirSoft AppCrashView.",
    artifact_type: ArtifactType::Directory,
    // Filesystem-backed artifact: no registry location.
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%LOCALAPPDATA%\\CrashDumps"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &["T1003"],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://www.nirsoft.net/utils/app_crash_view.html"],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};