dissect.target 3.16.dev44__py3-none-any.whl → 3.17__py3-none-any.whl

dissect/target/plugins/os/unix/linux/sockets.py

@@ -17,9 +17,9 @@ NetSocketRecord = TargetRecordDescriptor(
         ("uint32", "rx_queue"),
         ("uint32", "tx_queue"),
         ("string", "local_ip"),
-        ("string", "local_port"),
+        ("uint16", "local_port"),
         ("string", "remote_ip"),
-        ("string", "remote_port"),
+        ("uint16", "remote_port"),
         ("string", "state"),
         ("string", "owner"),
         ("uint32", "inode"),

dissect/target/plugins/os/unix/log/messages.py

@@ -1,7 +1,8 @@
 import re
-from itertools import chain
+from pathlib import Path
 from typing import Iterator
 
+from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
@@ -23,17 +24,28 @@ RE_TS = re.compile(r"(\w+\s{1,2}\d+\s\d{2}:\d{2}:\d{2})")
 RE_DAEMON = re.compile(r"^[^:]+:\d+:\d+[^\[\]:]+\s([^\[:]+)[\[|:]{1}")
 RE_PID = re.compile(r"\w\[(\d+)\]")
 RE_MSG = re.compile(r"[^:]+:\d+:\d+[^:]+:\s(.*)$")
+RE_CLOUD_INIT_LINE = re.compile(r"(?P<ts>.*) - (?P<daemon>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$")
 
 
 class MessagesPlugin(Plugin):
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.log_files = set(self._find_log_files())
+
+    def _find_log_files(self) -> Iterator[Path]:
+        log_dirs = ["/var/log/", "/var/log/installer/"]
+        file_globs = ["syslog*", "messages*", "cloud-init.log*"]
+        for log_dir in log_dirs:
+            for glob in file_globs:
+                yield from self.target.fs.path(log_dir).glob(glob)
+
     def check_compatible(self) -> None:
-        var_log = self.target.fs.path("/var/log")
-        if not any(var_log.glob("syslog*")) and not any(var_log.glob("messages*")):
-            raise UnsupportedPluginError("No message files found")
+        if not self.log_files:
+            raise UnsupportedPluginError("No log files found")
 
     @export(record=MessagesRecord)
     def syslog(self) -> Iterator[MessagesRecord]:
-        """Return contents of /var/log/messages* and /var/log/syslog*.
+        """Return contents of /var/log/messages*, /var/log/syslog* and cloud-init logs.
 
         See ``messages`` for more information.
         """
@@ -41,7 +53,7 @@ class MessagesPlugin(Plugin):
 
     @export(record=MessagesRecord)
     def messages(self) -> Iterator[MessagesRecord]:
-        """Return contents of /var/log/messages* and /var/log/syslog*.
+        """Return contents of /var/log/messages*, /var/log/syslog* and cloud-init logs.
 
         Note: due to year rollover detection, the contents of the files are returned in reverse.
 
@@ -52,12 +64,16 @@ class MessagesPlugin(Plugin):
         References:
             - https://geek-university.com/linux/var-log-messages-file/
             - https://www.geeksforgeeks.org/file-timestamps-mtime-ctime-and-atime-in-linux/
+            - https://cloudinit.readthedocs.io/en/latest/development/logging.html#logging-command-output
         """
 
         tzinfo = self.target.datetime.tzinfo
 
-        var_log = self.target.fs.path("/var/log")
-        for log_file in chain(var_log.glob("syslog*"), var_log.glob("messages*")):
+        for log_file in self.log_files:
+            if "cloud-init" in log_file.name:
+                yield from self._parse_cloud_init_log(log_file)
+                continue
+
             for ts, line in year_rollover_helper(log_file, RE_TS, DEFAULT_TS_LOG_FORMAT, tzinfo):
                 daemon = dict(enumerate(RE_DAEMON.findall(line))).get(0)
                 pid = dict(enumerate(RE_PID.findall(line))).get(0)
@@ -71,3 +87,32 @@ class MessagesPlugin(Plugin):
                     source=log_file,
                     _target=self.target,
                 )
+
+    def _parse_cloud_init_log(self, log_file: Path) -> Iterator[MessagesRecord]:
+        """Parse a cloud-init.log file.
+
+        Lines are structured in the following format:
+        ``YYYY-MM-DD HH:MM:SS,000 - dhcp.py[DEBUG]: Received dhcp lease on IFACE for IP/MASK``
+
+        NOTE: ``cloud-init-output.log`` files are not supported as they do not contain structured logs.
+
+        Args:
+            ``log_file``: path to cloud-init.log file.
+
+        Returns: ``MessagesRecord``
+        """
+        for line in log_file.open("rt").readlines():
+            if line := line.strip():
+                if match := RE_CLOUD_INIT_LINE.match(line):
+                    match = match.groupdict()
+                    yield MessagesRecord(
+                        ts=match["ts"].split(",")[0],
+                        daemon=match["daemon"],
+                        pid=None,
+                        message=match["message"],
+                        source=log_file,
+                        _target=self.target,
+                    )
+                else:
+                    self.target.log.warning("Could not match cloud-init log line")
+                    self.target.log.debug("No match for line '%s'", line)

dissect/target/plugins/os/windows/_os.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import operator
 import struct
 from typing import Any, Iterator, Optional
 
@@ -40,7 +41,7 @@ class WindowsPlugin(OSPlugin):
 
         if not sysvol.exists("boot/BCD"):
             for fs in target.filesystems:
-                if fs.exists("boot") and fs.exists("boot/BCD"):
+                if fs.exists("boot/BCD") or fs.exists("EFI/Microsoft/Boot/BCD"):
                     target.fs.mount("efi", fs)
 
         return cls(target)
@@ -77,6 +78,14 @@ class WindowsPlugin(OSPlugin):
             self.target.log.warning("Failed to map drive letters")
             self.target.log.debug("", exc_info=e)
 
+        # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter
+        if operator.countOf(self.target.fs.mounts.values(), self.target.fs.mounts["sysvol"]) == 1:
+            if "c:" not in self.target.fs.mounts:
+                self.target.log.debug("Unable to determine drive letter of sysvol, falling back to C:")
+                self.target.fs.mount("c:", self.target.fs.mounts["sysvol"])
+            else:
+                self.target.log.warning("Unknown drive letter for sysvol")
+
     @export(property=True)
     def hostname(self) -> Optional[str]:
         key = "HKLM\\SYSTEM\\ControlSet001\\Control\\Computername\\Computername"

dissect/target/plugins/os/windows/catroot.py

@@ -1,26 +1,42 @@
-from asn1crypto import algos, core
+from typing import Iterator, Optional
+
+from dissect.esedb import EseDB
 from flow.record.fieldtypes import digest
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
+try:
+    from asn1crypto.cms import ContentInfo
+    from asn1crypto.core import Sequence
+
+    HAS_ASN1 = True
+except ImportError:
+    HAS_ASN1 = False
+
 HINT_NEEDLE = b"\x1e\x08\x00H\x00i\x00n\x00t"
-MD5_NEEDLE = b"\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05"
-SHA1_NEEDLE = b"\x06\x05\x2b\x0e\x03\x02\x1a"
-SHA_GENERIC_NEEDLE = b"\x06\x09\x08\x86\x48\x01\x65\x03\x04\x02"
+PACKAGE_NAME_NEEDLE = b"\x06\n+\x06\x01\x04\x01\x827\x0c\x02\x01"
+DIGEST_NEEDLES = {
+    "md5": b"\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05",
+    "sha1": b"\x06\x05\x2b\x0e\x03\x02\x1a",
+    "sha_generic": b"\x06\x09\x08\x86\x48\x01\x65\x03\x04\x02",
+    "sha256": b"\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00",
+}
+
 
 CatrootRecord = TargetRecordDescriptor(
     "windows/catroot",
     [
         ("digest", "digest"),
-        ("path", "hint"),
+        ("string[]", "hints"),
+        ("string", "catroot_name"),
         ("path", "source"),
     ],
 )
 
 
-def findall(buf, needle):
+def findall(buf: bytes, needle: bytes) -> Iterator[int]:
     offset = 0
     while True:
         offset = buf.find(needle, offset)
@@ -31,27 +47,59 @@ def findall(buf, needle):
         offset += 1
 
 
+def _get_package_name(sequence: Sequence) -> str:
+    """Parse sequences within a sequence and return the 'PackageName' value if it exists."""
+    for value in sequence.native.values():
+        # Value is an ordered dict that contains a sequence on index 1
+        inner_sequence = Sequence.load(value.get("1"))
+        # Key value is stored at index 0, value at index 2
+        if "PackageName" in inner_sequence[0].native:
+            return inner_sequence[2].native.decode("utf-16-le").strip("\x00")
+
+
+def find_package_name(hint_buf: bytes) -> Optional[str]:
+    """Find a sequence that contains the 'PackageName' key and return the value if present."""
+    for hint_offset in findall(hint_buf, PACKAGE_NAME_NEEDLE):
+        # 7, 6 or 5 bytes before the package_name needle, a sequence starts (starts with b"0\x82" or b"0\x81").
+        for sequence_needle in [b"0\x82", b"0\x81"]:
+            if (sequence_offset := hint_buf.find(sequence_needle, hint_offset - 8, hint_offset)) == -1:
+                continue
+
+            hint_sequence = Sequence.load(hint_buf[sequence_offset:])
+            return _get_package_name(hint_sequence)
+
+
 class CatrootPlugin(Plugin):
     """Catroot plugin.
 
     Parses catroot files for hashes and file hints.
     """
 
+    __namespace__ = "catroot"
+
     def __init__(self, target):
         super().__init__(target)
-        self.catrootdir = self.target.fs.path("sysvol/windows/system32/catroot")
+        self.catroot_dir = self.target.fs.path("sysvol/windows/system32/catroot")
+        self.catroot2_dir = self.target.fs.path("sysvol/windows/system32/catroot2")
 
     def check_compatible(self) -> None:
-        if len(list(self.catrootdir.iterdir())) == 0:
-            raise UnsupportedPluginError("No catroot dirs found")
+        if not HAS_ASN1:
+            raise UnsupportedPluginError("Missing asn1crypto dependency")
+
+        if next(self.catroot2_dir.rglob("catdb"), None) is None and next(self.catroot_dir.rglob("*.cat"), None) is None:
+            raise UnsupportedPluginError("No catroot files or catroot ESE databases found")
 
     @export(record=CatrootRecord)
-    def catroot(self):
+    def files(self) -> Iterator[CatrootRecord]:
         """Return the content of the catalog files in the CatRoot folder.
 
         A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to
         verify the integrity of Windows operating system files, instead of per-file authenticode signatures.
 
+        At the moment, parsing catalog files is done on best effort. ``asn1crypto`` is not able to fully parse the
+        ``encap_content_info``, highly likely because Microsoft uses its own format. Future research should result in
+        a more resilient and complete implementation of the ``catroot.files`` plugin.
+
         References:
             - https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
             - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
@@ -60,67 +108,134 @@ class CatrootPlugin(Plugin):
             hostname (string): The target hostname.
             domain (string): The target domain.
             digest (digest): The parsed digest.
-            hint (path): File hint, if present.
-            source (path): Source catroot file.
+            hints (string[]): File hints, if present.
+            catroot_name (string): Catroot name.
+            source (path): Source of the catroot record.
         """
-        # So asn1crypt dies when parsing these files, so we kinda bruteforce it
-        # Look for the object identifiers of various hash types, and parse from there
-        # We don't do any further checking, just traverse according to a known structure
-        # If an exception occurs, we're not looking at the right structure.
-        for d in self.catrootdir.iterdir():
-            if not d.is_dir():
+        # As far as known, Microsoft uses its own implementation to store the digest in the
+        # encap_content_info along with an optional file hint. Here we parse the digest values
+        # ourselves by looking for the corresponding digest needles in the raw encap_content_info
+        # data. Furthermore, we try to find the file hint if it is present in that same raw data.
+        for file in self.catroot_dir.rglob("*.cat"):
+            if not file.is_file():
                 continue
 
-            for f in d.iterdir():
-                buf = f.open().read()
+            try:
+                buf = file.read_bytes()
+
+                # TODO: Parse other data in the content info
+                content_info = ContentInfo.load(buf)["content"]
+
+                digest_type = content_info["digest_algorithms"].native[0].get("algorithm")
+                encap_contents = content_info["encap_content_info"].contents
+                needle = DIGEST_NEEDLES[digest_type]
+
+                digests = []
+                offset = None
+                for offset in findall(encap_contents, needle):
+                    # 4 bytes before the digest type, a sequence starts
+                    objseq = Sequence.load(encap_contents[offset - 4 :])
+                    # The second entry in the sequence is the digest string
+                    raw_digest = objseq[1].native
+                    hexdigest = raw_digest.hex()
+
+                    file_digest = digest()
+                    if len(hexdigest) == 32:
+                        file_digest.md5 = hexdigest
+                    elif len(hexdigest) == 40:
+                        file_digest.sha1 = hexdigest
+                    elif len(hexdigest) == 64:
+                        file_digest.sha256 = hexdigest
+
+                    digests.append(file_digest)
+
+                # Finding the hint in encap_content_info is on best effort. In most of the cases,
+                # there is a key "PackageName" available. We first try to parse the corresponding
+                # value if it is present. If this does not succeed, we might be dealing with catroot
+                # files containing the "hint" needle.
+                # If both methods do not result in a file hint, there is either no hint available or
+                # the format is not yet known and therefore not supported.
+                hints = []
+                try:
+                    if offset:
+                        # As far as known, the PackageName data is only present in the encap_content_info
+                        # after the last digest.
+                        hint_buf = encap_contents[offset + len(needle) + len(raw_digest) + 2 :]
+
+                        # First try to find to find the "PackageName" value, if it's present.
+                        hint = find_package_name(hint_buf)
+                        if hint:
+                            hints.append(hint)
+
+                    # If the package_name needle is not found or it's not present in the first 7 bytes of the hint_buf
+                    # We are probably dealing with a catroot file that contains "hint" needles.
+                    if not hints:
+                        for hint_offset in findall(encap_contents, HINT_NEEDLE):
+                            # Either 3 or 4 bytes before the needle, a sequence starts
+                            bytes_before_needle = 3 if encap_contents[hint_offset - 3] == 48 else 4
+                            name_sequence = Sequence.load(encap_contents[hint_offset - bytes_before_needle :])
+
+                            hint = name_sequence[2].native.decode("utf-16-le").strip("\x00")
+                            hints.append(hint)
+
+                except Exception as e:
+                    self.target.log.debug("", exc_info=e)
+
+                # Currently, it is not known how the file hints are related to the digests. Therefore, each digest
+                # is yielded as a record with all of the file hints found.
+                # TODO: find the correlation between the file hints and the digests in catroot files.
+                for file_digest in digests:
+                    yield CatrootRecord(
+                        digest=file_digest,
+                        hints=hints,
+                        catroot_name=file.name,
+                        source=file,
+                        _target=self.target,
+                    )
+
+            except Exception as error:
+                self.target.log.error("An error occurred while parsing the catroot file %s: %s", file, error)
 
-                for needle in [MD5_NEEDLE, SHA1_NEEDLE, SHA_GENERIC_NEEDLE]:
-                    # There's an identifier early on in the file that specifies the hash type for this file
-                    offset = buf.find(needle, 0, 100)
-                    if offset == -1:
-                        continue
+    @export(record=CatrootRecord)
+    def catdb(self) -> Iterator[CatrootRecord]:
+        """Return the hash values present in the catdb files in the catroot2 folder.
+
+        The catdb file is an ESE database file that contains the digests of the catalog files present on the system.
+        This database is used to speed up the process of validating a Portable Executable (PE) file.
+
+        Note: catalog files can include file hints, however these seem not to be present in the catdb files.
+
+        References:
+            - https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
+            - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
+
+        Yields CatrootRecords with the following fields:
+            hostname (string): The target hostname.
+            domain (string): The target domain.
+            digest (digest): The parsed digest.
+            hints (string[]): File hints, if present.
+            catroot_name (string): Catroot name.
+            source (path): Source of the catroot record.
+        """
+        for ese_file in self.catroot2_dir.rglob("catdb"):
+            with ese_file.open("rb") as fh:
+                ese_db = EseDB(fh)
 
-                    try:
-                        # Sanity check
-                        algos.DigestAlgorithmId.load(buf[offset:])
-                    except TypeError:
+                tables = [table.name for table in ese_db.tables()]
+                for hash_type, table_name in [("sha256", "HashCatNameTableSHA256"), ("sha1", "HashCatNameTableSHA1")]:
+                    if table_name not in tables:
                         continue
 
-                    for offset in findall(buf, needle):
-                        try:
-                            digestid = algos.DigestAlgorithmId.load(buf[offset:])
-                            # 4 bytes before the digest type, a sequence starts
-                            objseq = core.Sequence.load(buf[offset - 4 :])
-                            # The second entry in the sequence is the digest string
-                            hexdigest = objseq[1].native.hex()
-
-                            # Later versions of windows also have a file hint
-                            # Try to find it
-                            digestlen = len(digestid.contents)
-                            hintoffset = buf.find(HINT_NEEDLE, offset + digestlen, offset + digestlen + 64)
-
-                            filehint = None
-                            if hintoffset != -1:
-                                try:
-                                    file_buf = buf[hintoffset + len(HINT_NEEDLE) + 6 :]
-                                    # There's an INTEGER after the Hint BMPString of size 6
-                                    filehint = core.OctetString.load(file_buf).native.decode("utf-16-le")
-                                except Exception:
-                                    pass
-
-                            fdigest = digest()
-                            if len(hexdigest) == 32:
-                                fdigest.md5 = hexdigest
-                            elif len(hexdigest) == 40:
-                                fdigest.sha1 = hexdigest
-                            elif len(hexdigest) == 64:
-                                fdigest.sha256 = hexdigest
+                    for record in ese_db.table(table_name).records():
+                        file_digest = digest()
+                        setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
+                        catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
 
+                        for catroot_name in catroot_names:
                             yield CatrootRecord(
-                                digest=fdigest,
-                                hint=self.target.fs.path(filehint) if filehint else None,
-                                source=f,
+                                digest=file_digest,
+                                hints=None,
+                                catroot_name=catroot_name,
+                                source=ese_file,
                                 _target=self.target,
                             )
-                        except Exception:
-                            continue

dissect/target/plugins/os/windows/credhist.py

@@ -0,0 +1,210 @@
+import hashlib
+import logging
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import BinaryIO, Iterator, Optional
+from uuid import UUID
+
+from dissect.cstruct import cstruct
+from dissect.util.sid import read_sid
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers import keychain
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.general.users import UserDetails
+from dissect.target.plugins.os.windows.dpapi.crypto import (
+    CipherAlgorithm,
+    HashAlgorithm,
+    derive_password_hash,
+)
+from dissect.target.target import Target
+
+log = logging.getLogger(__name__)
+
+
+CredHistRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "windows/credential/history",
+    [
+        ("string", "guid"),
+        ("boolean", "decrypted"),
+        ("string", "sha1"),
+        ("string", "nt"),
+    ],
+)
+
+
+credhist_def = """
+struct entry {
+    DWORD   dwVersion;
+    CHAR    guidLink[16];
+    DWORD   dwNextLinkSize;
+    DWORD   dwCredLinkType;
+    DWORD   algHash;                    // ALG_ID
+    DWORD   dwPbkdf2IterationCount;
+    DWORD   dwSidSize;
+    DWORD   algCrypt;                   // ALG_ID
+    DWORD   dwShaHashSize;
+    DWORD   dwNtHashSize;
+    CHAR    pSalt[16];
+    CHAR    pSid[dwSidSize];
+    CHAR    encrypted[0];
+};
+"""
+
+c_credhist = cstruct()
+c_credhist.load(credhist_def)
+
+
+@dataclass
+class CredHistEntry:
+    version: int
+    guid: str
+    user_sid: str
+    sha1: Optional[bytes]
+    nt: Optional[bytes]
+    hash_alg: HashAlgorithm = field(repr=False)
+    cipher_alg: CipherAlgorithm = field(repr=False)
+    raw: c_credhist.entry = field(repr=False)
+    decrypted: bool = False
+
+    def decrypt(self, password_hash: bytes) -> None:
+        """Decrypt this CREDHIST entry using the provided password hash. Modifies ``CredHistEntry.sha1``
+        and ``CredHistEntry.nt`` values.
+
+        If the decrypted ``nt`` value is 16 bytes we assume the decryption was successful.
+
+        Args:
+            password_hash: Bytes of SHA1 password hash digest.
+
+        Raises:
+            ValueError: If the decryption seems to have failed.
+        """
+        data = self.cipher_alg.decrypt_with_hmac(
+            data=self.raw.encrypted,
+            key=derive_password_hash(password_hash, self.user_sid),
+            iv=self.raw.pSalt,
+            hash_algorithm=self.hash_alg,
+            rounds=self.raw.dwPbkdf2IterationCount,
+        )
+
+        sha_size = self.raw.dwShaHashSize
+        nt_size = self.raw.dwNtHashSize
+
+        sha1 = data[:sha_size]
+        nt = data[sha_size : sha_size + nt_size].rstrip(b"\x00")
+
+        if len(nt) != 16:
+            raise ValueError("Decrypting failed, invalid password hash?")
+
+        self.decrypted = True
+        self.sha1 = sha1
+        self.nt = nt
+
+
+class CredHistFile:
+    def __init__(self, fh: BinaryIO) -> None:
+        self.fh = fh
+        self.entries = list(self._parse())
+
+    def __repr__(self) -> str:
+        return f"<CredHistFile fh='{self.fh}' entries={len(self.entries)}>"
+
+    def _parse(self) -> Iterator[CredHistEntry]:
+        self.fh.seek(0)
+        try:
+            while True:
+                entry = c_credhist.entry(self.fh)
+
+                # determine size of encrypted data and add to entry
+                cipher_alg = CipherAlgorithm.from_id(entry.algCrypt)
+                enc_size = entry.dwShaHashSize + entry.dwNtHashSize
+                enc_size += enc_size % cipher_alg.block_length
+                entry.encrypted = self.fh.read(enc_size)
+
+                yield CredHistEntry(
+                    version=entry.dwVersion,
+                    guid=UUID(bytes_le=entry.guidLink),
+                    user_sid=read_sid(entry.pSid),
+                    hash_alg=HashAlgorithm.from_id(entry.algHash),
+                    cipher_alg=cipher_alg,
+                    sha1=None,
+                    nt=None,
+                    raw=entry,
+                )
+        except EOFError:
+            pass
+
+    def decrypt(self, password_hash: bytes) -> None:
+        """Decrypt a CREDHIST chain using the provided password SHA1 hash."""
+
+        for entry in reversed(self.entries):
+            try:
+                entry.decrypt(password_hash)
+            except ValueError as e:
+                log.warning("Could not decrypt entry %s with password %s", entry.guid, password_hash.hex())
+                log.debug("", exc_info=e)
+                continue
+            password_hash = entry.sha1
+
+
+class CredHistPlugin(Plugin):
+    """Windows CREDHIST file parser.
+
+    Windows XP:         ``C:\\Documents and Settings\\username\\Application Data\\Microsoft\\Protect\\CREDHIST``
+    Windows 7 and up:   ``C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST``
+
+    Resources:
+        - https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#41
+    """
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.files = list(self._find_files())
+
+    def _find_files(self) -> Iterator[tuple[UserDetails, Path]]:
+        hashes = set()
+        for user_details in self.target.user_details.all_with_home():
+            for path in ["AppData/Roaming/Microsoft/Protect/CREDHIST", "Application Data/Microsoft/Protect/CREDHIST"]:
+                credhist_path = user_details.home_path.joinpath(path)
+                if credhist_path.exists() and (hash := credhist_path.get().hash()) not in hashes:
+                    hashes.add(hash)
+                    yield user_details.user, credhist_path
+
+    def check_compatible(self) -> None:
+        if not self.files:
+            raise UnsupportedPluginError("No CREDHIST files found on target.")
+
+    @export(record=CredHistRecord)
+    def credhist(self) -> Iterator[CredHistRecord]:
+        """Yield and decrypt all Windows CREDHIST entries on the target."""
+        passwords = keychain_passwords()
+
+        if not passwords:
+            self.target.log.warning("No passwords provided in keychain, cannot decrypt CREDHIST hashes")
+
+        for user, path in self.files:
+            credhist = CredHistFile(path.open("rb"))
+
+            for password in passwords:
+                credhist.decrypt(hashlib.sha1(password.encode("utf-16-le")).digest())
+
+            for entry in credhist.entries:
+                yield CredHistRecord(
+                    guid=entry.guid,
+                    decrypted=entry.decrypted,
+                    sha1=entry.sha1.hex() if entry.sha1 else None,
+                    nt=entry.nt.hex() if entry.nt else None,
+                    _user=user,
+                    _target=self.target,
+                )
+
+
+def keychain_passwords() -> set:
+    passphrases = set()
+    for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
+        if key.key_type == keychain.KeyType.PASSPHRASE:
+            passphrases.add(key.value)
+    passphrases.add("")
+    return passphrases