this is probably covered by #23, but since I'm working on an extractor for artifacts, I'd like to understand how wildcards are used in the artifacts:
Many of the REGISTRY_KEY artifacts have a \* at the end. My understanding is that this means a subkey. This is strange, because some of the defined registry paths (e.g. the Autorun "Run"-Keys in WindowsRunKeys) clearly do not have subkeys, but still are given with a \* at the end. Although not all of them do, for example WindowsControlPanelFilePaths.
Can you clarify if a wildcard at the end of a REGISTRY_KEY path means "All subkeys" or "All values in this key" or both?
Thanks!
Demian
I think the wildcard can refer to both subkeys and values. I think intuitively that makes sense, like a * in filesystems can mean both files and subdirectories, but I agree that this might cause confusion.
Thanks for the quick answer! I'll handle it like this, then :-)
I don't 100% agree that this is intuitive though: My understanding was that the type of REGISTRY_KEY already means "All the values in this key" as opposed to REGISTRY_VALUE, which specifies exactly one value within a key. The wildcard in the path seems redundant at least.
If we are looking at a key which has values as well as subkeys, what is the wildcard at the end supposed to mean? "Export all the values of this key and all the values of the subkeys"? Then one could argue it should be *\* instead. But just exporting the names of the subkeys without content does not seem very useful. I hope you can see where my confusion is coming from ;-)
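The three readings discussed in this thread, as an added example (not code from the artifacts project or from either poster): a sketch over a constructed in-memory registry that shows what a trailing `\*` collects when read as subkeys only, values only, or both. The tree layout, `open_key`, `expand_registry_key` and the `mode` parameter are assumptions made for illustration, and the no-wildcard case follows the "all the values in this key" reading stated above.

```python
# Constructed sample registry (names and data are made up for illustration).
# Each key node is {"values": {name: data}, "subkeys": {name: node}}.
def _key(values=None, subkeys=None):
    return {"values": values or {}, "subkeys": subkeys or {}}

SAMPLE = _key(subkeys={
    "Run": _key(values={"Updater": "C:\\tools\\upd.exe"}),   # values only
    "Services": _key(values={"Flags": 1}, subkeys={           # values and subkeys
        "svcA": _key(values={"ImagePath": "a.sys"}),
        "svcB": _key(values={"ImagePath": "b.sys"}),
    }),
})

def open_key(root, path):
    """Walk a backslash-separated key path case-insensitively; None if missing."""
    node = root
    for part in filter(None, path.split("\\")):
        name = next((k for k in node["subkeys"] if k.lower() == part.lower()), None)
        if name is None:
            return None
        node = node["subkeys"][name]
    return node

def expand_registry_key(root, pattern, mode="both"):
    """Return sorted (kind, path, data) tuples collected for one key path.

    mode is "subkeys", "values" or "both": the three readings of a trailing
    wildcard. A path with no wildcard is read as "all values in this key".
    """
    wildcard = pattern.endswith("\\*")
    base = pattern[:-2] if wildcard else pattern
    key = open_key(root, base)
    if key is None:
        return []
    out = []
    if not wildcard or mode in ("values", "both"):
        out += [("value", f"{base}\\{n}", d) for n, d in key["values"].items()]
    if wildcard and mode in ("subkeys", "both"):
        out += [("subkey", f"{base}\\{n}", None) for n in key["subkeys"]]
    return sorted(out, key=lambda t: (t[0], t[1]))

if __name__ == "__main__":
    for pattern in ("Run\\*", "Services\\*"):
        for mode in ("subkeys", "values", "both"):
            print(pattern, mode, expand_registry_key(SAMPLE, pattern, mode))
```

In this sketch the "both" reading returns subkey names without their values, so an extractor that wants the contents of matched subkeys has to descend into them itself.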