def run(self):
lst = []
"use the NTUSER.dat hive to get the result"
RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'
hive = get_hive(self.prim_hive, self.log_files)
RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path)
if RunMRU_user_settings_key:
sid_key_values = iter(RunMRU_user_settings_key.values())
timestamp = RunMRU_user_settings_key.last_written_timestamp(
).isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
continue
sid_name = value.name()
file_name = strip_control_characters(value.data())
record = OrderedDict([("Sequence", sid_name),
("Command", file_name),
("Key_Timestamp", timestamp),
("@timestamp", timestamp)])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path))
return lst
def run(self):
lst = []
"use the NATUSER.dat hive to get the result"
#Software\\Classes\\
Sysinternals_user_settings_path = u'\\Software\\Sysinternals'
hive = get_hive(self.prim_hive,self.log_files)
Sysinternals_user_settings_key = hive.find_key(Sysinternals_user_settings_path)
if Sysinternals_user_settings_key:
for sid_key in Sysinternals_user_settings_key.subkeys():
Application_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
EulaAccepted = sid_key.value(name=u"EulaAccepted")
if EulaAccepted:
EulaAccepted_data = EulaAccepted.data()
if EulaAccepted_data == 1:
EulaAccepted_data = "True"
else:
EulaAccepted_data ="False"
else:
EulaAccepted_data ="None"
record = OrderedDict([
("Application_Name", Application_name),
("Eula_Accepted", EulaAccepted_data),
("Accepted_TimeStamp",timestamp),
("@timestamp",timestamp),
])
lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('Sysinternals', Sysinternals_user_settings_path))
return lst
def run(self):
try:
lst = []
OpenSaveMRU_settings_path = u"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePIDlMRU"
hive = get_hive(self.prim_hive, self.log_files)
OpenSaveMRU_settings_key = hive.find_key(OpenSaveMRU_settings_path)
#print('Found a key: {}'.format(OpenSaveMRU_settings_key.path()))
if OpenSaveMRU_settings_key:
for sid_key in OpenSaveMRU_settings_key.subkeys():
try:
dat_key = sid_key.last_written_timestamp().isoformat()
except:
pass
sid_name = sid_key.name()
cat = sid_name
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
value_name = value.name()
if "MRUListEx" == value_name or "(Default)" != value_name:
data = value.data()
path = ""
data = data.hex()
data = data.split("0400efbe")
counter = 0
for d in data:
if counter == 0:
pass
else:
dax = bytes.fromhex(d)
format = Struct(
'unkuwn' / Bytes(38),
'Path' / CString("utf16"))
dd = format.parse(dax)
#print("prob")
path += "\\" + dd.Path
counter = counter + 1
record = OrderedDict([
("SequenceNumber", value_name),
("Key_timestamp", dat_key),
("Type", sid_name), ("path", path),
("@timestamp", dat_key)
])
lst.append(
eval(u"{}".format(
json.dumps(record,
cls=ComplexEncoder))))
except StopIteration:
break
except Exception as error:
## logging.error(u"Error getting next value: {}".format(error))
continue
return lst
except Exception as e:
raise e
def run(self):
lst = []
TypedPaths_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"
hive = get_hive(self.prim_hive, self.log_files)
TypedPaths_user_settings_key = hive.find_key(
TypedPaths_user_settings_path)
if TypedPaths_user_settings_key:
#for sid_key in TypedPaths_user_settings_key.subkeys():
sid_key_values = iter(TypedPaths_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
url_data = value.data()
timestamp = TypedPaths_user_settings_key.last_written_timestamp(
).isoformat()
record = OrderedDict([("Key_Timestamp", timestamp),
("Url Name", value_name),
("Url",
strip_control_characters(url_data)),
("@timestmap", timestamp)])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('TypedPaths', TypedPaths_user_settings_path))
return lst
def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
TimeZoneInformation_user_settings_path = u"\\".join(
[current_path, u"Control\\TimeZoneInformation"])
TimeZoneInformation_user_settings_key = hive.find_key(
TimeZoneInformation_user_settings_path)
if TimeZoneInformation_user_settings_key:
TimeZoneKeyName = TimeZoneInformation_user_settings_key.value(
name=u"TimeZoneKeyName")
TimeZoneKeyName_data = TimeZoneKeyName.data()
timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp(
).isoformat()
record = OrderedDict([
("Time Zone", strip_control_characters(TimeZoneKeyName_data)),
("Key_Timestamp", timestamp), ("@timestamp", timestamp)
])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('TimeZoneInformation', TimeZoneInformation_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths"
hive = get_hive(self.prim_hive, self.log_files)
InstalledApp_user_settings_key = hive.find_key(
InstalledApp_user_settings_path)
# print('Found a key: {}'.format(InstalledApp_user_settings_key.path()))
if InstalledApp_user_settings_key:
for sid_key in InstalledApp_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
Path = sid_key.value(name=u"Path")
if Path:
Path_data = strip_control_characters(Path.data())
else:
Path_data = ""
record = OrderedDict([
("Application_Name", sid_name),
("InstalledApp_date", timestamp),
("Path", Path_data),
("@timestamp", timestamp),
])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
hive = get_hive(self.prim_hive, self.log_files)
ProfileList_user_settings_key = hive.find_key(
ProfileList_user_settings_path)
# print('Found a key: {}'.format(ProfileList_user_settings_key.path()))
if ProfileList_user_settings_key:
for sid_key in ProfileList_user_settings_key.subkeys():
sid_name = sid_key.name()
Profile_path = sid_key.value(name=u"ProfileImagePath")
Profile_data = strip_control_characters(Profile_path.data())
timestamp = sid_key.last_written_timestamp().isoformat()
user = strip_control_characters(
os.path.basename(os.path.normpath(Profile_data)))
record = OrderedDict([("Path", Profile_data), ("User", user),
("sid", sid_name),
("Key_Timestamp", timestamp),
("@timestamp", timestamp)])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
else:
logging.info(u"[{}] {} not found.".format(
'ProfileList', ProfileList_user_settings_path))
return lst
def run(self):
"use the NTUSER.dat hive to get the result"
StreamMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU'
hive = get_hive(self.prim_hive,self.log_files)
StreamMRU_user_settings_key = hive.find_key(StreamMRU_user_settings_path)
print('Found a key: {}'.format(StreamMRU_user_settings_key.path()))
if StreamMRU_user_settings_key:
sid_key_values = iter(StreamMRU_user_settings_key.values())
timestamp = StreamMRU_user_settings_key.last_written_timestamp().isoformat()
counter =0
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
continue
sid_name = value.name()
data = value.data()
dump = RegistryHelpers.HexDump(value.data())
counter = counter +1
dx = struct.unpack(data)
print (dx)
def run(self):
lst = []
AppCompatFlags_user_settings_path = u"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
hive = get_hive(self.prim_hive, self.log_files)
AppCompatFlags_user_settings_key = hive.find_key(
AppCompatFlags_user_settings_path)
if AppCompatFlags_user_settings_key:
sid_name = AppCompatFlags_user_settings_key.name()
timestamp = AppCompatFlags_user_settings_key.last_written_timestamp(
).isoformat()
sid_key_values = iter(AppCompatFlags_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# # logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_datax = value.data()
record = OrderedDict([
("File", value_name),
("Key_Timestamp", timestamp),
("sid", sid_name),
("value", value_datax),
("@timestamp", timestamp),
])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
return lst
def run(self):
lst =[]
MuiCache_user_settings_path = u"\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache"
hive = get_hive(self.prim_hive,self.log_files)
MuiCache_user_settings_key = hive.find_key(MuiCache_user_settings_path)
if MuiCache_user_settings_key:
sid_name = MuiCache_user_settings_key.name()
sid_key_values = iter(MuiCache_user_settings_key.values())
timestamp = MuiCache_user_settings_key.last_written_timestamp().isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data_raw()
record = OrderedDict([
("name", value_name),
("sid", sid_name),
("Key_Timestamp", timestamp),
("@timestamp", timestamp)
])
lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
return lst
def run(self):
# for reg_handler in registry_manager.iter_registry_handlers(name=u'NTUSER.DAT'):
try:
hive = get_hive(self.prim_hive, self.log_files)
user_assist_key = hive.find_key(
u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'
)
if user_assist_key is not None:
lst = []
for guid_key in user_assist_key.subkeys():
guid_key_name = guid_key.name()
count_key = guid_key.subkey(u"Count")
dat_key = guid_key.last_written_timestamp().isoformat()
if count_key is not None:
for value in count_key.values():
value_name = value.name()
value_name_decoded = codecs.encode(
value_name, 'rot_13')
value_data = value.data()
count = None
win = ""
if len(value_data) == 16:
count = struct.unpack("<I", value_data[4:8])[0]
count -= 5
record = OrderedDict([
("_plugin", u"UserAssist"),
("guid", guid_key_name),
("name", value_name_decoded),
("count", count), ("@timestamp", dat_key)
])
lst.append(
eval(u"{}".format(
json.dumps(record,
cls=ComplexEncoder))))
elif len(value_data) == 72:
count = struct.unpack("<I", value_data[4:8])[0]
date_time = struct.unpack(
"<q", value_data[60:68])[0]
new_datetime = convert_datetime(date_time)
if new_datetime == "1601-01-01T00:00:00":
new_datetime = dat_key
record = OrderedDict([
("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("key_creation_time", dat_key),
("@timestamp", new_datetime)
])
lst.append(
eval(u"{}".format(
json.dumps(record,
cls=ComplexEncoder))))
else:
pass
return lst
else:
return None
except Exception as e:
raise e
def run(self):
hive = get_hive(self.prim_hive,self.log_files)
select_key = hive.find_key(u'Select')
current_path=''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path ='ControlSet001'
lst =[]
PortForwading_user_settings_path = u"\\".join([current_path,u"Services\\PortProxy\\v4tov4"])
hive = get_hive(self.prim_hive,self.log_files)
PortForwading_user_settings_key = hive.find_key(PortForwading_user_settings_path)
if PortForwading_user_settings_key:
for sk in PortForwading_user_settings_key.subkeys():
lst.append(sk)
return lst
def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
bam_user_settings_path = u"\\".join(
[current_path, u"Services\\bam\\UserSettings"])
bam_user_settings_key = hive.find_key(bam_user_settings_path)
if bam_user_settings_key:
for sid_key in bam_user_settings_key.subkeys():
sid_name = sid_key.name()
version_value = sid_key.value(name=u"Version")
version = None
if version_value:
version = version_value.data()
sequence_value = sid_key.value(name=u"SequenceNumber")
sequence = None
if sequence_value:
sequence = version_value.data()
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data_raw()
if value_name not in [u"Version", u"SequenceNumber"]:
timestamp = convert_datetime(value_data[0:8])
record = OrderedDict([("name", value_name),
("@timestamp", timestamp),
("sid", sid_name),
("version", version),
("sequence", sequence)])
lst.append(
eval(u"{}".format(
json.dumps(record, cls=ComplexEncoder))))
return lst
else:
logging.info(u"[{}] {} not found.".format('Bam',
bam_user_settings_path))
def run(self):
hive = get_hive(self.prim_hive,self.log_files)
select_key = hive.find_key(u'Select')
current_path=''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path ='ControlSet001'
lst= []
DHCP_user_settings_path = u"\\".join([current_path,u"Services\\Tcpip\\Parameters\\Interfaces"])
DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path)
if DHCP_user_settings_key:
for sid_key in DHCP_user_settings_key.subkeys():
timestamp = sid_key.last_written_timestamp().isoformat()
sid_name = sid_key.name()
def get_date (value_name):
value = sid_key.value(name=value_name)
if value:
value = value.data()
else:
value ="None"
return value
dict_values_data = {'DhcpIPAddress' : strip_control_characters(get_date('DhcpIPAddress')),
'DhcpServer' : strip_control_characters(get_date('DhcpServer')),
'DhcpSubnetMask' : strip_control_characters(get_date('DhcpSubnetMask')),
'Domain' : strip_control_characters(get_date('Domain')),
'NameServer' : strip_control_characters(get_date('NameServer')),
'EnableDHCP' : get_date('EnableDHCP'),
'DhcpConnForceBroadcastFlag' : get_date('DhcpConnForceBroadcastFlag'),
'IsServerNapAware' : get_date('IsServerNapAware'),
'RegisterAdapterName' : get_date('RegisterAdapterName'),
'RegistrationEnabled' : get_date('RegistrationEnabled')}
record = OrderedDict([
("Dhcp IP Address", dict_values_data['DhcpIPAddress']),
("Dhcp Server", dict_values_data['DhcpServer']),
("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']),
("Domain", dict_values_data['Domain']),
("Name Server", dict_values_data['NameServer']),
("Enable DHCP", dict_values_data['EnableDHCP']),
("DhcpConnForceBroadcastFlag", dict_values_data['DhcpConnForceBroadcastFlag']),
("Is Server NapAware", dict_values_data['IsServerNapAware']),
("Register Adapter Name", dict_values_data['RegisterAdapterName']),
("Registration Enabled", dict_values_data['RegistrationEnabled']),
('@timestamp',timestamp)
])
lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('DHCP', DHCP_user_settings_path))
return lst
def run(self):
print ("HI"*100)
lst= []
VolatileEnvironment_user_settings_path = u"Volatile Environment"
hive = get_hive(self.prim_hive,self.log_files)
VolatileEnvironment_user_settings_key = hive.find_key(VolatileEnvironment_user_settings_path)
# print('Found a key: {}'.format(VolatileEnvironment_user_settings_key.path()))
#return None
if VolatileEnvironment_user_settings_key:
print("gg")
def run(self):
print ("HI"*100)
lst= []
VolatileEnvironment_user_settings_path = u"Volatile Environment"
hive = get_hive(self.prim_hive,self.log_files)
VolatileEnvironment_user_settings_key = hive.find_key(VolatileEnvironment_user_settings_path)
print('Found a key: {}'.format(VolatileEnvironment_user_settings_key.path()))
#return None
if VolatileEnvironment_user_settings_key:
print("gg")
# for sid_key in VolatileEnvironment_user_settings_key.subkeys():
# sid_name = sid_key.name()
#
# def get_date (value_name):
# value = sid_key.value(name=value_name)
# if value:
# value = value.data()
# else:
# value ="None"
# return value
#
# dict_values_data = {'VolatileEnvironmentIPAddress' : strip_control_characters(get_date('VolatileEnvironmentIPAddress')),
# 'VolatileEnvironmentServer' : strip_control_characters(get_date('VolatileEnvironmentServer')),
# 'VolatileEnvironmentSubnetMask' : strip_control_characters(get_date('VolatileEnvironmentSubnetMask')),
# 'Domain' : strip_control_characters(get_date('Domain')),
# 'NameServer' : strip_control_characters(get_date('NameServer')),
# 'EnableVolatileEnvironment' : get_date('EnableVolatileEnvironment'),
# 'VolatileEnvironmentConnForceBroadcastFlag' : get_date('VolatileEnvironmentConnForceBroadcastFlag'),
# 'IsServerNapAware' : get_date('IsServerNapAware'),
# 'RegisterAdapterName' : get_date('RegisterAdapterName'),
# 'RegistrationEnabled' : get_date('RegistrationEnabled')}
#
#
# record = OrderedDict([
# ("_plugin", u"VolatileEnvironment"),
# ("VolatileEnvironment IP Address", dict_values_data['VolatileEnvironmentIPAddress']),
# ("VolatileEnvironment Server", dict_values_data['VolatileEnvironmentServer']),
# ("VolatileEnvironmentSubnetMask", dict_values_data['VolatileEnvironmentSubnetMask']),
# ("Domain", dict_values_data['Domain']),
# ("Name Server", dict_values_data['NameServer']),
# ("Enable VolatileEnvironment", dict_values_data['EnableVolatileEnvironment']),
# ("VolatileEnvironmentConnForceBroadcastFlag", dict_values_data['VolatileEnvironmentConnForceBroadcastFlag']),
# ("Is Server NapAware", dict_values_data['IsServerNapAware']),
# ("Register Adapter Name", dict_values_data['RegisterAdapterName']),
# ("Registration Enabled", dict_values_data['RegistrationEnabled'])
#
# ])
#
# lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('VolatileEnvironment', VolatileEnvironment_user_settings_path))
def run(self):
lst = []
"This uses useclass.data"
BagMRU_user_settings_path = u"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"
hive = get_hive(self.prim_hive, self.log_files)
BagMRU_user_settings_key = hive.find_key(BagMRU_user_settings_path)
if BagMRU_user_settings_key:
for sid_key in BagMRU_user_settings_key.values():
sid_name = sid_key.name()
data = sid_key.data()
if "MRUListEx" == sid_name or "NodeSlot" == sid_name or "NodeSlots" == sid_name:
pass
else:
buf = sid_key.data()
#data = buf[::2][:buf[::2].find(b'\x00')].decode()
print("_" * 100)
dd = RegistryHelpers.HexDump(buf)
print(dd)
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved'
hive = get_hive(self.prim_hive, self.log_files)
ShellExtensions_user_settings_key = hive.find_key(
ShellExtensions_user_settings_path)
if ShellExtensions_user_settings_key:
sid_key_values = iter(ShellExtensions_user_settings_key.values())
timestamp = ShellExtensions_user_settings_key.last_written_timestamp(
).isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
sid_name = value.name()
data = value.data()
if isinstance(data, bytes):
pos = data.find(b'\x00\x00') + 1
file_name = strip_control_characters(
data[:pos].decode('utf-16'))
else:
file_name = strip_control_characters(data)
record = OrderedDict([("sid", sid_name),
("File Name", file_name),
("key_last_written_timestamp",
timestamp), ("@timestamp", timestamp)])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
else:
logging.info(u"[{}] {} not found.".format(
'ShellExtensions', ShellExtensions_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
LaunchTracing_user_settings_path = u"\\Wow6432Node\\Microsoft\\Tracing"
hive = get_hive(self.prim_hive, self.log_files)
LaunchTracing_user_settings_key = hive.find_key(
LaunchTracing_user_settings_path)
if LaunchTracing_user_settings_key:
for sid_key in LaunchTracing_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
record = OrderedDict([("name", sid_name),
("Excution_Time", timestamp),
("@timestamp", timestamp)])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('LaunchTracing', LaunchTracing_user_settings_path))
return lst
def run(self):
lst = []
hive = get_hive(self.prim_hive, self.log_files)
Amcache_user_settings_path = u"root\\InventoryApplicationFile"
Amcache_win7_user_settings_path = u"root\\File"
Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path)
Amcache7_user_settings_key = hive.find_key(
Amcache_win7_user_settings_path)
if Amcache_user_settings_key:
for sid_key in Amcache_user_settings_key.subkeys():
sid_key_values = iter(sid_key.values())
key_time = sid_key.last_written_timestamp().isoformat()
win10_amache_mapping = {
"ProgramId": "ProgramId",
"LongPathHash": "LongPathHash",
"IsOsComponent": "IsOsComponent",
"Usn": "Usn",
"LowerCaseLongPath": "Path",
"FileId": "Sha1",
"Name": "Name",
"Publisher": "CompanyName",
"Version": "Version",
"BinFileVersion": "BinFileVersion",
"BinaryType": "BinaryType",
"ProductName": "ProductName",
"ProductVersion": "ProductVersion",
"LinkDate": "LinkDate",
"BinProductVersion": "BinProductVersion",
"Size": "FileSize",
"Language": "Language",
"IsPeFile": "IsPeFile"
}
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# # logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
if value_name in win10_amache_mapping.keys():
names = win10_amache_mapping[value_name]
else:
names = value_name
data = value.data()
record[names] = strip_control_characters(str(data))
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
return lst
elif Amcache7_user_settings_key:
win8_amcache_mapping = {
'0': 'ProductName',
'1': 'CompanyName',
'2': 'FileVersionNum',
'3': 'Language',
'4': 'SwitchBackContext',
'5': 'FileVersion',
'6': 'FileSize',
'7': 'pe_header_hash',
'8': 'unknown1',
'9': 'pe_header_checksum',
'a': 'unknown2',
'b': 'unknown3',
'c': 'file_description',
'd': 'unknown4',
'f': 'linker_compile_time',
'10': 'unknown5',
'11': 'last_modified_timestamp',
'12': 'created_timestamp',
'15': 'Path',
'16': 'unknown6',
'17': 'last_modified_timestamp_2',
'100': 'ProgramId',
'101': 'Sha1'
}
for sid_key in Amcache7_user_settings_key.subkeys():
for sidd_key in sid_key.subkeys():
sid_key_values = iter(sidd_key.values())
key_time = sidd_key.last_written_timestamp().isoformat()
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# # logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win8_amcache_mapping[value_name]
data = value.data()
if "time" in names:
if "linker_compile_time" in names:
data = datetime.datetime.fromtimestamp(data)
else:
data = convert_datetime(data)
record[names] = strip_control_characters(str(data))
if len(record) == 0:
continue
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
def run(self):
lst= []
"This uses useclass.data"
BagMRU_user_settings_path = u"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"
hive = get_hive(self.prim_hive,self.log_files)
BagMRU_user_settings_key = hive.find_key(BagMRU_user_settings_path)
if BagMRU_user_settings_key:
for sid_key in BagMRU_user_settings_key.values():
sid_name = sid_key.name()
data = sid_key.data()
if "MRUListEx" == sid_name or "NodeSlot" == sid_name or "NodeSlots" == sid_name:
pass
else:
buf = sid_key.data()
#data = buf[::2][:buf[::2].find(b'\x00')].decode()
print ("_"*100)
dd = RegistryHelpers.HexDump(buf)
print(dd)
# block = SHITEMLIST(buf, 0x0, False)
# offset = 0x10
#
#
# for i in len(data):
# o = i + 2
# dd = struct.unpack_from("<H", data, o)[0]
# print (dd)
#size = block.unpack_word(offset)
# if size == 0:
# break
# elif size < 0x15:
# pass
# else:
# item = block.get_item(offset)
#print (item)
# version_value = sid_key.value(name=u"Version")
# version = None
# if version_value:
# version = version_value.data()
#
# sequence_value = sid_key.value(name=u"SequenceNumber")
# sequence = None
# if sequence_value:
# sequence = version_value.data()
# We can have an issue with iterating values so we will take it one
# at a time to try and catch errors.
# sid_key_values = iter(sid_key.values())
#
# while True:
# try:
# value = next(sid_key_values)
# except StopIteration:
# break
# except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
# continue
#
# value_name = value.name()
# value_data = value.data_raw()
#
# if value_name not in [u"Version", u"SequenceNumber"]:
# timestamp = convert_datetime(value_data[0:8])
#
# record = OrderedDict([
# ("_plugin", u"BagMRU"),
# ("name", value_name),
# ("timestamp", timestamp),
# ("sid", sid_name),
# ("version", version),
# ("sequence", sequence)
# ])
#
# print(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('BagMRU', BagMRU_user_settings_path))
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
InstalledComponents_user_settings_path = [
u'Microsoft\\Active Setup\\Installed Components',
u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components'
]
hive = get_hive(self.prim_hive, self.log_files)
for path in InstalledComponents_user_settings_path:
InstalledComponents_user_settings_key = hive.find_key(path)
if InstalledComponents_user_settings_key:
for sid_key in InstalledComponents_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
IsInstalled = sid_key.value(name=u"IsInstalled")
if IsInstalled:
IsInstalled_data = IsInstalled.data()
else:
IsInstalled_data = "None"
DontAsk = sid_key.value(name=u"DontAsk")
if DontAsk:
DontAsk_data = DontAsk.data()
else:
DontAsk_data = "None"
Enabled = sid_key.value(name=u"Enabled")
if Enabled:
Enabled_data = Enabled.data()
else:
Enabled_data = "None"
Locale = sid_key.value(name=u"Locale")
if Locale:
Locale_data = strip_control_characters(Locale.data())
else:
Locale_data = "None"
LocalizedName = sid_key.value(name=u"LocalizedName")
if LocalizedName:
LocalizedName_data = strip_control_characters(
LocalizedName.data())
else:
LocalizedName_data = "None"
StubPath = sid_key.value(name=u"StubPath")
if StubPath:
StubPath_data = strip_control_characters(
StubPath.data())
else:
StubPath_data = "None"
Version = sid_key.value(name=u"Version")
if Version:
Version_data = strip_control_characters(Version.data())
else:
Version_data = "None"
ComponentID = sid_key.value(name=u"ComponentID")
if ComponentID:
ComponentID_data = strip_control_characters(
ComponentID.data())
else:
ComponentID_data = "None"
record = OrderedDict([
("sid", sid_name),
("last_written_timestamp", timestamp),
("ComponentID", ComponentID_data),
("Version", Version_data), ("StubPath", StubPath_data),
("LocalizedName", LocalizedName_data),
("Locale", Locale_data), ("Enabled", Enabled_data),
("DontAsk", DontAsk_data),
("IsInstalled", IsInstalled_data),
("@timestamp", timestamp)
])
lst.append(
eval(u"{}".format(
json.dumps(record, cls=ComplexEncoder))))
# else:
# # logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall"
hive = get_hive(self.prim_hive, self.log_files)
Uninstall_user_settings_key = hive.find_key(
Uninstall_user_settings_path)
# print('Found a key: {}'.format(Uninstall_user_settings_key.path()))
if Uninstall_user_settings_key:
for sid_key in Uninstall_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
#try:
DisplayName = sid_key.value(name=u"DisplayName")
if DisplayName:
DisplayName_data = strip_control_characters(
DisplayName.data())
else:
DisplayName_data = ""
DisplayVersion = sid_key.value(name=u"DisplayVersion")
if DisplayVersion:
DisplayVersion_data = strip_control_characters(
DisplayVersion.data())
else:
DisplayVersion_data = ""
InstallDate = sid_key.value(name=u"InstallDate")
if InstallDate:
InstallDate_data = strip_control_characters(
InstallDate.data())
else:
InstallDate_data = ""
InstallLocation = sid_key.value(name=u"InstallLocation")
if InstallLocation:
InstallLocation_data = strip_control_characters(
InstallLocation.data())
else:
InstallLocation_data = ""
InstallSource = sid_key.value(name=u"InstallSource")
if InstallSource:
InstallSource_data = strip_control_characters(
InstallSource.data())
else:
InstallSource_data = ""
ModifyPath = sid_key.value(name=u"ModifyPath")
if ModifyPath:
ModifyPath_data = strip_control_characters(
ModifyPath.data())
else:
ModifyPath_data = ""
Publisher = sid_key.value(name=u"Publisher")
if Publisher:
Publisher_data = strip_control_characters(Publisher.data())
else:
Publisher_data = ""
Size = sid_key.value(name=u"Size")
if Size:
Size_data = str(Size.data())
else:
Size_data = ""
URLInfoAbout = sid_key.value(name=u"URLInfoAbout")
if URLInfoAbout:
URLInfoAbout_data = strip_control_characters(
URLInfoAbout.data())
else:
URLInfoAbout_data = ""
record = OrderedDict([("name", sid_name),
("Uninstall_date", timestamp),
("Application_Name", DisplayName_data),
("Version", DisplayVersion_data),
("Install_Date", InstallDate_data),
("Install_Location",
InstallLocation_data),
("Install_Source", InstallSource_data),
("Modify_Path", ModifyPath_data),
("Publisher", Publisher_data),
("Size", Size_data),
("URLInfoAbout", URLInfoAbout_data),
("@timestamp", timestamp)])
lst.append(
eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
else:
logging.info(u"[{}] {} not found.".format('Bam',
bam_user_settings_path))
return lst
def run(self):
lst = []
TerminalServerClient_user_settings_paths = [
'Software\\Microsoft\\Terminal Server Client\\Servers',
'Software\\Microsoft\\Terminal Server Client\\Default'
]
for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths:
hive = get_hive(self.prim_hive, self.log_files)
TerminalServerClient_user_settings_key = hive.find_key(
TerminalServerClient_user_settings_path)
# print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path()))
if TerminalServerClient_user_settings_key:
timestamp = TerminalServerClient_user_settings_key.last_written_timestamp(
).isoformat()
if "Servers" in TerminalServerClient_user_settings_path:
for sid_key in TerminalServerClient_user_settings_key.subkeys(
):
key_name = sid_key.name()
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# # logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
UsernameHint = "" if "UsernameHint" != value_name else strip_control_characters(
value.data())
record = OrderedDict([("key_timestamp", timestamp),
("IP_Address", key_name),
("User_Name", UsernameHint),
("@timestamp", timestamp)])
lst.append(
eval(u"{}".format(
json.dumps(record, cls=ComplexEncoder))))
else:
sid_key_values = iter(
TerminalServerClient_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
# # logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data()
record = OrderedDict([
("key_timestamp", timestamp),
("@timestamp", timestamp),
("IP_Address",
strip_control_characters(value_data)),
("Value_Name", value_name)
])
#
lst.append(
eval(u"{}".format(
json.dumps(record, cls=ComplexEncoder))))
# else:
# # # logging.info(u"[{}] {} not found.".format('TerminalServerClient', TerminalServerClient_user_settings_path))
return lst
def run(self):
try:
lst=[]
LastVisitedPidMRU_settings_path = u"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU"
hive = get_hive(self.prim_hive,self.log_files)
LastVisitedPidMRU_settings_key = hive.find_key(LastVisitedPidMRU_settings_path)
if LastVisitedPidMRU_settings_key:
if LastVisitedPidMRU_settings_key:
sid_name = LastVisitedPidMRU_settings_key.name()
dat_key =LastVisitedPidMRU_settings_key.last_written_timestamp().isoformat()
cat = sid_name
sid_key_values = iter(LastVisitedPidMRU_settings_key.values())
while True:
try:
value = next(sid_key_values)
value_name = value.name()
if value_name != "MRUListEx" and value_name !="(Default)":
data = value.data()
format = Struct(
'filename' / CString("utf16")
)
File_name = format.parse(data)
File_name = File_name.filename
data = data.hex()
data = data.split("0400efbe")
path = ""
counter = 0
a_time=""
c_time=""
record = None
for d in data:
if counter == 0 :
a_time = ""
else:
dax =bytes.fromhex(d)
format = Struct(
'CreationDate' / Bytes(4),
'AccessDate' / Bytes(4),
'idntifier'/ Bytes(4),
'MFT_entry'/ Bytes(6),
'sequence'/ Bytes(16),
'unkowun' /Bytes(4),
'Path' /CString("utf16")
)
dd = format.parse(dax)
path += "\\"+dd.Path
cc_time = dd.CreationDate
aa_time = dd.AccessDate
if cc_time == b'\x00\x00\x00\x00':
c_time = dat_key
else:
c_time =from_fat(cc_time.hex())
if aa_time == b'\x00\x00\x00\x00':
a_time = dat_key
else:
a_time = from_fat(aa_time.hex())
counter = counter + 1
if value_name == "MRUListEx":
pass
else:
record = OrderedDict([
("SequenceNumber", value_name),
("Key_timestamp", dat_key),
("CreationDate",c_time),
("AccessDate",a_time),
("@timestamp", a_time),
("File_name", File_name),
("path", path)
])
if record is not None:
lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder))))
except StopIteration:
break
except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
continue
return lst
# else:
# # logging.info(u"[{}] {} not found.".format('LastVisitedPidMRU', LastVisitedPidMRU_settings_path))
except Exception as e:
raise e
