def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
mechanisms = []
for artifact in fsw.get_artifacts("WindowsServices"):
for value in artifact.get("values", []):
name = value.get("name", "").casefold()
if name == "ServiceDll".casefold(
) or name == "ImagePath".casefold() and value.get("data"):
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
for artifact in fsw.get_artifacts("WindowsFontDriversAlt"):
for value in artifact.get("values", []):
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
for entry, origins in tmp_dict.items():
if entry.endswith(".sys"):
mechanisms.append({
"name": "driver",
"origins": list(origins),
"entry": entry
})
else:
mechanisms.append({
"name": "service",
"origins": list(origins),
"entry": entry
})
return mechanisms
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
mechanisms = []
for artifact in fsw.get_files("WindowsScheduledTasks"):
if "export_path" in artifact and artifact[
"export_path"] and not artifact["export_path"].endswith(
".DAT"):
# pylint: disable=protected-access
with fsw._fs_store.load_file(artifact["export_path"]) as io:
xml_file = minidom.parse(io)
elem = ""
arg = ""
# Check xml doc for "Command" and "Arguments" tags. Exception wil be ignored if no argument exists.
try:
elem = xml_file.getElementsByTagName(
'Command')[0].childNodes[0].data
arg = xml_file.getElementsByTagName(
'Arguments')[0].childNodes[0].data
except IndexError:
pass
if elem:
mechanisms.append({
"name":
"scheduled_tasks",
"origins": [artifact.get("origin").get("path")],
"entry":
" ".join([elem, arg])
})
return mechanisms
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
folder_path = os.path.join(fsw.forensicstore_path,
"WindowsBrowserPersistenceFiles/")
if os.path.exists(folder_path):
for file in os.listdir(folder_path):
if file.endswith(".json"):
file_path = os.path.join(folder_path, file)
with open(file_path) as io:
for addon in json.load(io).get("addons"):
name = addon.get("defaultLocale", {}).get("name")
path = addon.get("path", "Unkonwn")
if addon.get(
"active") and name != "Default" and path:
tmp_dict.setdefault(name, set()).add(path)
for artifact in fsw.get_artifacts("WindowsBrowserPersistenceKeys"):
for value in artifact.get("values", []):
if value.get("name") in ["(Default)", "ToolTip"]:
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
return [{
"name": "browser_extensions",
"origins": list(origins),
"entry": extension_data
} for extension_data, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsCOMProperties"):
for value in artifact.get("values", []):
if value.get("name") == "(Default)":
tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))
return [{"name": "com_hijacking", "origins": list(origins), "entry": com_object}
for com_object, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsPrintMonitors"):
for value in artifact.get("values", []):
if value.get("data"):
tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))
return [{"name": "port_monitors", "origins": list(origins), "entry": dll}
for dll, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsSIPandTrustProviderHijacking"):
for value in artifact.get("values", []):
name = value.get("name", "").casefold()
if name == "Dll".casefold() or name == "'$DLL'".casefold() and value.get("data"):
tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))
return [{"name": "sip_and_trust_provider_hijacking", "origins": list(origins), "entry": dll}
for dll, origins in tmp_dict.items()]
def collect(fstore_full_path: str) -> list:
fsw = ForensicStoreWrapper(fstore_full_path)
plugins_to_run = [
'app_cert_dlls',
'app_init_dlls',
'application_shimming',
'authentication_packages',
'browser_extensions',
'codecs',
'com_hijacking',
'file_associations',
'image_hijacks',
'known_dlls',
'logon',
'netsh_helper',
'office_application_startup',
'port_monitors',
'powershell_profiles',
'run_keys',
'scheduled_tasks',
'screensaver',
'security_support_provider',
'services_and_drivers',
'sip_and_trust_provider_hijacking',
'time_providers',
'winlogon_helper',
'winsock_providers',
]
# Instantiate all "Mechanism" subclasses (plugins) and collect mechanisms
mechanisms_folder = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "mechanisms")
for file in glob(os.path.join(mechanisms_folder, "*py")):
name = os.path.splitext(os.path.basename(file))[0]
if name in plugins_to_run:
__import__(f"discoruns.mechanisms.{name}")
collected_mechanisms = []
for mechanisms in Mechanism.__subclasses__():
collected_mechanisms.extend(mechanisms().collect_mechanism(fsw))
fsw.close()
return collected_mechanisms
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsOfficeApplicationStartup"):
for value in artifact.get("values", []):
if value.get("name") in ["FriendlyName", "URL", "(Default)"]:
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
return [{
"name": "office_application_startup",
"origins": list(origins),
"entry": com_object
} for com_object, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsLSASecurityPackages"):
for value in artifact.get("values", []):
if value.get("data") and not value.get("data") == "['\"\"']":
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
return [{
"name": "security_support_provider",
"origins": list(origins),
"entry": dll
} for dll, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsTimeProviders"):
for value in artifact.get("values", []):
if value.get("data") and value.get(
"name").casefold() == 'DllName'.casefold():
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
return [{
"name": "time_providers",
"origins": list(origins),
"entry": dll
} for dll, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsScreenSaverExecutable"):
for value in artifact.get("values", []):
if value.get("data") and value.get(
"name").casefold() == "scrnsave.exe".casefold():
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
return [{
"name": "screensaver",
"origins": list(origins),
"entry": dll
} for dll, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
attributes = ['Debugger', 'MonitorProcess', 'AutoRun', '(Default)']
for artifact in fsw.get_artifacts("WindowsImageHijacks"):
for value in artifact.get("values", []):
if value.get("data") and value.get(
"name"
) in attributes and not value.get("data") == "\"%1\" %*":
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
return [{
"name": "image_hijacks",
"origins": list(origins),
"entry": dll
} for dll, origins in tmp_dict.items()]
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
tmp_dict = {}
for artifact in fsw.get_artifacts("WindowsFileAssociation"):
if values := artifact.get("values"):
# Find the last program the extension was opened with via MRUList.
mru_lists = [value.get("data") for value in values if value.get("name") == "MRUList"]
mru_list = ""
if len(mru_lists) == 1:
mru_list = mru_lists[0]
last_prog_char = ""
if len(mru_list) >= 1:
last_prog_char = mru_list[0]
for value in artifact.get("values", []):
if value.get("data") and value.get("name") == last_prog_char:
tmp_dict.setdefault(value.get("data"), set()).add(artifact.get("key"))
def collect_mechanism(self, fsw: ForensicStoreWrapper) -> list:
mechanisms = []
tmp_dict = {}
# Windows Environment Logon Scripts
for artifact in fsw.get_artifacts(
"WindowsEnvironmentUserLoginScripts"):
for value in artifact.get("values", []):
if value.get("data"):
tmp_dict.setdefault(value.get("data"),
set()).add(artifact.get("key"))
for dll, origins in tmp_dict.items():
mechanisms.append({
"name": "user_environment_script",
"origins": list(origins),
"entry": dll
})
# Windows Group Policy Scripts
folder_path = os.path.join(fsw.forensicstore_path,
"WindowsGroupPolicyScripts/")
if os.path.exists(folder_path):
for file in os.listdir(folder_path):
file_path = os.path.join(folder_path, file)
file_origin = get_file_origin(fsw, file_path)[0]
# Group Policy Logon and Logoff Scripts
if file.endswith("GroupPolicy_User_Scripts_scripts.ini"):
process_ini_values(tmp_dict, file_path, "Logon",
file_origin)
process_ini_values(tmp_dict, file_path, "Logoff",
file_origin)
# Group Policy Startup and Shutdown Scripts
elif file.endswith("GroupPolicy_Machine_Scripts_scripts.ini"):
process_ini_values(tmp_dict, file_path, "Startup",
file_origin)
process_ini_values(tmp_dict, file_path, "Shutdown",
file_origin)
# Filesystem Startup and Shutdown Scripts
elif file.endswith(".exe"):
if "Shutdown" in file:
mechanisms.append({
"name":
"logon",
"origins": [file_origin],
"entry":
file.partition("Shutdown_")[2]
})
elif "Startup" in file:
mechanisms.append({
"name":
"logon",
"origins": [file_origin],
"entry":
file.partition("Startup_")[2]
})
elif "Logon" in file:
mechanisms.append({
"name": "logon",
"origins": [file_origin],
"entry": file.partition("Logon_")[2]
})
elif "Logoff" in file:
mechanisms.append({
"name": "logon",
"origins": [file_origin],
"entry": file.partition("Logoff_")[2]
})
# Windows Startup Scripts
tmp_vals = {}
for artifact in fsw.get_artifacts("WindowsStartupScript"):
for value in artifact.get("values", []):
if value.get("name") == "Parameters":
tmp_vals.setdefault(artifact.get("key"), {}).update(
{"param": value.get("data")})
elif value.get("name") == "Script":
tmp_vals.setdefault(artifact.get("key"), {}).update(
{"script": value.get("data")})
else:
tmp_vals.setdefault(artifact.get("key"), {}).update({
"script":
value.get("data"),
"param":
None
})
for key, entries in tmp_vals.items():
tmp_dict.setdefault(
" ".join(
filter(None, [entries.get("script"),
entries.get("param")])), set()).add(key)
# Windows Startup Folders
for file in fsw.get_files("WindowsStartupFolders"):
if file.get("name", "").endswith(".exe", None):
mechanisms.append({
"name": "logon",
"origins": [file.get("origin").get("path")],
"entry": file.get("name")
})
return [{
"name": "logon",
"origins": list(origins),
"entry": entry
} for entry, origins in tmp_dict.items()]