Dump binary registry data to file #164
Comments
This should be a straightforward addition, a really old package does something like this (EvilGrab) so I will update the code and signatures to a more general feature.
I've created a signature as the first step in building this feature - if you could test it out and make sure it triggers where you expect it to (i.e. whenever a PE image is written to the registry) that would be great. Or if you can supply the hashes, even better. Then I will create a package to dump them out.
This will handle PE files nicely. However, there are often times that scripts and config data are also written to the registry. It would be good to handle these instances as well. I would dump anything with a size greater than 16KB (see creates_largekey.py signature.)
Something else to consider, the binary may be obfuscated as well.
Malware can write binaries to the registry for persistence, etc. It would be nice to capture the data/binary as either a dropped file or supplementary file. I know the registry API hooks are logging the data, but it's limited to a small buffer currently.
I'd say this is more of a feature request than an issue.
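The thread proposes two triggers for dumping a registry value as a dropped file: the value is a PE image, or it is larger than 16KB. The following is an added example of that logic, not Cuckoo's own code or the signature mentioned above. It assumes a hypothetical record layout for hooked RegSetValueEx calls (api, key_path, a hex-encoded buffer, and a buffer_truncated flag); the real behaviour-log schema may differ. Because the hooks only log a limited buffer, a value whose MZ header is visible but whose PE signature lies beyond the captured bytes is reported separately rather than dropped silently.

```python
"""Flag and dump registry writes carrying a PE image or a large binary blob.

Added example for this issue, not Cuckoo's code. The record fields
(api, key_path, buffer, buffer_truncated) are an assumed schema.
"""
import hashlib
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

LARGE_VALUE_THRESHOLD = 16 * 1024  # the 16KB cut-off suggested in the thread

REG_WRITE_APIS = ("RegSetValueExA", "RegSetValueExW", "NtSetValueKey")


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_value(data: bytes, truncated: bool = False) -> Optional[str]:
    """Label a value worth dumping, or None if it is uninteresting.

    A buffer cut short by the hook's size limit may show 'MZ' but not the
    PE signature; report it as a suspected PE so the key can be re-read.
    """
    if is_pe_image(data):
        return "pe_image"
    if truncated and data[:2] == b"MZ":
        return "pe_image_truncated"
    if len(data) > LARGE_VALUE_THRESHOLD:
        return "large_value"
    return None


def dump_registry_writes(records: List[Dict], outdir: Path) -> List[Dict]:
    """Write every interesting value under outdir, named by SHA-256."""
    outdir.mkdir(parents=True, exist_ok=True)
    dumped = []
    for rec in records:
        if rec.get("api") not in REG_WRITE_APIS:
            continue
        data = bytes.fromhex(rec["buffer"])
        label = classify_value(data, rec.get("buffer_truncated", False))
        if label is None:
            continue
        digest = hashlib.sha256(data).hexdigest()
        path = outdir / f"{digest}.bin"
        path.write_bytes(data)
        dumped.append({"key": rec["key_path"], "label": label,
                       "size": len(data), "sha256": digest, "file": str(path)})
    return dumped


def fake_pe(total_size: int = 1024) -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew=0x80, 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    return body + b"\x00" * (total_size - len(body))


# Constructed sample records, not real sandbox output.
SAMPLE_RECORDS = [
    {"api": "RegSetValueExW", "key_path": r"HKCU\Software\Classes\payload",
     "buffer": fake_pe().hex(), "buffer_truncated": False},
    {"api": "RegSetValueExW", "key_path": r"HKCU\Software\Loader\stage1",
     "buffer": fake_pe()[:0x50].hex(), "buffer_truncated": True},
    {"api": "RegSetValueExW", "key_path": r"HKCU\Software\Loader\config",
     "buffer": (b"A" * (LARGE_VALUE_THRESHOLD + 1)).hex(), "buffer_truncated": False},
    {"api": "RegSetValueExW",
     "key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "buffer": "C:\\Users\\Public\\u.exe".encode("utf-16-le").hex(),
     "buffer_truncated": False},
]


def run_sample() -> List[str]:
    """Dump the sample records into a scratch directory; return the labels."""
    with tempfile.TemporaryDirectory() as tmp:
        return [hit["label"] for hit in dump_registry_writes(SAMPLE_RECORDS, Path(tmp))]


if __name__ == "__main__":
    print(run_sample())
```

The plain Run-key string in the sample is neither a PE nor over the threshold, so it is left alone; the 0x50-byte truncated copy of the PE is labelled pe_image_truncated rather than missed, which is the case the original report's remark about the small hook buffer is about.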