def GetEntries(self, key, **unused_kwargs):
"""Extracts event objects from a CCleaner Registry key.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object (instance of EventObject) that contains a MRU list.
"""
for value in key.GetValues():
if not value.name:
continue
text_dict = {}
text_dict[value.name] = value.data
if not text_dict[value.name]:
continue
if value.name == 'UpdateKey':
zone = getattr(self._config, 'timezone', pytz.utc)
update_key = key.GetValue('UpdateKey')
reg_evt = event.WinRegistryEvent(
key.path, text_dict,
timelib.Timestamp.FromTimeString(update_key.data, timezone=zone))
elif value.name == '0':
reg_evt = event.WinRegistryEvent(
key.path, text_dict, key.timestamp)
else:
reg_evt = event.WinRegistryEvent(
key.path, text_dict, 0)
reg_evt.source_append = ': {}'.format(self.DESCRIPTION)
yield reg_evt
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._event_objects = []
event_1 = event.WinRegistryEvent(
u'MY AutoRun key', {u'Value': u'c:/Temp/evil.exe'},
timestamp=13349615269295969)
event_1.parser = 'UNKNOWN'
event_2 = event.WinRegistryEvent(
u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
{u'Value': u'send all the exes to the other world'},
timestamp=13359662069295961)
event_2.parser = 'UNKNOWN'
event_3 = event.WinRegistryEvent(
u'\\HKCU\\Windows\\Normal', {u'Value': u'run all the benign stuff'},
timestamp=13349402860000000)
event_3.parser = 'UNKNOWN'
text_dict = {'text': (
'This is a line by someone not reading the log line properly. And '
'since this log line exceeds the accepted 80 chars it will be '
'shortened.'), 'hostname': 'nomachine', 'username': '******'}
event_4 = event.TextEvent(12389344590000000, text_dict)
event_4.parser = 'UNKNOWN'
self._event_objects.append(event_1)
self._event_objects.append(event_2)
self._event_objects.append(event_3)
self._event_objects.append(event_4)
def GetEntries(self, key, **unused_kwargs):
"""Extracts event objects from a MRU list.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object (instance of EventObject) that contains a MRU list.
"""
mru_list_value = key.GetValue('MRUList')
if not mru_list_value:
text_dict = {}
text_dict[
'MRUList'] = 'REGALERT: Internal error missing MRUList value.'
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
else:
timestamp = key.last_written_timestamp
entry_list = []
text_dict = {}
for entry_index, mru_value_name in enumerate(mru_list_value.data):
value = key.GetValue(mru_value_name)
if not value:
mru_value_string = 'REGALERT: No such MRU value: {0}.'.format(
mru_value_name)
# Ignore any value that is empty.
elif not value.data:
mru_value_string = 'REGALERT: Missing MRU value: {0} data.'.format(
mru_value_name)
# TODO: add support for shell item based MRU value data.
elif not value.DataIsString():
mru_value_string = (
'REGALERT: Unsupported MRU value: {0} data type.'
).format(mru_value_name)
else:
mru_value_string = value.data
entry_list.append(mru_value_string)
text_dict[u'Index: {} [MRU Value {}]'.format(
entry_index + 1, mru_value_name)] = mru_value_string
event_object = event.WinRegistryEvent(key.path,
text_dict,
timestamp=timestamp,
source_append=': MRU List')
event_object.mru_list = entry_list
yield event_object
def GetEntries(self, key, **unused_kwargs):
"""Collect typed URLs values.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object for every typed URL.
"""
for value in key.GetValues():
# Ignore any value not in the form: 'url[0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
# TODO: shouldn't this behavior be, put all the typed urls
# into a single event object with the last written time of the key?
if value.name == 'url1':
timestamp = key.last_written_timestamp
else:
timestamp = 0
text_dict = {}
text_dict[value.name] = value.data
yield event.WinRegistryEvent(
key.path, text_dict, timestamp=timestamp,
source_append=u': {0:s}'.format(self.DESCRIPTION))
def GetEntries(self, key, **unused_kwargs):
"""Gather minimal information about system install and return an event."""
text_dict = {}
text_dict[u'Owner'] = self.GetValueString(key, 'RegisteredOwner')
text_dict[u'sp'] = self.GetValueString(key, 'CSDBuildNumber')
text_dict[u'Product name'] = self.GetValueString(key, 'ProductName')
text_dict[u' Windows Version Information'] = u''
install_raw = key.GetValue('InstallDate').raw_data
# TODO: move this to a function in utils with a more descriptive name
# e.g. CopyByteStreamToInt32BigEndian.
try:
install = self.INT_STRUCT.parse(install_raw)
except construct.FieldError:
install = 0
event_object = event.WinRegistryEvent(
key.path,
text_dict,
timestamp=timelib.Timestamp.FromPosixTime(install))
event_object.prodname = text_dict[u'Product name']
event_object.source_long = 'SOFTWARE WinVersion key'
if text_dict[u'Owner']:
event_object.owner = text_dict[u'Owner']
yield event_object
def GetEntries(self, key, **unused_kwargs):
"""Collect MRU Values and return event for each one."""
for value in key.GetValues():
# TODO: add a check for the value naming scheme.
# Ignore the default value.
if not value.name:
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
text_dict = {}
text_dict[value.name] = value.data
if value.name == 'MRU0':
timestamp = key.last_written_timestamp
else:
timestamp = 0
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=timestamp,
source_append=u': {0:s}'.format(
self.DESCRIPTION))
def GetEntries(self, key, **unused_kwargs):
"""Collect values under WinRAR ArcHistory and return event for each one."""
for value in key.GetValues():
# Ignore any value not in the form: '[0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
if value.name == '0':
timestamp = key.last_written_timestamp
else:
timestamp = 0
text_dict = {}
text_dict[value.name] = value.data
# TODO: shouldn't this behavior be, put all the values
# into a single event object with the last written time of the key?
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=timestamp,
source_append=': {0:s}'.format(
self.DESCRIPTION))
def GetEntries(self, key, **unused_kwargs):
"""Extract EventObjects from a MRU list."""
mru_list_data = key.GetValue('MRUListEx')
# TODO: there is no need to use raw data refactor to use data.
raw_data = mru_list_data.raw_data
try:
mru_list = self.LIST_STRUCT.parse(raw_data)
except construct.FieldError:
logging.warning(u'Unable to parse the MRU key: {0:s}'.format(
key.path))
return
event_timestamp = key.last_written_timestamp
text_dict = {}
for nr, entry in enumerate(mru_list):
# MRU lists are terminated with 0xFFFFFFFF.
if entry == 0xFFFFFFFF:
break
value_text = u'Index: {} [MRU Value {:d}]'.format(nr + 1, entry)
text_dict[value_text] = self.GetText(key, unicode(entry))
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=event_timestamp,
source_append=': MRUx List')
def GetEntries(self, key, **unused_kwargs):
"""Collect the values under Outlook and return event for each one."""
value_index = 0
for value in key.GetValues():
# Ignore the default value.
if not value.name:
continue
# Ignore any value that is empty or that does not contain an integer.
if not value.data or not value.DataIsInteger():
continue
# TODO: change this 32-bit integer into something meaningful, for now
# the value name is the most interesting part.
text_dict = {}
text_dict[value.name] = '0x{0:08x}'.format(value.data)
if value_index == 0:
timestamp = key.last_written_timestamp
else:
timestamp = 0
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=timestamp,
source_append=': {0:s}'.format(
self.DESCRIPTION))
value_index += 1
def GetEntries(self, key, **unused_kwargs):
"""Gather the BootExecute Value, compare to default, return event.
The rest of the values in the Session Manager key are in a separate event.
Args:
key: The extracted registry key.
Yields:
Extracted event objects from the boot verify key.
"""
text_dict = {}
for value in key.GetValues():
if value.name == 'BootExecute':
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used as well.
if value.DataIsString():
value_string = value.data
elif value.DataIsMultiString():
value_string = u''.join(value.data)
elif value.DataIsBinaryData():
value_string = value.data
else:
value_string = (
u'unuspported value data type: {0:s}.').format(
value.data_type_string)
boot_dict = {}
if value_string != u'autocheck autochk *':
boot_dict['BootExecute'] = u'REGALERT: {0:s}'.format(
value_string)
else:
boot_dict['BootExecute'] = value_string
yield event.WinRegistryEvent(
key.path, boot_dict, timestamp=key.last_written_timestamp)
else:
text_dict[value.name] = value.data
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
def GetEntries(self, key, **unused_kwargs):
"""Gather the BootVerification key values and return one event for all.
This key is rare, so its presence is suspect.
Args:
key: The extracted registry key.
Yields:
Extracted event objects from the boot verify key.
"""
text_dict = {}
text_dict['BootVerification'] = u'REGALERT'
for value in key.GetValues():
text_dict[value.name] = value.data
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
def GetEntries(self, key, **unused_kwargs):
"""Collect the Values under the Run Key and return an event for each one."""
for value in key.GetValues():
# Ignore the default value.
if not value.name:
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
text_dict = {}
text_dict[value.name] = value.data
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp,
source_append=': {0:s}'.format(
self.DESCRIPTION))
def GetEntries(self, key, **unused_kwargs):
"""Collect Values in Servers and return event for each one."""
for subkey in key.GetSubkeys():
username_value = subkey.GetValue('UsernameHint')
if (username_value and username_value.data
and username_value.DataIsString()):
username = username_value.data
else:
username = u'None'
text_dict = {}
text_dict['UsernameHint'] = username
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp,
source_append=': {0:s}'.format(
self.DESCRIPTION))
def GetEntries(self, key, **unused_kwargs):
"""Collect Values under Office 2010 MRUs and return events for each one."""
# TODO: Test other Office versions to makesure this plugin is applicable.
for value in key.GetValues():
# Ignore any value not in the form: 'Item [0-9]+'.
if not value.name or not self._RE_VALUE_NAME.search(value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
values = self._RE_VALUE_DATA.findall(value.data)
# Values will contain a list containing a tuple containing 2 values.
if len(values) != 1 or len(values[0]) != 2:
continue
try:
filetime = int(values[0][0], 16)
except ValueError:
logging.warning(
'Unable to convert filetime string to an integer.')
filetime = 0
# TODO: why this behavior? Only the first Item is stored with its
# timestamp. Shouldn't this be: Store all the Item # values with
# their timestamp and store the entire MRU as one event with the
# registry key last written time?
if value.name == 'Item 1':
timestamp = timelib.Timestamp.FromFiletime(filetime)
else:
timestamp = 0
text_dict = {}
text_dict[value.name] = value.data
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=timestamp,
source_append=': {0:s}'.format(
self.DESCRIPTION))
def GetEntries(self, key, **unused_kwargs):
"""Returns an event object based on a Registry key name and values."""
text_dict = {}
if key.number_of_values == 0:
text_dict[u'Value'] = u'No values stored in key.'
else:
for value in key.GetValues():
if not value.name:
value_name = '(default)'
else:
value_name = u'{0:s}'.format(value.name)
if value.data is None:
value_string = u'[{0:s}] Empty'.format(
value.data_type_string)
elif value.DataIsString():
string_decode = utils.GetUnicodeString(value.data)
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, string_decode)
elif value.DataIsInteger():
value_string = u'[{0:s}] {1:d}'.format(
value.data_type_string, value.data)
elif value.DataIsMultiString():
if type(value.data) not in (list, tuple):
value_string = u'[{0:s}]'.format(
value.data_type_string)
# TODO: Add a flag or some sort of an anomaly alert.
else:
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, u''.join(value.data))
else:
value_string = u'[{0:s}]'.format(value.data_type_string)
text_dict[value_name] = value_string
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp,
offset=key.offset)
def GetEntries(self, key, **unused_kwargs):
"""Retrieves information from the MountPoints2 registry key.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object of with the extracted data.
"""
for subkey in key.GetSubkeys():
name = subkey.name
if not name:
continue
text_dict = {}
text_dict[u'Volume'] = name
# Get the label if it exists.
label_value = subkey.GetValue('_LabelFromReg')
if label_value:
text_dict[u'Label'] = label_value.data
if name.startswith('{'):
text_dict[u'Type'] = u'Volume'
elif name.startswith('#'):
# The format is: ##Server_Name#Share_Name.
text_dict[u'Type'] = u'Remote Drive'
server_name, _, share_name = name[2:].partition('#')
text_dict[u'Remote_Server'] = server_name
text_dict[u'Share_Name'] = u'\\{0:s}'.format(
share_name.replace(u'#', u'\\'))
else:
text_dict[u'Type'] = u'Drive'
yield event.WinRegistryEvent(
key.path,
text_dict,
timestamp=subkey.last_written_timestamp,
offset=subkey.offset)
def GetEntries(self, key, **unused_kwargs):
"""Parses a UserAssist Registry key.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object (instance of EventObject) that contains an user assist
entry.
"""
version_value = key.GetValue('Version')
count_subkey = key.GetSubkey('Count')
regalert_string = ''
if not version_value:
regalert_string = 'missing version value'
elif not version_value.DataIsInteger():
regalert_string = 'unsupported version value data type'
elif version_value.data not in [3, 5]:
regalert_string = 'unsupported version: {0:d}'.format(
version_value.data)
elif not count_subkey:
regalert_string = 'missing count subkey'
if regalert_string:
text_dict = {}
text_dict['Version'] = 'REGALERT {0:s}.'.format(regalert_string)
regalert_string = ''
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
else:
for value in count_subkey.GetValues():
try:
value_name = value.name.decode('rot-13')
except UnicodeEncodeError as exception:
logging.debug((
u'Unable to decode UserAssist string: {0:s} with error: {1:s}.\n'
u'Attempting piecewise decoding.').format(
value.name, exception))
characters = []
for char in value.name:
if ord(char) < 128:
try:
characters.append(char.decode('rot-13'))
except UnicodeEncodeError:
characters.append(char)
else:
characters.append(char)
value_name = u''.join(characters)
if version_value.data == 5:
path_segments = value_name.split('\\')
for segment_index in range(0, len(path_segments)):
path_segments[
segment_index] = knownfolderid.IDENTIFIERS.get(
path_segments[segment_index],
path_segments[segment_index])
value_name = u'\\'.join(path_segments)
# Check if we might need to substitute values.
if '%' in value_name:
value_name = environ_expand.ExpandWindowsEnvironmentVariables(
value_name, self._config)
if not value.DataIsBinaryData():
regalert_string = 'unsupported value data type: {0:s}'.format(
value.data_type_string)
elif version_value.data == 3:
if len(value.data) != self.USERASSIST_V3_STRUCT.sizeof():
regalert_string = 'unsupported value data size: {0:d}'.format(
len(value.data))
else:
parsed_data = self.USERASSIST_V3_STRUCT.parse(
value.data)
filetime = parsed_data.get('timestamp', 0)
count = parsed_data.get('count', 0)
if count > 5:
count -= 5
text_dict = {}
text_dict[value_name] = u'[Count: {0}]'.format(count)
yield event.WinRegistryEvent(
count_subkey.path,
text_dict,
timestamp=timelib.Timestamp.FromFiletime(filetime),
offset=value.offset)
elif version_value.data == 5:
if len(value.data) != self.USERASSIST_V5_STRUCT.sizeof():
regalert_string = 'unsupported value data size: {0:d}'.format(
len(value.data))
parsed_data = self.USERASSIST_V5_STRUCT.parse(value.data)
userassist_entry = parsed_data.get('userassist_entry',
None)
count = parsed_data.get('count', None)
app_focus_count = parsed_data.get('app_focus_count', None)
focus_duration = parsed_data.get('focus_duration', None)
timestamp = parsed_data.get('timestamp', 0)
text_dict = {}
text_dict[value_name] = (
u'[userassist_entry: {0}, Count: {1}, app_focus_count: {2}, '
u'focus_duration: {3}]').format(
userassist_entry, count, app_focus_count,
focus_duration)
yield event.WinRegistryEvent(
count_subkey.path,
text_dict,
timestamp=timelib.Timestamp.FromFiletime(timestamp))
if regalert_string:
text_dict = {}
text_dict[value_name] = 'REGALERT {0:s}.'.format(regalert_string)
regalert_string = ''
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
def GetEntries(self, key, **unused_kwargs):
"""Create one event for each subkey under Services that has Type and Start.
Adds descriptions of the ErrorControl, Type and StartvValues.
Alerts on unusual settingssuch as Start/Type mismatches or drivers outside
of C:/Windows/system32/drivers.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
Event objects extracted from the Windows service values.
"""
text_dict = {}
service_type_value = key.GetValue('Type')
service_start_value = key.GetValue('Start')
if service_type_value and service_start_value:
service_type = service_type_value.data
text_dict['Type'] = self.SERVICE_TYPE.get(service_type,
service_type)
service_start = service_start_value.data
service_start_str = self.SERVICE_START.get(service_start,
service_start)
# Check for unusal Type/Start pairs.
if service_type > 0 and service_type < 15 and service_start == 2:
service_start_str = 'REGALERT Unusual Start for Driver: {}'.format(
self.SERVICE_START[service_start])
if service_type > 15 and service_type < 257 and service_start in [
0, 1
]:
service_start_str = 'REGALERT Unusal Start for Service: {}'.format(
self.SERVICE_START[service_start])
text_dict['Start'] = service_start_str
# Convert ErrorControl to Human Readable.
if key.GetValue('ErrorControl'):
error_control = key.GetValue('ErrorControl').data
text_dict['ErrorControl'] = self.SERVICE_ERROR.get(
error_control, error_control)
object_name = self.GetObjectName(key, service_type)
if object_name:
text_dict['ObjectName'] = object_name
image_path = self.GetImagePath(key, service_type)
if image_path:
text_dict['ImagePath'] = image_path
# Gather all the other string and integer values and insert as they are.
for value in key.GetValues():
if not value.name:
continue
if value.name not in text_dict:
if value.DataIsString() or value.DataIsInteger():
text_dict[value.name] = value.data
elif value.DataIsMultiString():
text_dict[value.name] = u', '.join(value.data)
event_object = event.WinRegistryEvent(
key.path, text_dict, timestamp=key.last_written_timestamp)
yield event_object
def GetEntries(self, key, **unused_kwargs):
"""Retrieves information of the Internet Settings Zones values.
The MSIE Feature controls are stored in the Zone specific subkeys in:
Internet Settings\\Zones key
Internet Settings\\Lockdown_Zones key
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object of the an individual Internet Setting Registry key.
"""
text_dict = {}
if key.number_of_values == 0:
text_dict[u'Value'] = u'No values stored in key'
else:
for value in key.GetValues():
if not value.name:
value_name = '(default)'
else:
value_name = u'{0:s}'.format(value.name)
if value.DataIsString():
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, value.data)
elif value.DataIsInteger():
value_string = u'[{0:s}] {1:d}'.format(
value.data_type_string, value.data)
elif value.DataIsMultiString():
value_string = u'[{0:s}] {1:s}'.format(
value.data_type_string, u''.join(value.data))
else:
value_string = u'[{0:s}]'.format(value.data_type_string)
text_dict[value_name] = value_string
yield event.WinRegistryEvent(
key.path, text_dict, timestamp=key.last_written_timestamp,
offset=key.offset)
if key.number_of_subkeys == 0:
logging.info('No subkeys for Internet Settings/Zones')
text_dict = {}
text_dict['Zone Subkeys'] = u'REGALERT No Zones set for Internet Settings'
yield event.WinRegistryEvent(
key.path, text_dict, timestamp=key.last_written_timestamp,
offset=key.offset)
else:
for zone_key in key.GetSubkeys():
# TODO: these values are stored in the Description value of the
# zone key. This solution will break on zone values that are larger
# than 5.
path = u'{0:s}\\{1:s}'.format(
key.path, self.ZONE_NAMES[zone_key.name])
text_dict = {}
# TODO: this plugin currently just dumps the values and does not
# distinguish between what is a feature control or not.
for value in zone_key.GetValues():
# Ignore the default value.
if not value.name:
continue
if value.DataIsString():
value_string = value.data
elif value.DataIsInteger():
if value.name in self.KNOWN_PERMISSIONS_VALUE_NAMES:
value_string = self.CONTROL_VALUES_PERMISSIONS[value.data]
elif value.name == '1A00':
value_string = self.CONTROL_VALUES_1A00[value.data]
elif value.name == '1C00':
value_string = self.CONTROL_VALUES_1C00[value.data]
elif value.name == '1E05':
value_string = self.CONTROL_VALUES_SAFETY[value.data]
else:
value_string = u'{0:d}'.format(value.data)
else:
value_string = u'[{0:s}]'.format(value.data_type_string)
if len(value.name) == 4 and value.name != 'Icon':
value_description = self.FEATURE_CONTROLS.get(value.name, 'UNKNOWN')
else:
value_description = self.FEATURE_CONTROLS.get(value.name, '')
if value_description:
feature_control = u'[{0:s}] {1:s}'.format(
value.name, value_description)
else:
feature_control = u'[{0:s}]'.format(value.name)
text_dict[feature_control] = value_string
yield event.WinRegistryEvent(
path, text_dict, timestamp=zone_key.last_written_timestamp)
def GetEventObjects():
"""Returns a list of test event objects."""
event_objects = []
hostname = 'MYHOSTNAME'
data_type = 'test:event1'
event_a = event.EventObject()
event_a.username = '******'
event_a.filename = 'c:/Users/joesmith/NTUSER.DAT'
event_a.hostname = hostname
event_a.timestamp = 0
event_a.data_type = data_type
event_b = event.WinRegistryEvent(u'MY AutoRun key',
{u'Run': u'c:/Temp/evil.exe'},
timestamp=1334961526929596)
event_b.hostname = hostname
event_objects.append(event_b)
event_c = event.WinRegistryEvent(
u'//HKCU/Secret/EvilEmpire/Malicious_key',
{u'Value': u'REGALERT: send all the exes to the other world'},
timestamp=1334966206929596)
event_c.hostname = hostname
event_objects.append(event_c)
event_d = event.WinRegistryEvent(u'//HKCU/Windows/Normal',
{u'Value': u'run all the benign stuff'},
timestamp=1334940286000000)
event_d.hostname = hostname
event_objects.append(event_d)
event_objects.append(event_a)
filename = 'c:/Temp/evil.exe'
event_e = TestEvent1(1335781787929596,
{'text': 'This log line reads ohh so much.'})
event_e.filename = filename
event_e.hostname = hostname
event_objects.append(event_e)
event_f = TestEvent1(1335781787929596,
{'text': 'Nothing of interest here, move on.'})
event_f.filename = filename
event_f.hostname = hostname
event_objects.append(event_f)
event_g = TestEvent1(
1335791207939596,
{'text': 'Mr. Evil just logged into the machine and got root.'})
event_g.filename = filename
event_g.hostname = hostname
event_objects.append(event_g)
text_dict = {
'body':
(u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'),
'hostname':
u'nomachine',
'username':
u'johndoe'
}
event_h = event.TextEvent(1338934459000000, text_dict)
event_h.text = event_h.body
event_h.hostname = hostname
event_h.filename = filename
event_objects.append(event_h)
return event_objects
def GetEntries(self, key, **unused_kwargs):
"""Extracts event objects from a Application Compatibility Cache key.
Args:
key: A Windows Registry key (instance of WinRegKey).
Yields:
An event object (instance of EventObject) that contains a cached entry.
"""
value = key.GetValue('AppCompatCache')
if not value:
return
value_data = value.data
value_data_size = len(value.data)
parser = AppCompatCacheKeyParser()
format_type = parser.CheckSignature(value_data)
if not format_type:
text_dict = {}
text_dict['AppCompatCache'] = u'REGALERT: Unsupported signature.'
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
return
header_object = parser.ParseHeader(format_type, value_data)
# On Windows Vista and 2008 when the cache is empty it will
# only consist of the header.
if value_data_size <= header_object.header_size:
return
cached_entry_offset = header_object.header_size
cached_entry_size = parser.DetermineCacheEntrySize(
format_type, value_data, cached_entry_offset)
if not cached_entry_size:
text_dict = {}
text_dict[
'AppCompatCache'] = u'REGALERT: Unsupported cached entry size.'
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
return
cached_entry_index = 0
while cached_entry_offset < value_data_size:
cached_entry_object = parser.ParseCachedEntry(
format_type, value_data, cached_entry_offset,
cached_entry_size)
value_name = u'Cached entry: {0:d}'.format(cached_entry_index + 1)
text_dict = {}
text_dict[value_name] = u'[Path: {0:s}]'.format(
cached_entry_object.path)
if cached_entry_object.last_modification_time is not None:
yield event.WinRegistryEvent(
key.path,
text_dict,
timestamp=timelib.Timestamp.FromFiletime(
cached_entry_object.last_modification_time),
offset=cached_entry_offset)
if cached_entry_object.last_update_time is not None:
yield event.WinRegistryEvent(
key.path,
text_dict,
timestamp=timelib.Timestamp.FromFiletime(
cached_entry_object.last_update_time),
offset=cached_entry_offset)
cached_entry_offset += cached_entry_object.cached_entry_size
cached_entry_index += 1
if (header_object.number_of_cached_entries != 0
and cached_entry_index >=
header_object.number_of_cached_entries):
break
text_dict = {}
text_dict[
'AppCompatCache'] = u'[Number of cached entries: {0:d}]'.format(
cached_entry_index)
yield event.WinRegistryEvent(key.path,
text_dict,
timestamp=key.last_written_timestamp)
def GetEntries(self, key, **unused_kwargs):
"""Collect Values under USBStor and return an event object for each one."""
for subkey in key.GetSubkeys():
text_dict = {}
text_dict['subkey_name'] = subkey.name
# Time last USB device of this class was first inserted.
yield event.WinRegistryEvent(
key.path, text_dict, timestamp=subkey.last_written_timestamp,
usage=eventdata.EventTimestamp.FIRST_CONNECTED,
source_append=': {0:s}'.format(self.DESCRIPTION))
# TODO: Determine if these 4 fields always exist.
try:
device_type, vendor, product, revision = subkey.name.split('&')
except ValueError as exception:
logging.warning(
u'Unable to split string: {} - [{}]'.format(
subkey.name, exception))
text_dict['device_type'] = device_type
text_dict['vendor'] = vendor
text_dict['product'] = product
text_dict['revision'] = revision
for devicekey in subkey.GetSubkeys():
text_dict['serial'] = devicekey.name
friendly_name_value = devicekey.GetValue('FriendlyName')
if friendly_name_value:
text_dict['friendly_name'] = friendly_name_value.data
else:
text_dict.pop('friendly_name', None)
# ParentIdPrefix applies to Windows XP Only.
parent_id_prefix_value = devicekey.GetValue('ParentIdPrefix')
if parent_id_prefix_value:
text_dict['parent_id_prefix'] = parent_id_prefix_value.data
else:
text_dict.pop('parent_id_prefix', None)
# Win7 - Last Connection.
# Vista/XP - Time of an insert.
yield event.WinRegistryEvent(
key.path, text_dict,
timestamp=devicekey.last_written_timestamp,
usage=eventdata.EventTimestamp.LAST_CONNECTED,
source_append=': {0:s}'.format(self.DESCRIPTION))
# Build list of first Insertion times.
first_insert = []
device_parameter_key = devicekey.GetSubkey('Device Parameters')
if device_parameter_key:
first_insert.append(device_parameter_key.last_written_timestamp)
log_configuration_key = devicekey.GetSubkey('LogConf')
if (log_configuration_key and
log_configuration_key.last_written_timestamp not in first_insert):
first_insert.append(log_configuration_key.last_written_timestamp)
properties_key = devicekey.GetSubkey('Properties')
if (properties_key and
properties_key.last_written_timestamp not in first_insert):
first_insert.append(properties_key.last_written_timestamp)
# Add first Insertion times.
for timestamp in first_insert:
yield event.WinRegistryEvent(
key.path, text_dict, timestamp=timestamp,
usage=eventdata.EventTimestamp.LAST_CONNECTED,
source_append=': {0:s}'.format(self.DESCRIPTION))