def make_regkey_set_value(
self, event: dict) -> Tuple[Process, File, RegistryKey]:
process = Process(
process_image=event[FieldNames.PROCESS_IMAGE],
process_image_path=event[FieldNames.PROCESS_IMAGE_PATH],
process_id=int(event[FieldNames.PROCESS_ID]),
command_line=event[FieldNames.COMMAND_LINE],
)
proc_file = process.get_file_node()
proc_file.file_of[process]
# RegistryKey Node Creation
reg_node = RegistryKey(
hive=event[FieldNames.HIVE],
key_path=event[FieldNames.REG_KEY_PATH],
key=event[FieldNames.REG_KEY],
value=event.get(FieldNames.REG_KEY_VALUE),
)
if reg_node.value:
process.changed_value[reg_node].append(value=reg_node.value)
else:
process.changed_value[reg_node]
return (process, proc_file, reg_node)
def make_basic_regkey(self,
event: dict) -> Tuple[Process, File, RegistryKey]:
process = Process(
process_image=event[FieldNames.PROCESS_IMAGE],
process_image_path=event[FieldNames.PROCESS_IMAGE_PATH],
process_id=int(event[FieldNames.PROCESS_ID]),
command_line=event[FieldNames.COMMAND_LINE],
)
proc_file = process.get_file_node()
proc_file.file_of[process]
# RegistryKey Node Creation
reg_node = RegistryKey(
hive=event[FieldNames.HIVE],
key_path=event[FieldNames.REG_KEY_PATH],
key=event[FieldNames.REG_KEY],
)
if event["event_type"] == EventTypes.REG_KEY_OPENED:
process.read_key[reg_node]
else:
process.deleted_key[reg_node]
return (process, proc_file, reg_node)
def make_registry(
self, event: dict) -> Optional[Tuple[RegistryKey, Process, File]]:
# Pull out the process fields.
process = Process(
process_image=event["process"],
process_image_path=event["processPath"],
process_id=int(event["pid"]),
user=event.get("username", None),
)
# Pull out the image of the process
file_node = process.get_file_node()
# File - (File Of) -> Process
file_node.file_of[process]
# RegistryKey Node Creation
reg_node = RegistryKey(
hive=event["hive"],
key_path=event["keyPath"],
key=event.get("valueName"),
value=event.get("text"),
value_type=event.get("valueType"),
)
# Space shuttle code for the edge setting
#
# EventType Mappings:
# 1: Value Changed
# 2: Value Deleted
# 3: Key Created
# 4: Key Deleted
#
reg_event_type = str(event["eventType"])
if reg_event_type == "1":
process.changed_value[reg_node].append(
timestamp=event["event_time"])
elif reg_event_type == "2":
process.deleted_value[reg_node].append(
timestamp=event["event_time"])
elif reg_event_type == "3":
process.created_key[reg_node].append(timestamp=event["event_time"])
elif reg_event_type == "4":
process.deleted_key[reg_node].append(timestamp=event["event_time"])
else:
logger.warn(
f"Found a new registry event type with a value of {reg_event_type}: {event}"
)
return (reg_node, process, file_node)
def access_reg_key(self, event) -> Tuple[Process, RegistryKey]:
proc = Process(process_id=int(event["process_id"]),
process_image=event["process_name"])
reg_key, reg_path = split_path(event["path"])
hive = reg_path.split("\\")[0]
reg_path = "\\".join(reg_path.split("\\")[1:])
reg_node = RegistryKey(hive=hive, key_path=reg_path, key=reg_key)
proc.read_key[reg_node].append(timestamp=event["event_time"])
return (proc, reg_node)
def registry_creation(
self, event: dict) -> Optional[Tuple[Process, File, RegistryKey]]:
if "EventData_TargetObject" not in event:
return None
process_image, process_path = split_path(event["EventData_Image"])
proc = SysMonProc(
host=event["Computer"],
user=event.get("EventData_User"),
process_guid=event["EventData_ProcessGuid"],
process_id=int(event["EventData_ProcessId"]),
process_image=process_image,
process_image_path=process_path,
)
proc_file = proc.get_file_node()
proc_file.file_of[proc]
key_path = event["EventData_TargetObject"]
hive = key_path.split("\\")[1]
key = key_path.split("\\")[-1]
# Always has a leading \\ so split from 2:
key_path = "\\".join(key_path.split("\\")[2:-1])
key = RegistryKey(
hive=hive,
key=key,
key_path=key_path,
value=event.get("EventData_Details"),
value_type="DWORD",
)
event_type = event["EventData_EventType"]
if event_type == "SetValue":
proc.changed_value[key].append(
value=event.get("EventData_Details"),
timestamp=event["EventData_UtcTime"])
elif event_type == "DeleteValue":
proc.deleted_value[key].append(
timestamp=event["EventData_UtcTime"])
elif event_type == "CreateKey":
proc.created_key[key].append(timestamp=event["EventData_UtcTime"])
elif event_type == "DeleteKey":
proc.deleted_key[key].append(timestamp=event["EventData_UtcTime"])
return (proc, proc_file, key)
def regkey_events(self, event: dict) -> Tuple[Process, File, RegistryKey]:
"""Transforms a single registry key event
Example event::
{
"mode": "queryvalue",
"processinfo": {
"imagepath": "C:\\Users\\admin\\AppData\\Local\\Temp\\bar.exe",
"tainted": True,
"md5sum": "....",
"pid": 1700,
},
"value": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\\"ProxyOverride\"",
"timestamp": 6203
},
Parameters
----------
event : dict
source regkey event
Returns
-------
Tuple[Process, File, RegistrKey]
Process and its image, and the registry key.
"""
proc_info = event["processinfo"]
process_image, process_image_path = split_path(proc_info["imagepath"])
proc = Process(
process_id=int(proc_info["pid"]),
process_image=process_image,
process_image_path=process_image_path,
)
proc_file = proc.get_file_node()
proc_file.file_of[proc]
path, key_contents = re.match(r"(.*)\\\"(.*)",
event["value"]).groups() # type: ignore
key_contents = key_contents[:-1] # remove last quote.
hive, reg_key_path = path.replace("\\REGISTRY\\", "").split("\\", 1)
if '" = ' in key_contents:
key, value = key_contents.split('" = ')
else:
key = key_contents
value = None
regkey = RegistryKey(hive=hive,
key=key,
key_path=reg_key_path,
value=value)
if event["mode"] == "added":
proc.created_key[regkey].append(timestamp=event["timestamp"],
value=value)
elif event["mode"] == "setval":
proc.changed_value[regkey].append(timestamp=event["timestamp"],
value=value)
elif event["mode"] in ["deleteval", "deleted"]:
proc.deleted_key[regkey].append(timestamp=event["timestamp"],
value=value)
else:
proc.read_key[regkey].append(timestamp=event["timestamp"],
value=value)
return (proc, proc_file, regkey)