creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
0fbcbdf8ddfc4342277f03b2ddb60be33ca6dcb1
Anthropic-Cybersecurity-Skills/skills/analyzing-windows-shellbag-artifacts/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

84 lines
2.1 KiB
Markdown
Raw Blame History

# API Reference: Windows ShellBag Forensics
## SBECmd (Eric Zimmerman)
### Syntax
```bash
SBECmd.exe -d <registry_dir> # Process directory of hives
SBECmd.exe --hive <NTUSER.DAT> # Single hive
SBECmd.exe -d <dir> --csv <output_dir> # CSV export
SBECmd.exe -d <dir> -l # Live system registry
```
### Output Fields
| Field | Description |
|-------|-------------|
| AbsolutePath | Full reconstructed folder path |
| CreatedOn | Folder creation timestamp |
| ModifiedOn | Folder modification timestamp |
| AccessedOn | Folder access timestamp |
| MFTEntryNumber | NTFS MFT reference |
| ShellType | Folder, network, zip, etc. |
## ShellBags Explorer (GUI)
### Features
- Tree view of folder access history
- Timeline view of access patterns
- Filtering by date range
- Export to CSV/JSON
## Registry Paths
### NTUSER.DAT
```
Software\Microsoft\Windows\Shell\BagMRU
Software\Microsoft\Windows\Shell\Bags
Software\Microsoft\Windows\ShellNoRoam\BagMRU
```
### UsrClass.dat
```
Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Local Settings\Software\Microsoft\Windows\Shell\Bags
```
## regipy (Python)
### Installation
```bash
pip install regipy
```
### Usage
```python
from regipy.registry import RegistryHive
hive = RegistryHive("NTUSER.DAT")
key = hive.get_key("Software\Microsoft\Windows\Shell\BagMRU")
for value in key.iter_values():
print(value.name, type(value.value))
```
## Shell Item Types
| Type Byte | Description |
|-----------|-------------|
| 0x1F | Root folder (GUID - Desktop, My Computer) |
| 0x2F | Volume (drive letter) |
| 0x31 | File entry (directory) |
| 0x32 | File entry (file) |
| 0x41 | Network location |
| 0x42 | Compressed folder |
| 0x46 | Network share (UNC path) |
| 0x71 | Control Panel item |
## Forensic Value
| Artifact | Intelligence |
|----------|-------------|
| Network paths | Remote share access (lateral movement) |
| USB paths | Removable media (data exfiltration) |
| Deleted folders | Evidence of anti-forensics awareness |
| Temp directories | Staging areas for tools/malware |
| AppData paths | Persistence mechanism locations |
| Recycle Bin | Awareness of deleted content |
Reference in New Issue View Git Blame Copy Permalink