def run(self): lst = [] "use the SOFTWARE hive to get the result" ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList" hive = get_hive(self.prim_hive, self.log_files) ProfileList_user_settings_key = hive.find_key( ProfileList_user_settings_path) # print('Found a key: {}'.format(ProfileList_user_settings_key.path())) if ProfileList_user_settings_key: for sid_key in ProfileList_user_settings_key.subkeys(): sid_name = sid_key.name() Profile_path = sid_key.value(name=u"ProfileImagePath") Profile_data = strip_control_characters(Profile_path.data()) timestamp = sid_key.last_written_timestamp().isoformat() user = strip_control_characters( os.path.basename(os.path.normpath(Profile_data))) record = OrderedDict([("Path", Profile_data), ("User", user), ("sid", sid_name), ("Key_Timestamp", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) else: logging.info(u"[{}] {} not found.".format( 'ProfileList', ProfileList_user_settings_path)) return lst
def run(self): hive = get_hive(self.prim_hive,self.log_files) select_key = hive.find_key(u'Select') current_path='' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path ='ControlSet001' lst= [] DHCP_user_settings_path = u"\\".join([current_path,u"Services\\Tcpip\\Parameters\\Interfaces"]) DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path) if DHCP_user_settings_key: for sid_key in DHCP_user_settings_key.subkeys(): timestamp = sid_key.last_written_timestamp().isoformat() sid_name = sid_key.name() def get_date (value_name): value = sid_key.value(name=value_name) if value: value = value.data() else: value ="None" return value dict_values_data = {'DhcpIPAddress' : strip_control_characters(get_date('DhcpIPAddress')), 'DhcpServer' : strip_control_characters(get_date('DhcpServer')), 'DhcpSubnetMask' : strip_control_characters(get_date('DhcpSubnetMask')), 'Domain' : strip_control_characters(get_date('Domain')), 'NameServer' : strip_control_characters(get_date('NameServer')), 'EnableDHCP' : get_date('EnableDHCP'), 'DhcpConnForceBroadcastFlag' : get_date('DhcpConnForceBroadcastFlag'), 'IsServerNapAware' : get_date('IsServerNapAware'), 'RegisterAdapterName' : get_date('RegisterAdapterName'), 'RegistrationEnabled' : get_date('RegistrationEnabled')} record = OrderedDict([ ("Dhcp IP Address", dict_values_data['DhcpIPAddress']), ("Dhcp Server", dict_values_data['DhcpServer']), ("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']), ("Domain", dict_values_data['Domain']), ("Name Server", dict_values_data['NameServer']), ("Enable DHCP", dict_values_data['EnableDHCP']), ("DhcpConnForceBroadcastFlag", dict_values_data['DhcpConnForceBroadcastFlag']), ("Is Server NapAware", dict_values_data['IsServerNapAware']), ("Register Adapter Name", dict_values_data['RegisterAdapterName']), ("Registration Enabled", dict_values_data['RegistrationEnabled']), ('@timestamp',timestamp) ]) lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('DHCP', DHCP_user_settings_path)) return lst
def run(self): lst = [] TypedPaths_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths" hive = get_hive(self.prim_hive, self.log_files) TypedPaths_user_settings_key = hive.find_key( TypedPaths_user_settings_path) if TypedPaths_user_settings_key: #for sid_key in TypedPaths_user_settings_key.subkeys(): sid_key_values = iter(TypedPaths_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() url_data = value.data() timestamp = TypedPaths_user_settings_key.last_written_timestamp( ).isoformat() record = OrderedDict([("Key_Timestamp", timestamp), ("Url Name", value_name), ("Url", strip_control_characters(url_data)), ("@timestmap", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('TypedPaths', TypedPaths_user_settings_path)) return lst
def run(self): lst = [] "use the NTUSER.dat hive to get the result" RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' hive = get_hive(self.prim_hive, self.log_files) RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path) if RunMRU_user_settings_key: sid_key_values = iter(RunMRU_user_settings_key.values()) timestamp = RunMRU_user_settings_key.last_written_timestamp( ).isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue sid_name = value.name() file_name = strip_control_characters(value.data()) record = OrderedDict([("Sequence", sid_name), ("Command", file_name), ("Key_Timestamp", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path)) return lst
def run(self): hive = get_hive(self.prim_hive, self.log_files) select_key = hive.find_key(u'Select') current_path = '' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path = 'ControlSet001' lst = [] TimeZoneInformation_user_settings_path = u"\\".join( [current_path, u"Control\\TimeZoneInformation"]) TimeZoneInformation_user_settings_key = hive.find_key( TimeZoneInformation_user_settings_path) if TimeZoneInformation_user_settings_key: TimeZoneKeyName = TimeZoneInformation_user_settings_key.value( name=u"TimeZoneKeyName") TimeZoneKeyName_data = TimeZoneKeyName.data() timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp( ).isoformat() record = OrderedDict([ ("Time Zone", strip_control_characters(TimeZoneKeyName_data)), ("Key_Timestamp", timestamp), ("@timestamp", timestamp) ]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('TimeZoneInformation', TimeZoneInformation_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths" hive = get_hive(self.prim_hive, self.log_files) InstalledApp_user_settings_key = hive.find_key( InstalledApp_user_settings_path) # print('Found a key: {}'.format(InstalledApp_user_settings_key.path())) if InstalledApp_user_settings_key: for sid_key in InstalledApp_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() Path = sid_key.value(name=u"Path") if Path: Path_data = strip_control_characters(Path.data()) else: Path_data = "" record = OrderedDict([ ("Application_Name", sid_name), ("InstalledApp_date", timestamp), ("Path", Path_data), ("@timestamp", timestamp), ]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved' hive = get_hive(self.prim_hive, self.log_files) ShellExtensions_user_settings_key = hive.find_key( ShellExtensions_user_settings_path) if ShellExtensions_user_settings_key: sid_key_values = iter(ShellExtensions_user_settings_key.values()) timestamp = ShellExtensions_user_settings_key.last_written_timestamp( ).isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue sid_name = value.name() data = value.data() if isinstance(data, bytes): pos = data.find(b'\x00\x00') + 1 file_name = strip_control_characters( data[:pos].decode('utf-16')) else: file_name = strip_control_characters(data) record = OrderedDict([("sid", sid_name), ("File Name", file_name), ("key_last_written_timestamp", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) else: logging.info(u"[{}] {} not found.".format( 'ShellExtensions', ShellExtensions_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" InstalledComponents_user_settings_path = [ u'Microsoft\\Active Setup\\Installed Components', u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components' ] hive = get_hive(self.prim_hive, self.log_files) for path in InstalledComponents_user_settings_path: InstalledComponents_user_settings_key = hive.find_key(path) if InstalledComponents_user_settings_key: for sid_key in InstalledComponents_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() IsInstalled = sid_key.value(name=u"IsInstalled") if IsInstalled: IsInstalled_data = IsInstalled.data() else: IsInstalled_data = "None" DontAsk = sid_key.value(name=u"DontAsk") if DontAsk: DontAsk_data = DontAsk.data() else: DontAsk_data = "None" Enabled = sid_key.value(name=u"Enabled") if Enabled: Enabled_data = Enabled.data() else: Enabled_data = "None" Locale = sid_key.value(name=u"Locale") if Locale: Locale_data = strip_control_characters(Locale.data()) else: Locale_data = "None" LocalizedName = sid_key.value(name=u"LocalizedName") if LocalizedName: LocalizedName_data = strip_control_characters( LocalizedName.data()) else: LocalizedName_data = "None" StubPath = sid_key.value(name=u"StubPath") if StubPath: StubPath_data = strip_control_characters( StubPath.data()) else: StubPath_data = "None" Version = sid_key.value(name=u"Version") if Version: Version_data = strip_control_characters(Version.data()) else: Version_data = "None" ComponentID = sid_key.value(name=u"ComponentID") if ComponentID: ComponentID_data = strip_control_characters( ComponentID.data()) else: ComponentID_data = "None" record = OrderedDict([ ("sid", sid_name), ("last_written_timestamp", timestamp), ("ComponentID", ComponentID_data), ("Version", Version_data), ("StubPath", StubPath_data), ("LocalizedName", LocalizedName_data), ("Locale", Locale_data), ("Enabled", Enabled_data), ("DontAsk", DontAsk_data), ("IsInstalled", IsInstalled_data), ("@timestamp", timestamp) ]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall" hive = get_hive(self.prim_hive, self.log_files) Uninstall_user_settings_key = hive.find_key( Uninstall_user_settings_path) # print('Found a key: {}'.format(Uninstall_user_settings_key.path())) if Uninstall_user_settings_key: for sid_key in Uninstall_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() #try: DisplayName = sid_key.value(name=u"DisplayName") if DisplayName: DisplayName_data = strip_control_characters( DisplayName.data()) else: DisplayName_data = "" DisplayVersion = sid_key.value(name=u"DisplayVersion") if DisplayVersion: DisplayVersion_data = strip_control_characters( DisplayVersion.data()) else: DisplayVersion_data = "" InstallDate = sid_key.value(name=u"InstallDate") if InstallDate: InstallDate_data = strip_control_characters( InstallDate.data()) else: InstallDate_data = "" InstallLocation = sid_key.value(name=u"InstallLocation") if InstallLocation: InstallLocation_data = strip_control_characters( InstallLocation.data()) else: InstallLocation_data = "" InstallSource = sid_key.value(name=u"InstallSource") if InstallSource: InstallSource_data = strip_control_characters( InstallSource.data()) else: InstallSource_data = "" ModifyPath = sid_key.value(name=u"ModifyPath") if ModifyPath: ModifyPath_data = strip_control_characters( ModifyPath.data()) else: ModifyPath_data = "" Publisher = sid_key.value(name=u"Publisher") if Publisher: Publisher_data = strip_control_characters(Publisher.data()) else: Publisher_data = "" Size = sid_key.value(name=u"Size") if Size: Size_data = str(Size.data()) else: Size_data = "" URLInfoAbout = sid_key.value(name=u"URLInfoAbout") if URLInfoAbout: URLInfoAbout_data = strip_control_characters( URLInfoAbout.data()) else: URLInfoAbout_data = "" record = OrderedDict([("name", sid_name), ("Uninstall_date", timestamp), ("Application_Name", DisplayName_data), ("Version", DisplayVersion_data), ("Install_Date", InstallDate_data), ("Install_Location", InstallLocation_data), ("Install_Source", InstallSource_data), ("Modify_Path", ModifyPath_data), ("Publisher", Publisher_data), ("Size", Size_data), ("URLInfoAbout", URLInfoAbout_data), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) else: logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path)) return lst
def run(self): lst = [] TerminalServerClient_user_settings_paths = [ 'Software\\Microsoft\\Terminal Server Client\\Servers', 'Software\\Microsoft\\Terminal Server Client\\Default' ] for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths: hive = get_hive(self.prim_hive, self.log_files) TerminalServerClient_user_settings_key = hive.find_key( TerminalServerClient_user_settings_path) # print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path())) if TerminalServerClient_user_settings_key: timestamp = TerminalServerClient_user_settings_key.last_written_timestamp( ).isoformat() if "Servers" in TerminalServerClient_user_settings_path: for sid_key in TerminalServerClient_user_settings_key.subkeys( ): key_name = sid_key.name() sid_key_values = iter(sid_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() UsernameHint = "" if "UsernameHint" != value_name else strip_control_characters( value.data()) record = OrderedDict([("key_timestamp", timestamp), ("IP_Address", key_name), ("User_Name", UsernameHint), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) else: sid_key_values = iter( TerminalServerClient_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() value_data = value.data() record = OrderedDict([ ("key_timestamp", timestamp), ("@timestamp", timestamp), ("IP_Address", strip_control_characters(value_data)), ("Value_Name", value_name) ]) # lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) # else: # # # logging.info(u"[{}] {} not found.".format('TerminalServerClient', TerminalServerClient_user_settings_path)) return lst
def run(self): lst = [] hive = get_hive(self.prim_hive, self.log_files) Amcache_user_settings_path = u"root\\InventoryApplicationFile" Amcache_win7_user_settings_path = u"root\\File" Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path) Amcache7_user_settings_key = hive.find_key( Amcache_win7_user_settings_path) if Amcache_user_settings_key: for sid_key in Amcache_user_settings_key.subkeys(): sid_key_values = iter(sid_key.values()) key_time = sid_key.last_written_timestamp().isoformat() win10_amache_mapping = { "ProgramId": "ProgramId", "LongPathHash": "LongPathHash", "IsOsComponent": "IsOsComponent", "Usn": "Usn", "LowerCaseLongPath": "Path", "FileId": "Sha1", "Name": "Name", "Publisher": "CompanyName", "Version": "Version", "BinFileVersion": "BinFileVersion", "BinaryType": "BinaryType", "ProductName": "ProductName", "ProductVersion": "ProductVersion", "LinkDate": "LinkDate", "BinProductVersion": "BinProductVersion", "Size": "FileSize", "Language": "Language", "IsPeFile": "IsPeFile" } record = OrderedDict([]) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() if value_name in win10_amache_mapping.keys(): names = win10_amache_mapping[value_name] else: names = value_name data = value.data() record[names] = strip_control_characters(str(data)) record["@timestamp"] = key_time if record["Sha1"].startswith("0000"): sha1 = record["Sha1"] record["Sha1"] = sha1[4:] lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) return lst elif Amcache7_user_settings_key: win8_amcache_mapping = { '0': 'ProductName', '1': 'CompanyName', '2': 'FileVersionNum', '3': 'Language', '4': 'SwitchBackContext', '5': 'FileVersion', '6': 'FileSize', '7': 'pe_header_hash', '8': 'unknown1', '9': 'pe_header_checksum', 'a': 'unknown2', 'b': 'unknown3', 'c': 'file_description', 'd': 'unknown4', 'f': 'linker_compile_time', '10': 'unknown5', '11': 'last_modified_timestamp', '12': 'created_timestamp', '15': 'Path', '16': 'unknown6', '17': 'last_modified_timestamp_2', '100': 'ProgramId', '101': 'Sha1' } for sid_key in Amcache7_user_settings_key.subkeys(): for sidd_key in sid_key.subkeys(): sid_key_values = iter(sidd_key.values()) key_time = sidd_key.last_written_timestamp().isoformat() record = OrderedDict([]) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() names = win8_amcache_mapping[value_name] data = value.data() if "time" in names: if "linker_compile_time" in names: data = datetime.datetime.fromtimestamp(data) else: data = convert_datetime(data) record[names] = strip_control_characters(str(data)) if len(record) == 0: continue record["@timestamp"] = key_time if record["Sha1"].startswith("0000"): sha1 = record["Sha1"] record["Sha1"] = sha1[4:] lst.append(u"{}".format( json.dumps(record, cls=ComplexEncoder))) return lst