Created
August 24, 2022 04:06
scudette created this gist
Aug 24, 2022
@@ -0,0 +1,179 @@ remappings: - type: permissions permissions: - COLLECT_CLIENT - FILESYSTEM_READ - FILESYSTEM_WRITE - READ_RESULTS - MACHINE_STATE - SERVER_ADMIN - type: impersonation os: windows hostname: Virtual Host env: - key: SystemRoot value: C:\Windows - key: WinDir value: C:\Windows disabled_functions: - amsi - lookupSID - token disabled_plugins: - users - certificates - handles - pslist - interfaces - modules - netstat - partitions - proc_dump - proc_yara - vad - winobj - wmi - type: mount description: 'Mount the partition /shared/mnt/flat (offset 122683392) on the C: drive (NTFS)' from: accessor: raw_ntfs prefix: | { "DelegateAccessor": "offset", "Delegate": { "DelegateAccessor": "file", "DelegatePath": "/shared/mnt/flat", "Path":"122683392" }, "Path": "/" } "on": accessor: ntfs prefix: '\\.\C:' path_type: ntfs - type: mount description: 'Mount the partition /shared/mnt/flat (offset 122683392) on the C: drive (File Accessor)' from: accessor: raw_ntfs prefix: | { "DelegateAccessor": "offset", "Delegate": { "DelegateAccessor": "file", "DelegatePath": "/shared/mnt/flat", "Path":"122683392" }, "Path": "/" } "on": accessor: file prefix: 'C:' path_type: windows - type: mount description: 'Mount the partition /shared/mnt/flat (offset 122683392) on the C: drive (Auto Accessor)' from: accessor: raw_ntfs prefix: | { "DelegateAccessor": "offset", "Delegate": { "DelegateAccessor": "file", "DelegatePath": "/shared/mnt/flat", "Path":"122683392" }, "Path": "/" } "on": accessor: auto prefix: 'C:' path_type: windows - type: mount description: Map the /Windows/System32/Config/SOFTWARE Registry hive on HKEY_LOCAL_MACHINE\Software (Prefixed at /) from: accessor: raw_reg prefix: |- { "Path": "/", "DelegateAccessor": "raw_ntfs", "Delegate": { "DelegateAccessor":"offset", "Delegate": { "DelegateAccessor": "file", "DelegatePath": "/shared/mnt/flat", "Path": "122683392" }, "Path":"/Windows/System32/Config/SOFTWARE" } } path_type: registry "on": accessor: registry prefix: 
HKEY_LOCAL_MACHINE\Software path_type: registry - type: mount description: Map the /Windows/System32/Config/SYSTEM Registry hive on HKEY_LOCAL_MACHINE\System (Prefixed at /) from: accessor: raw_reg prefix: |- { "Path": "/", "DelegateAccessor": "raw_ntfs", "Delegate": { "DelegateAccessor":"offset", "Delegate": { "DelegateAccessor": "file", "DelegatePath": "/shared/mnt/flat", "Path": "122683392" }, "Path":"/Windows/System32/Config/SYSTEM" } } path_type: registry "on": accessor: registry prefix: HKEY_LOCAL_MACHINE\System path_type: registry - type: mount description: Map the /Windows/System32/Config/SYSTEM Registry hive on HKEY_LOCAL_MACHINE\System\CurrentControlSet (Prefixed at /ControlSet001) from: accessor: raw_reg prefix: |- { "Path": "/ControlSet001", "DelegateAccessor": "raw_ntfs", "Delegate": { "DelegateAccessor":"offset", "Delegate": { "DelegateAccessor": "file", "DelegatePath": "/shared/mnt/flat", "Path": "122683392" }, "Path":"/Windows/System32/Config/SYSTEM" } } path_type: registry "on": accessor: registry prefix: HKEY_LOCAL_MACHINE\System\CurrentControlSet path_type: registry - type: shadow from: accessor: zip "on": accessor: zip - type: shadow from: accessor: raw_reg "on": accessor: raw_reg - type: shadow from: accessor: data "on": accessor: data
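Review bot: The last registry mount pins `/ControlSet001` as the source for `HKEY_LOCAL_MACHINE\System\CurrentControlSet`, but the control set that was active on the imaged system is recorded in the SYSTEM hive under `Select\Current` and is not always 001, so artifacts that read CurrentControlSet (services, drivers, network configuration) would silently read a stale set on an image where it differs. A comment on that mount such as `# Confirm HKLM\SYSTEM\Select\Current on this image; change /ControlSet001 if it is not the active set` would at least make the assumption visible, and deriving the value from the hive would remove it. The image path `/shared/mnt/flat` and offset `122683392` are repeated in the delegate of all six mounts, so pointing the remapping at another image means six edits, and one missed edit leaves an inconsistent view in which the NTFS accessors and the hives come from different partitions; a header comment naming the image and the partition offset they must all share would help. The permissions block also grants `FILESYSTEM_WRITE` and `SERVER_ADMIN`, which read-only analysis of a mounted image presumably does not need, so it is worth trimming to what the intended artifacts actually require.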