Exemplo n.º 1
0
 def csv_recent_docs(self):
     """Extracts information about recently opened files saved location and opened date"""
     self.logger.info("Extracting recent docs")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
                                                  path)
     to_csv_list = [
         ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
          "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
     ]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             if item[VALUE_NAME] != "MRUListEx":
                 values_decoded = decode_recent_docs_mru(item[VALUE_DATA])
                 for value_decoded in values_decoded:
                     to_csv_list.append(
                         (self.computer_name, "recent_docs",
                          item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                          item[VALUE_PATH], item[VALUE_NAME],
                          item[KEY_VALUE_STR],
                          registry_obj.get_str_type(item[VALUE_TYPE]),
                          value_decoded))
     with open(
             self.output_dir + "\\" + self.computer_name + "_recent_docs" +
             self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 2
0
    def csv_custom_registry_keys(self):

            with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output:
                csv_writer = get_csv_writer(output)
                to_csv_list = self.__get_custom_registry_keys()
                if to_csv_list:
                    write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 3
0
def parse_testssl(args):
    # test if combined_issues.csv exists
    if os.path.isfile(os.path.join(args.input_dir, "combined_issues.csv")):
        log.error('Remove the combined_issues.csv file in {} before running.'.format(args.input_dir))
        return
    vulnerabilities = []
    issues = get_issues(args.input_dir)
    for issue in issues:
        # Check if we already have a vulnerability for this issue
        log.debug("Processing issue: {}".format(issue))
        if utils.find_vulnerability(vulnerabilities, issue[0]):
            log.debug("Vulnerability exists: {}".format(issue[0]))
            vuln = utils.find_vulnerability(vulnerabilities, issue[0])
            log.debug("Adding affected host to {} issue: {}".format(vuln, issue))
            vuln.add_affected(issue)
        else:
            log.debug("Vulnerability does not exist: {}".format(issue[0]))
            log.debug("Creating vulnerability: finding={}, risk_level={}, _id={}".format(issue[4], issue[3], issue[0]))
            vuln = TestSSLVulnerability(issue[4], issue[3], issue[0])
            log.debug("Adding affected host {}".format(issue))
            vuln.add_affected(issue)
            vulnerabilities.append(vuln)
    output_vulns = [[
        "Finding", "Affected Device/Technology", "Risk Level", "Business Impact",
        "Remediation Procedure", "Resource Required",
    ]]
    for vuln in vulnerabilities:
        output_vulns.append(vuln.list_format())
    out_csv = os.path.join(args.input_dir, "combined_issues.csv")
    utils.write_list_to_csv(output_vulns, out_csv)
Exemplo n.º 4
0
 def _csv_open_save_mru(self, str_opensave_mru):
     """Extracts OpenSaveMRU containing information about files selected in the Open and Save view"""
     # TODO : Win XP
     self.logger.info("Extracting open save MRU")
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
                                                  str_opensave_mru)
     to_csv_list = [
         ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
          "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
     ]
     for item in hive_list:
         if item[KEY_VALUE_STR] == 'VALUE':
             if item[VALUE_NAME] != "MRUListEx":
                 pidl = shell.StringAsPIDL(item[VALUE_DATA])
                 path = shell.SHGetPathFromIDList(pidl)
                 to_csv_list.append(
                     (self.computer_name, "opensaveMRU",
                      item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                      item[VALUE_PATH], item[VALUE_NAME],
                      item[KEY_VALUE_STR],
                      registry_obj.get_str_type(item[VALUE_TYPE]), path))
     with open(
             self.output_dir + "\\" + self.computer_name + "_opensaveMRU" +
             self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 5
0
 def _csv_networks_list(self, key):
     with open(os.path.join(self.output_dir,'%s_network_list_%s' % (self.computer_name, self.rand_ext)), 'wb') as output:
         csv_writer = get_csv_writer(output)
         network_list_result = self._get_network_list(key)
         arr_data = [v.values() for v in network_list_result.values()]
         arr_data.insert(0,network_list_result.values()[0].keys())
         write_list_to_csv(arr_data, csv_writer)
Exemplo n.º 6
0
 def csv_custom_registry_keys(self):
     """
     Extracts custom registry keys, the user specifies whether it should be recursive or not.
     The list of registry keys to extract should be comma-separated
     """
     if self.exec_custom_registry_keys:
         self.logger.info("Extracting custom registry keys")
         to_csv_list = [
             ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
              "ATTR_TYPE", "ATTR_DATA")]
         for paths in reader([self.custom_registry_keys]):  # used as a kind of unpack
             for path in paths:
                 temp = path.split("\\")
                 hive = temp[0].upper()
                 path = "\\".join(temp[1:])
                 if hive in ("HKLM", "HKEY_LOCAL_MACHINE"):
                     self._generate_hklm_csv_list(to_csv_list, "custom_registry_key", path,
                                                  is_recursive=self.registry_recursive)
                 elif hive in ("HKU", "HKEY_USERS"):
                     self._generate_hku_csv_list(to_csv_list, "custom_registry_key", path,
                                                 is_recursive=self.registry_recursive)
                 else:  # error
                     self.logger.warn("Must specify HKLM/HKEY_LOCAL_MACHINE or HKU/HKEY_USERS as hive")
                     return
         with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext, "wb") as output:
             csv_writer = get_csv_writer(output)
             write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 7
0
    def csv_shell_bags(self):
        """
        Extracts shellbags: size, view, icon and position of graphical windows
        In particular, executed graphical programs will leave a key here
        """
        self.logger.info("Extracting shell bags")
        paths = [
            r"Software\Microsoft\Windows\Shell\Bags",
            r"Software\Microsoft\Windows\Shell\BagMRU"
        ]
        paths_usrclass = [
            r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
            r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"
        ]
        hive_list = []
        for path in paths:
            hive_list += self._get_list_from_registry_key(
                registry_obj.HKEY_USERS, path)
        for path in paths_usrclass:
            hive_list += self._get_list_from_registry_key(
                registry_obj.HKEY_USERS, path, is_usrclass=True)
        to_csv_list = [
            ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
             "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
        ]
        for item in hive_list:
            if "ItemPos" in item[VALUE_NAME]:
                try:
                    data = decode_shellbag_itempos_data(item[VALUE_DATA])
                except IndexError:
                    self.logger.error("Error in shellbag data format for " +
                                      item[VALUE_NAME])
                    data = None
                if data:
                    if item[KEY_VALUE_STR] == "VALUE":
                        for data in data:
                            for d in data:
                                to_csv_list.append(
                                    (self.computer_name, "shellbags",
                                     item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                                     item[VALUE_PATH], item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(
                                         item[VALUE_TYPE]), d))
                else:
                    if item[KEY_VALUE_STR] == "VALUE":
                        to_csv_list.append(
                            (self.computer_name, "shellbags",
                             item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
                             item[VALUE_PATH], item[VALUE_NAME],
                             item[KEY_VALUE_STR],
                             registry_obj.get_str_type(item[VALUE_TYPE]),
                             item[VALUE_DATA]))

        with open(
                self.output_dir + "\\" + self.computer_name + "_shellbags" +
                self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 8
0
    def csv_custom_registry_keys(self):

        with open(self.output_dir + "\\" + self.computer_name + "_custom_registry_keys" + self.rand_ext,
                  "wb") as output:
            csv_writer = get_csv_writer(output)
            to_csv_list = self.__get_custom_registry_keys()
            if to_csv_list:
                write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 9
0
 def _csv_networks_list(self, key):
     with open(os.path.join(self.output_dir, '%s_network_list_%s' % (self.computer_name, self.rand_ext)),
               'wb') as output:
         csv_writer = get_csv_writer(output)
         network_list_result = self._get_network_list(key)
         arr_data = [v.values() for v in network_list_result.values()]
         arr_data.insert(0, network_list_result.values()[0].keys())
         write_list_to_csv(arr_data, csv_writer)
Exemplo n.º 10
0
 def csv_run_mru_start(self):
     """Extracts run MRU, containing the last 26 oommands executed using the RUN command"""
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path)
     #with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output:
         #csv_writer = get_csv_writer(output)
     write_list_to_csv(to_csv_list, None)
Exemplo n.º 11
0
 def csv_registry_services(self):
     """Extracts services"""
     path = r"System\CurrentControlSet\Services"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "registry_services", path)
     with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 12
0
 def _csv_user_assist(self, count_offset, is_win7_or_further):
     """
     Extracts information from UserAssist registry key which contains information about executed programs
     The count offset is for Windows versions before 7, where it would start at 6
     """
     self.logger.info("Extracting user assist")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
     count = "\Count"
     # logged on users
     users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
     hive_list = []
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         user_assist_key = user.get_sub_key_by_path(path)
         if user_assist_key:
             for j in xrange(user_assist_key.get_number_of_sub_keys()):
                 # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
                 path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
                 hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
     if is_win7_or_further:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
     else:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
             str_value_datatmp = item[VALUE_DATA]
             # some data are less than 16 bytes for some reason...
             if len(str_value_datatmp) < 16:
                 to_csv_list.append((self.computer_name,
                                     "userassist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name))
             else:
                 if is_win7_or_further:
                     data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
                 else:
                     data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
                 to_csv_list.append((self.computer_name,
                                     "user_assist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name) + tuple(data))
     with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 13
0
 def _csv_user_assist(self, count_offset, is_win7_or_further):
     """
     Extracts information from UserAssist registry key which contains information about executed programs
     The count offset is for Windows versions before 7, where it would start at 6
     """
     self.logger.info("Extracting user assist")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
     count = "\Count"
     # logged on users
     users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
     hive_list = []
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         user_assist_key = user.get_sub_key_by_path(path)
         if user_assist_key:
             for j in xrange(user_assist_key.get_number_of_sub_keys()):
                 # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
                 path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
                 hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
     if is_win7_or_further:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
     else:
         to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                         "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
             str_value_datatmp = item[VALUE_DATA]
             # some data are less than 16 bytes for some reason...
             if len(str_value_datatmp) < 16:
                 to_csv_list.append((self.computer_name,
                                     "userassist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name))
             else:
                 if is_win7_or_further:
                     data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
                 else:
                     data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
                 to_csv_list.append((self.computer_name,
                                     "user_assist",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]),
                                     str_value_name) + tuple(data))
     with open(self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 14
0
    def csv_clipboard(self):
        """Exports the clipboard contents"""
        # TODO : what happens if clipboard contents is a CSV string ?

        with open(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_clipboard(), csv_writer)
        record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_clipboard' + self.rand_ext,
                           self.output_dir + '\\' + self.computer_name + '_sha256.log')
Exemplo n.º 15
0
    def csv_startup_programs(self):
        """Extracts programs running at startup from various keys"""
        self.logger.info("Extracting startup programs")
        software = "Software"
        wow = r"\Wow6432Node"
        ts_run = (
            r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
            r"\Microsoft\Windows\CurrentVersion\Run")
        ts_run_once = (
            r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
            r"\Microsoft\Windows\CurrentVersion\RunOnce")
        paths = [
            r"\Microsoft\Windows\CurrentVersion\Run",
            r"\Microsoft\Windows\CurrentVersion\RunOnce",
            r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
            r"\Microsoft\Windows\CurrentVersion\RunServices",
            r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
            r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run,
            ts_run_once
        ]
        to_csv_list = [
            ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
             "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
        ]
        for path in paths:
            full_path = software + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)

        paths = [
            r"\Microsoft\Windows\CurrentVersion\Run",
            r"\Microsoft\Windows\CurrentVersion\RunOnce",
            r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
            r"\Microsoft\Windows\CurrentVersion\RunServices",
            r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
            r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", ts_run,
            ts_run_once
        ]
        for path in paths:
            full_path = software + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
        if self.get_autoruns:
            to_csv_list = self._get_files_and_hashes(to_csv_list[1:])
            to_csv_list.insert(
                0, ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE",
                    "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE",
                    "ATTR_DATA", "MD5", "SHA1", "SHA256"))

        with open(
                self.output_dir + "\\" + self.computer_name + "_startup" +
                self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 16
0
 def csv_installer_folder(self):
     """Extracts information about folders which are created at installation"""
     self.logger.info("Extracting installer folders")
     path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "installer_folder", path)
     with open(self.output_dir + "\\" + self.computer_name + "_installer_folder.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 17
0
 def csv_registry_services(self):
     """Extracts services"""
     self.logger.info("Extracting services")
     path = r"System\CurrentControlSet\Services"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "registry_services", path)
     with open(self.output_dir + "\\" + self.computer_name + "_registry_services.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 18
0
 def csv_installer_folder(self):
     """Extracts information about folders which are created at installation"""
     self.logger.info("Extracting installer folders")
     path = r"Software\Microsoft\Windows\CurrentVersion\Installer\Folders"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "installer_folder", path)
     with open(self.output_dir + "\\" + self.computer_name + "_installer_folder" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 19
0
    def _csv_all_modules_opened_files(self):

        with open(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
                  'wb') as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_all_modules_opened_files(), csv_writer)


        record_sha256_logs(self.output_dir + '\\' + self.computer_name + '_processes_opened_files' + self.rand_ext,
                           self.output_dir + '\\' + self.computer_name + '_sha256.log')
Exemplo n.º 20
0
 def _csv_all_modules_dll(self):
     with open(
             self.output_dir + self.computer_name + '_processes_dll' +
             self.rand_ext, 'wb') as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(self.__get_all_modules_dll(), csv_writer)
     record_sha256_logs(
         self.output_dir + self.computer_name + '_processes_dll' +
         self.rand_ext,
         self.output_dir + self.computer_name + '_sha256.log')
Exemplo n.º 21
0
 def csv_run_mru_start(self):
     """Extracts run MRU, containing the last 26 oommands executed using the RUN command"""
     self.logger.info("Extracting Run MRU")
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hku_csv_list(to_csv_list, "run_MRU_start", path)
     with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 22
0
    def csv_clipboard(self):
        """Exports the clipboard contents"""

        with open(
                self.output_dir + self.computer_name + '_clipboard' +
                self.rand_ext, 'wb') as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_clipboard(), csv_writer)
        record_sha256_logs(
            self.output_dir + self.computer_name + '_clipboard' +
            self.rand_ext,
            self.output_dir + self.computer_name + '_sha256.log')
Exemplo n.º 23
0
    def csv_shell_bags(self):
        """
        Extracts shellbags: size, view, icon and position of graphical windows
        In particular, executed graphical programs will leave a key here
        """
        self.logger.info("Extracting shell bags")
        paths = [r"Software\Microsoft\Windows\Shell\Bags",
                 r"Software\Microsoft\Windows\Shell\BagMRU"]
        paths_usrclass = [r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
                          r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]
        hive_list = []
        for path in paths:
            hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
        for path in paths_usrclass:
            hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_usrclass=True)
        to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                        "ATTR_TYPE", "ATTR_DATA")]
        for item in hive_list:
            if "ItemPos" in item[VALUE_NAME]:
                try:
                    data = decode_shellbag_itempos_data(item[VALUE_DATA])
                except IndexError:
                    self.logger.error("Error in shellbag data format for " + item[VALUE_NAME])
                    data = None
                if data:
                    if item[KEY_VALUE_STR] == "VALUE":
                        for data in data:
                            for d in data:
                                to_csv_list.append((self.computer_name,
                                                    "shellbags",
                                                    item[VALUE_LAST_WRITE_TIME],
                                                    "HKEY_USERS",
                                                    item[VALUE_PATH],
                                                    item[VALUE_NAME],
                                                    item[KEY_VALUE_STR],
                                                    registry_obj.get_str_type(item[VALUE_TYPE]),
                                                    d))
                else:
                    if item[KEY_VALUE_STR] == "VALUE":
                        to_csv_list.append((self.computer_name,
                                            "shellbags",
                                            item[VALUE_LAST_WRITE_TIME],
                                            "HKEY_USERS",
                                            item[VALUE_PATH],
                                            item[VALUE_NAME],
                                            item[KEY_VALUE_STR],
                                            registry_obj.get_str_type(item[VALUE_TYPE]),
                                            item[VALUE_DATA]))

        with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 24
0
 def csv_winlogon_values(self):
     """
     Extracts winlogon values, in particular UserInit, where the specified executable will be executed at
     system startup
     """
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "winlogon_values", path)
     self._generate_hku_csv_list(to_csv_list, "winlogon_values", path)
     with open(self.output_dir + "\\" + self.computer_name + "_winlogon_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 25
0
 def csv_installed_components(self):
     """
     Extracts installed components key
     When an installed component key is in HKLM but not in HKCU, the path specified in HKLM will be added in HKCU
     and will be executed by the system
     """
     path = r"Software\Microsoft\Active Setup\Installed Components"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "installed_components", path)
     with open(self.output_dir + "\\" + self.computer_name + "_installed_components.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 26
0
 def csv_windows_values(self):
     """
     Extracts windows values, in particular AppInit_DLLs, where any DLL specified here will be loaded by any
     application
     """
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "windows_values", path)
     self._generate_hku_csv_list(to_csv_list, "windows_values", path)
     with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 27
0
 def csv_installed_components(self):
     """
     Extracts installed components key
     When an installed component key is in HKLM but not in HKCU, the path specified in HKLM will be added in HKCU
     and will be executed by the system
     """
     self.logger.info("Extracting installed components")
     path = r"Software\Microsoft\Active Setup\Installed Components"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "installed_components", path)
     with open(self.output_dir + "\\" + self.computer_name + "_installed_components.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 28
0
 def csv_winlogon_values(self):
     """
     Extracts winlogon values, in particular UserInit, where the specified executable will be executed at
     system startup
     """
     self.logger.info("Extracting winlogon values")
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "winlogon_values", path)
     self._generate_hku_csv_list(to_csv_list, "winlogon_values", path)
     with open(self.output_dir + "\\" + self.computer_name + "_winlogon_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 29
0
 def csv_windows_values(self):
     """
     Extracts windows values, in particular AppInit_DLLs, where any DLL specified here will be loaded by any
     application
     """
     self.logger.info("Extracting windows values")
     path = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     self._generate_hklm_csv_list(to_csv_list, "windows_values", path)
     self._generate_hku_csv_list(to_csv_list, "windows_values", path)
     with open(self.output_dir + "\\" + self.computer_name + "_windows_values.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 30
0
    def csv_startup_programs(self):
        """Extracts programs running at startup from various keys"""
        self.logger.info("Extracting startup programs")
        software = "Software"
        wow = r"\Wow6432Node"
        ts_run = (r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
                  r"\Microsoft\Windows\CurrentVersion\Run")
        ts_run_once = (r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
                       r"\Microsoft\Windows\CurrentVersion\RunOnce")
        paths = [r"\Microsoft\Windows\CurrentVersion\Run",
                 r"\Microsoft\Windows\CurrentVersion\RunOnce",
                 r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
                 r"\Microsoft\Windows\CurrentVersion\RunServices",
                 r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
                 r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
                 ts_run,
                 ts_run_once]
        to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                        "ATTR_TYPE", "ATTR_DATA")]
        for path in paths:
            full_path = software + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)

        paths = [r"\Microsoft\Windows\CurrentVersion\Run",
                 r"\Microsoft\Windows\CurrentVersion\RunOnce",
                 r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
                 r"\Microsoft\Windows\CurrentVersion\RunServices",
                 r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
                 r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
                 ts_run,
                 ts_run_once]
        for path in paths:
            full_path = software + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
        if self.get_autoruns:
            to_csv_list = self._get_files_and_hashes(to_csv_list[1:])
            to_csv_list.insert(0,
                               ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                                "ATTR_TYPE", "ATTR_DATA", "MD5", "SHA1", "SHA256")
                               )

        with open(self.output_dir + "\\" + self.computer_name + "_startup" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 31
0
    def csv_startup_programs(self):
        """Extracts programs running at startup from various keys"""
        software = "Software"
        wow = r"\Wow6432Node"
        ts_run = (r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
                  r"\Microsoft\Windows\CurrentVersion\Run")
        ts_run_once = (r"\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software"
                       r"\Microsoft\Windows\CurrentVersion\RunOnce")
        paths = [r"\Microsoft\Windows\CurrentVersion\Run",
                 r"\Microsoft\Windows\CurrentVersion\RunOnce",
                 r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
                 r"\Microsoft\Windows\CurrentVersion\RunServices",
                 r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
                 # r"\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit",
                 # r"\Microsoft\Windows NT\CurrentVersion\Windows",
                 r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
                 ts_run,
                 ts_run_once]
        to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                        "ATTR_TYPE", "ATTR_DATA")]
        for path in paths:
            full_path = software + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hklm_csv_list(to_csv_list, "startup", full_path)

        paths = [r"\Microsoft\Windows\CurrentVersion\Run",
                 r"\Microsoft\Windows\CurrentVersion\RunOnce",
                 r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
                 r"\Microsoft\Windows\CurrentVersion\RunServices",
                 r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
                 r"\Microsoft\Windows NT\CurrentVersion\Windows",
                 r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
                 ts_run,
                 ts_run_once]
        for path in paths:
            full_path = software + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
            full_path = software + wow + path
            self._generate_hku_csv_list(to_csv_list, "startup", full_path)
       # with open(self.output_dir + "\\" + self.computer_name + "_startup.csv", "wb") as output:
            #csv_writer = get_csv_writer(output)
        write_list_to_csv(to_csv_list, None)
Exemplo n.º 32
0
 def csv_usb_history(self):
     """Extracts information about USB devices that have been connected since the system installation"""
     hive_list = self._get_list_from_registry_key(
         registry_obj.HKEY_LOCAL_MACHINE,
         r"SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
         is_recursive=False)
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "KEY_VALUE", "USB_ID")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "KEY":
             usb_decoded = get_usb_key_info(item[KEY_PATH])
             to_csv_list.append((self.computer_name,
                                 "USBHistory",
                                 item[KEY_LAST_WRITE_TIME],
                                 "HKEY_LOCAL_MACHINE",
                                 item[KEY_PATH],
                                 item[KEY_VALUE_STR],
                                 usb_decoded))
     with open(self.output_dir + "\\" + self.computer_name + "_USBHistory.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 33
0
 def csv_usb_history(self):
     """Extracts information about USB devices that have been connected since the system installation"""
     self.logger.info("Extracting USB history")
     hive_list = self._get_list_from_registry_key(
         registry_obj.HKEY_LOCAL_MACHINE,
         r"SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
         is_recursive=False)
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "KEY_VALUE", "USB_ID")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == "KEY":
             usb_decoded = get_usb_key_info(item[KEY_PATH])
             to_csv_list.append((self.computer_name,
                                 "USBHistory",
                                 item[KEY_LAST_WRITE_TIME],
                                 "HKEY_LOCAL_MACHINE",
                                 item[KEY_PATH],
                                 item[KEY_VALUE_STR],
                                 usb_decoded))
     with open(self.output_dir + "\\" + self.computer_name + "_USBHistory.csv", "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 34
0
 def csv_custom_registry_keys(self):
     """
     Extracts custom registry keys, the user specifies whether it should be recursive or not.
     The list of registry keys to extract should be comma-separated
     """
     if self.exec_custom_registry_keys:
         self.logger.info("Extracting custom registry keys")
         to_csv_list = [
             ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE",
              "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
         ]
         for paths in reader([self.custom_registry_keys
                              ]):  # used as a kind of unpack
             for path in paths:
                 temp = path.split("\\")
                 hive = temp[0].upper()
                 path = "\\".join(temp[1:])
                 if hive in ("HKLM", "HKEY_LOCAL_MACHINE"):
                     self._generate_hklm_csv_list(
                         to_csv_list,
                         "custom_registry_key",
                         path,
                         is_recursive=self.registry_recursive)
                 elif hive in ("HKU", "HKEY_USERS"):
                     self._generate_hku_csv_list(
                         to_csv_list,
                         "custom_registry_key",
                         path,
                         is_recursive=self.registry_recursive)
                 else:  # error
                     self.logger.warn(
                         "Must specify HKLM/HKEY_LOCAL_MACHINE or HKU/HKEY_USERS as hive"
                     )
                     return
         with open(
                 self.output_dir + "\\" + self.computer_name +
                 "_custom_registry_keys" + self.rand_ext, "wb") as output:
             csv_writer = get_csv_writer(output)
             write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 35
0
 def csv_recent_docs(self):
     """Extracts information about recently opened files saved location and opened date"""
     path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
     to_csv_list = []
     for item in hive_list:
         if item[KEY_VALUE_STR] == "VALUE":
             if item[VALUE_NAME] != "MRUListEx":
                 values_decoded = decode_recent_docs_mru(item[VALUE_DATA])
                 for value_decoded in values_decoded:
                     to_csv_list.append((self.computer_name,
                                         "recent_docs",
                                         item[VALUE_LAST_WRITE_TIME],
                                         "HKEY_USERS",
                                         item[VALUE_PATH],
                                         item[VALUE_NAME],
                                         item[KEY_VALUE_STR],
                                         registry_obj.get_str_type(item[VALUE_TYPE]),
                                         value_decoded))
    # with open(self.output_dir + "\\" + self.computer_name + "_recent_docs.csv", "wb") as output:
     #csv_writer = get_csv_writer(output)
     write_list_to_csv(to_csv_list, None)
Exemplo n.º 36
0
 def _csv_open_save_mru(self, str_opensave_mru):
     """Extracts OpenSaveMRU containing information about files selected in the Open and Save view"""
     # TODO : Win XP
     self.logger.info("Extracting open save MRU")
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru)
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     for item in hive_list:
         if item[KEY_VALUE_STR] == 'VALUE':
             if item[VALUE_NAME] != "MRUListEx":
                 pidl = shell.StringAsPIDL(item[VALUE_DATA])
                 path = shell.SHGetPathFromIDList(pidl)
                 to_csv_list.append((self.computer_name,
                                     "opensaveMRU",
                                     item[VALUE_LAST_WRITE_TIME],
                                     "HKEY_USERS",
                                     item[VALUE_PATH],
                                     item[VALUE_NAME],
                                     item[KEY_VALUE_STR],
                                     registry_obj.get_str_type(item[VALUE_TYPE]), path))
     with open(self.output_dir + "\\" + self.computer_name + "_opensaveMRU" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)
Exemplo n.º 37
0
 def csv_usb_history(self):
     with open(self.output_dir + "\\" + self.computer_name + "_USBHistory" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(self.__get_usb_history(), csv_writer)
Exemplo n.º 38
0
    def csv_run_mru_start(self):

        with open(self.output_dir + "\\" + self.computer_name + "_run_MRU_start" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_run_mru_start(), csv_writer)
Exemplo n.º 39
0
    def csv_installed_components(self):

        with open(self.output_dir + "\\" + self.computer_name + "_installed_components" + self.rand_ext,
                  "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_installed_components(), csv_writer)
Exemplo n.º 40
0
    def csv_windows_values(self):

        with open(self.output_dir + "\\" + self.computer_name + "_windows_values" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_windows_values(), csv_writer)
Exemplo n.º 41
0
    def csv_shell_bags(self):

        with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_shell_bags(), csv_writer)
Exemplo n.º 42
0
    def csv_startup_programs(self):

        with open(self.output_dir + "\\" + self.computer_name + "_startup" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_startup_programs(), csv_writer)
Exemplo n.º 43
0
 def csv_recent_docs(self):
     with open(self.output_dir + "\\" + self.computer_name + "_recent_docs" + self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(self.__get_recents_docs(), csv_writer)
Exemplo n.º 44
0
    def csv_registry_services(self):
        """Extracts services"""

        with open(self.output_dir + "\\" + self.computer_name + "_registry_services" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_registry_services(), csv_writer)
Exemplo n.º 45
0
    def _csv_PowerPoint_mru(self, str_powerpoint_mru):

        with open(self.output_dir + "\\" + self.computer_name + "_powerpointMRU" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_powerpoint_mru(str_powerpoint_mru), csv_writer)
Exemplo n.º 46
0
    def _csv_open_save_mru(self, str_opensave_mru):

        with open(self.output_dir + "\\" + self.computer_name + "_opensaveMRU" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_open_save_mru(str_opensave_mru), csv_writer)
Exemplo n.º 47
0
    def _csv_user_assist(self, count_offset, is_win7_or_further):

        with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output:
            csv_writer = get_csv_writer(output)
            write_list_to_csv(self.__get_user_assist(count_offset, is_win7_or_further), csv_writer)