updates.txt
20141015
-updated/modified usb.pl, usbstor.pl, wpdbusenum.pl
20140821
-created at.pl, at_tln.pl
20140808
-updated inprocserver.pl, removed inprocserver_u.pl
20140807
-created del.pl, del_tln.pl
20140730
-updated winzip.pl
-updated ares.pl (G. Nieves submission)
-updated lsa_packages.pl & shares.pl (S. Kelm submission)
-created secrets.pl, based on input from Jamie Levy
20140724
-updated appcompatcache.pl w/ 64-bit Win8.1 support, based on
data provided by Shafik Punja
20140723
-updated applets.pl
-updated ie_version.pl
20140721
-update to mountdev2.pl submitted/incorporated
------------------------------------------------------------
20140512
-updated uninstall.pl, uninstall_tln.pl
20140510
-added profiler.pl
20140501 (These plugins were added to the available online archive)
-added processor_architecture.pl, wevtx.pl (C. Harrell)
-updated pagefile.pl (C. Harrell)
20140416
-updated usbdevices.pl (updates by J. Chau)
20140415
-added winevt.pl (C. Harrell)
-removed winlivemail.pl, winlivemsn.pl (errors)
-removed streammru.pl, streams.pl
20140414
-added knowndev.pl, ddo.pl (J. Chau)
-RELEASED
20140408
-updated lsasecrets.pl (improved error message)
20140326
-created susclient.pl
20142020
-updated recentdocs_tln.pl
20140203
-added winscp.pl (not associated with winscp_sessions.pl)
20140131
-added reading_locations.pl, from Jason Hale
20140115
-updated user_run.pl to look for odd char in paths
20131210
-updated crashcontrol.pl
-updated amcache.pl
20131118
-created cdstaginginfo.pl
20131108
-updated svc.pl to look for WOW64 value in service keys;
indicative of a 32-bit EXE running on a 64-bit OS
20131025
-created startup.pl
20131011
-created kankan.pl plugin
20131010
-created vawtrak.pl
-updated svcll.pl with Derbusi detection
-updated svc.pl (Backdoor.Kopdel checks)
20131009
-created ahaha.pl
20131008
-created opencandy.pl plugin
20131007
-created lazyshell.pl, comfoo.pl
-updated imagefile.pl with carnal0wnage link to sticky keys info
20130930
-updated appcompatflags.pl to support Win8 Store key
20130925
-retired compatassist.pl; functionality rolled into appcompatflags.pl
20130911
-updated svc.pl/svc_tln.pl to alert on FailureAction value
-updated installedcomp.pl to look for StubPath values that point to
rundll32, but point to other than a .dll (i.e., some malware points to
.cpl files)
20130910
-updated winlogon.pl/winlogon_tln.pl to check for GinaDLL value
20130905
-removed winlivemsn.pl from ntuser profile - Module dependencies make it
throw errors (if I had test data, I'd rewrite it)
-updated installedcomp.pl to make the output more searchable
-created netsvcs.pl plugin
20130904
-created rlo.pl plugin (all hives)
-updated backuprestore.pl (cleaned up code)
20130830
-updated timezone.pl, based on findings from Mike W.
20130801
-added initial Win8 support to appcompatcache.pl
-added cross-platform support to rip.pl (File::Spec)
20130731
-updated ie_settings.pl
20130711
-created pending.pl
20130706
-updated appcompatflags.pl to retrieve values from Persisted key
20130630
-updated usbstor.pl - added parsing of Properties values (Win7)
-updated devclass.pl - added additional device class check
20130603
-updated alert code (new alert function & check for ADSs)
  -appcompatcache.pl, inprocserver.pl, clsid.pl
  -appcompatcache_tln.pl, soft_run.pl, user_run.pl, srun_tln.pl, urun_tln.pl
  -svc.pl, svcdll.pl, svc_tln.pl
20130530
-updated mountdev.pl to address endian issues in display of disk signatures
20130522
-minor changes to attachmgr.pl, attachmgr_tln.pl
20130514
-updated itempos.pl to parse ItemPos* value data beneath ShellNoRoam\Bags subkeys
20130513
-updated userinfo.pl to include UserName value beneath "Common" subkey
20130509
-added alert and warnings to appcompatcache.pl, appcompatcache_tln.pl
-updated svc.pl, retired svc2.pl
-created svc_tln.pl, based on svc.pl
20130504
-added alert to Run key plugins to check for %AppData% paths (malware)
20130429
-created winlogon_tln.pl, applets_tln.pl
-added alertMsg() func. to:
  -brisv.pl, inprocserver.pl, inprocserver_u.pl, iejava.pl,
   spp_clients.pl
-retired scanwithav.pl (func. included in attachmgr.pl)
-retired taskman.pl (func. included in winlogon.pl)
-retired vista_wireless.pl (func. in networklist.pl)
20130425
-RegRipper and rip updated to v2.8; added alertMsg() capability
-retired userinit.pl (functionality included in winlogon.pl)
-created new plugins
  -srun_tln.pl, urun_tln.pl, cmdproc_tln.pl
  -cmd_shell_tln.pl, muicache_tln.pl
-added alertMsg() functionality to rip.pl, rr.pl, and plugins
  -appcompatcache.pl, appcompatcache_tln.pl
  -appinitdlls.pl
  -soft_run.pl, user_run.pl
  -imagefile.pl
  -winlogon.pl, winlogon_u.pl
  -muicache.pl (look for values with "[Tt]emp" paths)
  -attachmgr.pl (look for values per KB 883260)
  -virut.pl
  -cmdproc.pl, cmd_shell.pl
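The alert heuristics the 20130911 (installedcomp.pl StubPath/rundll32), 20130504 (Run key %AppData%) and 20130425 (muicache.pl "[Tt]emp") entries describe, as an added Python illustration that is not RegRipper code: it runs the three checks over constructed sample registry values; SAMPLE_VALUES, scan and the function names are assumptions, and matching the expanded \AppData\ form alongside the literal %AppData% is an added generalisation.

```python
import re
# Constructed sample values (not from any real system) shaped as a RegRipper plugin
# walks them: (key path under the hive root, value name, value data).
SAMPLE_VALUES = [
    (r"Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID-1}", "StubPath",
     r"rundll32.exe C:\Windows\system32\iesetup.dll,IEHardenUser"),
    (r"Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID-2}", "StubPath",
     r"rundll32.exe C:\Windows\system32\wlsetup.cpl,Run"),
    (r"Microsoft\Windows\CurrentVersion\Run", "Updater", r"%AppData%\svchost\updater.exe"),
    (r"Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    (r"Microsoft\Windows\ShellNoRoam\MUICache", r"C:\Users\bob\AppData\Local\Temp\inst.exe", "inst"),
]

# rundll32 [quote]<first argument, up to a closing quote or the comma before the entry point>
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)

def stubpath_alert(data):
    """20130911 installedcomp.pl check: StubPath runs rundll32 on a non-.dll target."""
    m = RUNDLL32_RE.search(data)
    if not m:
        return None
    target = m.group(1).strip()
    return None if target.lower().endswith(".dll") else "rundll32 target is not a DLL: " + target

def run_alert(data):
    """20130504 Run-key %AppData% check; matching the expanded \\AppData\\ form is an added generalisation."""
    if "%appdata%" in data.lower() or re.search(r"\\appdata\\", data, re.IGNORECASE):
        return "Run value launches from an AppData path: " + data
    return None

def temp_alert(path):
    """20130425 muicache.pl check: a value whose path contains '[Tt]emp'."""
    return "path contains Temp: " + path if re.search(r"[Tt]emp", path) else None

def scan(values):
    """Apply each check to the values its plugin would read; return alert lines."""
    alerts = []
    for key, name, data in values:
        if name == "StubPath":
            msg = stubpath_alert(data)
        elif key.endswith(r"CurrentVersion\Run"):
            msg = run_alert(data)
        elif key.endswith("MUICache"):
            msg = temp_alert(name)  # MUICache value names are the executable paths
        else:
            msg = None
        if msg:
            alerts.append(f"ALERT: {key}\\{name}: {msg}")
    return alerts
```

Running scan(SAMPLE_VALUES) flags the .cpl StubPath, the %AppData% Run value and the Temp-path MUICache entry, and stays quiet on the two benign samples.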
20130411
-retired specaccts.pl & notify.pl; incorporated functionality into
winlogon.pl
20130410
-retired taskman.pl; merged into winlogon.pl
-updated winlogon.pl (Wow6432Node support, etc.)
-updated winlogon_u.pl (Wow6432Node support)
-updated shellexec.pl, imagefile.pl, installedcomp.pl (Wow6432Node support)
20130409
-added drivers32.pl (C. Harrell) to the archive
20130408
-updated bho.pl to support Wow6432Node
20130405
-updated cmd_shell.pl to include Clients subkey in the Software hive
-created cmd_shell_u.pl
-fixed issue with rip.exe syntax info containing 'rr'
-fixed banner in findexes.pl