dissect.target.plugins.os.windows.regf.trusteddocs
Module Contents
Classes
TrustedDocumentsPlugin: Plugin to obtain Microsoft Office Trusted Document registry keys.
Attributes
- dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsRecord
- class dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsPlugin(target: dissect.target.Target)
Bases: dissect.target.plugin.Plugin
Plugin to obtain Microsoft Office Trusted Document registry keys.
- KEY = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office'
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- trusteddocs() -> Iterator[TrustedDocumentsRecord]
Return Microsoft Office TrustRecords registry keys for all Office applications.
Microsoft uses Trusted Documents to cache whether the user enabled the editing and/or macros for that document. Therefore, this may reveal if macros have been enabled for a malicious Office document.
Yields records based on the values within the TrustRecords registry keys. Each record contains at least the following fields:
- application (string): Application name of the Office product that produced the TrustRecords registry key.
- document_path (path): Path to the document for which a TrustRecords entry is created.
- ts (datetime): The created time of the TrustRecord registry key.
- type (varint): Type of the value within the TrustRecords registry key.
- value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.
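The following is an added example, not part of the dissect project's code, showing how the `value` field of these records can be triaged for documents whose macros were enabled. The value layout it relies on (a leading 8-byte FILETIME and a trailing 4-byte flag equal to 0x7FFFFFFF when macros were enabled) is an assumption taken from public forensic write-ups rather than from this page; the helper names and sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

# Assumption (public forensic write-ups, not this page): a TrustRecords value
# starts with an 8-byte FILETIME and ends with a 4-byte little-endian flag,
# where 0x7FFFFFFF (bytes FF FF FF 7F) means macros were enabled.
MACROS_ENABLED_FLAG = 0x7FFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_trust_value(value: bytes) -> dict:
    """Split a TrustRecords value into its timestamp and trailing flag."""
    if len(value) < 12:  # too short to hold FILETIME + flag: do not guess
        return {"timestamp": None, "flags": None, "macros_enabled": None}
    (filetime,) = struct.unpack_from("<Q", value, 0)
    (flags,) = struct.unpack_from("<I", value, len(value) - 4)
    try:
        timestamp = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:  # corrupt FILETIME beyond datetime's range
        timestamp = None
    return {"timestamp": timestamp, "flags": flags,
            "macros_enabled": flags == MACROS_ENABLED_FLAG}

def macro_enabled_documents(records):
    """Return (application, document_path, timestamp) for macro-enabled entries."""
    hits = []
    for rec in records:
        info = parse_trust_value(bytes(rec.value))
        if info["macros_enabled"]:
            hits.append((rec.application, str(rec.document_path), info["timestamp"]))
    return hits

def _sample_value(when: datetime, flags: int) -> bytes:
    """Build a constructed 24-byte value for the demo records below."""
    filetime = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return struct.pack("<Q", filetime) + b"\x00" * 12 + struct.pack("<I", flags)

# Constructed sample records carrying the fields listed above. On a real
# target they would come from: Target.open(path).trusteddocs()
WHEN = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    SimpleNamespace(application="Word", document_path="%USERPROFILE%/Downloads/invoice.docm",
                    value=_sample_value(WHEN, MACROS_ENABLED_FLAG)),
    SimpleNamespace(application="Excel", document_path="%USERPROFILE%/Documents/budget.xlsx",
                    value=_sample_value(WHEN, 0x00000001)),
]

if __name__ == "__main__":
    for app, path, ts in macro_enabled_documents(SAMPLE_RECORDS):
        print(f"{ts.isoformat()} {app}: macros enabled for {path}")
```

Entries that do not carry the macro flag are skipped rather than labelled, since the meaning of other flag values is not covered here.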