def make_imageload(self,
event: dict) -> Optional[Tuple[File, Process, File]]:
# Pull out the process fields.
process = Process(
process_image=event["process"],
process_image_path=event["processPath"],
process_id=int(event["pid"]),
user=event.get("username", None),
)
# Pull out the image of the process
file_node = process.get_file_node()
# File - (File Of) -> Process
file_node.file_of[process]
# Add the drive where possible.
if event.get("drive"):
file_path = f"{event['drive']}:\\{event['filePath']}"
else:
file_path = event["filePath"]
loaded_file = File(file_path=file_path, file_name=event["fileName"])
loaded_file.set_extension()
process.loaded[loaded_file].append(timestamp=event["event_time"])
return (loaded_file, process, file_node)
def make_file_copy(self, event: dict) -> Tuple[Process, File, File, File]:
process = Process(
process_image=event[FieldNames.PROCESS_IMAGE],
process_image_path=event[FieldNames.PROCESS_IMAGE_PATH],
process_id=int(event[FieldNames.PROCESS_ID]),
command_line=event[FieldNames.COMMAND_LINE],
)
proc_file = process.get_file_node()
proc_file.file_of[process]
# Source file
src_file = File(
file_path=event[FieldNames.SRC_FILE][FieldNames.FILE_PATH],
file_name=event[FieldNames.SRC_FILE][FieldNames.FILE_NAME],
hashes=event[FieldNames.SRC_FILE].get(FieldNames.HASHES),
)
# Dest file
src_file.set_extension()
dest_file = File(
file_path=event[FieldNames.DEST_FILE][FieldNames.FILE_PATH],
file_name=event[FieldNames.DEST_FILE][FieldNames.FILE_NAME],
hashes=event[FieldNames.DEST_FILE].get(FieldNames.HASHES),
)
dest_file.set_extension()
src_file.copied_to[dest_file]
process.copied[src_file]
return (process, proc_file, src_file, dest_file)
def make_file(self, event: dict) -> Optional[Tuple[File, Process, File]]:
"""Converts a fileWriteEvent to two nodes, a file and the process manipulated the file.
Generates a process - (Wrote) -> File edge.
Parameters
----------
event : dict
The fileWriteEvent event.
Returns
-------
Optional[Tuple[File, Process, File]]
Returns a tuple contaning the File that this event is focused on, and the process
which manipulated the file. The process has a Wrote edge to the file. Also contains
the file that the process belongs to.
"""
if "filePath" not in event:
return None
# Add the drive where possible.
if event.get("drive"):
file_path = f"{event['drive']}:\\{event['filePath']}"
else:
file_path = event["filePath"]
hashes: Dict[str, str] = {}
if event.get("md5"):
hashes = {"md5": event["md5"]}
# Create the file node.
file_node = File(file_path=file_path,
file_name=event["fileName"],
hashes=hashes)
# Set the extension
file_node.set_extension()
# Set the process node
process = Process(
process_id=int(event["pid"]),
process_image=event["process"],
process_image_path=event["processPath"],
user=event.get("username"),
)
# Add a wrote edge with the contents of the file write.
process.wrote[file_node].append(
timestamp=int(event["event_time"]),
contents=event.get("textAtLowestOffset"))
# Pull out the image of the process
proc_file_node = process.get_file_node()
# File - (File Of) -> Process
proc_file_node.file_of[process]
return (file_node, process, proc_file_node)
def make_basic_file(self, event: dict) -> Tuple[Process, File, File]:
"""Transforms a file based event.
Support events:
1. EventTypes.FILE_DELETED
2. EventTypes.FILE_OPENED
3. EventTypes.FILE_WRITTEN
4. EventTypes.LOADED_MODULE
Parameters
----------
event : dict
[description]
Returns
-------
Tuple[Process, File, File]
[description]
"""
process = Process(
process_image=event[FieldNames.PROCESS_IMAGE],
process_image_path=event[FieldNames.PROCESS_IMAGE_PATH],
process_id=int(event[FieldNames.PROCESS_ID]),
command_line=event[FieldNames.COMMAND_LINE],
)
proc_file = process.get_file_node()
proc_file.file_of[process]
file_node = File(
file_path=event[FieldNames.FILE_PATH],
file_name=event[FieldNames.FILE_NAME],
hashes=event.get(FieldNames.HASHES),
)
file_node.set_extension()
# Switch based on the event type
event_type = event[FieldNames.EVENT_TYPE]
if event_type == EventTypes.FILE_OPENED:
process.accessed[file_node]
elif event_type == EventTypes.FILE_WRITTEN:
process.wrote[file_node]
elif event_type == EventTypes.LOADED_MODULE:
process.loaded[file_node]
else:
process.deleted[file_node]
return (process, proc_file, file_node)
def file_events(
self, event: dict
) -> Union[Tuple[Process, File, File], Tuple[Process, File, File, File]]:
"""Transforms a file event
Example file event::
{
"mode": "created",
"fid": { "ads": "", "content": 2533274790555891 },
"processinfo": {
"imagepath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"md5sum": "eb32c070e658937aa9fa9f3ae629b2b8",
"pid": 2956
},
"ntstatus": "0x0",
"value": "C:\\Users\\admin\\AppData\\Local\\Temp\\sy24ttkc.k25.ps1",
"CreateOptions": "0x400064",
"timestamp": 9494
}
In 8.2.0 the `value` field became a dictionary when the mode is `failed`::
"values": {
"value": "C:\\Users\\admin\\AppData\\Local\\Temp\\sy24ttkc.k25.ps1""
}
Parameters
----------
event : dict
The source event
Returns
-------
Tuple[Process, File, File]
The process, the process' image, and the file written.
"""
proc_info = event["processinfo"]
process_image, process_image_path = split_path(proc_info["imagepath"])
proc = Process(
process_id=int(proc_info["pid"]),
process_image=process_image,
process_image_path=process_image_path,
)
proc_file = proc.get_file_node()
proc_file.file_of[proc]
# 8.2.0 changes.
if "values" in event:
full_path = event["values"]["value"]
else:
full_path = event["value"]
file_name, file_path = split_path(full_path)
file_node = File(file_name=file_name, file_path=file_path)
file_node.set_extension()
if event["mode"] == "created":
proc.wrote[file_node].append(timestamp=event["timestamp"])
elif event["mode"] == "deleted":
proc.deleted[file_node].append(timestamp=event["timestamp"])
elif event["mode"] == "CopyFile":
src_name, src_path = split_path(event["source"])
src_file = File(file_name=src_name, file_path=src_path)
src_file.set_extension()
src_file.copied_to[file_node].append(timestamp=event["timestamp"])
proc.copied[src_file].append(timestamp=event["timestamp"])
return (proc, proc_file, file_node, src_file)
else:
proc.accessed[file_node].append(timestamp=event["timestamp"])
return (proc, proc_file, file_node)
def test_set_extension():
file_node = File(file_path="c:/windows", file_name="test.exe")
file_node.set_extension()
assert file_node.extension == "exe"