[RegistryPlugin.TaskCache] Feature Request - Action csv field

[RevD17]

Please add new functionality - new column to the output CSV in the TaskCache Registry Plugin.

TaskCache Binary field(RegBinary) "Action" can contain additional information such as commandline in wide encoding, for example:
cmd /c copy C:\1\somefile.exe C:\2\somefile2.exe

Met this on Windows Server 2019.

Please parse this value to string or to hex string at least.

Unfortunatly, I can't give you registry file as example.

Thank you!

[AndrewRathbun]

@EricZimmerman we should transfer this issue to https://github.com/EricZimmerman/RegistryPlugins

[EricZimmerman]

yea that works for me

[EricZimmerman]

can you share the value at least? even if its just a screenshot?

[RevD17]

Actions_export.zip
Example of "Actions" value binary data . I left the strings and data length as it was and only changed the character codes.

[EricZimmerman]

i think more work is needed here. There are rules for decoding it.

example

offset 0x2: 0c == 12 which is Author (12 chars, 2 each, since unicode, and Author is 6 chars long once decoded)
0x8: 06, and decodes to "cmd"
0x22: EE01 decodes to "/c copy C:\ProgramData\Microsoft\XX\XXXX.XXX "C:\Program Files\Microsoft\Exchange Server\VXX\FrontEnd\HttpProxy\owa\auth\error.aspx" && timeout /t 1000 && del "C:\Program Files\Microsoft\Exchange Server\VXX\FrontEnd\HttpProxy\owa\auth\error.aspx""

so i think, ideally, we figure out the rules (just need more data)

at offset 0, we see 03, which is probably created by?
theres other things in between those fields, but we just need more data to "see" the pattern

dumping the whole byte value as a unicode string gets us nothing useful