Satharus/MUICache.yml

## MUICache.yml
name: Custom.Windows.Registry.MUICache
description: |
  Parses the system's MUI cache from the registry

author: Ahmed Elmayyah & eduardocm

parameters:
  - name: ModernRegistryGlob
    default: HKEY_USERS\*\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache**
  - name: LegacyRegistryGlob
    default: HKEY_USERS\*\Software\Microsoft\Windows\ShellNoRoam\MuiCache**
  - name: userRegex
    default: .

# Mitre ATT&CK Mapping
  - name: tactic
    description: ATT&CK tactic
    default: execution
    type: hidden

#Windows 7 and later:       HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
#Windows Vista and before:  HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MuiCache

#Velociraptor isn't available on OSs before Windows Vista, there is no point in including them: https://github.com/Velocidex/velociraptor#supported-platforms

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - queries:
      - LET OSVersion = SELECT Platform FROM info() where OS = 'windows'

      - LET users <= SELECT Name, UUID FROM Artifact.Windows.Sys.Users() WHERE Name =~ userRegex

      - SELECT * FROM if(
        condition=(OSVersion =~ 'Vista'),
        then={
            SELECT Data.value as Name, Name as Path, {
                SELECT Name FROM users WHERE UUID=regex_replace(source=FullPath, re=".+\\\\(S-[^\\\\]+)\\\\.+", replace="$1")
             } as User
             FROM glob(globs=LegacyRegistryGlob, accessor='registry') where FullPath =~ "MuiCache" and Path != "MuiCache" and Path != "LangID"},

        else={
            SELECT Data.value as Name, Name as Path, {
                SELECT Name FROM users WHERE UUID=regex_replace(source=FullPath, re=".+\\\\(S-[^\\\\]+)\\\\.+", replace="$1")
             } as User
             FROM glob(globs=ModernRegistryGlob, accessor='registry') where FullPath =~ "MuiCache" and Path != "MuiCache" and Path != "LangID"})
	name: Custom.Windows.Registry.MUICache
	description: \|
	Parses the system's MUI cache from the registry

	author: Ahmed Elmayyah & eduardocm

	parameters:
	- name: ModernRegistryGlob
	default: HKEY_USERS\\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache*
	- name: LegacyRegistryGlob
	default: HKEY_USERS\\Software\Microsoft\Windows\ShellNoRoam\MuiCache*
	- name: userRegex
	default: .

	# Mitre ATT&CK Mapping
	- name: tactic
	description: ATT&CK tactic
	default: execution
	type: hidden

	#Windows 7 and later: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
	#Windows Vista and before: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MuiCache

	#Velociraptor isn't available on OSs before Windows Vista, there is no point in including them: https://github.com/Velocidex/velociraptor#supported-platforms

	precondition: SELECT OS From info() where OS = 'windows'

	sources:
	- queries:
	- LET OSVersion = SELECT Platform FROM info() where OS = 'windows'

	- LET users <= SELECT Name, UUID FROM Artifact.Windows.Sys.Users() WHERE Name =~ userRegex

	- SELECT * FROM if(
	condition=(OSVersion =~ 'Vista'),
	then={
	SELECT Data.value as Name, Name as Path, {
	SELECT Name FROM users WHERE UUID=regex_replace(source=FullPath, re=".+\\\\(S-[^\\\\]+)\\\\.+", replace="$1")
	} as User
	FROM glob(globs=LegacyRegistryGlob, accessor='registry') where FullPath =~ "MuiCache" and Path != "MuiCache" and Path != "LangID"},

	else={
	SELECT Data.value as Name, Name as Path, {
	SELECT Name FROM users WHERE UUID=regex_replace(source=FullPath, re=".+\\\\(S-[^\\\\]+)\\\\.+", replace="$1")
	} as User
	FROM glob(globs=ModernRegistryGlob, accessor='registry') where FullPath =~ "MuiCache" and Path != "MuiCache" and Path != "LangID"})