def run(self): lst = [] "use the NTUSER.dat hive to get the result" RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' hive = get_hive(self.prim_hive, self.log_files) RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path) if RunMRU_user_settings_key: sid_key_values = iter(RunMRU_user_settings_key.values()) timestamp = RunMRU_user_settings_key.last_written_timestamp( ).isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue sid_name = value.name() file_name = strip_control_characters(value.data()) record = OrderedDict([("Sequence", sid_name), ("Command", file_name), ("Key_Timestamp", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path)) return lst
def run(self): lst = [] "use the NATUSER.dat hive to get the result" #Software\\Classes\\ Sysinternals_user_settings_path = u'\\Software\\Sysinternals' hive = get_hive(self.prim_hive,self.log_files) Sysinternals_user_settings_key = hive.find_key(Sysinternals_user_settings_path) if Sysinternals_user_settings_key: for sid_key in Sysinternals_user_settings_key.subkeys(): Application_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() EulaAccepted = sid_key.value(name=u"EulaAccepted") if EulaAccepted: EulaAccepted_data = EulaAccepted.data() if EulaAccepted_data == 1: EulaAccepted_data = "True" else: EulaAccepted_data ="False" else: EulaAccepted_data ="None" record = OrderedDict([ ("Application_Name", Application_name), ("Eula_Accepted", EulaAccepted_data), ("Accepted_TimeStamp",timestamp), ("@timestamp",timestamp), ]) lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('Sysinternals', Sysinternals_user_settings_path)) return lst
def run(self): try: lst = [] OpenSaveMRU_settings_path = u"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePIDlMRU" hive = get_hive(self.prim_hive, self.log_files) OpenSaveMRU_settings_key = hive.find_key(OpenSaveMRU_settings_path) #print('Found a key: {}'.format(OpenSaveMRU_settings_key.path())) if OpenSaveMRU_settings_key: for sid_key in OpenSaveMRU_settings_key.subkeys(): try: dat_key = sid_key.last_written_timestamp().isoformat() except: pass sid_name = sid_key.name() cat = sid_name sid_key_values = iter(sid_key.values()) while True: try: value = next(sid_key_values) value_name = value.name() if "MRUListEx" == value_name or "(Default)" != value_name: data = value.data() path = "" data = data.hex() data = data.split("0400efbe") counter = 0 for d in data: if counter == 0: pass else: dax = bytes.fromhex(d) format = Struct( 'unkuwn' / Bytes(38), 'Path' / CString("utf16")) dd = format.parse(dax) #print("prob") path += "\\" + dd.Path counter = counter + 1 record = OrderedDict([ ("SequenceNumber", value_name), ("Key_timestamp", dat_key), ("Type", sid_name), ("path", path), ("@timestamp", dat_key) ]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) except StopIteration: break except Exception as error: ## logging.error(u"Error getting next value: {}".format(error)) continue return lst except Exception as e: raise e
def run(self): lst = [] TypedPaths_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths" hive = get_hive(self.prim_hive, self.log_files) TypedPaths_user_settings_key = hive.find_key( TypedPaths_user_settings_path) if TypedPaths_user_settings_key: #for sid_key in TypedPaths_user_settings_key.subkeys(): sid_key_values = iter(TypedPaths_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() url_data = value.data() timestamp = TypedPaths_user_settings_key.last_written_timestamp( ).isoformat() record = OrderedDict([("Key_Timestamp", timestamp), ("Url Name", value_name), ("Url", strip_control_characters(url_data)), ("@timestmap", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('TypedPaths', TypedPaths_user_settings_path)) return lst
def run(self): hive = get_hive(self.prim_hive, self.log_files) select_key = hive.find_key(u'Select') current_path = '' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path = 'ControlSet001' lst = [] TimeZoneInformation_user_settings_path = u"\\".join( [current_path, u"Control\\TimeZoneInformation"]) TimeZoneInformation_user_settings_key = hive.find_key( TimeZoneInformation_user_settings_path) if TimeZoneInformation_user_settings_key: TimeZoneKeyName = TimeZoneInformation_user_settings_key.value( name=u"TimeZoneKeyName") TimeZoneKeyName_data = TimeZoneKeyName.data() timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp( ).isoformat() record = OrderedDict([ ("Time Zone", strip_control_characters(TimeZoneKeyName_data)), ("Key_Timestamp", timestamp), ("@timestamp", timestamp) ]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('TimeZoneInformation', TimeZoneInformation_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths" hive = get_hive(self.prim_hive, self.log_files) InstalledApp_user_settings_key = hive.find_key( InstalledApp_user_settings_path) # print('Found a key: {}'.format(InstalledApp_user_settings_key.path())) if InstalledApp_user_settings_key: for sid_key in InstalledApp_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() Path = sid_key.value(name=u"Path") if Path: Path_data = strip_control_characters(Path.data()) else: Path_data = "" record = OrderedDict([ ("Application_Name", sid_name), ("InstalledApp_date", timestamp), ("Path", Path_data), ("@timestamp", timestamp), ]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList" hive = get_hive(self.prim_hive, self.log_files) ProfileList_user_settings_key = hive.find_key( ProfileList_user_settings_path) # print('Found a key: {}'.format(ProfileList_user_settings_key.path())) if ProfileList_user_settings_key: for sid_key in ProfileList_user_settings_key.subkeys(): sid_name = sid_key.name() Profile_path = sid_key.value(name=u"ProfileImagePath") Profile_data = strip_control_characters(Profile_path.data()) timestamp = sid_key.last_written_timestamp().isoformat() user = strip_control_characters( os.path.basename(os.path.normpath(Profile_data))) record = OrderedDict([("Path", Profile_data), ("User", user), ("sid", sid_name), ("Key_Timestamp", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) else: logging.info(u"[{}] {} not found.".format( 'ProfileList', ProfileList_user_settings_path)) return lst
def run(self): "use the NTUSER.dat hive to get the result" StreamMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU' hive = get_hive(self.prim_hive,self.log_files) StreamMRU_user_settings_key = hive.find_key(StreamMRU_user_settings_path) print('Found a key: {}'.format(StreamMRU_user_settings_key.path())) if StreamMRU_user_settings_key: sid_key_values = iter(StreamMRU_user_settings_key.values()) timestamp = StreamMRU_user_settings_key.last_written_timestamp().isoformat() counter =0 while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue sid_name = value.name() data = value.data() dump = RegistryHelpers.HexDump(value.data()) counter = counter +1 dx = struct.unpack(data) print (dx)
def run(self): lst = [] AppCompatFlags_user_settings_path = u"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers" hive = get_hive(self.prim_hive, self.log_files) AppCompatFlags_user_settings_key = hive.find_key( AppCompatFlags_user_settings_path) if AppCompatFlags_user_settings_key: sid_name = AppCompatFlags_user_settings_key.name() timestamp = AppCompatFlags_user_settings_key.last_written_timestamp( ).isoformat() sid_key_values = iter(AppCompatFlags_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() value_datax = value.data() record = OrderedDict([ ("File", value_name), ("Key_Timestamp", timestamp), ("sid", sid_name), ("value", value_datax), ("@timestamp", timestamp), ]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) return lst
def run(self): lst =[] MuiCache_user_settings_path = u"\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache" hive = get_hive(self.prim_hive,self.log_files) MuiCache_user_settings_key = hive.find_key(MuiCache_user_settings_path) if MuiCache_user_settings_key: sid_name = MuiCache_user_settings_key.name() sid_key_values = iter(MuiCache_user_settings_key.values()) timestamp = MuiCache_user_settings_key.last_written_timestamp().isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() value_data = value.data_raw() record = OrderedDict([ ("name", value_name), ("sid", sid_name), ("Key_Timestamp", timestamp), ("@timestamp", timestamp) ]) lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) return lst
def run(self): # for reg_handler in registry_manager.iter_registry_handlers(name=u'NTUSER.DAT'): try: hive = get_hive(self.prim_hive, self.log_files) user_assist_key = hive.find_key( u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist' ) if user_assist_key is not None: lst = [] for guid_key in user_assist_key.subkeys(): guid_key_name = guid_key.name() count_key = guid_key.subkey(u"Count") dat_key = guid_key.last_written_timestamp().isoformat() if count_key is not None: for value in count_key.values(): value_name = value.name() value_name_decoded = codecs.encode( value_name, 'rot_13') value_data = value.data() count = None win = "" if len(value_data) == 16: count = struct.unpack("<I", value_data[4:8])[0] count -= 5 record = OrderedDict([ ("_plugin", u"UserAssist"), ("guid", guid_key_name), ("name", value_name_decoded), ("count", count), ("@timestamp", dat_key) ]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) elif len(value_data) == 72: count = struct.unpack("<I", value_data[4:8])[0] date_time = struct.unpack( "<q", value_data[60:68])[0] new_datetime = convert_datetime(date_time) if new_datetime == "1601-01-01T00:00:00": new_datetime = dat_key record = OrderedDict([ ("guid", guid_key_name), ("name", value_name_decoded), ("count", count), ("key_creation_time", dat_key), ("@timestamp", new_datetime) ]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) else: pass return lst else: return None except Exception as e: raise e
def run(self): hive = get_hive(self.prim_hive,self.log_files) select_key = hive.find_key(u'Select') current_path='' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path ='ControlSet001' lst =[] PortForwading_user_settings_path = u"\\".join([current_path,u"Services\\PortProxy\\v4tov4"]) hive = get_hive(self.prim_hive,self.log_files) PortForwading_user_settings_key = hive.find_key(PortForwading_user_settings_path) if PortForwading_user_settings_key: for sk in PortForwading_user_settings_key.subkeys(): lst.append(sk) return lst
def run(self): hive = get_hive(self.prim_hive, self.log_files) select_key = hive.find_key(u'Select') current_path = '' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path = 'ControlSet001' lst = [] bam_user_settings_path = u"\\".join( [current_path, u"Services\\bam\\UserSettings"]) bam_user_settings_key = hive.find_key(bam_user_settings_path) if bam_user_settings_key: for sid_key in bam_user_settings_key.subkeys(): sid_name = sid_key.name() version_value = sid_key.value(name=u"Version") version = None if version_value: version = version_value.data() sequence_value = sid_key.value(name=u"SequenceNumber") sequence = None if sequence_value: sequence = version_value.data() sid_key_values = iter(sid_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue value_name = value.name() value_data = value.data_raw() if value_name not in [u"Version", u"SequenceNumber"]: timestamp = convert_datetime(value_data[0:8]) record = OrderedDict([("name", value_name), ("@timestamp", timestamp), ("sid", sid_name), ("version", version), ("sequence", sequence)]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) return lst else: logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path))
def run(self): hive = get_hive(self.prim_hive,self.log_files) select_key = hive.find_key(u'Select') current_path='' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path ='ControlSet001' lst= [] DHCP_user_settings_path = u"\\".join([current_path,u"Services\\Tcpip\\Parameters\\Interfaces"]) DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path) if DHCP_user_settings_key: for sid_key in DHCP_user_settings_key.subkeys(): timestamp = sid_key.last_written_timestamp().isoformat() sid_name = sid_key.name() def get_date (value_name): value = sid_key.value(name=value_name) if value: value = value.data() else: value ="None" return value dict_values_data = {'DhcpIPAddress' : strip_control_characters(get_date('DhcpIPAddress')), 'DhcpServer' : strip_control_characters(get_date('DhcpServer')), 'DhcpSubnetMask' : strip_control_characters(get_date('DhcpSubnetMask')), 'Domain' : strip_control_characters(get_date('Domain')), 'NameServer' : strip_control_characters(get_date('NameServer')), 'EnableDHCP' : get_date('EnableDHCP'), 'DhcpConnForceBroadcastFlag' : get_date('DhcpConnForceBroadcastFlag'), 'IsServerNapAware' : get_date('IsServerNapAware'), 'RegisterAdapterName' : get_date('RegisterAdapterName'), 'RegistrationEnabled' : get_date('RegistrationEnabled')} record = OrderedDict([ ("Dhcp IP Address", dict_values_data['DhcpIPAddress']), ("Dhcp Server", dict_values_data['DhcpServer']), ("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']), ("Domain", dict_values_data['Domain']), ("Name Server", dict_values_data['NameServer']), ("Enable DHCP", dict_values_data['EnableDHCP']), ("DhcpConnForceBroadcastFlag", dict_values_data['DhcpConnForceBroadcastFlag']), ("Is Server NapAware", dict_values_data['IsServerNapAware']), ("Register Adapter Name", dict_values_data['RegisterAdapterName']), ("Registration Enabled", dict_values_data['RegistrationEnabled']), ('@timestamp',timestamp) ]) lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('DHCP', DHCP_user_settings_path)) return lst
def run(self): print ("HI"*100) lst= [] VolatileEnvironment_user_settings_path = u"Volatile Environment" hive = get_hive(self.prim_hive,self.log_files) VolatileEnvironment_user_settings_key = hive.find_key(VolatileEnvironment_user_settings_path) # print('Found a key: {}'.format(VolatileEnvironment_user_settings_key.path())) #return None if VolatileEnvironment_user_settings_key: print("gg")
def run(self): print ("HI"*100) lst= [] VolatileEnvironment_user_settings_path = u"Volatile Environment" hive = get_hive(self.prim_hive,self.log_files) VolatileEnvironment_user_settings_key = hive.find_key(VolatileEnvironment_user_settings_path) print('Found a key: {}'.format(VolatileEnvironment_user_settings_key.path())) #return None if VolatileEnvironment_user_settings_key: print("gg") # for sid_key in VolatileEnvironment_user_settings_key.subkeys(): # sid_name = sid_key.name() # # def get_date (value_name): # value = sid_key.value(name=value_name) # if value: # value = value.data() # else: # value ="None" # return value # # dict_values_data = {'VolatileEnvironmentIPAddress' : strip_control_characters(get_date('VolatileEnvironmentIPAddress')), # 'VolatileEnvironmentServer' : strip_control_characters(get_date('VolatileEnvironmentServer')), # 'VolatileEnvironmentSubnetMask' : strip_control_characters(get_date('VolatileEnvironmentSubnetMask')), # 'Domain' : strip_control_characters(get_date('Domain')), # 'NameServer' : strip_control_characters(get_date('NameServer')), # 'EnableVolatileEnvironment' : get_date('EnableVolatileEnvironment'), # 'VolatileEnvironmentConnForceBroadcastFlag' : get_date('VolatileEnvironmentConnForceBroadcastFlag'), # 'IsServerNapAware' : get_date('IsServerNapAware'), # 'RegisterAdapterName' : get_date('RegisterAdapterName'), # 'RegistrationEnabled' : get_date('RegistrationEnabled')} # # # record = OrderedDict([ # ("_plugin", u"VolatileEnvironment"), # ("VolatileEnvironment IP Address", dict_values_data['VolatileEnvironmentIPAddress']), # ("VolatileEnvironment Server", dict_values_data['VolatileEnvironmentServer']), # ("VolatileEnvironmentSubnetMask", dict_values_data['VolatileEnvironmentSubnetMask']), # ("Domain", dict_values_data['Domain']), # ("Name Server", dict_values_data['NameServer']), # ("Enable VolatileEnvironment", dict_values_data['EnableVolatileEnvironment']), # ("VolatileEnvironmentConnForceBroadcastFlag", dict_values_data['VolatileEnvironmentConnForceBroadcastFlag']), # ("Is Server NapAware", dict_values_data['IsServerNapAware']), # ("Register Adapter Name", dict_values_data['RegisterAdapterName']), # ("Registration Enabled", dict_values_data['RegistrationEnabled']) # # ]) # # lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('VolatileEnvironment', VolatileEnvironment_user_settings_path))
def run(self): lst = [] "This uses useclass.data" BagMRU_user_settings_path = u"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU" hive = get_hive(self.prim_hive, self.log_files) BagMRU_user_settings_key = hive.find_key(BagMRU_user_settings_path) if BagMRU_user_settings_key: for sid_key in BagMRU_user_settings_key.values(): sid_name = sid_key.name() data = sid_key.data() if "MRUListEx" == sid_name or "NodeSlot" == sid_name or "NodeSlots" == sid_name: pass else: buf = sid_key.data() #data = buf[::2][:buf[::2].find(b'\x00')].decode() print("_" * 100) dd = RegistryHelpers.HexDump(buf) print(dd)
def run(self): lst = [] "use the SOFTWARE hive to get the result" ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved' hive = get_hive(self.prim_hive, self.log_files) ShellExtensions_user_settings_key = hive.find_key( ShellExtensions_user_settings_path) if ShellExtensions_user_settings_key: sid_key_values = iter(ShellExtensions_user_settings_key.values()) timestamp = ShellExtensions_user_settings_key.last_written_timestamp( ).isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue sid_name = value.name() data = value.data() if isinstance(data, bytes): pos = data.find(b'\x00\x00') + 1 file_name = strip_control_characters( data[:pos].decode('utf-16')) else: file_name = strip_control_characters(data) record = OrderedDict([("sid", sid_name), ("File Name", file_name), ("key_last_written_timestamp", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) else: logging.info(u"[{}] {} not found.".format( 'ShellExtensions', ShellExtensions_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" LaunchTracing_user_settings_path = u"\\Wow6432Node\\Microsoft\\Tracing" hive = get_hive(self.prim_hive, self.log_files) LaunchTracing_user_settings_key = hive.find_key( LaunchTracing_user_settings_path) if LaunchTracing_user_settings_key: for sid_key in LaunchTracing_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() record = OrderedDict([("name", sid_name), ("Excution_Time", timestamp), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('LaunchTracing', LaunchTracing_user_settings_path)) return lst
def run(self): lst = [] hive = get_hive(self.prim_hive, self.log_files) Amcache_user_settings_path = u"root\\InventoryApplicationFile" Amcache_win7_user_settings_path = u"root\\File" Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path) Amcache7_user_settings_key = hive.find_key( Amcache_win7_user_settings_path) if Amcache_user_settings_key: for sid_key in Amcache_user_settings_key.subkeys(): sid_key_values = iter(sid_key.values()) key_time = sid_key.last_written_timestamp().isoformat() win10_amache_mapping = { "ProgramId": "ProgramId", "LongPathHash": "LongPathHash", "IsOsComponent": "IsOsComponent", "Usn": "Usn", "LowerCaseLongPath": "Path", "FileId": "Sha1", "Name": "Name", "Publisher": "CompanyName", "Version": "Version", "BinFileVersion": "BinFileVersion", "BinaryType": "BinaryType", "ProductName": "ProductName", "ProductVersion": "ProductVersion", "LinkDate": "LinkDate", "BinProductVersion": "BinProductVersion", "Size": "FileSize", "Language": "Language", "IsPeFile": "IsPeFile" } record = OrderedDict([]) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() if value_name in win10_amache_mapping.keys(): names = win10_amache_mapping[value_name] else: names = value_name data = value.data() record[names] = strip_control_characters(str(data)) record["@timestamp"] = key_time if record["Sha1"].startswith("0000"): sha1 = record["Sha1"] record["Sha1"] = sha1[4:] lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) return lst elif Amcache7_user_settings_key: win8_amcache_mapping = { '0': 'ProductName', '1': 'CompanyName', '2': 'FileVersionNum', '3': 'Language', '4': 'SwitchBackContext', '5': 'FileVersion', '6': 'FileSize', '7': 'pe_header_hash', '8': 'unknown1', '9': 'pe_header_checksum', 'a': 'unknown2', 'b': 'unknown3', 'c': 'file_description', 'd': 'unknown4', 'f': 'linker_compile_time', '10': 'unknown5', '11': 'last_modified_timestamp', '12': 'created_timestamp', '15': 'Path', '16': 'unknown6', '17': 'last_modified_timestamp_2', '100': 'ProgramId', '101': 'Sha1' } for sid_key in Amcache7_user_settings_key.subkeys(): for sidd_key in sid_key.subkeys(): sid_key_values = iter(sidd_key.values()) key_time = sidd_key.last_written_timestamp().isoformat() record = OrderedDict([]) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() names = win8_amcache_mapping[value_name] data = value.data() if "time" in names: if "linker_compile_time" in names: data = datetime.datetime.fromtimestamp(data) else: data = convert_datetime(data) record[names] = strip_control_characters(str(data)) if len(record) == 0: continue record["@timestamp"] = key_time if record["Sha1"].startswith("0000"): sha1 = record["Sha1"] record["Sha1"] = sha1[4:] lst.append(u"{}".format( json.dumps(record, cls=ComplexEncoder))) return lst
def run(self): lst= [] "This uses useclass.data" BagMRU_user_settings_path = u"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU" hive = get_hive(self.prim_hive,self.log_files) BagMRU_user_settings_key = hive.find_key(BagMRU_user_settings_path) if BagMRU_user_settings_key: for sid_key in BagMRU_user_settings_key.values(): sid_name = sid_key.name() data = sid_key.data() if "MRUListEx" == sid_name or "NodeSlot" == sid_name or "NodeSlots" == sid_name: pass else: buf = sid_key.data() #data = buf[::2][:buf[::2].find(b'\x00')].decode() print ("_"*100) dd = RegistryHelpers.HexDump(buf) print(dd) # block = SHITEMLIST(buf, 0x0, False) # offset = 0x10 # # # for i in len(data): # o = i + 2 # dd = struct.unpack_from("<H", data, o)[0] # print (dd) #size = block.unpack_word(offset) # if size == 0: # break # elif size < 0x15: # pass # else: # item = block.get_item(offset) #print (item) # version_value = sid_key.value(name=u"Version") # version = None # if version_value: # version = version_value.data() # # sequence_value = sid_key.value(name=u"SequenceNumber") # sequence = None # if sequence_value: # sequence = version_value.data() # We can have an issue with iterating values so we will take it one # at a time to try and catch errors. # sid_key_values = iter(sid_key.values()) # # while True: # try: # value = next(sid_key_values) # except StopIteration: # break # except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) # continue # # value_name = value.name() # value_data = value.data_raw() # # if value_name not in [u"Version", u"SequenceNumber"]: # timestamp = convert_datetime(value_data[0:8]) # # record = OrderedDict([ # ("_plugin", u"BagMRU"), # ("name", value_name), # ("timestamp", timestamp), # ("sid", sid_name), # ("version", version), # ("sequence", sequence) # ]) # # print(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('BagMRU', BagMRU_user_settings_path))
def run(self): lst = [] "use the SOFTWARE hive to get the result" InstalledComponents_user_settings_path = [ u'Microsoft\\Active Setup\\Installed Components', u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components' ] hive = get_hive(self.prim_hive, self.log_files) for path in InstalledComponents_user_settings_path: InstalledComponents_user_settings_key = hive.find_key(path) if InstalledComponents_user_settings_key: for sid_key in InstalledComponents_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() IsInstalled = sid_key.value(name=u"IsInstalled") if IsInstalled: IsInstalled_data = IsInstalled.data() else: IsInstalled_data = "None" DontAsk = sid_key.value(name=u"DontAsk") if DontAsk: DontAsk_data = DontAsk.data() else: DontAsk_data = "None" Enabled = sid_key.value(name=u"Enabled") if Enabled: Enabled_data = Enabled.data() else: Enabled_data = "None" Locale = sid_key.value(name=u"Locale") if Locale: Locale_data = strip_control_characters(Locale.data()) else: Locale_data = "None" LocalizedName = sid_key.value(name=u"LocalizedName") if LocalizedName: LocalizedName_data = strip_control_characters( LocalizedName.data()) else: LocalizedName_data = "None" StubPath = sid_key.value(name=u"StubPath") if StubPath: StubPath_data = strip_control_characters( StubPath.data()) else: StubPath_data = "None" Version = sid_key.value(name=u"Version") if Version: Version_data = strip_control_characters(Version.data()) else: Version_data = "None" ComponentID = sid_key.value(name=u"ComponentID") if ComponentID: ComponentID_data = strip_control_characters( ComponentID.data()) else: ComponentID_data = "None" record = OrderedDict([ ("sid", sid_name), ("last_written_timestamp", timestamp), ("ComponentID", ComponentID_data), ("Version", Version_data), ("StubPath", StubPath_data), ("LocalizedName", LocalizedName_data), ("Locale", Locale_data), ("Enabled", Enabled_data), ("DontAsk", DontAsk_data), ("IsInstalled", IsInstalled_data), ("@timestamp", timestamp) ]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) # else: # # logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall" hive = get_hive(self.prim_hive, self.log_files) Uninstall_user_settings_key = hive.find_key( Uninstall_user_settings_path) # print('Found a key: {}'.format(Uninstall_user_settings_key.path())) if Uninstall_user_settings_key: for sid_key in Uninstall_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() #try: DisplayName = sid_key.value(name=u"DisplayName") if DisplayName: DisplayName_data = strip_control_characters( DisplayName.data()) else: DisplayName_data = "" DisplayVersion = sid_key.value(name=u"DisplayVersion") if DisplayVersion: DisplayVersion_data = strip_control_characters( DisplayVersion.data()) else: DisplayVersion_data = "" InstallDate = sid_key.value(name=u"InstallDate") if InstallDate: InstallDate_data = strip_control_characters( InstallDate.data()) else: InstallDate_data = "" InstallLocation = sid_key.value(name=u"InstallLocation") if InstallLocation: InstallLocation_data = strip_control_characters( InstallLocation.data()) else: InstallLocation_data = "" InstallSource = sid_key.value(name=u"InstallSource") if InstallSource: InstallSource_data = strip_control_characters( InstallSource.data()) else: InstallSource_data = "" ModifyPath = sid_key.value(name=u"ModifyPath") if ModifyPath: ModifyPath_data = strip_control_characters( ModifyPath.data()) else: ModifyPath_data = "" Publisher = sid_key.value(name=u"Publisher") if Publisher: Publisher_data = strip_control_characters(Publisher.data()) else: Publisher_data = "" Size = sid_key.value(name=u"Size") if Size: Size_data = str(Size.data()) else: Size_data = "" URLInfoAbout = sid_key.value(name=u"URLInfoAbout") if URLInfoAbout: URLInfoAbout_data = strip_control_characters( URLInfoAbout.data()) else: URLInfoAbout_data = "" record = OrderedDict([("name", sid_name), ("Uninstall_date", timestamp), ("Application_Name", DisplayName_data), ("Version", DisplayVersion_data), ("Install_Date", InstallDate_data), ("Install_Location", InstallLocation_data), ("Install_Source", InstallSource_data), ("Modify_Path", ModifyPath_data), ("Publisher", Publisher_data), ("Size", Size_data), ("URLInfoAbout", URLInfoAbout_data), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) else: logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path)) return lst
def run(self): lst = [] TerminalServerClient_user_settings_paths = [ 'Software\\Microsoft\\Terminal Server Client\\Servers', 'Software\\Microsoft\\Terminal Server Client\\Default' ] for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths: hive = get_hive(self.prim_hive, self.log_files) TerminalServerClient_user_settings_key = hive.find_key( TerminalServerClient_user_settings_path) # print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path())) if TerminalServerClient_user_settings_key: timestamp = TerminalServerClient_user_settings_key.last_written_timestamp( ).isoformat() if "Servers" in TerminalServerClient_user_settings_path: for sid_key in TerminalServerClient_user_settings_key.subkeys( ): key_name = sid_key.name() sid_key_values = iter(sid_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() UsernameHint = "" if "UsernameHint" != value_name else strip_control_characters( value.data()) record = OrderedDict([("key_timestamp", timestamp), ("IP_Address", key_name), ("User_Name", UsernameHint), ("@timestamp", timestamp)]) lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) else: sid_key_values = iter( TerminalServerClient_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: # # logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() value_data = value.data() record = OrderedDict([ ("key_timestamp", timestamp), ("@timestamp", timestamp), ("IP_Address", strip_control_characters(value_data)), ("Value_Name", value_name) ]) # lst.append( eval(u"{}".format( json.dumps(record, cls=ComplexEncoder)))) # else: # # # logging.info(u"[{}] {} not found.".format('TerminalServerClient', TerminalServerClient_user_settings_path)) return lst
def run(self): try: lst=[] LastVisitedPidMRU_settings_path = u"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU" hive = get_hive(self.prim_hive,self.log_files) LastVisitedPidMRU_settings_key = hive.find_key(LastVisitedPidMRU_settings_path) if LastVisitedPidMRU_settings_key: if LastVisitedPidMRU_settings_key: sid_name = LastVisitedPidMRU_settings_key.name() dat_key =LastVisitedPidMRU_settings_key.last_written_timestamp().isoformat() cat = sid_name sid_key_values = iter(LastVisitedPidMRU_settings_key.values()) while True: try: value = next(sid_key_values) value_name = value.name() if value_name != "MRUListEx" and value_name !="(Default)": data = value.data() format = Struct( 'filename' / CString("utf16") ) File_name = format.parse(data) File_name = File_name.filename data = data.hex() data = data.split("0400efbe") path = "" counter = 0 a_time="" c_time="" record = None for d in data: if counter == 0 : a_time = "" else: dax =bytes.fromhex(d) format = Struct( 'CreationDate' / Bytes(4), 'AccessDate' / Bytes(4), 'idntifier'/ Bytes(4), 'MFT_entry'/ Bytes(6), 'sequence'/ Bytes(16), 'unkowun' /Bytes(4), 'Path' /CString("utf16") ) dd = format.parse(dax) path += "\\"+dd.Path cc_time = dd.CreationDate aa_time = dd.AccessDate if cc_time == b'\x00\x00\x00\x00': c_time = dat_key else: c_time =from_fat(cc_time.hex()) if aa_time == b'\x00\x00\x00\x00': a_time = dat_key else: a_time = from_fat(aa_time.hex()) counter = counter + 1 if value_name == "MRUListEx": pass else: record = OrderedDict([ ("SequenceNumber", value_name), ("Key_timestamp", dat_key), ("CreationDate",c_time), ("AccessDate",a_time), ("@timestamp", a_time), ("File_name", File_name), ("path", path) ]) if record is not None: lst.append(eval(u"{}".format(json.dumps(record, cls=ComplexEncoder)))) except StopIteration: break except Exception as error: # logging.error(u"Error getting next value: {}".format(error)) continue return lst # else: # # logging.info(u"[{}] {} not found.".format('LastVisitedPidMRU', LastVisitedPidMRU_settings_path)) except Exception as e: raise e