dissect.target.plugins.os.windows.regf.trusteddocs#

Module Contents#

Classes#

TrustedDocumentsPlugin

Plugin to obtain Microsoft Office Trusted Document registry keys.

Attributes#

dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsRecord#
class dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Plugin to obtain Microsoft Office Trusted Document registry keys.

KEY = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office'#
check_compatible() None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

trusteddocs() Iterator[TrustedDocumentsRecord]#

Return Microsoft Office TrustRecords registry keys for all Office applications.

Microsoft uses Trusted Documents to cache whether the user enabled the editing and/or macros for that document. Therefore, this may reveal if macros have been enabled for a malicious Office document.

Yields records based on the values within the TrustRecords registry keys. At least contains the following fields:

application (string): Application name of the Office product that produced the TrustRecords registry key. document_path (path): Path to the document for which a TrustRecords entry is created. ts (datetime): The created time of the TrustRecord registry key. type (varint): Type of the value within the TrustRecords registry key. value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.