예제 #1
	def _csv_list_named_pipes(self, pipes):
		"""Write one 'PIPES' row per named pipe to <computer>_named_pipes.csv.

		``pipes`` is iterated once and each element becomes the third column.
		After the file is closed its SHA-256 is recorded in
		<computer>_sha256.log via ``record_sha256_logs``, so the hash covers
		the finished file.
		"""
		base = self.output_dir + '\\' + self.computer_name
		csv_path = base + '_named_pipes.csv'
		with open(csv_path, 'wb') as output:
			writer = get_csv_writer(output)
			for pipe in pipes:
				write_to_csv([self.computer_name, 'PIPES', pipe], writer)
		record_sha256_logs(csv_path, base + '_sha256.log')
예제 #2
파일: fs.py 프로젝트: he0x/FastResponder
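    def _csv_windows_prefetch(self, wpref):
        """Write one 'Prefetch' row per parsed prefetch file to <computer>_prefetch.csv.

        Each element of ``wpref`` is a 9-tuple (prefetch_file, format_version,
        file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c);
        ``hash_table_a`` must be subscriptable by 'start_time', 'duration'
        and 'average_duration'. NUL characters are stripped from
        ``exec_name`` and from each entry of ``list_str_c``, and the latter
        are concatenated into one field with a ';' after every entry. The
        file's SHA-256 is logged once it is closed.
        """
        csv_path = self.output_dir + '\\' + self.computer_name + '_prefetch.csv'
        with open(csv_path, 'wb') as output:
            csv_writer = get_csv_writer(output)
            for (prefetch_file, format_version, file_size, exec_name, tc, tm,
                 run_count, hash_table_a, list_str_c) in wpref:
                # One join instead of repeated string concatenation; each
                # entry still ends with ';' exactly as before.
                str_c = ''.join(s.replace('\0', '') + ';' for s in list_str_c)
                write_to_csv([
                    self.computer_name, 'Prefetch', prefetch_file,
                    unicode(format_version),
                    unicode(file_size),
                    exec_name.replace('\00', ''),
                    unicode(tc),
                    unicode(tm),
                    unicode(run_count),
                    unicode(hash_table_a['start_time']),
                    unicode(hash_table_a['duration']),
                    unicode(hash_table_a['average_duration']),
                    str_c,
                ], csv_writer)
        record_sha256_logs(
            csv_path,
            self.output_dir + '\\' + self.computer_name + '_sha256.log')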
예제 #3
	def _csv_list_route_table(self, routes):
		"""Append one 'Route table' row per (name, mask) pair to <dir>_routes_tables.csv.

		The file is opened in append mode ('ab'), unlike most sibling exports
		which truncate ('wb'), so repeated calls accumulate rows. Both values
		go through ``unicode`` before writing. The file's SHA-256 is logged
		once it is closed.
		"""
		self.logger.info('Health : Listing routes tables')
		csv_path = self.output_dir + "_routes_tables.csv"
		with open(csv_path, 'ab') as fw:
			writer = get_csv_writer(fw)
			for name, mask in routes:
				row = [self.computer_name, 'Route table', unicode(name), unicode(mask)]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #4
	def _csv_list_network_drives(self, drives):
		"""Write one 'Network drives' row per (caption, fs, partition name) triple.

		Output goes to <dir>_list_networks_drives.csv, truncated on open;
		values are written unchanged. The file's SHA-256 is logged once it
		is closed.
		"""
		self.logger.info("Health : Listing network drives")
		csv_path = self.output_dir + '_list_networks_drives.csv'
		with open(csv_path, 'wb') as fw:
			writer = get_csv_writer(fw)
			for caption, filesystem, partition_name in drives:
				row = [self.computer_name, 'Network drives', caption, filesystem, partition_name]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #5
	def _csv_list_drives(self, drives):
		"""Write one 'Drives' row per (physical, partition, logical, fs) tuple.

		Output goes to <dir>_list_drives.csv, truncated on open; values are
		written unchanged. The file's SHA-256 is logged once it is closed.
		"""
		self.logger.info("Health : Listing drives")
		csv_path = self.output_dir + '_list_drives.csv'
		with open(csv_path, 'wb') as fw:
			writer = get_csv_writer(fw)
			for physical, partition, logical, filesystem in drives:
				row = [self.computer_name, 'Drives', physical, partition, logical, filesystem]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #6
	def _csv_list_share(self, share):
		"""Write one 'Shares' row per (name, path) pair to <dir>_shares.csv.

		The file is truncated on open and values are written unchanged. The
		file's SHA-256 is logged once it is closed.
		"""
		self.logger.info("Health : Listing shares")
		csv_path = self.output_dir + '_shares.csv'
		with open(csv_path, 'wb') as fw:
			writer = get_csv_writer(fw)
			for share_name, share_path in share:
				write_to_csv([self.computer_name, 'Shares', share_name, share_path], writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #7
	def _csv_list_sessions(self, sessions):
		"""Append one 'Active sessions' row per session 4-tuple to <dir>_sessions.csv.

		Tuples are (logonID, authenticationPackage, startime, logontype).
		``startime`` is cut at its first '.' (everything after it is
		dropped); logon id, start time and logon type go through
		``unicode``. Append mode ('ab') means repeated calls accumulate rows.
		The file's SHA-256 is logged once it is closed.
		"""
		self.logger.info('Health : Listing sessions')
		csv_path = self.output_dir + '_sessions.csv'
		with open(csv_path, 'ab') as fw:
			writer = get_csv_writer(fw)
			for logon_id, auth_package, start_time, logon_type in sessions:
				start_prefix, _sep, _rest = start_time.partition('.')
				row = [self.computer_name, 'Active sessions', unicode(logon_id),
					   auth_package, unicode(start_prefix), unicode(logon_type)]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #8
 def _csv_list_share(self, share):
     """Write one 'Shares' row per (name, path) pair to <dir>_shares.csv.

     The file is truncated on open and values are written unchanged. The
     file's SHA-256 is logged once it is closed.
     """
     self.logger.info("Health : Listing shares")
     csv_path = self.output_dir + '_shares.csv'
     with open(csv_path, 'wb') as fw:
         writer = get_csv_writer(fw)
         for share_name, share_path in share:
             row = [self.computer_name, 'Shares', share_name, share_path]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #9
	def _csv_list_services(self, services):
		"""Append one 'Services' row per service 8-tuple to <dir>_services.csv.

		Tuples are (name, caption, processId, pathName, serviceType, status,
		state, startMode). The written columns are caption, processId,
		serviceType, pathName, status, state, startMode: ``name`` is unpacked
		but never written, and the order differs from the header comment
		below; both are kept as-is so the CSV layout does not change.
		Append mode ('ab') means repeated calls accumulate rows. The file's
		SHA-256 is logged once it is closed.
		"""
		self.logger.info('Health : Listing services')
		csv_path = self.output_dir + '_services.csv'
		with open(csv_path, 'ab') as fw:
			writer = get_csv_writer(fw)
			# header (not written): "Computer Name"|"Type"|"name"|"caption"|"processId"|"pathName"|"serviceType"|"status"|"state"|"startMode"
			for name, caption, process_id, path_name, service_type, status, state, start_mode in services:
				row = [self.computer_name, 'Services', caption, unicode(process_id),
					   service_type, path_name, unicode(status), state, start_mode]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #10
	def _csv_list_sockets_network(self, connections):
		"""Append one 'Sockets' row per connection 7-tuple to <dir>_sockets.csv.

		Tuples are (pid, name, local_address, source_port, remote_addr,
		remote_port, status); every value goes through ``unicode``. Append
		mode ('ab') means repeated calls accumulate rows. The file's SHA-256
		is logged once it is closed.
		"""
		self.logger.info('Health : Listing sockets networks')
		csv_path = self.output_dir + '_sockets.csv'
		with open(csv_path, 'ab') as fw:
			writer = get_csv_writer(fw)
			for connection in connections:
				pid, name, local_address, source_port, remote_addr, remote_port, status = connection
				fields = (pid, name, local_address, source_port, remote_addr, remote_port, status)
				row = [self.computer_name, 'Sockets'] + [unicode(value) for value in fields]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #11
파일: fs.py 프로젝트: he0x/FastResponder
 def _csv_list_named_pipes(self, pipes):
     """Write one 'PIPES' row per named pipe to <computer>_named_pipes.csv.

     ``pipes`` is iterated once and each element becomes the third column.
     After the file is closed its SHA-256 is recorded in
     <computer>_sha256.log via ``record_sha256_logs``, so the hash covers
     the finished file.
     """
     base = self.output_dir + '\\' + self.computer_name
     csv_path = base + '_named_pipes.csv'
     with open(csv_path, 'wb') as output:
         writer = get_csv_writer(output)
         for pipe in pipes:
             write_to_csv([self.computer_name, 'PIPES', pipe], writer)
     record_sha256_logs(csv_path, base + '_sha256.log')
예제 #12
 def _csv_list_drives(self, drives):
     """Write one 'Drives' row per (physical, partition, logical, fs) tuple.

     Output goes to <dir>_list_drives.csv, truncated on open; values are
     written unchanged. The file's SHA-256 is logged once it is closed.
     """
     self.logger.info("Health : Listing drives")
     csv_path = self.output_dir + '_list_drives.csv'
     with open(csv_path, 'wb') as fw:
         writer = get_csv_writer(fw)
         for physical, partition, logical, filesystem in drives:
             row = [self.computer_name, 'Drives', physical, partition, logical, filesystem]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #13
 def _csv_list_network_drives(self, drives):
     """Write one 'Network drives' row per (caption, fs, partition name) triple.

     Output goes to <dir>_list_networks_drives.csv, truncated on open;
     values are written unchanged. The file's SHA-256 is logged once it
     is closed.
     """
     self.logger.info("Health : Listing network drives")
     csv_path = self.output_dir + '_list_networks_drives.csv'
     with open(csv_path, 'wb') as fw:
         writer = get_csv_writer(fw)
         for caption, filesystem, partition_name in drives:
             row = [self.computer_name, 'Network drives', caption, filesystem, partition_name]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #14
	def _csv_list_running_process(self, list_running):
		"""Append one 'Running processes' row per process record to <dir>_processes.csv.

		Each record is read positionally: [0] pid, [1] name, [2] command,
		[3] executable path; any further elements are ignored. pid, command
		and path go through ``unicode``. Append mode ('ab') means repeated
		calls accumulate rows. The file's SHA-256 is logged once it is closed.
		"""
		self.logger.info("Health : Listing running processes")
		csv_path = self.output_dir + '_processes.csv'
		with open(csv_path, 'ab') as fw:
			writer = get_csv_writer(fw)
			for record in list_running:
				pid, name, cmd, exe_path = record[0], record[1], record[2], record[3]
				row = [self.computer_name, 'Running processes', unicode(pid), name,
					   unicode(cmd), unicode(exe_path)]
				write_to_csv(row, writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #15
	def csv_recycle_bin(self):
		"""Export the display names of every item in the recycle bin.

		Binds the CSIDL_BITBUCKET folder through the desktop IShellFolder and
		writes one 'Recycle Bin' row per item to <computer>_recycle_bin.csv,
		holding the item's SHGDN_NORMAL and SHGDN_FORPARSING display names.
		The file's SHA-256 is logged once it is closed.
		"""
		base = self.output_dir + '\\' + self.computer_name
		csv_path = base + '_recycle_bin.csv'
		with open(csv_path, 'wb') as output:
			writer = get_csv_writer(output)
			bin_idl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET)
			desktop = shell.SHGetDesktopFolder()
			bin_folder = desktop.BindToObject(bin_idl, None, shell.IID_IShellFolder)
			for item in bin_folder:
				normal_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_NORMAL)
				parsing_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_FORPARSING)
				write_to_csv([self.computer_name, 'Recycle Bin', normal_name, parsing_name], writer)
		record_sha256_logs(csv_path, base + '_sha256.log')
예제 #16
 def _csv_list_services(self, services):
     """Append one 'Services' row per service 8-tuple to <dir>_services.csv.

     Tuples are (name, caption, processId, pathName, serviceType, status,
     state, startMode). The written columns are caption, processId,
     serviceType, pathName, status, state, startMode: ``name`` is unpacked
     but never written, and the order differs from the header comment
     below; both are kept as-is so the CSV layout does not change.
     Append mode ('ab') means repeated calls accumulate rows. The file's
     SHA-256 is logged once it is closed.
     """
     self.logger.info('Health : Listing services')
     csv_path = self.output_dir + '_services.csv'
     with open(csv_path, 'ab') as fw:
         writer = get_csv_writer(fw)
         # header (not written): "Computer Name"|"Type"|"name"|"caption"|"processId"|"pathName"|"serviceType"|"status"|"state"|"startMode"
         for name, caption, process_id, path_name, service_type, status, state, start_mode in services:
             row = [self.computer_name, 'Services', caption, unicode(process_id),
                    service_type, path_name, unicode(status), state, start_mode]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #17
 def _csv_list_route_table(self, routes):
     """Append one 'Route table' row per (name, mask) pair to <dir>_routes_tables.csv.

     The file is opened in append mode ('ab'), unlike most sibling exports
     which truncate ('wb'), so repeated calls accumulate rows. Both values
     go through ``unicode`` before writing. The file's SHA-256 is logged
     once it is closed.
     """
     self.logger.info('Health : Listing routes tables')
     csv_path = self.output_dir + "_routes_tables.csv"
     with open(csv_path, 'ab') as fw:
         writer = get_csv_writer(fw)
         for name, mask in routes:
             row = [self.computer_name, 'Route table', unicode(name), unicode(mask)]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #18
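	def _csv_windows_prefetch(self, wpref):
		"""Write one 'Prefetch' row per parsed prefetch file to <computer>_prefetch.csv.

		Each element of ``wpref`` is a 9-tuple (prefetch_file, format_version,
		file_size, exec_name, tc, tm, run_count, hash_table_a, list_str_c);
		``hash_table_a`` must be subscriptable by 'start_time', 'duration'
		and 'average_duration'. NUL characters are stripped from
		``exec_name`` and from each entry of ``list_str_c``, and the latter
		are concatenated into one field with a ';' after every entry. The
		file's SHA-256 is logged once it is closed.
		"""
		csv_path = self.output_dir + '\\' + self.computer_name + '_prefetch.csv'
		with open(csv_path, 'wb') as output:
			csv_writer = get_csv_writer(output)
			for (prefetch_file, format_version, file_size, exec_name, tc, tm,
				 run_count, hash_table_a, list_str_c) in wpref:
				# One join instead of repeated string concatenation; each
				# entry still ends with ';' exactly as before.
				str_c = ''.join(s.replace('\0', '') + ';' for s in list_str_c)
				write_to_csv([
					self.computer_name, 'Prefetch', prefetch_file,
					unicode(format_version),
					unicode(file_size),
					exec_name.replace('\00', ''),
					unicode(tc),
					unicode(tm),
					unicode(run_count),
					unicode(hash_table_a['start_time']),
					unicode(hash_table_a['duration']),
					unicode(hash_table_a['average_duration']),
					str_c,
				], csv_writer)
		record_sha256_logs(
			csv_path,
			self.output_dir + '\\' + self.computer_name + '_sha256.log')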
예제 #19
 def _csv_list_sessions(self, sessions):
     """Append one 'Active sessions' row per session 4-tuple to <dir>_sessions.csv.

     Tuples are (logonID, authenticationPackage, startime, logontype).
     ``startime`` is cut at its first '.' (everything after it is
     dropped); logon id, start time and logon type go through
     ``unicode``. Append mode ('ab') means repeated calls accumulate rows.
     The file's SHA-256 is logged once it is closed.
     """
     self.logger.info('Health : Listing sessions')
     csv_path = self.output_dir + '_sessions.csv'
     with open(csv_path, 'ab') as fw:
         writer = get_csv_writer(fw)
         for logon_id, auth_package, start_time, logon_type in sessions:
             start_prefix, _sep, _rest = start_time.partition('.')
             row = [self.computer_name, 'Active sessions', unicode(logon_id),
                    auth_package, unicode(start_prefix), unicode(logon_type)]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #20
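	def _csv_list_arp_table(self, arp):
		"""Write one 'ARP table' row per three-token ARP entry to <dir>_arp_table.csv.

		``arp`` yields raw text lines. Each line has its 0xFF bytes removed
		and is split on whitespace; only lines with exactly three tokens
		(IP, MAC, status per the header comment) are written, each token
		becoming its own column. The file is truncated on open and its
		SHA-256 is logged once it is closed.
		"""
		self.logger.info('Health : Listing ARP tables')
		csv_path = self.output_dir + "_arp_table.csv"
		with open(csv_path, 'wb') as fw:
			csv_writer = get_csv_writer(fw)
			# header (not written): "Computer Name"|"Type"|"IP"|"Mac"|"Status"
			for entry in arp:
				# str.replace returns a new string; the original discarded the
				# result, so the 0xFF bytes were never actually removed.
				tokens = entry.replace('\xff', '').split()
				# The original also built a quoted line and tested
				# ``.find('\.') != 1`` on it; '\.' is the two-character string
				# backslash-dot, so that test held for any realistic entry and
				# the effective filter has always been the token count.
				if len(tokens) == 3:
					write_to_csv([self.computer_name, 'ARP table'] + tokens, csv_writer)
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')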
예제 #21
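 def _csv_list_arp_table(self, arp):
     """Write one 'ARP table' row per three-token ARP entry to <dir>_arp_table.csv.

     ``arp`` yields raw text lines. Each line has its 0xFF bytes removed
     and is split on whitespace; only lines with exactly three tokens
     (IP, MAC, status per the header comment) are written, each token
     becoming its own column. The file is truncated on open and its
     SHA-256 is logged once it is closed.
     """
     self.logger.info('Health : Listing ARP tables')
     csv_path = self.output_dir + "_arp_table.csv"
     with open(csv_path, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         # header (not written): "Computer Name"|"Type"|"IP"|"Mac"|"Status"
         for entry in arp:
             # str.replace returns a new string; the original discarded the
             # result, so the 0xFF bytes were never actually removed.
             tokens = entry.replace('\xff', '').split()
             # The original also built a quoted line and tested
             # ``.find('\.') != 1`` on it; '\.' is the two-character string
             # backslash-dot, so that test held for any realistic entry and
             # the effective filter has always been the token count.
             if len(tokens) == 3:
                 write_to_csv([self.computer_name, 'ARP table'] + tokens, csv_writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')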
예제 #22
 def _csv_list_running_process(self, list_running):
     """Append one 'Running processes' row per process record to <dir>_processes.csv.

     Each record is read positionally: [0] pid, [1] name, [2] command,
     [3] executable path; any further elements are ignored. pid, command
     and path go through ``unicode``. Append mode ('ab') means repeated
     calls accumulate rows. The file's SHA-256 is logged once it is closed.
     """
     self.logger.info("Health : Listing running processes")
     csv_path = self.output_dir + '_processes.csv'
     with open(csv_path, 'ab') as fw:
         writer = get_csv_writer(fw)
         for record in list_running:
             pid, name, cmd, exe_path = record[0], record[1], record[2], record[3]
             row = [self.computer_name, 'Running processes', unicode(pid), name,
                    unicode(cmd), unicode(exe_path)]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #23
	def _csv_list_scheduled_jobs(self):
		"""Dump 'schtasks.exe /query /fo CSV' to <dir>_tasks.csv, then re-export it.

		The raw schtasks stdout is decoded with ``get_terminal_decoded_string``
		and written to <dir>_tasks.csv. That file is then read back: every
		line containing a backslash (presumably task paths, which skips the
		column header) loses its last character and all double quotes, is
		split on ',' and written as a 'Scheduled jobs' row to
		<dir>_scheduled_jobs.csv. Only that second file is hashed into
		<dir>_sha256.log; the raw <dir>_tasks.csv is not.
		"""
		self.logger.info('Health : Listing scheduled jobs')
		file_tasks = self.output_dir + '_tasks.csv'
		# The executable is resolved through PATH rather than by an absolute
		# %SystemRoot%\System32 path; on a host under investigation pinning
		# the full path would be safer. Only stdout is captured (no shell).
		schtasks_cmd = ["schtasks.exe", '/query', '/fo', 'CSV']
		with open(file_tasks, 'wb') as tasks_logs:
			proc = subprocess.Popen(schtasks_cmd, stdout=subprocess.PIPE)
			stdout_data, _stderr = proc.communicate()
			decoded = get_terminal_decoded_string(stdout_data)
			write_to_output(decoded, tasks_logs, self.logger)
		jobs_path = self.output_dir + "_scheduled_jobs.csv"
		with open(file_tasks, "r") as fr, open(jobs_path, 'wb') as fw:
			writer = get_csv_writer(fw)
			for line in fr:
				line = line.decode('utf8')
				if line.find('\\') > 0:
					# drop the line terminator and the CSV quoting before splitting
					fields = line[:-1].replace('"', '').split(',')
					write_to_csv([self.computer_name, 'Scheduled jobs'] + fields, writer)
		record_sha256_logs(jobs_path, self.output_dir + '_sha256.log')
예제 #24
 def _csv_list_sockets_network(self, connections):
     """Append one 'Sockets' row per connection 7-tuple to <dir>_sockets.csv.

     Tuples are (pid, name, local_address, source_port, remote_addr,
     remote_port, status); every value goes through ``unicode``. Append
     mode ('ab') means repeated calls accumulate rows. The file's SHA-256
     is logged once it is closed.
     """
     self.logger.info('Health : Listing sockets networks')
     csv_path = self.output_dir + '_sockets.csv'
     with open(csv_path, 'ab') as fw:
         writer = get_csv_writer(fw)
         for connection in connections:
             pid, name, local_address, source_port, remote_addr, remote_port, status = connection
             fields = (pid, name, local_address, source_port, remote_addr, remote_port, status)
             row = [self.computer_name, 'Sockets'] + [unicode(value) for value in fields]
             write_to_csv(row, writer)
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')
예제 #25
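 def _csv_list_network_adapters(self, ncs):
     """Write one 'Network adapter' row per adapter tuple to <dir>_networks_cards.csv.

     Each element of ``ncs`` is a 14-tuple in the order of the header
     comment below. ``None`` values are replaced by a placeholder before
     writing: a single space for most columns, '' for ``adapter_type`` and
     ``IPv6``. If ``write_to_csv`` raises for one adapter the traceback is
     logged and the remaining adapters are still processed. The file is
     truncated on open and its SHA-256 is logged once it is closed.
     """
     self.logger.info('Health : Listing network adapters')
     csv_path = self.output_dir + "_networks_cards.csv"

     def blank_if_none(value, fill=' '):
         # Keeps the original per-column placeholders (' ' for most, '' for two).
         return fill if value is None else value

     with open(csv_path, 'wb') as fw:
         csv_writer = get_csv_writer(fw)
         # header (not written): "Computer Name"|"Type"|"netcard"|"adapter_type"|"description"|"mac_address"|"product_name"|"physical_adapter"|"speed"|"IPv4"|"IPv6"|"DHCP_server"|"DNS_server"|"database_path"|"nbtstat_value"
         # NOTE(review): ``product_name`` appears twice in the unpacking, so the
         # 5th element of every tuple is overwritten by the 7th and never
         # written — confirm the tuple layout against the producer before
         # changing it; kept as-is here to preserve the output.
         for (netcard, adapter_type, description, mac_address, product_name,
              physical_adapter, product_name, speed, IPv4, IPv6, DHCP_server,
              DNS_server, database_path, nbtstat_value) in ncs:
             row = [
                 self.computer_name, 'Network adapter',
                 blank_if_none(netcard),
                 blank_if_none(adapter_type, ''),
                 blank_if_none(description),
                 blank_if_none(mac_address),
                 # The original had a bare ``product_name`` expression here (a
                 # no-op), so None leaked into the CSV for this column only.
                 blank_if_none(product_name),
                 blank_if_none(physical_adapter),
                 blank_if_none(speed),
                 blank_if_none(IPv4),
                 blank_if_none(IPv6, ''),
                 blank_if_none(DHCP_server),
                 blank_if_none(DNS_server),
                 blank_if_none(database_path),
                 blank_if_none(nbtstat_value),
             ]
             try:
                 write_to_csv(row, csv_writer)
             except Exception:
                 # best-effort: one bad adapter must not abort the whole export
                 self.logger.error(traceback.format_exc())
     record_sha256_logs(csv_path, self.output_dir + '_sha256.log')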
예제 #26
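	def _csv_list_network_adapters(self, ncs):
		"""Write one 'Network adapter' row per adapter tuple to <dir>_networks_cards.csv.

		Each element of ``ncs`` is a 14-tuple in the order of the header
		comment below. ``None`` values are replaced by a placeholder before
		writing: a single space for most columns, '' for ``adapter_type`` and
		``IPv6``. If ``write_to_csv`` raises for one adapter the traceback is
		logged and the remaining adapters are still processed. The file is
		truncated on open and its SHA-256 is logged once it is closed.
		"""
		self.logger.info('Health : Listing network adapters')
		csv_path = self.output_dir + "_networks_cards.csv"

		def blank_if_none(value, fill=' '):
			# Keeps the original per-column placeholders (' ' for most, '' for two).
			return fill if value is None else value

		with open(csv_path, 'wb') as fw:
			csv_writer = get_csv_writer(fw)
			# header (not written): "Computer Name"|"Type"|"netcard"|"adapter_type"|"description"|"mac_address"|"product_name"|"physical_adapter"|"speed"|"IPv4"|"IPv6"|"DHCP_server"|"DNS_server"|"database_path"|"nbtstat_value"
			# NOTE(review): ``product_name`` appears twice in the unpacking, so the
			# 5th element of every tuple is overwritten by the 7th and never
			# written — confirm the tuple layout against the producer before
			# changing it; kept as-is here to preserve the output.
			for (netcard, adapter_type, description, mac_address, product_name,
				 physical_adapter, product_name, speed, IPv4, IPv6, DHCP_server,
				 DNS_server, database_path, nbtstat_value) in ncs:
				row = [
					self.computer_name, 'Network adapter',
					blank_if_none(netcard),
					blank_if_none(adapter_type, ''),
					blank_if_none(description),
					blank_if_none(mac_address),
					# The original had a bare ``product_name`` expression here (a
					# no-op), so None leaked into the CSV for this column only.
					blank_if_none(product_name),
					blank_if_none(physical_adapter),
					blank_if_none(speed),
					blank_if_none(IPv4),
					blank_if_none(IPv6, ''),
					blank_if_none(DHCP_server),
					blank_if_none(DNS_server),
					blank_if_none(database_path),
					blank_if_none(nbtstat_value),
				]
				try:
					write_to_csv(row, csv_writer)
				except Exception:
					# best-effort: one bad adapter must not abort the whole export
					self.logger.error(traceback.format_exc())
		record_sha256_logs(csv_path, self.output_dir + '_sha256.log')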
예제 #27
파일: fs.py 프로젝트: he0x/FastResponder
    def csv_recycle_bin(self):
        """Export the display names of every item in the recycle bin.

        Binds the CSIDL_BITBUCKET folder through the desktop IShellFolder and
        writes one 'Recycle Bin' row per item to <computer>_recycle_bin.csv,
        holding the item's SHGDN_NORMAL and SHGDN_FORPARSING display names.
        The file's SHA-256 is logged once it is closed.
        """
        base = self.output_dir + '\\' + self.computer_name
        csv_path = base + '_recycle_bin.csv'
        with open(csv_path, 'wb') as output:
            writer = get_csv_writer(output)
            bin_idl = shell.SHGetSpecialFolderLocation(0, shellcon.CSIDL_BITBUCKET)
            desktop = shell.SHGetDesktopFolder()
            bin_folder = desktop.BindToObject(bin_idl, None, shell.IID_IShellFolder)
            for item in bin_folder:
                normal_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_NORMAL)
                parsing_name = bin_folder.GetDisplayNameOf(item, shellcon.SHGDN_FORPARSING)
                write_to_csv([self.computer_name, 'Recycle Bin', normal_name, parsing_name], writer)
        record_sha256_logs(csv_path, base + '_sha256.log')
예제 #28
 def _csv_list_scheduled_jobs(self):
     """Dump 'schtasks.exe /query /fo CSV' to <dir>_tasks.csv, then re-export it.

     The raw schtasks stdout is decoded with ``get_terminal_decoded_string``
     and written to <dir>_tasks.csv. That file is then read back: every
     line containing a backslash (presumably task paths, which skips the
     column header) loses its last character and all double quotes, is
     split on ',' and written as a 'Scheduled jobs' row to
     <dir>_scheduled_jobs.csv. Only that second file is hashed into
     <dir>_sha256.log; the raw <dir>_tasks.csv is not.
     """
     self.logger.info('Health : Listing scheduled jobs')
     file_tasks = self.output_dir + '_tasks.csv'
     # The executable is resolved through PATH rather than by an absolute
     # %SystemRoot%\System32 path; on a host under investigation pinning
     # the full path would be safer. Only stdout is captured (no shell).
     schtasks_cmd = ["schtasks.exe", '/query', '/fo', 'CSV']
     with open(file_tasks, 'wb') as tasks_logs:
         proc = subprocess.Popen(schtasks_cmd, stdout=subprocess.PIPE)
         stdout_data, _stderr = proc.communicate()
         decoded = get_terminal_decoded_string(stdout_data)
         write_to_output(decoded, tasks_logs, self.logger)
     jobs_path = self.output_dir + "_scheduled_jobs.csv"
     with open(file_tasks, "r") as fr, open(jobs_path, 'wb') as fw:
         writer = get_csv_writer(fw)
         for line in fr:
             line = line.decode('utf8')
             if line.find('\\') > 0:
                 # drop the line terminator and the CSV quoting before splitting
                 fields = line[:-1].replace('"', '').split(',')
                 write_to_csv([self.computer_name, 'Scheduled jobs'] + fields, writer)
     record_sha256_logs(jobs_path, self.output_dir + '_sha256.log')