Downloads:
9
Downloads of v 2.0.0:
9
Last Update:
28 Apr 2024
Published Date:
28 Apr 2024
Package Maintainer(s):
Software Author(s):
- Eric Zimmerman
Tags:
digital forensics incident response dfir
SBECmd
2.0.0 | Updated: 28 Apr 2024
SBECmd 2.0.0
All Checks are Passing
3 Passing Tests
This version is in moderation and has not yet been approved. This means it doesn't show up under normal search.
- Until approved, you should consider this package version unsafe - it could do very bad things to your system (it probably doesn't but you have been warned, that's why we have moderation).
- This package version can change wildly over the course of moderation until it is approved. If you install it and it later has changes to this version, you will be out of sync with any changes that have been made to the package. Until approved, you should consider that this package version doesn't even exist.
- You cannot install this package under normal scenarios. See How to install package version under moderation for more information.
- There are also no guarantees that it will be approved.
There are versions of this package awaiting moderation (possibly just this one). See the Version History section below.
SBECmd is a tool created by Eric Zimmerman used to parse the NTUSER.dat and UsrClass.dat Registry hives. These hives contain shell items (ShellBags) that Windows records to indicate which folders a user has traversed.
SBECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the NTUser.dat and UsrClass.dat user Registry hives which will contain artifacts of folder traversal. Since the NTUser.dat and UsrClass.dat Registry hives exist for each user, one can attribute the folder traversal artifacts to a specific account. For Law Enforcement, these artifacts may provide pointers to folders or ZIP files that no longer exist. This artifact will provide the first and last time the specific user interacted with a specific folder or ZIP file, in most cases.
Private Sector
For those in the Private Sector, this tool is useful for enumerating what a user of interest did during unauthorized access to a given host. Often, artifacts from periods of unauthorized access will show the threat actor accessing and viewing files and folders that are highly sensitive to the client's business.
- sbecmd.2.0.0.nupkg (dfdf3d089910) - ## / 64
- SBECmd.zip (76e68ea696cb) - ## / 66
In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).
Chocolatey Pro provides runtime protection from possible malware.
2015 Eric Zimmerman
- dotnet-6.0-runtime (≥ 6.0.28)
Ground Rules:
- This discussion is only about SBECmd and the SBECmd package. If you have feedback for Chocolatey, please contact the Google Group.
- This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
- The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
- Tell us what you love about the package or SBECmd, or tell us what needs improvement.
- Share your experiences with the package, or extra configuration or gotchas that you've found.
- If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
sustainablelobster (maintainer) on 28 Apr 2024 14:11:06 +00:00:
User 'sustainablelobster' (maintainer) submitted package.
chocolatey-ops (reviewer) on 28 Apr 2024 14:44:12 +00:00:
sbecmd has passed automated validation. It may have or may still fail other checks like testing (verification).
NOTE: No required changes that the validator checks have been flagged! It is appreciated if you fix other items, but only Requirements will hold up a package version from approval. A human review could still turn up issues a computer may not easily find.
Guidelines
Guidelines are strong suggestions that improve the quality of a package version. These are considered something to fix for next time to increase the quality of the package. Over time Guidelines can become Requirements. A package version can be approved without addressing Guideline comments but will reduce the quality of the package.
sustainablelobster (maintainer) on 28 Apr 2024 14:46:07 +00:00:
User 'sustainablelobster' (maintainer) submitted package.
chocolatey-ops (reviewer) on 28 Apr 2024 15:19:17 +00:00:
sbecmd has passed automated validation. It may have or may still fail other checks like testing (verification).
NOTE: No required changes that the validator checks have been flagged! It is appreciated if you fix other items, but only Requirements will hold up a package version from approval. A human review could still turn up issues a computer may not easily find.
Guidelines
Guidelines are strong suggestions that improve the quality of a package version. These are considered something to fix for next time to increase the quality of the package. Over time Guidelines can become Requirements. A package version can be approved without addressing Guideline comments but will reduce the quality of the package.
chocolatey-ops (reviewer) on 28 Apr 2024 15:33:10 +00:00:
sbecmd has passed automated package testing (verification). The next step in the process is package scanning.
Please visit https://gist.github.com/choco-bot/cb82c8a8570a7db54e4e2f28bf89bf8b for details.
This is an FYI only. There is no action you need to take.
chocolatey-ops (reviewer) on 28 Apr 2024 15:44:03 +00:00:
sbecmd has passed automated virus scanning.