Dump binary registry data to file #164
Comments
|
This should be a straightforward addition, a really old package does something like this (EvilGrab) so I will update the code and signatures to a more general feature. |
|
I've created a signature as the first step in building this feature - if you could test it out and make sure it triggers where you expect it to (i.e. whenever a PE image is written to the registry) that would be great. Or if you can supply the hashes, even better. Then I will create a package to dump them out. |
|
This will handle PE files nicely. However, there are often times that scripts and config data are also written to the registry. It would be good to handle these instances as well. I would dump anything with a size greater than 16KB (see creates_largekey.py signature.) |
|
Something else to consider, the binary maybe be obfuscated as well. |
Powershell shadowcopy modification into Curtain
Malware can write binaries to the registry for persistence, etc. It would be nice to capture the data/binary as either a dropped file or supplementary file. I know the registry API hooks are logging the data, but it's limited to a small buffer currently.
I'd say this is more of a feature request than an issue.
The text was updated successfully, but these errors were encountered: