def _csv_list_named_pipes(self, pipes):
    """Export the collected named-pipe names.

    Writes one ``[computer_name, 'PIPES', pipe]`` row per entry of ``pipes`` to
    ``<output_dir>\\<computer_name>_named_pipes.csv`` and then records the
    file's SHA-256 in ``<output_dir>\\<computer_name>_sha256.log``.

    NOTE(review): pipe names are chosen by whatever created them on the examined
    host; whether ``write_to_csv`` neutralises spreadsheet formula prefixes
    (``=``, ``+``, ``-``, ``@``) is not visible from this file — confirm before
    analysts open the CSV in Excel.
    """
    base = self.output_dir + '\\' + self.computer_name
    csv_path = base + '_named_pipes.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for pipe_name in pipes:
            write_to_csv([self.computer_name, 'PIPES', pipe_name], writer)
    # Hash after the file is closed so the digest covers the flushed content.
    record_sha256_logs(csv_path, base + '_sha256.log')
def _csv_windows_prefetch(self, wpref):
    """Export parsed prefetch records.

    ``wpref`` yields 9-tuples ``(prefetch_file, format_version, file_size,
    exec_name, create_time, modification_time, run_count, hash_table_a,
    list_str_c)``.  ``hash_table_a`` must provide the keys ``start_time``,
    ``duration`` and ``average_duration``; ``list_str_c`` is a list of strings
    whose embedded NUL characters are stripped before they are joined, each
    followed by ';', into the last column.  Rows go to
    ``<output_dir>\\<computer_name>_prefetch.csv`` and the file's SHA-256 is
    recorded in ``<output_dir>\\<computer_name>_sha256.log``.
    """
    base = self.output_dir + '\\' + self.computer_name
    csv_path = base + '_prefetch.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for (prefetch_file, format_version, file_size, exec_name, created,
             modified, run_count, hash_table_a, list_str_c) in wpref:
            # One ';' after every entry (a trailing ';' included, as before).
            joined_strings = ''.join(s.replace('\0', '') + ';' for s in list_str_c)
            row = [
                self.computer_name,
                'Prefetch',
                prefetch_file,
                unicode(format_version),
                unicode(file_size),
                exec_name.replace('\00', ''),
                unicode(created),
                unicode(modified),
                unicode(run_count),
                unicode(hash_table_a['start_time']),
                unicode(hash_table_a['duration']),
                unicode(hash_table_a['average_duration']),
                joined_strings,
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, base + '_sha256.log')
def _csv_list_route_table(self, routes):
    """Append route-table entries to ``<output_dir>_routes_tables.csv``.

    Each ``(name, mask)`` pair becomes ``[computer_name, 'Route table', name,
    mask]`` with both values coerced through ``unicode``.  The file is opened in
    append mode ('ab'), unlike most sibling exporters that truncate with 'wb'.
    NOTE(review): a re-run therefore accumulates rows, and the SHA-256 recorded
    afterwards in ``<output_dir>_sha256.log`` covers the stale rows too —
    confirm this is intended.
    """
    self.logger.info('Health : Listing routes tables')
    csv_path = self.output_dir + "_routes_tables.csv"
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for route_name, route_mask in routes:
            row = [self.computer_name, 'Route table', unicode(route_name), unicode(route_mask)]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
    """Export mapped network drives to ``<output_dir>_list_networks_drives.csv``.

    ``drives`` yields ``(caption, filesystem, partition_name)`` triples; each is
    written unchanged as ``[computer_name, 'Network drives', caption,
    filesystem, partition_name]``.  The file's SHA-256 is then recorded in
    ``<output_dir>_sha256.log``.
    """
    self.logger.info("Health : Listing network drives")
    csv_path = self.output_dir + '_list_networks_drives.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for caption, filesystem, partition_name in drives:
            row = [self.computer_name, 'Network drives', caption, filesystem, partition_name]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_drives(self, drives):
    """Export physical/logical drive information to ``<output_dir>_list_drives.csv``.

    ``drives`` yields ``(physical_caption, partition_caption, logical_caption,
    filesystem)`` 4-tuples; each is written unchanged as ``[computer_name,
    'Drives', ...]``.  The file's SHA-256 is then recorded in
    ``<output_dir>_sha256.log``.
    """
    self.logger.info("Health : Listing drives")
    csv_path = self.output_dir + '_list_drives.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for physical_caption, partition_caption, logical_caption, filesystem in drives:
            row = [self.computer_name, 'Drives', physical_caption, partition_caption,
                   logical_caption, filesystem]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
    """Export SMB shares to ``<output_dir>_shares.csv``.

    ``share`` yields ``(name, path)`` pairs; each is written unchanged as
    ``[computer_name, 'Shares', name, path]``.  The file's SHA-256 is then
    recorded in ``<output_dir>_sha256.log``.
    """
    self.logger.info("Health : Listing shares")
    csv_path = self.output_dir + '_shares.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for share_name, share_path in share:
            write_to_csv([self.computer_name, 'Shares', share_name, share_path], writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_sessions(self, sessions):
    """Append logon sessions to ``<output_dir>_sessions.csv``.

    ``sessions`` yields ``(logon_id, authentication_package, start_time,
    logon_type)``.  ``start_time`` must be a string: it is cut at its first
    '.' (presumably to drop the fractional part of a WMI-style timestamp —
    confirm with the producer).  The file is opened in append mode ('ab'), so
    repeated runs accumulate rows; the SHA-256 recorded afterwards in
    ``<output_dir>_sha256.log`` covers whatever the file then holds.
    """
    self.logger.info('Health : Listing sessions')
    csv_path = self.output_dir + '_sessions.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for logon_id, auth_package, start_time, logon_type in sessions:
            row = [
                self.computer_name,
                'Active sessions',
                unicode(logon_id),
                auth_package,
                unicode(start_time.split('.')[0]),
                unicode(logon_type),
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_share(self, share):
    """Export SMB shares to ``<output_dir>_shares.csv``.

    ``share`` yields ``(name, path)`` pairs; each is written unchanged as
    ``[computer_name, 'Shares', name, path]``.  The file's SHA-256 is then
    recorded in ``<output_dir>_sha256.log``.
    """
    self.logger.info("Health : Listing shares")
    csv_path = self.output_dir + '_shares.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for share_name, share_path in share:
            write_to_csv([self.computer_name, 'Shares', share_name, share_path], writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_services(self, services):
    """Append installed services to ``<output_dir>_services.csv``.

    ``services`` yields ``(name, caption, process_id, path_name, service_type,
    status, state, start_mode)``.  The written row is ``[computer_name,
    'Services', caption, process_id, service_type, path_name, status, state,
    start_mode]`` — ``name`` is unpacked but not written, and ``service_type``
    precedes ``path_name`` although the historical header comment listed them
    the other way round.  NOTE(review): both look accidental; confirm against
    whatever consumes this CSV before changing the column set.  Opened in
    append mode ('ab'), so re-runs accumulate rows; the SHA-256 is recorded
    in ``<output_dir>_sha256.log`` afterwards.
    """
    self.logger.info('Health : Listing services')
    csv_path = self.output_dir + '_services.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for (_name, caption, process_id, path_name, service_type,
             status, state, start_mode) in services:
            row = [
                self.computer_name,
                'Services',
                caption,
                unicode(process_id),
                service_type,
                path_name,
                unicode(status),
                state,
                start_mode,
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_sockets_network(self, connections):
    """Append network sockets to ``<output_dir>_sockets.csv``.

    ``connections`` yields ``(pid, name, local_address, source_port,
    remote_address, remote_port, status)``; every field is coerced through
    ``unicode`` and written as ``[computer_name, 'Sockets', ...]``.  Opened in
    append mode ('ab'), so re-runs accumulate rows; the SHA-256 is recorded in
    ``<output_dir>_sha256.log`` afterwards.
    """
    self.logger.info('Health : Listing sockets networks')
    csv_path = self.output_dir + '_sockets.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for connection in connections:
            pid, proc_name, local_addr, local_port, remote_addr, remote_port, state = connection
            row = [self.computer_name, 'Sockets'] + [
                unicode(value)
                for value in (pid, proc_name, local_addr, local_port, remote_addr, remote_port, state)
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_named_pipes(self, pipes):
    """Export the collected named-pipe names.

    Writes one ``[computer_name, 'PIPES', pipe]`` row per entry of ``pipes`` to
    ``<output_dir>\\<computer_name>_named_pipes.csv`` and then records the
    file's SHA-256 in ``<output_dir>\\<computer_name>_sha256.log``.

    NOTE(review): pipe names are chosen by whatever created them on the examined
    host; whether ``write_to_csv`` neutralises spreadsheet formula prefixes
    (``=``, ``+``, ``-``, ``@``) is not visible from this file — confirm before
    analysts open the CSV in Excel.
    """
    base = self.output_dir + '\\' + self.computer_name
    csv_path = base + '_named_pipes.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for pipe_name in pipes:
            write_to_csv([self.computer_name, 'PIPES', pipe_name], writer)
    # Hash after the file is closed so the digest covers the flushed content.
    record_sha256_logs(csv_path, base + '_sha256.log')
def _csv_list_drives(self, drives):
    """Export physical/logical drive information to ``<output_dir>_list_drives.csv``.

    ``drives`` yields ``(physical_caption, partition_caption, logical_caption,
    filesystem)`` 4-tuples; each is written unchanged as ``[computer_name,
    'Drives', ...]``.  The file's SHA-256 is then recorded in
    ``<output_dir>_sha256.log``.
    """
    self.logger.info("Health : Listing drives")
    csv_path = self.output_dir + '_list_drives.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for physical_caption, partition_caption, logical_caption, filesystem in drives:
            row = [self.computer_name, 'Drives', physical_caption, partition_caption,
                   logical_caption, filesystem]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_network_drives(self, drives):
    """Export mapped network drives to ``<output_dir>_list_networks_drives.csv``.

    ``drives`` yields ``(caption, filesystem, partition_name)`` triples; each is
    written unchanged as ``[computer_name, 'Network drives', caption,
    filesystem, partition_name]``.  The file's SHA-256 is then recorded in
    ``<output_dir>_sha256.log``.
    """
    self.logger.info("Health : Listing network drives")
    csv_path = self.output_dir + '_list_networks_drives.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for caption, filesystem, partition_name in drives:
            row = [self.computer_name, 'Network drives', caption, filesystem, partition_name]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_running_process(self, list_running):
    """Append running processes to ``<output_dir>_processes.csv``.

    Each element of ``list_running`` is indexed positionally as
    ``(pid, name, command_line, exe_path)``; the row written is
    ``[computer_name, 'Running processes', pid, name, command_line, exe_path]``
    with ``pid``, ``command_line`` and ``exe_path`` coerced through ``unicode``.
    Opened in append mode ('ab'), so re-runs accumulate rows; the SHA-256 is
    recorded in ``<output_dir>_sha256.log`` afterwards.

    NOTE(review): command lines and image paths are attacker-controlled on a
    compromised host.  Whether ``write_to_csv`` neutralises spreadsheet formula
    prefixes (``=``, ``+``, ``-``, ``@``) is not visible here — confirm before
    analysts open these CSVs in Excel.
    """
    self.logger.info("Health : Listing running processes")
    csv_path = self.output_dir + '_processes.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for process in list_running:
            pid, proc_name, command_line, exe_path = process[0], process[1], process[2], process[3]
            row = [
                self.computer_name,
                'Running processes',
                unicode(pid),
                proc_name,
                unicode(command_line),
                unicode(exe_path),
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def csv_recycle_bin(self):
    """Export the entries of the Recycle Bin.

    Enumerates the bin through the shell namespace — ``CSIDL_BITBUCKET`` bound
    from the desktop folder — and writes, for every item, the display name
    (``SHGDN_NORMAL``) and the parsing name (``SHGDN_FORPARSING``) as
    ``[computer_name, 'Recycle Bin', display_name, parsing_name]`` to
    ``<output_dir>\\<computer_name>_recycle_bin.csv``; the file's SHA-256 is
    then recorded in ``<output_dir>\\<computer_name>_sha256.log``.

    NOTE(review): a shell-namespace enumeration shows the bin as the calling
    account sees it; whether other users' ``$Recycle.Bin`` folders are covered
    is not established here — confirm if that matters for the collection.
    """
    base = self.output_dir + '\\' + self.computer_name
    csv_path = base + '_recycle_bin.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        bin_pidl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET)
        bin_folder = shell.SHGetDesktopFolder().BindToObject(bin_pidl, None, shell.IID_IShellFolder)
        for item in bin_folder:
            display_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_NORMAL)
            parsing_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_FORPARSING)
            write_to_csv([self.computer_name, 'Recycle Bin', display_name, parsing_name], writer)
    record_sha256_logs(csv_path, base + '_sha256.log')
def _csv_list_services(self, services):
    """Append installed services to ``<output_dir>_services.csv``.

    ``services`` yields ``(name, caption, process_id, path_name, service_type,
    status, state, start_mode)``.  The written row is ``[computer_name,
    'Services', caption, process_id, service_type, path_name, status, state,
    start_mode]`` — ``name`` is unpacked but not written, and ``service_type``
    precedes ``path_name`` although the historical header comment listed them
    the other way round.  NOTE(review): both look accidental; confirm against
    whatever consumes this CSV before changing the column set.  Opened in
    append mode ('ab'), so re-runs accumulate rows; the SHA-256 is recorded
    in ``<output_dir>_sha256.log`` afterwards.
    """
    self.logger.info('Health : Listing services')
    csv_path = self.output_dir + '_services.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for (_name, caption, process_id, path_name, service_type,
             status, state, start_mode) in services:
            row = [
                self.computer_name,
                'Services',
                caption,
                unicode(process_id),
                service_type,
                path_name,
                unicode(status),
                state,
                start_mode,
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_list_route_table(self, routes):
    """Append route-table entries to ``<output_dir>_routes_tables.csv``.

    Each ``(name, mask)`` pair becomes ``[computer_name, 'Route table', name,
    mask]`` with both values coerced through ``unicode``.  The file is opened in
    append mode ('ab'), unlike most sibling exporters that truncate with 'wb'.
    NOTE(review): a re-run therefore accumulates rows, and the SHA-256 recorded
    afterwards in ``<output_dir>_sha256.log`` covers the stale rows too —
    confirm this is intended.
    """
    self.logger.info('Health : Listing routes tables')
    csv_path = self.output_dir + "_routes_tables.csv"
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for route_name, route_mask in routes:
            row = [self.computer_name, 'Route table', unicode(route_name), unicode(route_mask)]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
def _csv_windows_prefetch(self, wpref):
    """Export parsed prefetch records.

    ``wpref`` yields 9-tuples ``(prefetch_file, format_version, file_size,
    exec_name, create_time, modification_time, run_count, hash_table_a,
    list_str_c)``.  ``hash_table_a`` must provide the keys ``start_time``,
    ``duration`` and ``average_duration``; ``list_str_c`` is a list of strings
    whose embedded NUL characters are stripped before they are joined, each
    followed by ';', into the last column.  Rows go to
    ``<output_dir>\\<computer_name>_prefetch.csv`` and the file's SHA-256 is
    recorded in ``<output_dir>\\<computer_name>_sha256.log``.
    """
    base = self.output_dir + '\\' + self.computer_name
    csv_path = base + '_prefetch.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        for (prefetch_file, format_version, file_size, exec_name, created,
             modified, run_count, hash_table_a, list_str_c) in wpref:
            # One ';' after every entry (a trailing ';' included, as before).
            joined_strings = ''.join(s.replace('\0', '') + ';' for s in list_str_c)
            row = [
                self.computer_name,
                'Prefetch',
                prefetch_file,
                unicode(format_version),
                unicode(file_size),
                exec_name.replace('\00', ''),
                unicode(created),
                unicode(modified),
                unicode(run_count),
                unicode(hash_table_a['start_time']),
                unicode(hash_table_a['duration']),
                unicode(hash_table_a['average_duration']),
                joined_strings,
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, base + '_sha256.log')
def _csv_list_sessions(self, sessions):
    """Append logon sessions to ``<output_dir>_sessions.csv``.

    ``sessions`` yields ``(logon_id, authentication_package, start_time,
    logon_type)``.  ``start_time`` must be a string: it is cut at its first
    '.' (presumably to drop the fractional part of a WMI-style timestamp —
    confirm with the producer).  The file is opened in append mode ('ab'), so
    repeated runs accumulate rows; the SHA-256 recorded afterwards in
    ``<output_dir>_sha256.log`` covers whatever the file then holds.
    """
    self.logger.info('Health : Listing sessions')
    csv_path = self.output_dir + '_sessions.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for logon_id, auth_package, start_time, logon_type in sessions:
            row = [
                self.computer_name,
                'Active sessions',
                unicode(logon_id),
                auth_package,
                unicode(start_time.split('.')[0]),
                unicode(logon_type),
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
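def _csv_list_arp_table(self, arp):
    """Export ARP-cache entries to ``<output_dir>_arp_table.csv``.

    ``arp`` is an iterable of text lines, one per cache entry (presumably the
    raw ``arp -a`` style output of the collector — confirm).  Only lines that
    split into exactly three whitespace-separated tokens — IP, MAC, status —
    are written, as ``[computer_name, 'ARP table', ip, mac, status]``; header
    and interface banner lines have a different token count and are skipped.
    The file's SHA-256 is recorded in ``<output_dir>_sha256.log`` afterwards.

    Fixes: the 0xFF cleanup discarded its result (``str.replace`` returns a new
    string), so those bytes were never removed; and the
    ``entry_to_write.find('\\.') != 1`` guard compared against a literal
    backslash-dot that can never sit at index 1, so it was always true — it is
    dropped together with the pipe-delimited ``entry_to_write`` string that was
    built and never written.
    """
    self.logger.info('Health : Listing ARP tables')
    csv_path = self.output_dir + "_arp_table.csv"
    with open(csv_path, 'wb') as fw:
        csv_writer = get_csv_writer(fw)
        for entry in arp:
            # 0xFF bytes appear in the raw output (presumably padding); strip
            # them before tokenising, keeping the returned string this time.
            tokens = entry.replace('\xff', '').split()
            if len(tokens) != 3:
                continue
            write_to_csv([self.computer_name, 'ARP table'] + tokens, csv_writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')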
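def _csv_list_arp_table(self, arp):
    """Export ARP-cache entries to ``<output_dir>_arp_table.csv``.

    ``arp`` is an iterable of text lines, one per cache entry (presumably the
    raw ``arp -a`` style output of the collector — confirm).  Only lines that
    split into exactly three whitespace-separated tokens — IP, MAC, status —
    are written, as ``[computer_name, 'ARP table', ip, mac, status]``; header
    and interface banner lines have a different token count and are skipped.
    The file's SHA-256 is recorded in ``<output_dir>_sha256.log`` afterwards.

    Fixes: the 0xFF cleanup discarded its result (``str.replace`` returns a new
    string), so those bytes were never removed; and the
    ``entry_to_write.find('\\.') != 1`` guard compared against a literal
    backslash-dot that can never sit at index 1, so it was always true — it is
    dropped together with the pipe-delimited ``entry_to_write`` string that was
    built and never written.
    """
    self.logger.info('Health : Listing ARP tables')
    csv_path = self.output_dir + "_arp_table.csv"
    with open(csv_path, 'wb') as fw:
        csv_writer = get_csv_writer(fw)
        for entry in arp:
            # 0xFF bytes appear in the raw output (presumably padding); strip
            # them before tokenising, keeping the returned string this time.
            tokens = entry.replace('\xff', '').split()
            if len(tokens) != 3:
                continue
            write_to_csv([self.computer_name, 'ARP table'] + tokens, csv_writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')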
def _csv_list_running_process(self, list_running):
    """Append running processes to ``<output_dir>_processes.csv``.

    Each element of ``list_running`` is indexed positionally as
    ``(pid, name, command_line, exe_path)``; the row written is
    ``[computer_name, 'Running processes', pid, name, command_line, exe_path]``
    with ``pid``, ``command_line`` and ``exe_path`` coerced through ``unicode``.
    Opened in append mode ('ab'), so re-runs accumulate rows; the SHA-256 is
    recorded in ``<output_dir>_sha256.log`` afterwards.

    NOTE(review): command lines and image paths are attacker-controlled on a
    compromised host.  Whether ``write_to_csv`` neutralises spreadsheet formula
    prefixes (``=``, ``+``, ``-``, ``@``) is not visible here — confirm before
    analysts open these CSVs in Excel.
    """
    self.logger.info("Health : Listing running processes")
    csv_path = self.output_dir + '_processes.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for process in list_running:
            pid, proc_name, command_line, exe_path = process[0], process[1], process[2], process[3]
            row = [
                self.computer_name,
                'Running processes',
                unicode(pid),
                proc_name,
                unicode(command_line),
                unicode(exe_path),
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
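def _csv_list_scheduled_jobs(self):
    """Export scheduled tasks to ``<output_dir>_scheduled_jobs.csv``.

    Runs ``schtasks.exe /query /fo CSV``, stores its decoded output verbatim in
    ``<output_dir>_tasks.csv``, then re-reads that file and writes
    ``[computer_name, 'Scheduled jobs', <schtasks columns...>]`` for every line
    containing a backslash.  Task names are folder paths (``\\Microsoft\\...``),
    so this keeps the task rows and drops the ``"TaskName","Next Run Time",
    "Status"`` header that schtasks repeats for each folder.  The SHA-256 of
    the result is recorded in ``<output_dir>_sha256.log``.

    NOTE(review): fields are still split on ',' after the quotes are removed,
    so a task name containing a comma spills into extra columns; ``csv.reader``
    over the raw file would be the robust parser.  Task names and actions are
    attacker-chosen on a compromised host — confirm ``write_to_csv`` neutralises
    spreadsheet formula prefixes (``=``, ``+``, ``-``, ``@``) before analysts
    open the CSV in Excel.
    """
    import os

    self.logger.info('Health : Listing scheduled jobs')
    file_tasks = self.output_dir + '_tasks.csv'
    # Resolve schtasks under %SystemRoot% instead of passing a bare image name:
    # this collector runs on hosts that may be compromised, and CreateProcess
    # searches the application directory and the current directory before
    # System32, so a planted schtasks.exe would run with our privileges.
    schtasks = os.path.join(os.environ.get('SystemRoot', r'C:\Windows'), 'System32', 'schtasks.exe')
    with open(file_tasks, 'wb') as tasks_logs:
        proc = subprocess.Popen([schtasks, '/query', '/fo', 'CSV'], stdout=subprocess.PIPE)
        stdout, _ = proc.communicate()
        # Previously a failing schtasks silently yielded an empty task list.
        if proc.returncode != 0:
            self.logger.error('Health : schtasks.exe exited with status %s, scheduled job list may be incomplete'
                              % proc.returncode)
        write_to_output(get_terminal_decoded_string(stdout), tasks_logs, self.logger)
    jobs_path = self.output_dir + "_scheduled_jobs.csv"
    with open(file_tasks, "r") as fr, open(jobs_path, 'wb') as fw:
        csv_writer = get_csv_writer(fw)
        for line in fr:
            line = line.decode('utf8')
            if line.find('\\') <= 0:
                continue
            # rstrip rather than [:-1]: a final line without a newline used to
            # lose its last real character.
            fields = line.rstrip('\r\n').replace('"', '').split(',')
            write_to_csv([self.computer_name, 'Scheduled jobs'] + fields, csv_writer)
    record_sha256_logs(jobs_path, self.output_dir + '_sha256.log')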
def _csv_list_sockets_network(self, connections):
    """Append network sockets to ``<output_dir>_sockets.csv``.

    ``connections`` yields ``(pid, name, local_address, source_port,
    remote_address, remote_port, status)``; every field is coerced through
    ``unicode`` and written as ``[computer_name, 'Sockets', ...]``.  Opened in
    append mode ('ab'), so re-runs accumulate rows; the SHA-256 is recorded in
    ``<output_dir>_sha256.log`` afterwards.
    """
    self.logger.info('Health : Listing sockets networks')
    csv_path = self.output_dir + '_sockets.csv'
    with open(csv_path, 'ab') as handle:
        writer = get_csv_writer(handle)
        for connection in connections:
            pid, proc_name, local_addr, local_port, remote_addr, remote_port, state = connection
            row = [self.computer_name, 'Sockets'] + [
                unicode(value)
                for value in (pid, proc_name, local_addr, local_port, remote_addr, remote_port, state)
            ]
            write_to_csv(row, writer)
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
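def _csv_list_network_adapters(self, ncs):
    """Export one row per network adapter to ``<output_dir>_networks_cards.csv``.

    ``ncs`` yields 14-tuples.  ``None`` fields are replaced by a blank so every
    row keeps its column count (' ' for most fields, '' for ``adapter_type``
    and ``IPv6``, matching the historical output).  Each ``write_to_csv`` call
    is wrapped in its own try/except so one malformed adapter does not abort
    the export; the traceback is logged instead.  The file's SHA-256 is
    recorded in ``<output_dir>_sha256.log`` afterwards.

    Fix: ``if product_name is None: product_name`` was a bare expression, so a
    missing product name was the one field still passed through as ``None``;
    it is now blanked like the others.

    NOTE(review): the producer's tuple carries 14 fields while the historical
    header comment listed 13, and the 5th and 7th slots were both unpacked into
    ``product_name`` (the 7th won).  The 5th slot is still discarded here
    exactly as before — confirm with the collector what it actually holds
    before adding it as a column.
    """
    self.logger.info('Health : Listing network adapters')

    def blank_if_none(value, blank=' '):
        return blank if value is None else value

    csv_path = self.output_dir + "_networks_cards.csv"
    with open(csv_path, 'wb') as fw:
        csv_writer = get_csv_writer(fw)
        for (netcard, adapter_type, description, mac_address, _unused_slot,
             physical_adapter, product_name, speed, IPv4, IPv6, DHCP_server,
             DNS_server, database_path, nbtstat_value) in ncs:
            row = [
                self.computer_name,
                'Network adapter',
                blank_if_none(netcard),
                blank_if_none(adapter_type, ''),
                blank_if_none(description),
                blank_if_none(mac_address),
                blank_if_none(product_name),
                blank_if_none(physical_adapter),
                blank_if_none(speed),
                blank_if_none(IPv4),
                blank_if_none(IPv6, ''),
                blank_if_none(DHCP_server),
                blank_if_none(DNS_server),
                blank_if_none(database_path),
                blank_if_none(nbtstat_value),
            ]
            try:
                write_to_csv(row, csv_writer)
            except Exception:
                # Best effort: keep going with the next adapter, keep the evidence.
                self.logger.error(traceback.format_exc())
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')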
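def _csv_list_network_adapters(self, ncs):
    """Export one row per network adapter to ``<output_dir>_networks_cards.csv``.

    ``ncs`` yields 14-tuples.  ``None`` fields are replaced by a blank so every
    row keeps its column count (' ' for most fields, '' for ``adapter_type``
    and ``IPv6``, matching the historical output).  Each ``write_to_csv`` call
    is wrapped in its own try/except so one malformed adapter does not abort
    the export; the traceback is logged instead.  The file's SHA-256 is
    recorded in ``<output_dir>_sha256.log`` afterwards.

    Fix: ``if product_name is None: product_name`` was a bare expression, so a
    missing product name was the one field still passed through as ``None``;
    it is now blanked like the others.

    NOTE(review): the producer's tuple carries 14 fields while the historical
    header comment listed 13, and the 5th and 7th slots were both unpacked into
    ``product_name`` (the 7th won).  The 5th slot is still discarded here
    exactly as before — confirm with the collector what it actually holds
    before adding it as a column.
    """
    self.logger.info('Health : Listing network adapters')

    def blank_if_none(value, blank=' '):
        return blank if value is None else value

    csv_path = self.output_dir + "_networks_cards.csv"
    with open(csv_path, 'wb') as fw:
        csv_writer = get_csv_writer(fw)
        for (netcard, adapter_type, description, mac_address, _unused_slot,
             physical_adapter, product_name, speed, IPv4, IPv6, DHCP_server,
             DNS_server, database_path, nbtstat_value) in ncs:
            row = [
                self.computer_name,
                'Network adapter',
                blank_if_none(netcard),
                blank_if_none(adapter_type, ''),
                blank_if_none(description),
                blank_if_none(mac_address),
                blank_if_none(product_name),
                blank_if_none(physical_adapter),
                blank_if_none(speed),
                blank_if_none(IPv4),
                blank_if_none(IPv6, ''),
                blank_if_none(DHCP_server),
                blank_if_none(DNS_server),
                blank_if_none(database_path),
                blank_if_none(nbtstat_value),
            ]
            try:
                write_to_csv(row, csv_writer)
            except Exception:
                # Best effort: keep going with the next adapter, keep the evidence.
                self.logger.error(traceback.format_exc())
    record_sha256_logs(csv_path, self.output_dir + '_sha256.log')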
def csv_recycle_bin(self):
    """Export the entries of the Recycle Bin.

    Enumerates the bin through the shell namespace — ``CSIDL_BITBUCKET`` bound
    from the desktop folder — and writes, for every item, the display name
    (``SHGDN_NORMAL``) and the parsing name (``SHGDN_FORPARSING``) as
    ``[computer_name, 'Recycle Bin', display_name, parsing_name]`` to
    ``<output_dir>\\<computer_name>_recycle_bin.csv``; the file's SHA-256 is
    then recorded in ``<output_dir>\\<computer_name>_sha256.log``.

    NOTE(review): a shell-namespace enumeration shows the bin as the calling
    account sees it; whether other users' ``$Recycle.Bin`` folders are covered
    is not established here — confirm if that matters for the collection.
    """
    base = self.output_dir + '\\' + self.computer_name
    csv_path = base + '_recycle_bin.csv'
    with open(csv_path, 'wb') as handle:
        writer = get_csv_writer(handle)
        bin_pidl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET)
        bin_folder = shell.SHGetDesktopFolder().BindToObject(bin_pidl, None, shell.IID_IShellFolder)
        for item in bin_folder:
            display_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_NORMAL)
            parsing_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_FORPARSING)
            write_to_csv([self.computer_name, 'Recycle Bin', display_name, parsing_name], writer)
    record_sha256_logs(csv_path, base + '_sha256.log')
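def _csv_list_scheduled_jobs(self):
    """Export scheduled tasks to ``<output_dir>_scheduled_jobs.csv``.

    Runs ``schtasks.exe /query /fo CSV``, stores its decoded output verbatim in
    ``<output_dir>_tasks.csv``, then re-reads that file and writes
    ``[computer_name, 'Scheduled jobs', <schtasks columns...>]`` for every line
    containing a backslash.  Task names are folder paths (``\\Microsoft\\...``),
    so this keeps the task rows and drops the ``"TaskName","Next Run Time",
    "Status"`` header that schtasks repeats for each folder.  The SHA-256 of
    the result is recorded in ``<output_dir>_sha256.log``.

    NOTE(review): fields are still split on ',' after the quotes are removed,
    so a task name containing a comma spills into extra columns; ``csv.reader``
    over the raw file would be the robust parser.  Task names and actions are
    attacker-chosen on a compromised host — confirm ``write_to_csv`` neutralises
    spreadsheet formula prefixes (``=``, ``+``, ``-``, ``@``) before analysts
    open the CSV in Excel.
    """
    import os

    self.logger.info('Health : Listing scheduled jobs')
    file_tasks = self.output_dir + '_tasks.csv'
    # Resolve schtasks under %SystemRoot% instead of passing a bare image name:
    # this collector runs on hosts that may be compromised, and CreateProcess
    # searches the application directory and the current directory before
    # System32, so a planted schtasks.exe would run with our privileges.
    schtasks = os.path.join(os.environ.get('SystemRoot', r'C:\Windows'), 'System32', 'schtasks.exe')
    with open(file_tasks, 'wb') as tasks_logs:
        proc = subprocess.Popen([schtasks, '/query', '/fo', 'CSV'], stdout=subprocess.PIPE)
        stdout, _ = proc.communicate()
        # Previously a failing schtasks silently yielded an empty task list.
        if proc.returncode != 0:
            self.logger.error('Health : schtasks.exe exited with status %s, scheduled job list may be incomplete'
                              % proc.returncode)
        write_to_output(get_terminal_decoded_string(stdout), tasks_logs, self.logger)
    jobs_path = self.output_dir + "_scheduled_jobs.csv"
    with open(file_tasks, "r") as fr, open(jobs_path, 'wb') as fw:
        csv_writer = get_csv_writer(fw)
        for line in fr:
            line = line.decode('utf8')
            if line.find('\\') <= 0:
                continue
            # rstrip rather than [:-1]: a final line without a newline used to
            # lose its last real character.
            fields = line.rstrip('\r\n').replace('"', '').split(',')
            write_to_csv([self.computer_name, 'Scheduled jobs'] + fields, csv_writer)
    record_sha256_logs(jobs_path, self.output_dir + '_sha256.log')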