reg_hunter | Blueteam operational triage registry hunting/forensic tool | Cybersecurity library

reg_hunter is a Rust library typically used in Security, Cybersecurity applications. reg_hunter has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

Blueteam operational triage registry hunting/forensic tool. I hope to incorporate more than just registry triage and hunting. I'd love to see this tool become a standalone triage / hunt tool for all Windows persistence mechanisms. Demo and misc. information on Registry Hunter via Forensic Lunch podcast: Thank you to and for their open research. Many of the explicit registry keys and values defined in this tool came from their graciously shared hard work. Thanks to and for the Lnk and Registry Rust crates. Output is in JSON line delimited. If you just want the tool, download the reg_hunter_x32.exe and/or reg_hunter_x64.exe binary. Note that you'll want to run the 64 bit binary on a 64 bit OS so that it will not be partially blinded by Windows WOW64 redirection. Registry key "last_write_time" is included in Registry JSON logs. The "tags" field is an array populated by any hunts that are a positive match. I needed a self-contained tool, as when I'm triaging an event, the less files I have to push to a remote device the better. Adding in new hunts and recompiling is simple as well. I also wanted a tool that was not dependent on having a minimum .Net version installed. NOTE: The "parent_data_type" field specifies the "data_type" that caused the generation of this data type. E.g. If a Lnk file was found in a registry value, this will generate a "ShellLink" data_type with a parent_data_type of "Registry". Then a data_type of "File" with a parent_data_type of "ShellLink" will be generated if the file that the Lnk file points to is found/exists. I.e. Registry --> ShellLink --> File. A file/lnk's meta data will only be collected once no matter how many times it is referenced in registry values.