Add application_execution tag to certain Amcache entries

log2timeline · May 6, 2022 · c902dbf · c902dbf
1 parent 1c5ec4d
commit c902dbf
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/data/tag_windows.txt b/data/tag_windows.txt
@@ -11,6 +11,7 @@ application_execution
   data_type is 'windows:registry:mrulistex' AND entries contains '.exe'
   data_type is 'windows:registry:userassist' AND value_name contains '.exe'
   data_type is 'windows:tasks:job'
+  parser is 'winreg/amcache' AND data_type is 'windows:registry:key_value' AND values contains 'BundleManifestPath'
 
 # Tags Windows application installation events.
 application_install