Esempio n. 1
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}
        mechanisms = []

        for artifact in fsw.get_artifacts("WindowsServices"):
            for value in artifact.get("values", []):
                name = value.get("name", "").casefold()
                if name == "ServiceDll".casefold(
                ) or name == "ImagePath".casefold() and value.get("data"):
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        for artifact in fsw.get_artifacts("WindowsFontDriversAlt"):
            for value in artifact.get("values", []):
                tmp_dict.setdefault(value.get("data"),
                                    set()).add(artifact.get("key"))

        for entry, origins in tmp_dict.items():
            if entry.endswith(".sys"):
                mechanisms.append({
                    "name": "driver",
                    "origins": list(origins),
                    "entry": entry
                })
            else:
                mechanisms.append({
                    "name": "service",
                    "origins": list(origins),
                    "entry": entry
                })

        return mechanisms
Esempio n. 2
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        mechanisms = []
        for artifact in fsw.get_files("WindowsScheduledTasks"):
            if "export_path" in artifact and artifact[
                    "export_path"] and not artifact["export_path"].endswith(
                        ".DAT"):
                # pylint: disable=protected-access
                with fsw._fs_store.load_file(artifact["export_path"]) as io:
                    xml_file = minidom.parse(io)
                    elem = ""
                    arg = ""

                    # Check xml doc for "Command" and "Arguments" tags. Exception wil be ignored if no argument exists.
                    try:
                        elem = xml_file.getElementsByTagName(
                            'Command')[0].childNodes[0].data
                        arg = xml_file.getElementsByTagName(
                            'Arguments')[0].childNodes[0].data
                    except IndexError:
                        pass

                    if elem:
                        mechanisms.append({
                            "name":
                            "scheduled_tasks",
                            "origins": [artifact.get("origin").get("path")],
                            "entry":
                            " ".join([elem, arg])
                        })

        return mechanisms
Esempio n. 3
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}
        folder_path = os.path.join(fsw.forensicstore_path,
                                   "WindowsBrowserPersistenceFiles/")
        if os.path.exists(folder_path):
            for file in os.listdir(folder_path):
                if file.endswith(".json"):
                    file_path = os.path.join(folder_path, file)
                    with open(file_path) as io:
                        for addon in json.load(io).get("addons"):
                            name = addon.get("defaultLocale", {}).get("name")
                            path = addon.get("path", "Unkonwn")
                            if addon.get(
                                    "active") and name != "Default" and path:
                                tmp_dict.setdefault(name, set()).add(path)

        for artifact in fsw.get_artifacts("WindowsBrowserPersistenceKeys"):
            for value in artifact.get("values", []):
                if value.get("name") in ["(Default)", "ToolTip"]:
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        return [{
            "name": "browser_extensions",
            "origins": list(origins),
            "entry": extension_data
        } for extension_data, origins in tmp_dict.items()]
Esempio n. 4
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsCOMProperties"):
            for value in artifact.get("values", []):
                if value.get("name") == "(Default)":
                    tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))

        return [{"name": "com_hijacking", "origins": list(origins), "entry": com_object}
                for com_object, origins in tmp_dict.items()]
Esempio n. 5
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsPrintMonitors"):
            for value in artifact.get("values", []):
                if value.get("data"):
                    tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))

        return [{"name": "port_monitors", "origins": list(origins), "entry": dll}
                for dll, origins in tmp_dict.items()]
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsSIPandTrustProviderHijacking"):
            for value in artifact.get("values", []):
                name = value.get("name", "").casefold()
                if name == "Dll".casefold() or name == "'$DLL'".casefold() and value.get("data"):
                    tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))

        return [{"name": "sip_and_trust_provider_hijacking", "origins": list(origins), "entry": dll}
                for dll, origins in tmp_dict.items()]
Esempio n. 7
0
def collect(fstore_full_path: str) -> list:
    fsw = ForensicStoreWrapper(fstore_full_path)
    plugins_to_run = [
        'app_cert_dlls',
        'app_init_dlls',
        'application_shimming',
        'authentication_packages',
        'browser_extensions',
        'codecs',
        'com_hijacking',
        'file_associations',
        'image_hijacks',
        'known_dlls',
        'logon',
        'netsh_helper',
        'office_application_startup',
        'port_monitors',
        'powershell_profiles',
        'run_keys',
        'scheduled_tasks',
        'screensaver',
        'security_support_provider',
        'services_and_drivers',
        'sip_and_trust_provider_hijacking',
        'time_providers',
        'winlogon_helper',
        'winsock_providers',
    ]

    # Instantiate all "Mechanism" subclasses (plugins) and collect mechanisms
    mechanisms_folder = os.path.join(
        os.path.dirname(os.path.abspath(__file__)), "mechanisms")
    for file in glob(os.path.join(mechanisms_folder, "*py")):
        name = os.path.splitext(os.path.basename(file))[0]
        if name in plugins_to_run:
            __import__(f"discoruns.mechanisms.{name}")
    collected_mechanisms = []
    for mechanisms in Mechanism.__subclasses__():
        collected_mechanisms.extend(mechanisms().collect_mechanism(fsw))
    fsw.close()
    return collected_mechanisms
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsOfficeApplicationStartup"):
            for value in artifact.get("values", []):
                if value.get("name") in ["FriendlyName", "URL", "(Default)"]:
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        return [{
            "name": "office_application_startup",
            "origins": list(origins),
            "entry": com_object
        } for com_object, origins in tmp_dict.items()]
Esempio n. 9
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsLSASecurityPackages"):
            for value in artifact.get("values", []):
                if value.get("data") and not value.get("data") == "['\"\"']":
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        return [{
            "name": "security_support_provider",
            "origins": list(origins),
            "entry": dll
        } for dll, origins in tmp_dict.items()]
Esempio n. 10
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsTimeProviders"):
            for value in artifact.get("values", []):
                if value.get("data") and value.get(
                        "name").casefold() == 'DllName'.casefold():
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        return [{
            "name": "time_providers",
            "origins": list(origins),
            "entry": dll
        } for dll, origins in tmp_dict.items()]
Esempio n. 11
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsScreenSaverExecutable"):
            for value in artifact.get("values", []):
                if value.get("data") and value.get(
                        "name").casefold() == "scrnsave.exe".casefold():
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        return [{
            "name": "screensaver",
            "origins": list(origins),
            "entry": dll
        } for dll, origins in tmp_dict.items()]
Esempio n. 12
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}
        attributes = ['Debugger', 'MonitorProcess', 'AutoRun', '(Default)']

        for artifact in fsw.get_artifacts("WindowsImageHijacks"):
            for value in artifact.get("values", []):
                if value.get("data") and value.get(
                        "name"
                ) in attributes and not value.get("data") == "\"%1\" %*":
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        return [{
            "name": "image_hijacks",
            "origins": list(origins),
            "entry": dll
        } for dll, origins in tmp_dict.items()]
Esempio n. 13
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        tmp_dict = {}

        for artifact in fsw.get_artifacts("WindowsFileAssociation"):
            if values := artifact.get("values"):

                # Find the last program the extension was opened with via MRUList.
                mru_lists = [value.get("data") for value in values if value.get("name") == "MRUList"]
                mru_list = ""
                if len(mru_lists) == 1:
                    mru_list = mru_lists[0]

                last_prog_char = ""
                if len(mru_list) >= 1:
                    last_prog_char = mru_list[0]

                for value in artifact.get("values", []):
                    if value.get("data") and value.get("name") == last_prog_char:
                        tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))
Esempio n. 14
0
    def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
        mechanisms = []
        tmp_dict = {}

        # Windows Environment Logon Scripts
        for artifact in fsw.get_artifacts(
                "WindowsEnvironmentUserLoginScripts"):
            for value in artifact.get("values", []):
                if value.get("data"):
                    tmp_dict.setdefault(value.get("data"),
                                        set()).add(artifact.get("key"))

        for dll, origins in tmp_dict.items():
            mechanisms.append({
                "name": "user_environment_script",
                "origins": list(origins),
                "entry": dll
            })

        # Windows Group Policy Scripts
        folder_path = os.path.join(fsw.forensicstore_path,
                                   "WindowsGroupPolicyScripts/")
        if os.path.exists(folder_path):
            for file in os.listdir(folder_path):
                file_path = os.path.join(folder_path, file)
                file_origin = get_file_origin(fsw, file_path)[0]

                # Group Policy Logon and Logoff Scripts
                if file.endswith("GroupPolicy_User_Scripts_scripts.ini"):
                    process_ini_values(tmp_dict, file_path, "Logon",
                                       file_origin)
                    process_ini_values(tmp_dict, file_path, "Logoff",
                                       file_origin)

                # Group Policy Startup and Shutdown Scripts
                elif file.endswith("GroupPolicy_Machine_Scripts_scripts.ini"):
                    process_ini_values(tmp_dict, file_path, "Startup",
                                       file_origin)
                    process_ini_values(tmp_dict, file_path, "Shutdown",
                                       file_origin)

                # Filesystem Startup and Shutdown Scripts
                elif file.endswith(".exe"):
                    if "Shutdown" in file:
                        mechanisms.append({
                            "name":
                            "logon",
                            "origins": [file_origin],
                            "entry":
                            file.partition("Shutdown_")[2]
                        })
                    elif "Startup" in file:
                        mechanisms.append({
                            "name":
                            "logon",
                            "origins": [file_origin],
                            "entry":
                            file.partition("Startup_")[2]
                        })
                    elif "Logon" in file:
                        mechanisms.append({
                            "name": "logon",
                            "origins": [file_origin],
                            "entry": file.partition("Logon_")[2]
                        })
                    elif "Logoff" in file:
                        mechanisms.append({
                            "name": "logon",
                            "origins": [file_origin],
                            "entry": file.partition("Logoff_")[2]
                        })

        # Windows Startup Scripts
        tmp_vals = {}
        for artifact in fsw.get_artifacts("WindowsStartupScript"):
            for value in artifact.get("values", []):
                if value.get("name") == "Parameters":
                    tmp_vals.setdefault(artifact.get("key"), {}).update(
                        {"param": value.get("data")})
                elif value.get("name") == "Script":
                    tmp_vals.setdefault(artifact.get("key"), {}).update(
                        {"script": value.get("data")})
                else:
                    tmp_vals.setdefault(artifact.get("key"), {}).update({
                        "script":
                        value.get("data"),
                        "param":
                        None
                    })

        for key, entries in tmp_vals.items():
            tmp_dict.setdefault(
                " ".join(
                    filter(None, [entries.get("script"),
                                  entries.get("param")])), set()).add(key)

        # Windows Startup Folders
        for file in fsw.get_files("WindowsStartupFolders"):
            if file.get("name", "").endswith(".exe", None):
                mechanisms.append({
                    "name": "logon",
                    "origins": [file.get("origin").get("path")],
                    "entry": file.get("name")
                })

        return [{
            "name": "logon",
            "origins": list(origins),
            "entry": entry
        } for entry, origins in tmp_dict.items()]