def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
bam_user_settings_path = u"\\".join(
[current_path, u"Services\\bam\\UserSettings"])
bam_user_settings_key = hive.find_key(bam_user_settings_path)
if bam_user_settings_key:
for sid_key in bam_user_settings_key.subkeys():
sid_name = sid_key.name()
version_value = sid_key.value(name=u"Version")
version = None
if version_value:
version = version_value.data()
sequence_value = sid_key.value(name=u"SequenceNumber")
sequence = None
if sequence_value:
sequence = version_value.data()
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data_raw()
if value_name not in [u"Version", u"SequenceNumber"]:
timestamp = convert_datetime(value_data[0:8])
record = OrderedDict([("name", value_name),
("@timestamp", timestamp),
("sid", sid_name),
("version", version),
("sequence", sequence)])
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format('Bam',
bam_user_settings_path))
def run(self):
# for reg_handler in registry_manager.iter_registry_handlers(name=u'NTUSER.DAT'):
hive = get_hive(self.prim_hive,self.log_files)
user_assist_key = hive.find_key(u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist')
if user_assist_key is not None:
lst =[]
for guid_key in user_assist_key.subkeys():
guid_key_name = guid_key.name()
count_key = guid_key.subkey(u"Count")
dat_key =guid_key.last_written_timestamp().isoformat()
if count_key is not None:
for value in count_key.values():
value_name = value.name()
value_name_decoded = codecs.encode(value_name, 'rot_13')
value_data = value.data()
count = None
win =""
if len(value_data) == 16:
count = struct.unpack("<I",value_data[4:8])[0]
count -= 5
record = OrderedDict([
("_plugin", u"UserAssist"),
("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("@timestamp",dat_key)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
elif len(value_data) == 72:
count = struct.unpack("<I", value_data[4:8])[0]
date_time = struct.unpack("<q", value_data[60:68])[0]
new_datetime =convert_datetime(date_time)
if new_datetime == "1601-01-01T00:00:00":
new_datetime = dat_key
record = OrderedDict([
("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("key_creation_time",dat_key),
("@timestamp",new_datetime)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
pass
return lst
else:
return None
def run(self):
lst = []
# for reg_handler in registry_manager.iter_registry_handlers(name=u'NTUSER.DAT'):
hive = get_hive(self.prim_hive, self.log_files)
user_assist_key = hive.find_key(
u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'
)
if user_assist_key is not None:
for guid_key in user_assist_key.subkeys():
guid_key_name = guid_key.name()
count_key = guid_key.subkey(u"Count")
if count_key is not None:
for value in count_key.values():
value_name = value.name()
value_name_decoded = codecs.encode(
value_name, 'rot_13')
value_data = value.data()
# dump = RegistryHelpers.HexDump(value_data)
count = None
win = ""
if len(value_data) == 16:
count = struct.unpack("<I", value_data[4:8])[0]
count -= 5
elif len(value_data) == 72:
count = struct.unpack("<I", value_data[4:8])[0]
date_time = struct.unpack("<q",
value_data[60:68])[0]
new_datetime = convert_datetime(date_time)
record = OrderedDict([("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("@timestamp", new_datetime)])
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
def run(self):
lst = []
hive = get_hive(self.prim_hive, self.log_files)
Amcache_user_settings_path = u"root\\InventoryApplicationFile"
Amcache_win7_user_settings_path = u"root\\File"
Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path)
Amcache7_user_settings_key = hive.find_key(
Amcache_win7_user_settings_path)
if Amcache_user_settings_key:
for sid_key in Amcache_user_settings_key.subkeys():
sid_key_values = iter(sid_key.values())
key_time = sid_key.last_written_timestamp().isoformat()
win10_amache_mapping = {
"ProgramId": "ProgramId",
"LongPathHash": "LongPathHash",
"IsOsComponent": "IsOsComponent",
"Usn": "Usn",
"LowerCaseLongPath": "Path",
"FileId": "Sha1",
"Name": "Name",
"Publisher": "CompanyName",
"Version": "Version",
"BinFileVersion": "BinFileVersion",
"BinaryType": "BinaryType",
"ProductName": "ProductName",
"ProductVersion": "ProductVersion",
"LinkDate": "LinkDate",
"BinProductVersion": "BinProductVersion",
"Size": "FileSize",
"Language": "Language",
"IsPeFile": "IsPeFile"
}
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win10_amache_mapping[value_name]
data = value.data()
record[names] = strip_control_characters(str(data))
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
return lst
elif Amcache7_user_settings_key:
win8_amcache_mapping = {
'0': 'ProductName',
'1': 'CompanyName',
'2': 'FileVersionNum',
'3': 'Language',
'4': 'SwitchBackContext',
'5': 'FileVersion',
'6': 'FileSize',
'7': 'pe_header_hash',
'8': 'unknown1',
'9': 'pe_header_checksum',
'a': 'unknown2',
'b': 'unknown3',
'c': 'file_description',
'd': 'unknown4',
'f': 'linker_compile_time',
'10': 'unknown5',
'11': 'last_modified_timestamp',
'12': 'created_timestamp',
'15': 'Path',
'16': 'unknown6',
'17': 'last_modified_timestamp_2',
'100': 'ProgramId',
'101': 'Sha1'
}
for sid_key in Amcache7_user_settings_key.subkeys():
for sidd_key in sid_key.subkeys():
sid_key_values = iter(sidd_key.values())
key_time = sidd_key.last_written_timestamp().isoformat()
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win8_amcache_mapping[value_name]
data = value.data()
if "time" in names:
if "linker_compile_time" in names:
data = datetime.datetime.fromtimestamp(data)
else:
data = convert_datetime(data)
record[names] = strip_control_characters(str(data))
if len(record) == 0:
continue
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format(
'Amcache', Amcache_user_settings_key))