Cleaned up WindowsServices artifact definition (ForensicArtifacts#446)

coperni · Dec 5, 2021 · 883da02 · 883da02
1 parent bfba89b
commit 883da02
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 25 deletions.
diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """ForensicArtifacts.com Artifact Repository."""
 
-__version__ = '20211107'
+__version__ = '20211205'
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-artifacts (20211107-1) unstable; urgency=low
+artifacts (20211205-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Forensic artifacts <[email protected]>  Sun, 07 Nov 2021 17:26:29 +0100
+ -- Forensic artifacts <[email protected]>  Sun, 05 Dec 2021 14:40:08 +0100
diff --git a/data/windows.yaml b/data/windows.yaml
@@ -1959,30 +1959,14 @@ urls:
 - 'https://www.silentrunners.org/Silent%20Runners.vbs'
 ---
 name: WindowsServices
-doc: |
-  Windows services from the Registry.
-
-  Malware can add new services to gain persistence, or modify
-  existing ones to avoid detection. For example, the ZeroAccess
-  rootkit will make the following changes to the WSCSVC (Windows
-  Security Service Center), WINDEFEND (Windows Defender),
-  and MPSSVC (Windows Firewall) services, among others
-
-  * Set 'Start' to 4, indicating that the service should be disabled
-  * Set 'DeleteFlag' to 1, indicating that the service should be removed
-  * Set 'ErrorControl' to 0 and 'Type' to 32, causing it to fail to be
-    started by the Service Controller and no error messages generated
+doc: Windows service and driver configurations.
 sources:
 - type: REGISTRY_KEY
   attributes:
-    keys:
-    - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\*'
-    - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\Parameters\*'
+    keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*']
 labels: [Software]
 supported_os: [Windows]
-urls:
-- 'https://support.microsoft.com/kb/103000'
-- 'https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'
+urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ServicesAndDrivers.html']
 ---
 name: WindowsActionCenterSettings
 doc: |
@@ -2895,7 +2879,7 @@ sources:
     paths: ['%%environ_systemroot%%\System32\sru\SRUDB.dat']
     separator: '\'
 supported_os: [Windows]
-urls: ['https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc']
+urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/SystemResourceUsageMonitor.html']
 ---
 name: WindowsTempDirectories
 doc: Contents of the Windows temporary directories

diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md
@@ -3,13 +3,13 @@
 The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data)
 and the format is described in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html).
 
-Status of the repository as of 2021-11-07
+Status of the repository as of 2021-12-05
 
 Description | Number
 --- | ---
 Number of artifact definitions: | 580
 Number of file paths: | 1234
-Number of Windows Registry key paths: | 680
+Number of Windows Registry key paths: | 679
 
 ### Artifact definition source types