Anthropic-Cybersecurity-Skills/skills/analyzing-windows-registry-for-artifacts/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Analyzing Windows Registry for Artifacts

## regipy

### Open Registry Hive

```python
from regipy.registry import RegistryHive

# Load an offline hive file (e.g. a user's NTUSER.DAT copied from a disk image).
reg = RegistryHive("/path/to/NTUSER.DAT")
key = reg.get_key("Software\\Microsoft\\Windows\\CurrentVersion\\Run")
# Key last-write time; stored as a Windows FILETIME (100 ns ticks since 1601-01-01).
print(key.header.last_modified)
# Each autostart value: name and the command it launches.
for val in key.iter_values():
    print(val.name, val.value)
```

### Iterate Subkeys

```python
key = reg.get_key("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall")
# One subkey per installed product; the last-write time approximates install/update time.
for subkey in key.iter_subkeys():
    print(subkey.name, subkey.header.last_modified)
```

## Key Forensic Registry Paths

| Path | Hive | Artifact |
|------|------|----------|
| `Microsoft\Windows\CurrentVersion\Run` | SOFTWARE / NTUSER | Autostart entries |
| `Microsoft\Windows\CurrentVersion\RunOnce` | SOFTWARE / NTUSER | One-time autostart |
| `CurrentVersion\Explorer\UserAssist` | NTUSER | Program execution (ROT13) |
| `CurrentVersion\Explorer\RecentDocs` | NTUSER | Recently opened documents |
| `CurrentVersion\Explorer\TypedPaths` | NTUSER | Explorer address bar history |
| `ControlSet00X\Enum\USBSTOR` | SYSTEM | USB device history |
| `MountedDevices` | SYSTEM | Drive letter assignments |
| `CurrentVersion\Uninstall` | SOFTWARE | Installed software |
| `ControlSet00X\Control\ComputerName` | SYSTEM | Computer name |
| `ControlSet00X\Control\TimeZoneInformation` | SYSTEM | System timezone |

## UserAssist Decoding

```python
import codecs, struct
from datetime import datetime, timedelta


def decode_userassist(rot13_name, data):
    # Value names are ROT13-encoded. The value data (Windows 7 and later) is a
    # 72-byte structure: run count at offset 4, last-execution FILETIME
    # (100 ns ticks since 1601-01-01 UTC) at offset 60.
    decoded_name = codecs.decode(rot13_name, "rot_13")
    run_count = struct.unpack_from("<I", data, 4)[0]
    timestamp = struct.unpack_from("<Q", data, 60)[0]
    ts = datetime(1601, 1, 1) + timedelta(microseconds=timestamp // 10)
    return decoded_name, run_count, ts
```
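The following is an added example, not code from the original reference or from the skill repository. It decodes a complete UserAssist value (Windows 7 and later layout: session id, run count, focus count, focus time and last-execution FILETIME) from a constructed sample, and the `filetime_to_datetime` helper is the same conversion needed for the raw `key.header.last_modified` value returned by regipy above. The sample name, bytes and timestamp are constructed for illustration; `datetime_to_filetime` exists only to build that sample.

```python
"""
Added example (not part of the original reference): decode a full
UserAssist value from constructed sample data, and convert FILETIME
values (UserAssist timestamps, key.header.last_modified) to UTC datetimes.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USERASSIST_SIZE = 72  # Windows 7+ value layout


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(rot13_name, data):
    """Decode one UserAssist value (Windows 7+ layout).

    Offsets: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16..55 ten floats, 56 reserved, 60 last-execution FILETIME, 68 reserved.
    A zero FILETIME is returned as None rather than as the 1601 epoch.
    """
    if len(data) < USERASSIST_SIZE:
        raise ValueError(f"UserAssist data too short: {len(data)} bytes")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "name": codecs.decode(rot13_name, "rot_13"),
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


# Constructed sample value (not captured from a real system).
SAMPLE_LAST_RUN = datetime(2024, 1, 15, 12, 30, tzinfo=timezone.utc)
SAMPLE_NAME = codecs.encode("C:\\Windows\\System32\\cmd.exe", "rot_13")
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 5, 3, 12000)  # session, run count, focus count, focus ms
    + b"\x00" * 44                         # ten floats + reserved dword (offsets 16..59)
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))  # offset 60
    + b"\x00" * 4                          # trailing reserved dword (offset 68)
)

if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    for field, value in entry.items():
        print(f"{field:12} {value}")
```

Run counts and focus times are cumulative per value, so when triaging a hive compare them with the key's last-write time and with the decoded `last_run` rather than reading any one field in isolation; a non-zero run count with a zero FILETIME is a normal sight for entries carried over from older Windows versions.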

## RegRipper Plugins

```bash
# NTUSER.DAT analysis
rip.pl -r NTUSER.DAT -p userassist
rip.pl -r NTUSER.DAT -p recentdocs
rip.pl -r NTUSER.DAT -p typedurls

# SYSTEM hive
rip.pl -r SYSTEM -p compname
rip.pl -r SYSTEM -p usbstor
rip.pl -r SYSTEM -p shutdown
```

## References