Ejemplo n.º 1
0
    def run(self):
        lst = []
        "use the SOFTWARE hive to get the result"
        ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
        hive = get_hive(self.prim_hive, self.log_files)
        ProfileList_user_settings_key = hive.find_key(
            ProfileList_user_settings_path)
        # print('Found a key: {}'.format(ProfileList_user_settings_key.path()))
        if ProfileList_user_settings_key:
            for sid_key in ProfileList_user_settings_key.subkeys():
                sid_name = sid_key.name()
                Profile_path = sid_key.value(name=u"ProfileImagePath")
                Profile_data = strip_control_characters(Profile_path.data())
                timestamp = sid_key.last_written_timestamp().isoformat()
                user = strip_control_characters(
                    os.path.basename(os.path.normpath(Profile_data)))
                record = OrderedDict([("Path", Profile_data), ("User", user),
                                      ("sid", sid_name),
                                      ("Key_Timestamp", timestamp),
                                      ("@timestamp", timestamp)])

                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
        else:
            logging.info(u"[{}] {} not found.".format(
                'ProfileList', ProfileList_user_settings_path))

        return lst
Ejemplo n.º 2
0
    def run(self):
        hive = get_hive(self.prim_hive,self.log_files)
        select_key = hive.find_key(u'Select')
        current_path=''
        if select_key:
            current_value = select_key.value(name=u"Current")
            current_path = u"ControlSet{:03d}".format(current_value.data())
        else:
            current_path ='ControlSet001'
        lst= []
        DHCP_user_settings_path = u"\\".join([current_path,u"Services\\Tcpip\\Parameters\\Interfaces"])
        DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path)
        if DHCP_user_settings_key:
            for sid_key in DHCP_user_settings_key.subkeys():
                timestamp = sid_key.last_written_timestamp().isoformat()
                sid_name = sid_key.name()

                def get_date (value_name):
                    value = sid_key.value(name=value_name)
                    if value:
                        value = value.data()
                    else:
                        value ="None"
                    return value

                dict_values_data = {'DhcpIPAddress' : strip_control_characters(get_date('DhcpIPAddress')),
                                        'DhcpServer' : strip_control_characters(get_date('DhcpServer')),
                                        'DhcpSubnetMask' : strip_control_characters(get_date('DhcpSubnetMask')),
                                        'Domain' : strip_control_characters(get_date('Domain')),
                                        'NameServer' : strip_control_characters(get_date('NameServer')),
                                        'EnableDHCP' : get_date('EnableDHCP'),
                                        'DhcpConnForceBroadcastFlag' : get_date('DhcpConnForceBroadcastFlag'),
                                        'IsServerNapAware' : get_date('IsServerNapAware'),
                                        'RegisterAdapterName' : get_date('RegisterAdapterName'),
                                        'RegistrationEnabled' : get_date('RegistrationEnabled')}


                record = OrderedDict([
                    ("Dhcp IP Address", dict_values_data['DhcpIPAddress']),
                    ("Dhcp Server", dict_values_data['DhcpServer']),
                    ("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']),
                    ("Domain", dict_values_data['Domain']),
                    ("Name Server", dict_values_data['NameServer']),
                    ("Enable DHCP", dict_values_data['EnableDHCP']),
                    ("DhcpConnForceBroadcastFlag", dict_values_data['DhcpConnForceBroadcastFlag']),
                    ("Is Server NapAware", dict_values_data['IsServerNapAware']),
                    ("Register Adapter Name", dict_values_data['RegisterAdapterName']),
                    ("Registration Enabled", dict_values_data['RegistrationEnabled']),
                    ('@timestamp',timestamp)
                ])

                lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
        # else:
            # # logging.info(u"[{}] {} not found.".format('DHCP', DHCP_user_settings_path))

        return lst
Ejemplo n.º 3
0
    def run(self):
        lst = []
        TypedPaths_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"
        hive = get_hive(self.prim_hive, self.log_files)
        TypedPaths_user_settings_key = hive.find_key(
            TypedPaths_user_settings_path)
        if TypedPaths_user_settings_key:
            #for sid_key in TypedPaths_user_settings_key.subkeys():
            sid_key_values = iter(TypedPaths_user_settings_key.values())
            while True:
                try:
                    value = next(sid_key_values)
                except StopIteration:
                    break
                except Exception as error:
                    # logging.error(u"Error getting next value: {}".format(error))
                    continue

                value_name = value.name()
                url_data = value.data()
                timestamp = TypedPaths_user_settings_key.last_written_timestamp(
                ).isoformat()
                record = OrderedDict([("Key_Timestamp", timestamp),
                                      ("Url Name", value_name),
                                      ("Url",
                                       strip_control_characters(url_data)),
                                      ("@timestmap", timestamp)])

                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))

        # else:
        #     # logging.info(u"[{}] {} not found.".format('TypedPaths', TypedPaths_user_settings_path))

        return lst
Ejemplo n.º 4
0
    def run(self):
        lst = []
        "use the NTUSER.dat hive to get the result"
        RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'
        hive = get_hive(self.prim_hive, self.log_files)
        RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path)
        if RunMRU_user_settings_key:
            sid_key_values = iter(RunMRU_user_settings_key.values())
            timestamp = RunMRU_user_settings_key.last_written_timestamp(
            ).isoformat()
            while True:
                try:
                    value = next(sid_key_values)
                except StopIteration:
                    break
                except Exception as error:
                    # logging.error(u"Error getting next value: {}".format(error))
                    continue

                sid_name = value.name()
                file_name = strip_control_characters(value.data())

                record = OrderedDict([("Sequence", sid_name),
                                      ("Command", file_name),
                                      ("Key_Timestamp", timestamp),
                                      ("@timestamp", timestamp)])

                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
        # else:
        #     # logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path))

        return lst
Ejemplo n.º 5
0
    def run(self):
        hive = get_hive(self.prim_hive, self.log_files)
        select_key = hive.find_key(u'Select')
        current_path = ''
        if select_key:
            current_value = select_key.value(name=u"Current")
            current_path = u"ControlSet{:03d}".format(current_value.data())
        else:
            current_path = 'ControlSet001'
        lst = []
        TimeZoneInformation_user_settings_path = u"\\".join(
            [current_path, u"Control\\TimeZoneInformation"])
        TimeZoneInformation_user_settings_key = hive.find_key(
            TimeZoneInformation_user_settings_path)
        if TimeZoneInformation_user_settings_key:
            TimeZoneKeyName = TimeZoneInformation_user_settings_key.value(
                name=u"TimeZoneKeyName")
            TimeZoneKeyName_data = TimeZoneKeyName.data()
            timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp(
            ).isoformat()
            record = OrderedDict([
                ("Time Zone", strip_control_characters(TimeZoneKeyName_data)),
                ("Key_Timestamp", timestamp), ("@timestamp", timestamp)
            ])

            lst.append(
                eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))

        # else:
        #     # logging.info(u"[{}] {} not found.".format('TimeZoneInformation', TimeZoneInformation_user_settings_path))

        return lst
Ejemplo n.º 6
0
    def run(self):
        lst = []
        "use the SOFTWARE hive to get the result"
        InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths"
        hive = get_hive(self.prim_hive, self.log_files)
        InstalledApp_user_settings_key = hive.find_key(
            InstalledApp_user_settings_path)
        # print('Found a key: {}'.format(InstalledApp_user_settings_key.path()))
        if InstalledApp_user_settings_key:
            for sid_key in InstalledApp_user_settings_key.subkeys():
                sid_name = sid_key.name()
                timestamp = sid_key.last_written_timestamp().isoformat()
                Path = sid_key.value(name=u"Path")
                if Path:
                    Path_data = strip_control_characters(Path.data())
                else:
                    Path_data = ""
                record = OrderedDict([
                    ("Application_Name", sid_name),
                    ("InstalledApp_date", timestamp),
                    ("Path", Path_data),
                    ("@timestamp", timestamp),
                ])

                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
        # else:
        #     # logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path))

        return lst
Ejemplo n.º 7
0
    def run(self):
        lst = []
        "use the SOFTWARE hive to get the result"
        ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved'

        hive = get_hive(self.prim_hive, self.log_files)
        ShellExtensions_user_settings_key = hive.find_key(
            ShellExtensions_user_settings_path)
        if ShellExtensions_user_settings_key:
            sid_key_values = iter(ShellExtensions_user_settings_key.values())
            timestamp = ShellExtensions_user_settings_key.last_written_timestamp(
            ).isoformat()
            while True:

                try:
                    value = next(sid_key_values)
                except StopIteration:
                    break
                except Exception as error:
                    logging.error(
                        u"Error getting next value: {}".format(error))
                    continue

                sid_name = value.name()
                data = value.data()
                if isinstance(data, bytes):
                    pos = data.find(b'\x00\x00') + 1
                    file_name = strip_control_characters(
                        data[:pos].decode('utf-16'))
                else:
                    file_name = strip_control_characters(data)

                record = OrderedDict([("sid", sid_name),
                                      ("File Name", file_name),
                                      ("key_last_written_timestamp",
                                       timestamp), ("@timestamp", timestamp)])

                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
        else:
            logging.info(u"[{}] {} not found.".format(
                'ShellExtensions', ShellExtensions_user_settings_path))

        return lst
Ejemplo n.º 8
0
    def run(self):
        lst = []
        "use the SOFTWARE hive to get the result"
        InstalledComponents_user_settings_path = [
            u'Microsoft\\Active Setup\\Installed Components',
            u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components'
        ]
        hive = get_hive(self.prim_hive, self.log_files)
        for path in InstalledComponents_user_settings_path:
            InstalledComponents_user_settings_key = hive.find_key(path)
            if InstalledComponents_user_settings_key:
                for sid_key in InstalledComponents_user_settings_key.subkeys():
                    sid_name = sid_key.name()
                    timestamp = sid_key.last_written_timestamp().isoformat()
                    IsInstalled = sid_key.value(name=u"IsInstalled")
                    if IsInstalled:
                        IsInstalled_data = IsInstalled.data()
                    else:
                        IsInstalled_data = "None"

                    DontAsk = sid_key.value(name=u"DontAsk")
                    if DontAsk:
                        DontAsk_data = DontAsk.data()
                    else:
                        DontAsk_data = "None"

                    Enabled = sid_key.value(name=u"Enabled")
                    if Enabled:
                        Enabled_data = Enabled.data()
                    else:
                        Enabled_data = "None"

                    Locale = sid_key.value(name=u"Locale")
                    if Locale:
                        Locale_data = strip_control_characters(Locale.data())
                    else:
                        Locale_data = "None"

                    LocalizedName = sid_key.value(name=u"LocalizedName")
                    if LocalizedName:
                        LocalizedName_data = strip_control_characters(
                            LocalizedName.data())
                    else:
                        LocalizedName_data = "None"

                    StubPath = sid_key.value(name=u"StubPath")
                    if StubPath:
                        StubPath_data = strip_control_characters(
                            StubPath.data())
                    else:
                        StubPath_data = "None"

                    Version = sid_key.value(name=u"Version")
                    if Version:
                        Version_data = strip_control_characters(Version.data())
                    else:
                        Version_data = "None"

                    ComponentID = sid_key.value(name=u"ComponentID")
                    if ComponentID:
                        ComponentID_data = strip_control_characters(
                            ComponentID.data())
                    else:
                        ComponentID_data = "None"

                    record = OrderedDict([
                        ("sid", sid_name),
                        ("last_written_timestamp", timestamp),
                        ("ComponentID", ComponentID_data),
                        ("Version", Version_data), ("StubPath", StubPath_data),
                        ("LocalizedName", LocalizedName_data),
                        ("Locale", Locale_data), ("Enabled", Enabled_data),
                        ("DontAsk", DontAsk_data),
                        ("IsInstalled", IsInstalled_data),
                        ("@timestamp", timestamp)
                    ])

                    lst.append(
                        eval(u"{}".format(
                            json.dumps(record, cls=ComplexEncoder))))
        # else:
        #     # logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path))

        return lst
Ejemplo n.º 9
0
    def run(self):
        lst = []
        "use the SOFTWARE hive to get the result"
        Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall"
        hive = get_hive(self.prim_hive, self.log_files)
        Uninstall_user_settings_key = hive.find_key(
            Uninstall_user_settings_path)
        # print('Found a key: {}'.format(Uninstall_user_settings_key.path()))
        if Uninstall_user_settings_key:
            for sid_key in Uninstall_user_settings_key.subkeys():
                sid_name = sid_key.name()
                timestamp = sid_key.last_written_timestamp().isoformat()
                #try:
                DisplayName = sid_key.value(name=u"DisplayName")
                if DisplayName:
                    DisplayName_data = strip_control_characters(
                        DisplayName.data())
                else:
                    DisplayName_data = ""

                DisplayVersion = sid_key.value(name=u"DisplayVersion")
                if DisplayVersion:
                    DisplayVersion_data = strip_control_characters(
                        DisplayVersion.data())
                else:
                    DisplayVersion_data = ""

                InstallDate = sid_key.value(name=u"InstallDate")
                if InstallDate:
                    InstallDate_data = strip_control_characters(
                        InstallDate.data())

                else:
                    InstallDate_data = ""

                InstallLocation = sid_key.value(name=u"InstallLocation")
                if InstallLocation:
                    InstallLocation_data = strip_control_characters(
                        InstallLocation.data())
                else:
                    InstallLocation_data = ""

                InstallSource = sid_key.value(name=u"InstallSource")
                if InstallSource:
                    InstallSource_data = strip_control_characters(
                        InstallSource.data())
                else:
                    InstallSource_data = ""

                ModifyPath = sid_key.value(name=u"ModifyPath")
                if ModifyPath:
                    ModifyPath_data = strip_control_characters(
                        ModifyPath.data())
                else:
                    ModifyPath_data = ""

                Publisher = sid_key.value(name=u"Publisher")
                if Publisher:
                    Publisher_data = strip_control_characters(Publisher.data())
                else:
                    Publisher_data = ""
                Size = sid_key.value(name=u"Size")
                if Size:
                    Size_data = str(Size.data())
                else:
                    Size_data = ""

                URLInfoAbout = sid_key.value(name=u"URLInfoAbout")
                if URLInfoAbout:
                    URLInfoAbout_data = strip_control_characters(
                        URLInfoAbout.data())
                else:
                    URLInfoAbout_data = ""

                record = OrderedDict([("name", sid_name),
                                      ("Uninstall_date", timestamp),
                                      ("Application_Name", DisplayName_data),
                                      ("Version", DisplayVersion_data),
                                      ("Install_Date", InstallDate_data),
                                      ("Install_Location",
                                       InstallLocation_data),
                                      ("Install_Source", InstallSource_data),
                                      ("Modify_Path", ModifyPath_data),
                                      ("Publisher", Publisher_data),
                                      ("Size", Size_data),
                                      ("URLInfoAbout", URLInfoAbout_data),
                                      ("@timestamp", timestamp)])

                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
        else:
            logging.info(u"[{}] {} not found.".format('Bam',
                                                      bam_user_settings_path))

        return lst
Ejemplo n.º 10
0
    def run(self):
        lst = []
        TerminalServerClient_user_settings_paths = [
            'Software\\Microsoft\\Terminal Server Client\\Servers',
            'Software\\Microsoft\\Terminal Server Client\\Default'
        ]
        for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths:
            hive = get_hive(self.prim_hive, self.log_files)
            TerminalServerClient_user_settings_key = hive.find_key(
                TerminalServerClient_user_settings_path)
            # print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path()))
            if TerminalServerClient_user_settings_key:
                timestamp = TerminalServerClient_user_settings_key.last_written_timestamp(
                ).isoformat()
                if "Servers" in TerminalServerClient_user_settings_path:
                    for sid_key in TerminalServerClient_user_settings_key.subkeys(
                    ):
                        key_name = sid_key.name()
                        sid_key_values = iter(sid_key.values())

                        while True:
                            try:
                                value = next(sid_key_values)
                            except StopIteration:
                                break
                            except Exception as error:
                                # # logging.error(u"Error getting next value: {}".format(error))
                                continue

                            value_name = value.name()
                            UsernameHint = "" if "UsernameHint" != value_name else strip_control_characters(
                                value.data())

                            record = OrderedDict([("key_timestamp", timestamp),
                                                  ("IP_Address", key_name),
                                                  ("User_Name", UsernameHint),
                                                  ("@timestamp", timestamp)])
                            lst.append(
                                eval(u"{}".format(
                                    json.dumps(record, cls=ComplexEncoder))))
                else:
                    sid_key_values = iter(
                        TerminalServerClient_user_settings_key.values())

                    while True:
                        try:
                            value = next(sid_key_values)
                        except StopIteration:
                            break
                        except Exception as error:
                            # # logging.error(u"Error getting next value: {}".format(error))
                            continue

                        value_name = value.name()
                        value_data = value.data()

                        record = OrderedDict([
                            ("key_timestamp", timestamp),
                            ("@timestamp", timestamp),
                            ("IP_Address",
                             strip_control_characters(value_data)),
                            ("Value_Name", value_name)
                        ])
                        #
                        lst.append(
                            eval(u"{}".format(
                                json.dumps(record, cls=ComplexEncoder))))

        # else:
        #     # # logging.info(u"[{}] {} not found.".format('TerminalServerClient', TerminalServerClient_user_settings_path))
        return lst
Ejemplo n.º 11
0
    def run(self):
        lst = []
        hive = get_hive(self.prim_hive, self.log_files)
        Amcache_user_settings_path = u"root\\InventoryApplicationFile"
        Amcache_win7_user_settings_path = u"root\\File"
        Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path)
        Amcache7_user_settings_key = hive.find_key(
            Amcache_win7_user_settings_path)
        if Amcache_user_settings_key:
            for sid_key in Amcache_user_settings_key.subkeys():
                sid_key_values = iter(sid_key.values())
                key_time = sid_key.last_written_timestamp().isoformat()
                win10_amache_mapping = {
                    "ProgramId": "ProgramId",
                    "LongPathHash": "LongPathHash",
                    "IsOsComponent": "IsOsComponent",
                    "Usn": "Usn",
                    "LowerCaseLongPath": "Path",
                    "FileId": "Sha1",
                    "Name": "Name",
                    "Publisher": "CompanyName",
                    "Version": "Version",
                    "BinFileVersion": "BinFileVersion",
                    "BinaryType": "BinaryType",
                    "ProductName": "ProductName",
                    "ProductVersion": "ProductVersion",
                    "LinkDate": "LinkDate",
                    "BinProductVersion": "BinProductVersion",
                    "Size": "FileSize",
                    "Language": "Language",
                    "IsPeFile": "IsPeFile"
                }
                record = OrderedDict([])
                while True:
                    try:
                        value = next(sid_key_values)
                    except StopIteration:
                        break
                    except Exception as error:
                        # # logging.error(u"Error getting next value: {}".format(error))
                        continue

                    value_name = value.name()
                    if value_name in win10_amache_mapping.keys():
                        names = win10_amache_mapping[value_name]
                    else:
                        names = value_name
                    data = value.data()

                    record[names] = strip_control_characters(str(data))
                record["@timestamp"] = key_time

                if record["Sha1"].startswith("0000"):
                    sha1 = record["Sha1"]
                    record["Sha1"] = sha1[4:]
                lst.append(
                    eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
            return lst

        elif Amcache7_user_settings_key:
            win8_amcache_mapping = {
                '0': 'ProductName',
                '1': 'CompanyName',
                '2': 'FileVersionNum',
                '3': 'Language',
                '4': 'SwitchBackContext',
                '5': 'FileVersion',
                '6': 'FileSize',
                '7': 'pe_header_hash',
                '8': 'unknown1',
                '9': 'pe_header_checksum',
                'a': 'unknown2',
                'b': 'unknown3',
                'c': 'file_description',
                'd': 'unknown4',
                'f': 'linker_compile_time',
                '10': 'unknown5',
                '11': 'last_modified_timestamp',
                '12': 'created_timestamp',
                '15': 'Path',
                '16': 'unknown6',
                '17': 'last_modified_timestamp_2',
                '100': 'ProgramId',
                '101': 'Sha1'
            }
            for sid_key in Amcache7_user_settings_key.subkeys():
                for sidd_key in sid_key.subkeys():
                    sid_key_values = iter(sidd_key.values())
                    key_time = sidd_key.last_written_timestamp().isoformat()
                    record = OrderedDict([])
                    while True:
                        try:
                            value = next(sid_key_values)
                        except StopIteration:
                            break
                        except Exception as error:
                            # # logging.error(u"Error getting next value: {}".format(error))
                            continue

                        value_name = value.name()
                        names = win8_amcache_mapping[value_name]
                        data = value.data()
                        if "time" in names:
                            if "linker_compile_time" in names:
                                data = datetime.datetime.fromtimestamp(data)
                            else:
                                data = convert_datetime(data)

                        record[names] = strip_control_characters(str(data))

                    if len(record) == 0:
                        continue
                    record["@timestamp"] = key_time
                    if record["Sha1"].startswith("0000"):
                        sha1 = record["Sha1"]
                        record["Sha1"] = sha1[4:]
                    lst.append(u"{}".format(
                        json.dumps(record, cls=ComplexEncoder)))
            return lst