def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect Values under Office 2010 MRUs and return events for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ # TODO: Test other Office versions to make sure this plugin is applicable. mru_values_dict = {} for registry_value in registry_key.GetValues(): # Ignore any value not in the form: 'Item [0-9]+'. if not registry_value.name or not self._RE_VALUE_NAME.search( registry_value.name): continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue value_string = registry_value.GetDataAsObject() values = self._RE_VALUE_DATA.findall(value_string) # Values will contain a list containing a tuple containing 2 values. if len(values) != 1 or len(values[0]) != 2: continue try: filetime = int(values[0][0], 16) except ValueError: parser_mediator.ProduceParseError( (u'unable to convert filetime string to an integer for ' u'value: {0:s}.').format(registry_value.name)) continue mru_values_dict[registry_value.name] = value_string # TODO: change into a separate event object. values_dict = {registry_value.name: value_string} event_object = windows_events.WindowsRegistryEvent( filetime, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, mru_values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Gather the BootExecute Value, compare to default, return event. The rest of the values in the Session Manager key are in a separate event. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): value_name = registry_value.name or u'(default)' if value_name == u'BootExecute': # MSDN: claims that the data type of this value is REG_BINARY # although REG_MULTI_SZ is known to be used as well. if registry_value.DataIsString(): value_string = registry_value.GetDataAsObject() elif registry_value.DataIsMultiString(): value_string = u''.join(registry_value.GetDataAsObject()) elif registry_value.DataIsBinaryData(): value_string = registry_value.GetDataAsObject() else: value_string = u'' error_string = ( u'Key: {0:s}, value: {1:s}: unsupported value data type: ' u'{2:s}.').format(registry_key.path, value_name, registry_value.data_type_string) parser_mediator.ProduceExtractionError(error_string) # TODO: why does this have a separate event object? Remove this. value_dict = {u'BootExecute': value_string} event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, value_dict, offset=registry_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object) else: values_dict[value_name] = registry_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object)
def CreateTestEventObjects(): """Creates the event objects for testing. Returns: A list of event objects (instances of EventObject). """ event_objects = [] filetime = dfwinreg_filetime.Filetime() filetime.CopyFromString(u'2012-04-20 22:38:46.929596') values_dict = {u'Value': u'c:/Temp/evil.exe'} event_object = windows_events.WindowsRegistryEvent(filetime.timestamp, u'MY AutoRun key', values_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) filetime.CopyFromString(u'2012-05-02 13:43:26.929596') values_dict = {u'Value': u'send all the exes to the other world'} event_object = windows_events.WindowsRegistryEvent( filetime.timestamp, u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key', values_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) filetime.CopyFromString(u'2012-04-20 16:44:46') values_dict = {u'Value': u'run all the benign stuff'} event_object = windows_events.WindowsRegistryEvent( filetime.timestamp, u'\\HKCU\\Windows\\Normal', values_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) timemstamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39') text_dict = { u'hostname': u'nomachine', u'text': (u'This is a line by someone not reading the log line properly. And ' u'since this log line exceeds the accepted 80 chars it will be ' u'shortened.'), u'username': u'johndoe' } event_object = text_events.TextEvent(timemstamp, 12, text_dict) event_object.parser = 'UNKNOWN' event_objects.append(event_object) return event_objects
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect ShutdownTime value under Windows and produce an event object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ shutdown_value = registry_key.GetValueByName(u'ShutdownTime') if not shutdown_value: return value_integer = shutdown_value.GetDataAsObject() try: filetime = self._UINT64_STRUCT.parse(value_integer) except construct.FieldError as exception: parser_mediator.ProduceParseError( (u'Unable to extract shutdown timestamp: {0:d} with error: ' u'{1:s}').format(value_integer, exception)) return values_dict = {u'Description': shutdown_value.name} event_object = windows_events.WindowsRegistryEvent( filetime, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND, usage=eventdata.EventTimestamp.LAST_SHUTDOWN) parser_mediator.ProduceEvent(event_object)
def _ParseMRUListExKey(self, parser_mediator, key, codepage=u'cp1252'): """Extract event objects from a MRUListEx Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). key: the Registry key (instance of dfwinreg.WinRegistryKey). codepage: Optional extended ASCII string codepage. """ values_dict = {} for entry_index, entry_number in self._ParseMRUListExValue(key): # TODO: detect if list ends prematurely. # MRU lists are terminated with 0xffffffff (-1). if entry_number == 0xffffffff: break value_string = self._ParseMRUListExEntryValue(parser_mediator, key, entry_index, entry_number, codepage=codepage) value_text = u'Index: {0:d} [MRU Value {1:d}]'.format( entry_index + 1, entry_number) values_dict[value_text] = value_string event_object = windows_events.WindowsRegistryEvent( key.last_written_time, key.path, values_dict, offset=key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Extracts event objects from a WinRAR ArcHistory key. Args: parser_mediator: a parser mediator object (instance of ParserMediator). registry_key: a Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): # Ignore any value not in the form: '[0-9]+'. if (not registry_value.name or not self._RE_VALUE_NAME.search(registry_value.name)): continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue values_dict[registry_value.name] = registry_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect the values under Outlook and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): # Ignore the default value. if not registry_value.name: continue # Ignore any value that is empty or that does not contain an integer. if not registry_value.data or not registry_value.DataIsInteger(): continue # TODO: change this 32-bit integer into something meaningful, for now # the value name is the most interesting part. value_integer = registry_value.GetDataAsObject() values_dict[registry_value.name] = u'0x{0:08x}'.format( value_integer) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect MRU Values and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for value in registry_key.GetValues(): # Ignore the default value. if not value.name: continue # Ignore any value that is empty or that does not contain a string. if not value.data or not value.DataIsString(): continue values_dict[value.name] = value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def _ParseRegisteredDLLs(self, parser_mediator, registry_key): """Parses the registered DLLs that receive event notifications. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ notify_key = registry_key.GetSubkeyByName(u'Notify') if not notify_key: return for subkey in notify_key.GetSubkeys(): for trigger in self._TRIGGERS: handler_value = subkey.GetValueByName(trigger) if handler_value: values_dict = { u'Application': subkey.name, u'Handler': handler_value.GetDataAsObject(), u'Trigger': trigger } command_value = subkey.GetValueByName(u'DllName') if command_value: values_dict[ u'Command'] = command_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( subkey.last_written_time, subkey.path, values_dict, offset=subkey.offset, source_append=u': Winlogon') parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Gather minimal information about system install and return an event. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ installation_value = None string_values = {} for registry_value in registry_key.GetValues(): # Ignore the default value. if not registry_value.name: continue if (registry_value.name == u'InstallDate' and registry_value.DataIsInteger()): installation_value = registry_value continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue string_value_name = self._STRING_VALUE_NAME_STRINGS.get( registry_value.name, None) if not string_value_name: continue string_values[string_value_name] = registry_value.GetDataAsObject() owner = string_values.get(u'owner', u'') product_name = string_values.get(u'product_name', u'') service_pack = string_values.get(u'service_pack', u'') version = string_values.get(u'version', u'') values_dict = {} values_dict[u'Owner'] = owner values_dict[u'Product name'] = product_name values_dict[u'Service pack'] = service_pack values_dict[u'Windows Version Information'] = version event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object) # TODO: if not present indicate anomaly of missing installation # date and time. if installation_value: posix_time = installation_value.GetDataAsObject() event_object = windows_events.WindowsRegistryInstallationEvent( posix_time, registry_key.path, owner, product_name, service_pack, version) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Returns an event object based on a Registry key name and values. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} if registry_key.number_of_values == 0: values_dict[u'Value'] = u'No values stored in key.' else: for registry_value in registry_key.GetValues(): value_name = registry_value.name or u'(default)' if registry_value.data is None: value_string = u'[{0:s}] Empty'.format( registry_value.data_type_string) elif registry_value.DataIsString(): value_string = registry_value.GetDataAsObject() value_string = u'[{0:s}] {1:s}'.format( registry_value.data_type_string, value_string) elif registry_value.DataIsInteger(): value_integer = registry_value.GetDataAsObject() value_string = u'[{0:s}] {1:d}'.format( registry_value.data_type_string, value_integer) elif registry_value.DataIsMultiString(): multi_string = registry_value.GetDataAsObject() if not isinstance(multi_string, (list, tuple)): value_string = u'[{0:s}]'.format( registry_value.data_type_string) # TODO: Add a flag or some sort of an anomaly alert. else: value_string = u'[{0:s}] {1:s}'.format( registry_value.data_type_string, u''.join(multi_string)) else: value_string = u'[{0:s}]'.format( registry_value.data_type_string) values_dict[value_name] = value_string event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object)
def _ParseSubKey( self, parser_mediator, key, parent_path_segments, codepage=u'cp1252'): """Extract event objects from a MRUListEx Registry key. Args: parser_mediator: a parser mediator object (instance of ParserMediator). key: the Registry key (instance of dfwinreg.WinRegistryKey). parent_path_segments: list containing the parent shell item path segments. codepage: optional extended ASCII string codepage. """ entry_numbers = {} values_dict = {} value_strings = {} found_terminator = False for index, entry_number in self._ParseMRUListExValue(parser_mediator, key): if entry_number == 0xffffffff: found_terminator = True continue if found_terminator: parser_mediator.ProduceExtractionError(( u'Found additional MRUListEx entries after terminator ' u'in key: {0:s}.').format(key.path)) # Only create one parser error per terminator. found_terminator = False path_segment = self._ParseMRUListExEntryValue( parser_mediator, key, index, entry_number, values_dict, value_strings, parent_path_segments, codepage=codepage) entry_numbers[entry_number] = path_segment event_object = windows_events.WindowsRegistryEvent( key.last_written_time, key.path, values_dict, offset=key.offset, source_append=self._SOURCE_APPEND, urls=self.URLS) parser_mediator.ProduceEvent(event_object) for entry_number, path_segment in iter(entry_numbers.items()): sub_key = key.GetSubkeyByName(u'{0:d}'.format(entry_number)) if not sub_key: parser_mediator.ProduceExtractionError( u'Missing BagMRU sub key: {0:d} in key: {1:s}.'.format( entry_number, key.path)) continue parent_path_segments.append(path_segment) self._ParseSubKey( parser_mediator, sub_key, parent_path_segments, codepage=codepage) parent_path_segments.pop()
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect Values in Servers and return event for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ mru_values_dict = {} for subkey in registry_key.GetSubkeys(): username_value = subkey.GetValueByName(u'UsernameHint') if (username_value and username_value.data and username_value.DataIsString()): username = username_value.GetDataAsObject() else: username = u'N/A' mru_values_dict[subkey.name] = username values_dict = {u'Username hint': username} event_object = windows_events.WindowsRegistryEvent( subkey.last_written_time, subkey.path, values_dict, offset=subkey.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, mru_values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Gather the BootVerification key values and return one event for all. This key is rare, so its presence is suspect. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} for registry_value in registry_key.GetValues(): value_name = registry_value.name or u'(default)' values_dict[value_name] = registry_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Extracts event objects from a CCleaner Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ update_key_value = None values_dict = {} for registry_value in registry_key.GetValues(): if not registry_value.name or not registry_value.data: continue if (registry_value.name == u'UpdateKey' and registry_value.DataIsString()): update_key_value = registry_value else: values_dict[registry_value.name] = registry_value.GetDataAsObject() if update_key_value: date_time_string = update_key_value.GetDataAsObject() try: # Date and time string in the form: MM/DD/YYYY hh:mm:ss [A|P]M # e.g. 07/13/2013 10:03:14 AM # TODO: does this hold for other locales? timestamp = timelib.Timestamp.FromTimeString( date_time_string, timezone=parser_mediator.timezone) except errors.TimestampError: timestamp = None parser_mediator.ProduceParseError( u'unable to parse time string: {0:s}'.format(date_time_string)) if timestamp is not None: event_object = CCleanerUpdateEvent(timestamp, registry_key.path) parser_mediator.ProduceEvent(event_object) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Retrieves information from the MountPoints2 registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ for subkey in registry_key.GetSubkeys(): name = subkey.name if not name: continue values_dict = {} values_dict[u'Volume'] = name label_value = subkey.GetValueByName(u'_LabelFromReg') if label_value: values_dict[u'Label'] = label_value.GetDataAsObject() if name.startswith(u'{'): values_dict[u'Type'] = u'Volume' elif name.startswith(u'#'): # The format is: ##Server_Name#Share_Name. values_dict[u'Type'] = u'Remote Drive' server_name, _, share_name = name[2:].partition(u'#') values_dict[u'Remote_Server'] = server_name values_dict[u'Share_Name'] = u'\\{0:s}'.format( share_name.replace(u'#', u'\\')) else: values_dict[u'Type'] = u'Drive' event_object = windows_events.WindowsRegistryEvent( subkey.last_written_time, registry_key.path, values_dict, offset=subkey.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Extracts event objects from a Explorer ProgramsCache Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ registry_value = registry_key.GetValueByName(u'ProgramsCache') if registry_value: self._ParseValueData(parser_mediator, registry_key, registry_value) registry_value = registry_key.GetValueByName(u'ProgramsCacheSMP') if registry_value: self._ParseValueData(parser_mediator, registry_key, registry_value) registry_value = registry_key.GetValueByName(u'ProgramsCacheTBP') if registry_value: self._ParseValueData(parser_mediator, registry_key, registry_value) values_dict = {} for registry_value in registry_key.GetValues(): # Ignore the default value. if not registry_value.name or registry_value.name in [ u'ProgramsCache', u'ProgramsCacheSMP', u'ProgramsCacheTBP']: continue # Ignore any value that is empty or that does not contain a string. if not registry_value.data or not registry_value.DataIsString(): continue values_dict[registry_value.name] = registry_value.GetDataAsObject() event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object)
def _ParseLogonApplications(self, parser_mediator, registry_key): """Parses the registered logon applications. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ for application in self._LOGON_APPLICATIONS: command_value = registry_key.GetValueByName(application) if command_value: values_dict = { u'Application': application, u'Command': command_value.GetDataAsObject(), u'Trigger': u'Logon' } event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=u': Winlogon') parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect SubKeys under USB and produce an event object for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ for subkey in registry_key.GetSubkeys(): values_dict = {} values_dict[u'subkey_name'] = subkey.name vendor_identification = None product_identification = None try: subkey_name_parts = subkey.name.split(u'&') if len(subkey_name_parts) >= 2: vendor_identification = subkey_name_parts[0] product_identification = subkey_name_parts[1] except ValueError as exception: logging.warning( u'Unable to split string: {0:s} with error: {1:s}'.format( subkey.name, exception)) if vendor_identification and product_identification: values_dict[u'vendor'] = vendor_identification values_dict[u'product'] = product_identification for devicekey in subkey.GetSubkeys(): values_dict[u'serial'] = devicekey.name # Last USB connection per USB device recorded in the Registry. event_object = windows_events.WindowsRegistryEvent( devicekey.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND, usage=eventdata.EventTimestamp.LAST_CONNECTED) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Retrieves information from the Network registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ for subkey in registry_key.GetSubkeys(): drive_letter = subkey.name if not drive_letter: continue values_dict = { u'DriveLetter': drive_letter, u'Type': u'Mapped Drive' } # Get the remote path if it exists. remote_path_value = subkey.GetValueByName(u'RemotePath') if remote_path_value: remote_path = remote_path_value.GetDataAsObject() if remote_path.startswith(u'\\\\'): server_name, _, share_name = remote_path[2:].partition( u'\\') values_dict[u'RemoteServer'] = server_name values_dict[u'ShareName'] = u'\\{0:s}'.format( share_name.replace(u'#', u'\\')) event_object = windows_events.WindowsRegistryEvent( subkey.last_written_time, registry_key.path, values_dict, offset=subkey.offset, source_append=u': Network Drive') parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect values and return an event. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ if registry_key is None: return values_dict = {} for value_name in self._VALUE_NAMES: value_data = self._GetValueData(registry_key, value_name) if value_data is None: continue values_dict[value_name] = value_data event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object)
def CreateTestEvents(): """Creates events for testing. Returns: list[EventObject]: events. """ test_events = [] hostname = u'MYHOSTNAME' data_type = u'test:event' event_object = events.EventObject() event_object.username = u'joesmith' event_object.filename = u'c:/Users/joesmith/NTUSER.DAT' event_object.hostname = hostname event_object.timestamp = 0 event_object.data_type = data_type event_object.text = u'' test_events.append(event_object) filetime = dfdatetime_filetime.Filetime() # TODO: move this to a WindowsRegistryEvent unit test. filetime.CopyFromString(u'2012-04-20 22:38:46.929596') values_dict = {u'Run': u'c:/Temp/evil.exe'} event_object = windows_events.WindowsRegistryEvent(filetime, u'MY AutoRun key', values_dict) event_object.hostname = hostname test_events.append(event_object) filetime.CopyFromString(u'2012-04-20 23:56:46.929596') values_dict = {u'Value': u'send all the exes to the other world'} event_object = windows_events.WindowsRegistryEvent( filetime, u'HKCU\\Secret\\EvilEmpire\\Malicious_key', values_dict) event_object.hostname = hostname test_events.append(event_object) filetime.CopyFromString(u'2012-04-20 16:44:46.000000') values_dict = {u'Value': u'run all the benign stuff'} event_object = windows_events.WindowsRegistryEvent( filetime, u'HKCU\\Windows\\Normal', values_dict) event_object.hostname = hostname test_events.append(event_object) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596') filename = u'c:/Temp/evil.exe' attributes = {u'text': u'This log line reads ohh so much.'} event_object = TestEvent(timestamp, attributes) event_object.filename = filename event_object.hostname = hostname test_events.append(event_object) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596') attributes = {u'text': u'Nothing of interest here, move on.'} event_object = TestEvent(timestamp, attributes) event_object.filename = filename event_object.hostname = hostname test_events.append(event_object) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 13:06:47.939596') attributes = { u'text': u'Mr. Evil just logged into the machine and got root.' } event_object = TestEvent(timestamp, attributes) event_object.filename = filename event_object.hostname = hostname test_events.append(event_object) text_dict = { u'body': (u'This is a line by someone not reading the log line properly. And ' u'since this log line exceeds the accepted 80 chars it will be ' u'shortened.'), u'hostname': u'nomachine', u'username': u'johndoe' } # TODO: move this to a TextEvent unit test. timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000') event_object = text_events.TextEvent(timestamp, 12, text_dict) event_object.text = event_object.body event_object.hostname = hostname event_object.filename = filename test_events.append(event_object) return test_events
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect data from Users and Names and produce event objects. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ name_key = registry_key.GetSubkeyByName(u'Names') if not name_key: parser_mediator.ProduceParseError(u'Unable to locate Names key.') return values = [(v.name, v.last_written_time) for v in name_key.GetSubkeys()] name_dict = dict(values) for subkey in registry_key.GetSubkeys(): if subkey.name == u'Names': continue parsed_v_value = self._ParseVValue(subkey) if not parsed_v_value: parser_mediator.ProduceParseError( u'Unable to parse SAM key: {0:s} V value.'.format(subkey)) return username = parsed_v_value[0] full_name = parsed_v_value[1] comments = parsed_v_value[2] values_dict = {u'user_guid': subkey.name} if username: values_dict[u'username'] = username if full_name: values_dict[u'full_name'] = full_name if comments: values_dict[u'comments'] = comments if name_dict: account_create_time = name_dict.get(username, 0) else: account_create_time = 0 f_data = self._ParseFValue(subkey) values_dict[u'account_rid'] = f_data.rid values_dict[u'login_count'] = f_data.login_count if account_create_time > 0: event_object = windows_events.WindowsRegistryEvent( account_create_time, registry_key.path, values_dict, usage=eventdata.EventTimestamp.ACCOUNT_CREATED, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) if f_data.last_login > 0: event_object = windows_events.WindowsRegistryEvent( f_data.last_login, registry_key.path, values_dict, usage=eventdata.EventTimestamp.LAST_LOGIN_TIME, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) if f_data.password_reset > 0: event_object = windows_events.WindowsRegistryEvent( f_data.password_reset, registry_key.path, values_dict, usage=eventdata.EventTimestamp.LAST_PASSWORD_RESET, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Parses a Task Cache Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ dynamic_info_size_error_reported = False tasks_key = registry_key.GetSubkeyByName(u'Tasks') tree_key = registry_key.GetSubkeyByName(u'Tree') if not tasks_key or not tree_key: parser_mediator.ProduceParseError( u'Task Cache is missing a Tasks or Tree sub key.') return task_guids = {} for sub_key in tree_key.GetSubkeys(): for value_key, id_value in self._GetIdValue(sub_key): # TODO: improve this check to a regex. # The GUID is in the form {%GUID%} and stored an UTF-16 little-endian # string and should be 78 bytes in size. id_value_data_size = len(id_value.data) if id_value_data_size != 78: parser_mediator.ProduceParseError( u'unsupported Id value data size: {0:d}.'.format( id_value_data_size)) continue guid_string = id_value.GetDataAsObject() task_guids[guid_string] = value_key.name for sub_key in tasks_key.GetSubkeys(): dynamic_info_value = sub_key.GetValueByName(u'DynamicInfo') if not dynamic_info_value: continue dynamic_info_value_data_size = len(dynamic_info_value.data) if dynamic_info_value_data_size == self._DYNAMIC_INFO_STRUCT_SIZE: dynamic_info_struct = self._DYNAMIC_INFO_STRUCT.parse( dynamic_info_value.data) elif dynamic_info_value_data_size == self._DYNAMIC_INFO2_STRUCT_SIZE: dynamic_info_struct = self._DYNAMIC_INFO_STRUCT.parse( dynamic_info_value.data) else: if not dynamic_info_size_error_reported: parser_mediator.ProduceParseError( u'unsupported DynamicInfo value data size: {0:d}.'. format(dynamic_info_value_data_size)) dynamic_info_size_error_reported = True continue name = task_guids.get(sub_key.name, sub_key.name) values_dict = {} values_dict[u'Task: {0:s}'.format(name)] = u'[ID: {0:s}]'.format( sub_key.name) event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset) parser_mediator.ProduceEvent(event_object) last_registered_time = dynamic_info_struct.get( u'last_registered_time') if last_registered_time: # Note this is likely either the last registered time or # the update time. event_object = TaskCacheEvent(last_registered_time, u'Last registered time', name, sub_key.name) parser_mediator.ProduceEvent(event_object) launch_time = dynamic_info_struct.get(u'launch_time') if launch_time: # Note this is likely the launch time. event_object = TaskCacheEvent(launch_time, u'Launch time', name, sub_key.name) parser_mediator.ProduceEvent(event_object) unknown_time = dynamic_info_struct.get(u'unknown_time') if unknown_time: event_object = TaskCacheEvent(unknown_time, u'Unknown time', name, sub_key.name) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Parses a UserAssist Registry key. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ version_value = registry_key.GetValueByName(u'Version') count_subkey = registry_key.GetSubkeyByName(u'Count') if not version_value: parser_mediator.ProduceParseError(u'Missing version value') return if not version_value.DataIsInteger(): parser_mediator.ProduceParseError( u'Unsupported version value data type') return format_version = version_value.GetDataAsObject() if format_version not in (3, 5): parser_mediator.ProduceParseError( u'Unsupported format version: {0:d}'.format(format_version)) return if not count_subkey: parser_mediator.ProduceParseError(u'Missing count subkey') return userassist_entry_index = 0 for registry_value in count_subkey.GetValues(): try: value_name = registry_value.name.decode(u'rot-13') except UnicodeEncodeError as exception: logging.debug(( u'Unable to decode UserAssist string: {0:s} with error: {1:s}.\n' u'Attempting piecewise decoding.').format( registry_value.name, exception)) characters = [] for char in registry_value.name: if ord(char) < 128: try: characters.append(char.decode(u'rot-13')) except UnicodeEncodeError: characters.append(char) else: characters.append(char) value_name = u''.join(characters) if format_version == 5: path_segments = value_name.split(u'\\') for segment_index in range(0, len(path_segments)): # Remove the { } from the path segment to get the GUID. guid = path_segments[segment_index][1:-1] path_segments[segment_index] = known_folder_ids.PATHS.get( guid, path_segments[segment_index]) value_name = u'\\'.join(path_segments) # Check if we might need to substitute values. if u'%' in value_name: # TODO: deprecate direct use of pre_obj. value_name = environ_expand.ExpandWindowsEnvironmentVariables( value_name, parser_mediator.knowledge_base.pre_obj) value_data_size = len(registry_value.data) if not registry_value.DataIsBinaryData(): parser_mediator.ProduceParseError( u'Unsupported value data type: {0:s}'.format( registry_value.data_type_string)) elif value_name == u'UEME_CTLSESSION': pass elif format_version == 3: if value_data_size != self._USERASSIST_V3_STRUCT.sizeof(): parser_mediator.ProduceParseError( u'Unsupported value data size: {0:d}'.format( value_data_size)) else: parsed_data = self._USERASSIST_V3_STRUCT.parse( registry_value.data) filetime = parsed_data.get(u'timestamp', 0) count = parsed_data.get(u'count', 0) if count > 5: count -= 5 values_dict = {} values_dict[value_name] = u'[Count: {0:d}]'.format(count) event_object = windows_events.WindowsRegistryEvent( filetime, count_subkey.path, values_dict, offset=registry_value.offset) parser_mediator.ProduceEvent(event_object) elif format_version == 5: if value_data_size != self._USERASSIST_V5_STRUCT.sizeof(): parser_mediator.ProduceParseError( u'Unsupported value data size: {0:d}'.format( value_data_size)) parsed_data = self._USERASSIST_V5_STRUCT.parse( registry_value.data) userassist_entry_index += 1 count = parsed_data.get(u'count', None) app_focus_count = parsed_data.get(u'app_focus_count', None) focus_duration = parsed_data.get(u'focus_duration', None) filetime = parsed_data.get(u'timestamp', 0) values_dict = {} values_dict[value_name] = ( u'[UserAssist entry: {0:d}, Count: {1:d}, ' u'Application focus count: {2:d}, Focus duration: {3:d}]' ).format(userassist_entry_index, count, app_focus_count, focus_duration) event_object = windows_events.WindowsRegistryEvent( filetime, count_subkey.path, values_dict, offset=count_subkey.offset) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect Values under USBStor and return an event object for each one. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ for subkey in registry_key.GetSubkeys(): values_dict = {} values_dict[u'subkey_name'] = subkey.name # Time last USB device of this class was first inserted. event_object = windows_events.WindowsRegistryEvent( subkey.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND, usage=eventdata.EventTimestamp.FIRST_CONNECTED) parser_mediator.ProduceEvent(event_object) name_values = subkey.name.split(u'&') number_of_name_values = len(name_values) # Normally we expect 4 fields here however that is not always the case. if number_of_name_values != 4: logging.warning( u'Expected 4 &-separated values in: {0:s}'.format( subkey.name)) if number_of_name_values >= 1: values_dict[u'device_type'] = name_values[0] if number_of_name_values >= 2: values_dict[u'vendor'] = name_values[1] if number_of_name_values >= 3: values_dict[u'product'] = name_values[2] if number_of_name_values >= 4: values_dict[u'revision'] = name_values[3] for devicekey in subkey.GetSubkeys(): values_dict[u'serial'] = devicekey.name friendly_name_value = devicekey.GetValueByName(u'FriendlyName') if friendly_name_value: values_dict[ u'friendly_name'] = friendly_name_value.GetDataAsObject( ) else: values_dict.pop(u'friendly_name', None) # ParentIdPrefix applies to Windows XP Only. parent_id_prefix_value = devicekey.GetValueByName( u'ParentIdPrefix') if parent_id_prefix_value: values_dict[u'parent_id_prefix'] = ( parent_id_prefix_value.GetDataAsObject()) else: values_dict.pop(u'parent_id_prefix', None) # Win7 - Last Connection. # Vista/XP - Time of an insert. event_object = windows_events.WindowsRegistryEvent( devicekey.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND, usage=eventdata.EventTimestamp.LAST_CONNECTED) parser_mediator.ProduceEvent(event_object) # Build list of first Insertion times. first_insert = [] device_parameter_key = devicekey.GetSubkeyByName( u'Device Parameters') if device_parameter_key: first_insert.append(device_parameter_key.last_written_time) log_configuration_key = devicekey.GetSubkeyByName(u'LogConf') if (log_configuration_key and log_configuration_key.last_written_time not in first_insert): first_insert.append( log_configuration_key.last_written_time) properties_key = devicekey.GetSubkeyByName(u'Properties') if (properties_key and properties_key.last_written_time not in first_insert): first_insert.append(properties_key.last_written_time) # Add first Insertion times. for timestamp in first_insert: event_object = windows_events.WindowsRegistryEvent( timestamp, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND, usage=eventdata.EventTimestamp.LAST_CONNECTED) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Collect data from Users and Names and produce event objects. Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ names_key = registry_key.GetSubkeyByName(u'Names') if not names_key: parser_mediator.ProduceParseError(u'missing subkey: "Names".') return values = [(v.name, v.last_written_time) for v in names_key.GetSubkeys()] usernames_dict = dict(values) for subkey in registry_key.GetSubkeys(): if subkey.name == u'Names': continue f_value = subkey.GetValueByName(u'F') if not f_value: parser_mediator.ProduceParseError( u'missing Registry value: "F" in subkey: {0:s}.'.format( subkey.name)) continue v_value = subkey.GetValueByName(u'V') if not v_value: parser_mediator.ProduceParseError( u'missing Registry value: "V" in subkey: {0:s}.'.format( subkey.name)) continue try: f_data_struct = self._F_VALUE_STRUCT.parse(f_value.data) except construct.FieldError as exception: parser_mediator.ProduceParseError( (u'unable to parse Registry value: "F" in subkey: {0:s} ' u'with error: {1:s}.').format(subkey.name, exception)) continue try: v_data_struct = self._V_VALUE_HEADER.parse(v_value.data) except construct.FieldError as exception: parser_mediator.ProduceParseError( (u'unable to parse Registry value: "V" in subkey: {0:s} ' u'with error: {1:s}.').format(subkey.name, exception)) continue v_header_values = v_data_struct.values()[0] data_start_offset = v_header_values[ 3] + self._V_VALUE_STRINGS_OFFSET data_end_offset = v_header_values[4] + data_start_offset utf16_stream = v_value.data[data_start_offset:data_end_offset] try: username = utf16_stream.decode(u'utf-16-le') except (UnicodeDecodeError, UnicodeEncodeError) as exception: username = utf16_stream.decode(u'utf-16-le', errors=u'replace') parser_mediator.ProduceParseError(( u'unable to decode username string with error: {0:s}. Characters ' u'that cannot be decoded will be replaced with "?" or ' u'"\\ufffd".').format(exception)) data_start_offset = v_header_values[ 6] + self._V_VALUE_STRINGS_OFFSET data_end_offset = v_header_values[7] + data_start_offset utf16_stream = v_value.data[data_start_offset:data_end_offset] try: fullname = utf16_stream.decode(u'utf-16-le') except (UnicodeDecodeError, UnicodeEncodeError) as exception: fullname = utf16_stream.decode(u'utf-16-le', errors=u'replace') parser_mediator.ProduceParseError(( u'unable to decode fullname string with error: {0:s}. Characters ' u'that cannot be decoded will be replaced with "?" or ' u'"\\ufffd".').format(exception)) data_start_offset = v_header_values[ 9] + self._V_VALUE_STRINGS_OFFSET data_end_offset = v_header_values[10] + data_start_offset utf16_stream = v_value.data[data_start_offset:data_end_offset] try: comments = utf16_stream.decode(u'utf-16-le') except (UnicodeDecodeError, UnicodeEncodeError) as exception: comments = utf16_stream.decode(u'utf-16-le', errors=u'replace') parser_mediator.ProduceParseError(( u'unable to decode comments string with error: {0:s}. Characters ' u'that cannot be decoded will be replaced with "?" or ' u'"\\ufffd".').format(exception)) filetime = None if usernames_dict: filetime = usernames_dict.get(username, None) # TODO: check if subkey.name == f_data_struct.rid if filetime: values_dict = { u'account_rid': f_data_struct.rid, u'login_count': f_data_struct.login_count } if username: values_dict[u'username'] = username if fullname: values_dict[u'full_name'] = fullname if comments: values_dict[u'comments'] = comments event_object = windows_events.WindowsRegistryEvent( filetime, registry_key.path, values_dict, offset=registry_key.offset, source_append=self._SOURCE_APPEND) parser_mediator.ProduceEvent(event_object) if f_data_struct.last_login > 0: event_object = SAMUsersWindowsRegistryEvent( f_data_struct.last_login, eventdata.EventTimestamp.LAST_LOGIN_TIME, registry_key.path, f_value.offset, f_data_struct.rid, f_data_struct.login_count, username, fullname, comments) parser_mediator.ProduceEvent(event_object) if f_data_struct.password_reset > 0: event_object = SAMUsersWindowsRegistryEvent( f_data_struct.password_reset, eventdata.EventTimestamp.LAST_PASSWORD_RESET, registry_key.path, f_value.offset, f_data_struct.rid, f_data_struct.login_count, username, fullname, comments) parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs): """Retrieves information of the Internet Settings Zones values. The MSIE Feature controls are stored in the Zone specific subkeys in: Internet Settings\\Zones key Internet Settings\\Lockdown_Zones key Args: parser_mediator: A parser mediator object (instance of ParserMediator). registry_key: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ values_dict = {} if registry_key.number_of_values > 0: for registry_value in registry_key.GetValues(): value_name = registry_value.name or u'(default)' if registry_value.DataIsString(): value_string = u'[{0:s}] {1:s}'.format( registry_value.data_type_string, registry_value.GetDataAsObject()) elif registry_value.DataIsInteger(): value_string = u'[{0:s}] {1:d}'.format( registry_value.data_type_string, registry_value.GetDataAsObject()) elif registry_value.DataIsMultiString(): value_string = u'[{0:s}] {1:s}'.format( registry_value.data_type_string, u''.join( registry_value.GetDataAsObject())) else: value_string = u'[{0:s}]'.format(registry_value.data_type_string) values_dict[value_name] = value_string # Generate at least one event object for the key. event_object = windows_events.WindowsRegistryEvent( registry_key.last_written_time, registry_key.path, values_dict, offset=registry_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object) if registry_key.number_of_subkeys == 0: error_string = u'Key: {0:s} missing subkeys.'.format(registry_key.path) parser_mediator.ProduceParseError(error_string) return for zone_key in registry_key.GetSubkeys(): # TODO: these values are stored in the Description value of the # zone key. This solution will break on zone values that are larger # than 5. path = u'{0:s}\\{1:s}'.format( registry_key.path, self._ZONE_NAMES[zone_key.name]) values_dict = {} # TODO: this plugin currently just dumps the values and does not # distinguish between what is a feature control or not. for value in zone_key.GetValues(): # Ignore the default value. if not value.name: continue if value.DataIsString(): value_string = value.GetDataAsObject() elif value.DataIsInteger(): value_integer = value.GetDataAsObject() if value.name in self._KNOWN_PERMISSIONS_VALUE_NAMES: value_string = self._CONTROL_VALUES_PERMISSIONS.get( value_integer, u'UNKNOWN') elif value.name == u'1A00': value_string = self._CONTROL_VALUES_1A00.get( value_integer, u'UNKNOWN') elif value.name == u'1C00': value_string = self._CONTROL_VALUES_1C00.get( value_integer, u'UNKNOWN') elif value.name == u'1E05': value_string = self._CONTROL_VALUES_SAFETY.get( value_integer, u'UNKNOWN') else: value_string = u'{0:d}'.format(value_integer) else: value_string = u'[{0:s}]'.format(value.data_type_string) if len(value.name) == 4 and value.name != u'Icon': value_description = self._FEATURE_CONTROLS.get(value.name, u'UNKNOWN') else: value_description = self._FEATURE_CONTROLS.get(value.name, u'') if value_description: feature_control = u'[{0:s}] {1:s}'.format( value.name, value_description) else: feature_control = u'[{0:s}]'.format(value.name) values_dict[feature_control] = value_string event_object = windows_events.WindowsRegistryEvent( zone_key.last_written_time, path, values_dict, offset=zone_key.offset, urls=self.URLS) parser_mediator.ProduceEvent(event_object)