appxdebugkeys

$ target-query <path/to/target> -f appxdebugkeys
Details

Module

os.windows.regf.appxdebugkeys.AppxDebugKeysPlugin

Output

records

Module documentation

Plugin that iterates various AppX debug key locations

Function documentation

Iterate various AppX debug key locations. See source for all locations.

AppX debug keys are registry keys that attach a debugger executable to Universal Windows Platform Apps (AppX). This debugger is executed when the program is launched and is often leveraged as a persistence mechanism.

References:
Yields AppXDebugKeyRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The registry key last modified timestamp.
name (string): The AppX debug key name.
debug_info (string): The AppX debug info.
regf_hive_path (string): The hive file that contains the registry key.
regf_key_path (string): The key’s full path in the registry.
username (string): The name of the user this key belongs to.
user_id (string): The id of the user this key belongs to.
user_group (string): The group of the user this key belongs to.
user_home (string): The home directory of the user this key belongs to.
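An added triage example, not part of dissect or this plugin: it takes records shaped like the AppXDebugKeyRecord fields above (constructed sample data, not real target-query output), keeps only keys that actually attach a debugger, and flags those whose debugger lives outside the usual developer-tooling directories (the trusted-prefix list is an assumption of this example), newest modification first.

```python
from datetime import datetime

# Constructed sample records using a subset of the AppXDebugKeyRecord fields
# documented above; this is NOT real target-query output.
SAMPLE_RECORDS = [
    {"ts": "2024-03-02T09:15:00+00:00", "username": "alice",
     "name": "Microsoft.WindowsCalculator_8wekyb3d8bbwe",
     "debug_info": "C:\\Users\\alice\\AppData\\Roaming\\svc\\helper.exe"},
    {"ts": "2023-11-20T17:40:00+00:00", "username": "bob",
     "name": "Microsoft.Photos_8wekyb3d8bbwe",
     "debug_info": ""},
    {"ts": "2024-01-15T12:00:00+00:00", "username": "dev",
     "name": "Contoso.DevApp_abcdef123456",
     "debug_info": '"C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe" /debugexe'},
]

# Assumption (a triage heuristic of this example, not part of dissect):
# debuggers under these directories are probably legitimate developer tooling.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def debugger_executable(debug_info):
    """Strip arguments from a debug path value and return just the executable."""
    value = debug_info.strip()
    if value.startswith('"'):
        return value.split('"')[1]
    return value.split(" ")[0]


def triage(records):
    """Return populated debug keys, newest first, with a location trust flag."""
    findings = []
    for rec in records:
        exe = debugger_executable(rec["debug_info"])
        if not exe:  # empty debug_info: no debugger attached to this package
            continue
        findings.append({
            "ts": datetime.fromisoformat(rec["ts"]),
            "user": rec["username"],
            "package": rec["name"],
            "debugger": exe,
            "trusted_location": exe.lower().startswith(TRUSTED_PREFIXES),
        })
    findings.sort(key=lambda f: f["ts"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        flag = "ok" if f["trusted_location"] else "REVIEW"
        print(f'{f["ts"].isoformat()} {flag:6} {f["user"]:6} {f["package"]} -> {f["debugger"]}')
```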