Merge pull request #89 from esecrpm/master

AndrewRathbun · web-flow · commit bb0e21e3489e · 2025-03-31T11:16:16.000-04:00
Update DFIRBatch.reb
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
@@ -57,6 +57,7 @@ Example entry, please follow this format:
 | 2.08 | 2024-12-07 | Added WinSCP DEFAULT artifact back and added Advanced IP Scanner and Advanced Port Scanner Artifacts |
 | 2.09 | 2024-12-19 | Added Angry IP Scanner Artifacts |
 | 2.10 | 2025-01-18 | Added System ProductType and ProductSuite Artifacts |
+| 2.11 | 2025-03-31 | Added Threat Hunt for WinLogon Shell and Userinit values |
 
 # Documentation
 
diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
@@ -1,7 +1,7 @@
 Description: DFIR RECmd Batch File
-Author: Andrew Rathbun
-Version: 2.10
-Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
+Author: Andrew Rathbun, esecrpm
+Version: 2.11
+Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
 Keys:
 #
 # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md
@@ -3561,6 +3561,78 @@ Keys:
 # THREAT HUNTING
 # --------------------
 
+    -
+        Description: WinLogon Shell
+        HiveType: NTUSER
+        Category: Threat Hunting
+        KeyPath: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
+        ValueName: Shell
+        Recursive: false
+        Comment: "Contains the default shell environment for Windows, normally 'explorer.exe'"
+
+# https://attack.mitre.org/techniques/T1547/004
+# https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+
+    -
+        Description: WinLogon Shell
+        HiveType: SOFTWARE
+        Category: Threat Hunting
+        KeyPath: Microsoft\Windows NT\CurrentVersion\WinLogon
+        ValueName: Shell
+        Recursive: false
+        Comment: "Contains the default shell environment for Windows, normally 'explorer.exe'"
+
+# https://attack.mitre.org/techniques/T1547/004
+# https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+
+    -
+        Description: WinLogon Shell
+        HiveType: SOFTWARE
+        Category: Threat Hunting
+        KeyPath: WOW6432Node\Microsoft\Windows NT\CurrentVersion\WinLogon
+        ValueName: Shell
+        Recursive: false
+        Comment: "Contains the default shell environment for Windows, normally 'explorer.exe'"
+
+# https://attack.mitre.org/techniques/T1547/004
+# https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+
+    -
+        Description: WinLogon UserInit
+        HiveType: NTUSER
+        Category: Threat Hunting
+        KeyPath: SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
+        ValueName: Userinit
+        Recursive: false
+        Comment: "Userinit.exe is launched by winlogon.exe and runs logon scripts for the user, reestablishes network connections, and then starts Explorer.exe. It also specifies programs Winlogon should run when a user logs on. Typically contains 'userinit.exe,'."
+
+# https://attack.mitre.org/techniques/T1547/004
+# https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+
+    -
+        Description: WinLogon UserInit
+        HiveType: SOFTWARE
+        Category: Threat Hunting
+        KeyPath: Microsoft\Windows NT\CurrentVersion\WinLogon
+        ValueName: Userinit
+        Recursive: false
+        Comment: "Userinit.exe is launched by winlogon.exe and runs logon scripts for the user, reestablishes network connections, and then starts Explorer.exe. It also specifies programs Winlogon should run when a user logs on. Typically contains 'userinit.exe,'."
+
+# https://attack.mitre.org/techniques/T1547/004
+# https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+
+    -
+        Description: WinLogon UserInit
+        HiveType: SOFTWARE
+        Category: Threat Hunting
+        KeyPath: WOW6432Node\Microsoft\Windows NT\CurrentVersion\WinLogon
+        ValueName: Userinit
+        Recursive: false
+        Comment: "Userinit.exe is launched by winlogon.exe and runs logon scripts for the user, reestablishes network connections, and then starts Explorer.exe. It also specifies programs Winlogon should run when a user logs on. Typically contains 'userinit.exe,'."
+
+# https://attack.mitre.org/techniques/T1547/004
+# https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+
     -
         Description: Shadow RDP Sessions
         HiveType: SOFTWARE
