def run(self):
"""
This plugin checks the following parameters:
EnableLUA - Windows notifies the user when programs try to make changes to the computer
EnableVirtualization - enables the redirection of legacy application File and Registry writes
that would normally fail as standard user to a user-writable data location.
FilterAdministratorToken - If enabled approval is required when performing administrative tasks.
ConsentPromptBehaviorAdmin - This option allows the Consent Admin to perform an
operation that requires elevation without consent or credentials.
ConsentPromptBehaviorUser - If enabled, a standard user that needs to perform an operation that requires
elevation of privilege will be prompted for an administrative user name and password
"""
try:
subkey = self.registry_hive.get_key(UAC_KEY_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(
f'Could not find {self.NAME} subkey at {UAC_KEY_PATH}: {ex}')
return None
self.entries = {
'last_write':
convert_wintime(subkey.header.last_modified, as_json=self.as_json),
'enable_limited_user_accounts':
subkey.get_value('EnableLUA', as_json=self.as_json),
'enable_virtualization':
subkey.get_value('EnableVirtualization', as_json=self.as_json),
'filter_admin_token':
subkey.get_value('FilterAdministratorToken', as_json=self.as_json),
'consent_prompt_admin':
subkey.get_value('ConsentPromptBehaviorAdmin',
as_json=self.as_json),
'consent_prompt_user':
subkey.get_value('ConsentPromptBehaviorUser', as_json=self.as_json)
}
def run(self):
try:
subkey = self.registry_hive.get_key(TYPED_URLS_KEY_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(f'Could not find {self.NAME} plugin data at: {TYPED_URLS_KEY_PATH}: {ex}')
return None
self.entries = {
'last_write': convert_wintime(subkey.header.last_modified, as_json=self.as_json),
'entries': [{underscore(x.name): x.value} for x in subkey.iter_values(as_json=self.as_json)]
}
def _get_installed_software(self, subkey_path):
try:
ras_subkey = self.registry_hive.get_key(subkey_path)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
return
for entry in ras_subkey.iter_subkeys():
timestamp = convert_wintime(entry.header.last_modified,
as_json=self.as_json)
self.entries.append({'name': entry.name, 'timestamp': timestamp})
def run(self):
try:
subkey = self.registry_hive.get_key(LAST_LOGON_KEY_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(f'Could not find {self.NAME} subkey at {LAST_LOGON_KEY_PATH}: {ex}')
return None
self.entries = {
'last_write': convert_wintime(subkey.header.last_modified, as_json=self.as_json),
**{underscore(x.name): x.value for x in subkey.iter_values(as_json=self.as_json)}
}
def run(self):
try:
tsclient_subkey = self.registry_hive.get_key(TSCLIENT_HISTORY_PATH)
except (RegistryKeyNotFoundException, NoRegistrySubkeysException) as ex:
logger.error(ex)
return
for server in tsclient_subkey.iter_subkeys():
self.entries.append({
'server': server.name,
'last_connection': convert_wintime(server.header.last_modified, as_json=self.as_json),
'username_hint': server.get_value('UsernameHint')
})
def run(self):
try:
installer_subkey = self.registry_hive.get_key(CLASSES_INSTALLER_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
return
for entry in installer_subkey.iter_subkeys():
identifier = entry.name
timestamp = convert_wintime(entry.header.last_modified, as_json=self.as_json)
product_name = entry.get_value('ProductName')
self.entries.append({
'identifier': identifier,
'timestamp': timestamp,
'product_name': product_name,
'is_hidden': product_name is None
})
def _get_safeboot_entries(self, subkey_path):
entries = []
for safeboot_network_path in self.registry_hive.get_control_sets(subkey_path):
control_set_name = safeboot_network_path.split('\\')[1]
try:
subkey = self.registry_hive.get_key(safeboot_network_path)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
continue
for safeboot_network_subkey in subkey.iter_subkeys():
timestamp = convert_wintime(safeboot_network_subkey.header.last_modified, as_json=self.as_json)
entries.append({
'timestamp': timestamp,
'name': safeboot_network_subkey.name,
'description': safeboot_network_subkey.get_value(),
'control_set_name': control_set_name
})
return entries
def run(self):
try:
subkey = self.registry_hive.get_key(PORTS_KEY_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(
f'Could not find {self.NAME} subkey at {PORTS_KEY_PATH}: {ex}')
return None
last_write = convert_wintime(subkey.header.last_modified).isoformat()
for port in subkey.iter_values():
self.entries.append({
'timestamp':
last_write,
'port_name':
port.name,
'parameters':
port.value
if isinstance(port.value, int) else port.value.split(',')
})