Anthropic-Cybersecurity-Skills/skills/analyzing-windows-shellbag-artifacts/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Reference: Windows ShellBag Forensics

## SBECmd (Eric Zimmerman)

### Syntax

```cmd
SBECmd.exe -d <registry_dir>              # Process directory of hives
SBECmd.exe --hive <NTUSER.DAT>            # Single hive
SBECmd.exe -d <dir> --csv <output_dir>    # CSV export
SBECmd.exe -d <dir> -l                    # Live system registry
```

### Output Fields

| Field | Description |
|---|---|
| AbsolutePath | Full reconstructed folder path |
| CreatedOn | Folder creation timestamp |
| ModifiedOn | Folder modification timestamp |
| AccessedOn | Folder access timestamp |
| MFTEntryNumber | NTFS MFT reference |
| ShellType | Folder, network, zip, etc. |

## ShellBags Explorer (GUI)

### Features

- Tree view of folder access history
- Timeline view of access patterns
- Filtering by date range
- Export to CSV/JSON

## Registry Paths

### NTUSER.DAT

```text
Software\Microsoft\Windows\Shell\BagMRU
Software\Microsoft\Windows\Shell\Bags
Software\Microsoft\Windows\ShellNoRoam\BagMRU
```

### UsrClass.dat

```text
Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Local Settings\Software\Microsoft\Windows\Shell\Bags
```

## regipy (Python)

### Installation

```bash
pip install regipy
```

### Usage

```python
from regipy.registry import RegistryHive

# Open an exported (offline) NTUSER.DAT. The key path is a raw string so
# the backslashes are not interpreted as Python escape sequences.
hive = RegistryHive("NTUSER.DAT")
key = hive.get_key(r"Software\Microsoft\Windows\Shell\BagMRU")

# Each numbered value holds one raw shell item (bytes); the nested
# subkeys under BagMRU give the folder hierarchy.
for value in key.iter_values():
    print(value.name, type(value.value))
```

## Shell Item Types

| Type Byte | Description |
|---|---|
| 0x1F | Root folder (GUID - Desktop, My Computer) |
| 0x2F | Volume (drive letter) |
| 0x31 | File entry (directory) |
| 0x32 | File entry (file) |
| 0x41 | Network location |
| 0x42 | Compressed folder |
| 0x46 | Network share (UNC path) |
| 0x71 | Control Panel item |
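The regipy snippet above only reports the Python type of each BagMRU value; the bytes themselves are shell items whose third byte (after the 2-byte size) is the type byte from the table. The parser below is an added example, not code from the original page or from regipy or SBECmd: it walks a size-prefixed item list, classifies each item by type byte, decodes the DOS timestamp and short name of 0x31/0x32 file entries, and joins the names into a path. The sample bytes are constructed here and deliberately simplified: real file entries also carry a 0xBEEF0004 extension block with the long Unicode name and FILETIME stamps, which this parser does not read. Feed it `value.value` from the regipy loop to try it on a real hive.

```python
import struct
from datetime import datetime

# Type byte -> description (the Shell Item Types table above).
SHELL_ITEM_TYPES = {
    0x1F: "Root folder",
    0x2F: "Volume",
    0x31: "File entry (directory)",
    0x32: "File entry (file)",
    0x41: "Network location",
    0x42: "Compressed folder",
    0x46: "Network share (UNC path)",
    0x71: "Control Panel item",
}


def decode_dos_datetime(date_word, time_word):
    """Decode a packed MS-DOS date/time pair (2-second resolution); None when unset or invalid."""
    if date_word == 0 and time_word == 0:
        return None
    try:
        return datetime(
            1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
            time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2,
        )
    except ValueError:
        return None


def _cstring(buf):
    """ASCII bytes up to the first NUL."""
    end = buf.find(b"\x00")
    return (buf if end < 0 else buf[:end]).decode("ascii", errors="replace")


def parse_shell_item_list(data):
    """Walk [uint16 size][item body]... until a zero size; returns one dict per item."""
    items, offset = [], 0
    while offset + 2 <= len(data):
        (size,) = struct.unpack_from("<H", data, offset)
        if size == 0:                      # list terminator
            break
        if size < 3 or offset + size > len(data):
            raise ValueError(f"malformed shell item at offset {offset}: size {size}")
        body = data[offset:offset + size]
        type_byte = body[2]
        item = {"type": type_byte, "kind": SHELL_ITEM_TYPES.get(type_byte, "Unknown"),
                "name": None, "modified": None}
        if type_byte == 0x2F:
            item["name"] = _cstring(body[3:])          # volume item: name follows the type byte, e.g. "C:\"
        elif type_byte in (0x31, 0x32):
            # File entry layout: type(1) unknown(1) file_size(4) dos_date(2) dos_time(2) attrs(2) short_name
            if size < 15:
                raise ValueError(f"truncated file entry at offset {offset}")
            file_size, dos_date, dos_time, attrs = struct.unpack_from("<IHHH", body, 4)
            item.update(file_size=file_size, attributes=attrs,
                        modified=decode_dos_datetime(dos_date, dos_time),
                        name=_cstring(body[14:]))
        items.append(item)
        offset += size
    return items


def reconstruct_path(items):
    """Join volume and file-entry names into a Windows path; root GUID items carry no text."""
    return "\\".join(it["name"].rstrip("\\") for it in items if it["name"])


# --- constructed sample data (not captured from a real hive) ---
def _volume_item(drive):
    body = b"\x2f" + drive.encode("ascii") + b"\x00"
    return struct.pack("<H", 2 + len(body)) + body


def _dir_item(short_name, dos_date, dos_time, attrs=0x10):
    body = b"\x31\x00" + struct.pack("<IHHH", 0, dos_date, dos_time, attrs)
    body += short_name.encode("ascii") + b"\x00"
    return struct.pack("<H", 2 + len(body)) + body


# 0x586F / 0x53C0 encode 2024-03-15 10:30:00 in DOS date/time.
SAMPLE_BAGMRU_VALUE = _volume_item("C:\\") + _dir_item("TOOLS", 0x586F, 0x53C0) + b"\x00\x00"

if __name__ == "__main__":
    parsed = parse_shell_item_list(SAMPLE_BAGMRU_VALUE)
    for it in parsed:
        print(f"0x{it['type']:02X} {it['kind']:<24} {it['name']!r} {it['modified']}")
    print("path:", reconstruct_path(parsed))
```

The size check before each unpack is what keeps a corrupted or truncated value from raising an IndexError deep inside the loop; on real hives, compare the reconstructed path and DOS timestamp against SBECmd's AbsolutePath and ModifiedOn columns to validate the parse.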

## Forensic Value

| Artifact | Intelligence |
|---|---|
| Network paths | Remote share access (lateral movement) |
| USB paths | Removable media (data exfiltration) |
| Deleted folders | Evidence of anti-forensics awareness |
| Temp directories | Staging areas for tools/malware |
| AppData paths | Persistence mechanism locations |
| Recycle Bin | Awareness of deleted content |
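To turn the Forensic Value table into a first-pass triage of SBECmd output, the script below is an added example (not part of the page or of SBECmd) that reads the CSV export, tags each AbsolutePath with the categories from the table, and returns only the rows worth an analyst's attention. The CSV rows are constructed here; the column names AbsolutePath, ShellType and ModifiedOn are the ones listed in the Output Fields table. The rules are heuristics: a non-C: drive letter is flagged as a candidate removable volume, and the analyst must confirm against USB and volume artifacts before calling it exfiltration.

```python
import csv
import io
import re

# Heuristic path patterns keyed to the Forensic Value table; rule order is the tag order.
TRIAGE_RULES = [
    ("network share (lateral movement)", re.compile(r"^\\\\[^\\]+\\")),
    ("recycle bin (deleted content)", re.compile(r"\\\$Recycle\.Bin(\\|$)", re.I)),
    ("temp directory (staging)", re.compile(r"\\(Temp|tmp)(\\|$)", re.I)),
    ("AppData (persistence)", re.compile(r"\\AppData\\", re.I)),
    ("non-system volume (verify removable media)", re.compile(r"^[D-Z]:\\", re.I)),
]


def tag_path(path):
    """Return every triage tag whose pattern matches the path, in rule order."""
    return [tag for tag, rx in TRIAGE_RULES if rx.search(path)]


def triage_sbecmd_csv(text):
    """Parse SBECmd CSV text and return the flagged rows with their tags."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        path = (row.get("AbsolutePath") or "").strip()
        tags = tag_path(path)
        if tags:
            hits.append({"path": path,
                         "shell_type": row.get("ShellType", ""),
                         "modified": row.get("ModifiedOn", ""),
                         "tags": tags})
    return hits


# Constructed sample rows in the shape of an SBECmd CSV export (not real case data).
SAMPLE_CSV = "\n".join([
    r"AbsolutePath,ShellType,ModifiedOn",
    r"C:\Users\alice\Documents,Directory,2024-03-15 10:30:00",
    r"\\fileserver\finance$,Network share,2024-03-16 08:02:10",
    r"E:\backup,Directory,2024-03-16 08:15:44",
    r"C:\Users\alice\AppData\Roaming\Updater,Directory,2024-03-16 09:01:03",
    r"C:\Windows\Temp\staging,Directory,2024-03-16 09:05:27",
    r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001,Directory,2024-03-16 09:40:12",
]) + "\n"

if __name__ == "__main__":
    for hit in triage_sbecmd_csv(SAMPLE_CSV):
        print(f"{hit['modified']}  {hit['path']}")
        for tag in hit["tags"]:
            print(f"    - {tag}")
```

Sorting the hits by ModifiedOn and reading them alongside the unflagged rows gives the sequence of folder interactions; a Temp or AppData folder opened right after a network share is the pattern the table is pointing at, and the flags only say where to look, not what happened.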