Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

motherboard_info winreg plugin #4953

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

motherboard_info winreg plugin #4953

wants to merge 10 commits into from
+200 −0

Conversation

elad-levi-cyberark
Copy link

@elad-levi-cyberark elad-levi-cyberark commented Feb 16, 2025
edited by joachimmetz
Loading

motherboard_info winreg plugin

Description:

This plugin extract from the Windows registry the following information:

  • Motherboard Manufacturer
  • Motherboard Model
  • BIOS Release Date
  • BIOS Version

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

  • Automated checks (GitHub Actions, AppVeyor) pass
  • No new new dependencies are required or l2tdevtools has been updated
  • Reviewer assigned

@elad-levi-cyberark
Copy link
Author

elad-levi-cyberark commented Feb 17, 2025
edited
Loading

Passed AppVeyor tests, waiting for approvals to start GitHub Actions workflows

joachimmetz
joachimmetz reviewed Feb 23, 2025
View reviewed changes
plaso/parsers/winreg_plugins/__init__.py Outdated
@@ -31,3 +31,4 @@
from plaso.parsers.winreg_plugins import winlogon
from plaso.parsers.winreg_plugins import winrar
from plaso.parsers.winreg_plugins import windows_version
from plaso.parsers.winreg_plugins import motherboard_info
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style nit: please use alphabetical order

joachimmetz
joachimmetz reviewed Feb 23, 2025
View reviewed changes
plaso/data/formatters/windows.yaml Outdated
- '{bios_version}'
- 'Origin: {key_path}'
short_source: 'REG'
source: 'Registry Key'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style nit: make sure line has end-of-line character

joachimmetz
joachimmetz reviewed Feb 23, 2025
View reviewed changes
plaso/data/timeliner.yaml Outdated
attribute_mappings:
- name: 'last_written_time'
description: 'Content Modification Time'
place_holder_event: false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style nit: make sure line has end-of-line character

@joachimmetz
Copy link
Member

@elad-levi-cyberark thanks for the proposed plug-in could you provide me a bit of context about your use case, given what it looks like, the plugin does not parse additional values it just wraps them in an unique event data type.

@joachimmetz joachimmetz self-assigned this Feb 23, 2025
@codecov Codecov
Copy link

codecov bot commented Feb 23, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.06%. Comparing base (9d4e13c) to head (55a7f2a).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4953   +/-   ##
=======================================
  Coverage   85.05%   85.06%           
=======================================
  Files         431      432    +1     
  Lines       38648    38676   +28     
=======================================
+ Hits        32873    32898   +25     
- Misses       5775     5778    +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@elad-levi-cyberark
Copy link
Author

@elad-levi-cyberark thanks for the proposed plug-in could you provide me a bit of context about your use case, given what it looks like, the plugin does not parse additional values it just wraps them in an unique event data type.

I'm using Plaso output in Timesketch, and obviously all registry key value pairs are displayed.
It's just that the Windows registry is a mess, so instead of relying everybody knows where to look for a specific piece of information - I think it can be useful to summarize them.

If it's a finding (IoC, evidence of execution, etc.) I usually just write a sigma rule in Timesketch, but because this is just info I find it more useful as a data type

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joachimmetz joachimmetz joachimmetz left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@joachimmetz joachimmetz

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elad-levi-cyberark @joachimmetz