def run(self):
lst = []
"use the SOFTWARE hive to get the result"
ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
hive = get_hive(self.prim_hive, self.log_files)
ProfileList_user_settings_key = hive.find_key(
ProfileList_user_settings_path)
# print('Found a key: {}'.format(ProfileList_user_settings_key.path()))
if ProfileList_user_settings_key:
for sid_key in ProfileList_user_settings_key.subkeys():
sid_name = sid_key.name()
Profile_path = sid_key.value(name=u"ProfileImagePath")
Profile_data = strip_control_characters(Profile_path.data())
timestamp = sid_key.last_written_timestamp().isoformat()
user = strip_control_characters(
os.path.basename(os.path.normpath(Profile_data)))
record = OrderedDict([("Path", Profile_data), ("User", user),
("sid", sid_name),
("Key_Timestamp", timestamp),
("@timestamp", timestamp)])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'ProfileList', ProfileList_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths"
hive = get_hive(self.prim_hive, self.log_files)
InstalledApp_user_settings_key = hive.find_key(
InstalledApp_user_settings_path)
# print('Found a key: {}'.format(InstalledApp_user_settings_key.path()))
if InstalledApp_user_settings_key:
for sid_key in InstalledApp_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
Path = sid_key.value(name=u"Path")
if Path:
Path_data = strip_control_characters(Path.data())
else:
Path_data = ""
record = OrderedDict([
("Application_Name", sid_name),
("InstalledApp_date", timestamp),
("Path", Path_data),
("@timestamp", timestamp),
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('Bam',
bam_user_settings_path))
return lst
def run(self):
"use the NTUSER.dat hive to get the result"
StreamMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU'
hive = get_hive(self.prim_hive,self.log_files)
StreamMRU_user_settings_key = hive.find_key(StreamMRU_user_settings_path)
print('Found a key: {}'.format(StreamMRU_user_settings_key.path()))
if StreamMRU_user_settings_key:
sid_key_values = iter(StreamMRU_user_settings_key.values())
timestamp = StreamMRU_user_settings_key.last_written_timestamp().isoformat()
counter =0
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
sid_name = value.name()
data = value.data()
dump = RegistryHelpers.HexDump(value.data())
counter = counter +1
dx = struct.unpack(data)
print (dx)
def run(self):
lst = []
MuiCache_user_settings_path = u"\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache"
hive = get_hive(self.prim_hive, self.log_files)
MuiCache_user_settings_key = hive.find_key(MuiCache_user_settings_path)
if MuiCache_user_settings_key:
sid_name = MuiCache_user_settings_key.name()
sid_key_values = iter(MuiCache_user_settings_key.values())
timestamp = MuiCache_user_settings_key.last_written_timestamp(
).isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data_raw()
record = OrderedDict([("name", value_name), ("sid", sid_name),
("Key_Timestamp", timestamp),
("@timestamp", timestamp)])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format(
'Muicache', MuiCache_user_settings_key))
def run(self):
lst =[]
PortForwading_user_settings_path = u"CurrentControlSet\\Services\\PortProxy\\v4tov4"
hive = get_hive(self.prim_hive,self.log_files)
PortForwading_user_settings_key = hive.find_key(PortForwading_user_settings_path)
for sk in PortForwading_user_settings_key.subkeys():
print(sk)
def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
TimeZoneInformation_user_settings_path = u"\\".join(
[current_path, u"Control\\TimeZoneInformation"])
TimeZoneInformation_user_settings_key = hive.find_key(
TimeZoneInformation_user_settings_path)
if TimeZoneInformation_user_settings_key:
TimeZoneKeyName = TimeZoneInformation_user_settings_key.value(
name=u"TimeZoneKeyName")
TimeZoneKeyName_data = TimeZoneKeyName.data()
timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp(
).isoformat()
record = OrderedDict([
("Time Zone", strip_control_characters(TimeZoneKeyName_data)),
("Key_Timestamp", timestamp), ("@timestamp", timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'TimeZoneInformation', TimeZoneInformation_user_settings_path))
return lst
def run(self):
lst = []
WordWheelQuery_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"
hive = get_hive(self.prim_hive,self.log_files)
WordWheelQuery_user_settings_key = hive.find_key(WordWheelQuery_user_settings_path)
if WordWheelQuery_user_settings_key:
#for sid_key in WordWheelQuery_user_settings_key.subkeys():
sid_key_values = iter(WordWheelQuery_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
url_data =value.data().decode("utf-16")
timestamp = WordWheelQuery_user_settings_key.last_written_timestamp().isoformat()
record = OrderedDict([
("Key_Timestamp",timestamp),
("Url_Name", value_name),
("Url", strip_control_characters(url_data)),
("@timestamp",timestamp),
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('WordWheelQuery', WordWheelQuery_user_settings_path))
return lst
def run(self):
lst = []
"use the NTUSER.dat hive to get the result"
RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'
hive = get_hive(self.prim_hive,self.log_files)
RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path)
if RunMRU_user_settings_key:
sid_key_values = iter(RunMRU_user_settings_key.values())
timestamp = RunMRU_user_settings_key.last_written_timestamp().isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
sid_name = value.name()
file_name = strip_control_characters(value.data())
record = OrderedDict([
("Sequence", sid_name),
("Command", file_name),
("Key_Timestamp",timestamp),
("@timestmap",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path))
return lst
def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
PortForwading_user_settings_path = u"\\".join(
[current_path, u"Services\\PortProxy\\v4tov4"])
hive = get_hive(self.prim_hive, self.log_files)
PortForwading_user_settings_key = hive.find_key(
PortForwading_user_settings_path)
for sk in PortForwading_user_settings_key.subkeys():
print(sk)
def run(self):
lst =[]
OpenSaveMRU_settings_path = u"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePIDlMRU"
hive = get_hive(self.prim_hive,self.log_files)
OpenSaveMRU_settings_key = hive.find_key(OpenSaveMRU_settings_path)
#print('Found a key: {}'.format(OpenSaveMRU_settings_key.path()))
if OpenSaveMRU_settings_key:
for sid_key in OpenSaveMRU_settings_key.subkeys():
try:
dat_key =sid_key.last_written_timestamp().isoformat()
except:
pass
sid_name = sid_key.name()
cat = sid_name
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
value_name = value.name()
if "MRUListEx" == value_name or "(Default)" !=value_name:
data = value.data()
path = ""
data = data.hex()
data = data.split("0400efbe")
#print (data)
counter = 0
for d in data:
if counter == 0 :
pass
else:
dax =bytes.fromhex(d)
#print(dax)
format = Struct(
'unkuwn'/Bytes(38),
'Path' /CString("utf16")
)
dd = format.parse(dax)
path += "\\"+dd.Path
counter = counter + 1
record = OrderedDict([
("SequenceNumber", value_name),
("Key_timestamp", dat_key),
("Type", sid_name),
("path",path),
("@timestamp", dat_key)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
return lst
def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
bam_user_settings_path = u"\\".join(
[current_path, u"Services\\bam\\UserSettings"])
bam_user_settings_key = hive.find_key(bam_user_settings_path)
if bam_user_settings_key:
for sid_key in bam_user_settings_key.subkeys():
sid_name = sid_key.name()
version_value = sid_key.value(name=u"Version")
version = None
if version_value:
version = version_value.data()
sequence_value = sid_key.value(name=u"SequenceNumber")
sequence = None
if sequence_value:
sequence = version_value.data()
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data_raw()
if value_name not in [u"Version", u"SequenceNumber"]:
timestamp = convert_datetime(value_data[0:8])
record = OrderedDict([("name", value_name),
("@timestamp", timestamp),
("sid", sid_name),
("version", version),
("sequence", sequence)])
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format('Bam',
bam_user_settings_path))
def run(self):
print("HI" * 100)
lst = []
VolatileEnvironment_user_settings_path = u"Volatile Environment"
hive = get_hive(self.prim_hive, self.log_files)
VolatileEnvironment_user_settings_key = hive.find_key(
VolatileEnvironment_user_settings_path)
print('Found a key: {}'.format(
VolatileEnvironment_user_settings_key.path()))
#return None
if VolatileEnvironment_user_settings_key:
print("gg")
# for sid_key in VolatileEnvironment_user_settings_key.subkeys():
# sid_name = sid_key.name()
#
# def get_date (value_name):
# value = sid_key.value(name=value_name)
# if value:
# value = value.data()
# else:
# value ="None"
# return value
#
# dict_values_data = {'VolatileEnvironmentIPAddress' : strip_control_characters(get_date('VolatileEnvironmentIPAddress')),
# 'VolatileEnvironmentServer' : strip_control_characters(get_date('VolatileEnvironmentServer')),
# 'VolatileEnvironmentSubnetMask' : strip_control_characters(get_date('VolatileEnvironmentSubnetMask')),
# 'Domain' : strip_control_characters(get_date('Domain')),
# 'NameServer' : strip_control_characters(get_date('NameServer')),
# 'EnableVolatileEnvironment' : get_date('EnableVolatileEnvironment'),
# 'VolatileEnvironmentConnForceBroadcastFlag' : get_date('VolatileEnvironmentConnForceBroadcastFlag'),
# 'IsServerNapAware' : get_date('IsServerNapAware'),
# 'RegisterAdapterName' : get_date('RegisterAdapterName'),
# 'RegistrationEnabled' : get_date('RegistrationEnabled')}
#
#
# record = OrderedDict([
# ("_plugin", u"VolatileEnvironment"),
# ("VolatileEnvironment IP Address", dict_values_data['VolatileEnvironmentIPAddress']),
# ("VolatileEnvironment Server", dict_values_data['VolatileEnvironmentServer']),
# ("VolatileEnvironmentSubnetMask", dict_values_data['VolatileEnvironmentSubnetMask']),
# ("Domain", dict_values_data['Domain']),
# ("Name Server", dict_values_data['NameServer']),
# ("Enable VolatileEnvironment", dict_values_data['EnableVolatileEnvironment']),
# ("VolatileEnvironmentConnForceBroadcastFlag", dict_values_data['VolatileEnvironmentConnForceBroadcastFlag']),
# ("Is Server NapAware", dict_values_data['IsServerNapAware']),
# ("Register Adapter Name", dict_values_data['RegisterAdapterName']),
# ("Registration Enabled", dict_values_data['RegistrationEnabled'])
#
# ])
#
# lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'VolatileEnvironment', VolatileEnvironment_user_settings_path))
def run(self):
lst = []
hive = get_hive(self.prim_hive, self.log_files)
Amcache_user_settings_path = u"root\\InventoryApplicationFile"
Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path)
if Amcache_user_settings_key:
for sid_key in Amcache_user_settings_key.subkeys():
sub_key = sid_key.name()
value_X = sid_key.values()
for x in value_X:
print(x, x.data())
break
path = sid_key.value(name=u"LowerCaseLongPath").data()
hash = sid_key.value(name=u"FileId").data()
Name = sid_key.value(name=u"Name").data()
Publisher = sid_key.value(name=u"Publisher").data()
Version = sid_key.value(name=u"Version").data()
BinFileVersion = sid_key.value(name=u"BinFileVersion").data()
BinaryType = sid_key.value(name=u"BinaryType").data()
ProductName = sid_key.value(name=u"ProductName").data()
ProductVersion = sid_key.value(name=u"ProductVersion").data()
LinkDate = sid_key.value(name=u"LinkDate").data()
BinProductVersion = sid_key.value(
name=u"BinProductVersion").data()
Size = sid_key.value(name=u"Size").data()
Language = sid_key.value(name=u"Language").data()
IsPeFile = sid_key.value(name=u"IsPeFile").data()
record = OrderedDict([
("path", path),
("hash", hash),
("Name", Name),
("Publisher", Publisher),
("Version", Version),
("BinFileVersion", BinFileVersion),
("BinaryType", BinaryType),
("ProductName", ProductName),
("ProductVersion", ProductVersion),
("LinkDate", LinkDate),
("BinProductVersion", BinProductVersion),
("ProductName", ProductName),
("Size", Size),
("Language", Language),
("IsPeFile", IsPeFile),
("@timestamp", LinkDate),
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format(
'Amcache', Amcache_user_settings_key))
def run(self):
# for reg_handler in registry_manager.iter_registry_handlers(name=u'NTUSER.DAT'):
hive = get_hive(self.prim_hive,self.log_files)
user_assist_key = hive.find_key(u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist')
if user_assist_key is not None:
lst =[]
for guid_key in user_assist_key.subkeys():
guid_key_name = guid_key.name()
count_key = guid_key.subkey(u"Count")
dat_key =guid_key.last_written_timestamp().isoformat()
if count_key is not None:
for value in count_key.values():
value_name = value.name()
value_name_decoded = codecs.encode(value_name, 'rot_13')
value_data = value.data()
count = None
win =""
if len(value_data) == 16:
count = struct.unpack("<I",value_data[4:8])[0]
count -= 5
record = OrderedDict([
("_plugin", u"UserAssist"),
("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("@timestamp",dat_key)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
elif len(value_data) == 72:
count = struct.unpack("<I", value_data[4:8])[0]
date_time = struct.unpack("<q", value_data[60:68])[0]
new_datetime =convert_datetime(date_time)
if new_datetime == "1601-01-01T00:00:00":
new_datetime = dat_key
record = OrderedDict([
("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("key_creation_time",dat_key),
("@timestamp",new_datetime)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
pass
return lst
else:
return None
def run(self):
lst =[]
"use the SOFTWARE hive to get the result"
ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved'
hive = get_hive(self.prim_hive,self.log_files)
ShellExtensions_user_settings_key = hive.find_key(ShellExtensions_user_settings_path)
if ShellExtensions_user_settings_key:
sid_key_values = iter(ShellExtensions_user_settings_key.values())
timestamp = ShellExtensions_user_settings_key.last_written_timestamp().isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
sid_name= value.name()
data = value.data()
if isinstance(data, bytes):
pos = data.find(b'\x00\x00') +1
file_name = strip_control_characters(data[:pos].decode('utf-16'))
else:
file_name = strip_control_characters(data)
record = OrderedDict([
("sid", sid_name),
("File Name", file_name),
("key_last_written_timestamp",timestamp),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('ShellExtensions', ShellExtensions_user_settings_path))
return lst
def run(self):
lst = []
ComputerName_user_settings_path = u"ControlSet001\\Control\\ComputerName\\ComputerName"
hive = get_hive(self.prim_hive,self.log_files)
ComputerName_user_settings_key = hive.find_key(ComputerName_user_settings_path)
if ComputerName_user_settings_key:
ComputerName = ComputerName_user_settings_key.value(name=u"ComputerName")
ComputerName_data = ComputerName.data()
timestamp = ComputerName_user_settings_key.last_written_timestamp().isoformat()
record = OrderedDict([
("ComputerName", strip_control_characters(ComputerName_data)),
("Key_Timestamp", timestamp),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('ComputerName', ComputerName_user_settings_path))
return lst
def run(self):
lst = []
# for reg_handler in registry_manager.iter_registry_handlers(name=u'NTUSER.DAT'):
hive = get_hive(self.prim_hive, self.log_files)
user_assist_key = hive.find_key(
u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'
)
if user_assist_key is not None:
for guid_key in user_assist_key.subkeys():
guid_key_name = guid_key.name()
count_key = guid_key.subkey(u"Count")
if count_key is not None:
for value in count_key.values():
value_name = value.name()
value_name_decoded = codecs.encode(
value_name, 'rot_13')
value_data = value.data()
# dump = RegistryHelpers.HexDump(value_data)
count = None
win = ""
if len(value_data) == 16:
count = struct.unpack("<I", value_data[4:8])[0]
count -= 5
elif len(value_data) == 72:
count = struct.unpack("<I", value_data[4:8])[0]
date_time = struct.unpack("<q",
value_data[60:68])[0]
new_datetime = convert_datetime(date_time)
record = OrderedDict([("guid", guid_key_name),
("name", value_name_decoded),
("count", count),
("@timestamp", new_datetime)])
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
LaunchTracing_user_settings_path = u"\\Wow6432Node\\Microsoft\\Tracing"
hive = get_hive(self.prim_hive, self.log_files)
LaunchTracing_user_settings_key = hive.find_key(
LaunchTracing_user_settings_path)
if LaunchTracing_user_settings_key:
for sid_key in LaunchTracing_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
record = OrderedDict([("name", sid_name),
("Excution_Time", timestamp),
("@timestamp", timestamp)])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'LaunchTracing', LaunchTracing_user_settings_path))
return lst
def run(self):
lst = []
AppCompatFlags_user_settings_path = u"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
hive = get_hive(self.prim_hive, self.log_files)
AppCompatFlags_user_settings_key = hive.find_key(
AppCompatFlags_user_settings_path)
if AppCompatFlags_user_settings_key:
sid_name = AppCompatFlags_user_settings_key.name()
timestamp = AppCompatFlags_user_settings_key.last_written_timestamp(
).isoformat()
sid_key_values = iter(AppCompatFlags_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_datax = value.data()
record = OrderedDict([
("File", value_name),
("Key_Timestamp", timestamp),
("sid", sid_name),
("value", value_datax),
("@timestamp", timestamp),
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format(
'AppCompatFlags', AppCompatFlags_user_settings_path))
def run(self):
lst = []
"use the NATUSER.dat hive to get the result"
#Software\\Classes\\
Sysinternals_user_settings_path = u'\\Software\\Sysinternals'
hive = get_hive(self.prim_hive, self.log_files)
Sysinternals_user_settings_key = hive.find_key(
Sysinternals_user_settings_path)
if Sysinternals_user_settings_key:
for sid_key in Sysinternals_user_settings_key.subkeys():
Application_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
EulaAccepted = sid_key.value(name=u"EulaAccepted")
if EulaAccepted:
EulaAccepted_data = EulaAccepted.data()
if EulaAccepted_data == 1:
EulaAccepted_data = "True"
else:
EulaAccepted_data = "False"
else:
EulaAccepted_data = "None"
record = OrderedDict([
("Application_Name", Application_name),
("Eula_Accepted", EulaAccepted_data),
("Accepted_TimeStamp", timestamp),
("@timestamp", timestamp),
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'Sysinternals', Sysinternals_user_settings_path))
return lst
def run(self):
lst = []
TypedUrls_user_settings_path = u"Software\\Microsoft\\Internet Explorer\\TypedURLs"
hive = get_hive(self.prim_hive, self.log_files)
TypedUrls_user_settings_key = hive.find_key(
TypedUrls_user_settings_path)
if TypedUrls_user_settings_key:
#for sid_key in TypedUrls_user_settings_key.subkeys():
sid_key_values = iter(TypedUrls_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
url_data = value.data()
timestamp = TypedUrls_user_settings_key.last_written_timestamp(
).isoformat()
record = OrderedDict([("Key_Timestamp", timestamp),
("Url Name", value_name),
("Url",
strip_control_characters(url_data)),
("@timestamp", timestamp)])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'TypedUrls', TypedUrls_user_settings_path))
return lst
def run(self):
lst = []
LastVisitedPidMRU_settings_path = u"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU"
hive = get_hive(self.prim_hive, self.log_files)
LastVisitedPidMRU_settings_key = hive.find_key(
LastVisitedPidMRU_settings_path)
if LastVisitedPidMRU_settings_key:
if LastVisitedPidMRU_settings_key:
sid_name = LastVisitedPidMRU_settings_key.name()
dat_key = LastVisitedPidMRU_settings_key.last_written_timestamp(
).isoformat()
cat = sid_name
sid_key_values = iter(LastVisitedPidMRU_settings_key.values())
while True:
try:
value = next(sid_key_values)
value_name = value.name()
if value_name != "MRUListEx" and value_name != "(Default)":
data = value.data()
format = Struct('filename' / CString("utf16"))
File_name = format.parse(data)
File_name = File_name.filename
data = data.hex()
data = data.split("0400efbe")
path = ""
counter = 0
a_time = ""
c_time = ""
record = None
for d in data:
if counter == 0:
a_time = ""
else:
dax = bytes.fromhex(d)
format = Struct('CreationDate' / Bytes(4),
'AccessDate' / Bytes(4),
'idntifier' / Bytes(4),
'MFT_entry' / Bytes(6),
'sequence' / Bytes(16),
'unkowun' / Bytes(4),
'Path' / CString("utf16"))
dd = format.parse(dax)
path += "\\" + dd.Path
cc_time = dd.CreationDate
aa_time = dd.AccessDate
if cc_time == b'\x00\x00\x00\x00':
c_time = dat_key
else:
c_time = from_fat(cc_time.hex())
if aa_time == b'\x00\x00\x00\x00':
a_time = dat_key
else:
a_time = from_fat(aa_time.hex())
counter = counter + 1
if value_name == "MRUListEx":
pass
else:
record = OrderedDict([
("SequenceNumber", value_name),
("Key_timestamp", dat_key),
("CreationDate", c_time),
("AccessDate", a_time),
("@timestamp", a_time),
("File_name", File_name),
("path", path)
])
if record is not None:
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
return lst
else:
logging.info(u"[{}] {} not found.".format(
'LastVisitedPidMRU', LastVisitedPidMRU_settings_path))
def run(self):
lst = []
# list of service data mapping
Service_Start = [
'Boot', 'System', 'Automatic', 'Manual', 'Disabled', "DelayedStart"
]
Service_ErrorControl = ['Ignore', 'Normal', 'Severe', 'Critical']
Service_ServiceSidType = ['NONE', 'UNRESTRICTED', 0, 'RESTRICTED']
hive = get_hive(self.prim_hive, self.log_files)
ControlSet_Services_Paths = [
] # this contains the list of paths for ControlSets
main_key = hive.find_key("\\")
for main_key_subkey in main_key.subkeys():
if main_key_subkey.name().startswith("ControlSet"):
ControlSet_Services_Paths.append(main_key_subkey.path() +
"\\services")
for ControlSet_Services_Path in ControlSet_Services_Paths:
ControlSet_Services_Key = hive.find_key(ControlSet_Services_Path)
if ControlSet_Services_Key:
#print('Found a key: {}'.format(ControlSet_Services_Key.path()))
timestamp = ControlSet_Services_Key.last_written_timestamp(
).isoformat()
#print("timestamp: " + timestamp)
for subkey in ControlSet_Services_Key.subkeys():
service = {}
service['Name'] = subkey.name()
service['Path'] = subkey.path()
service["@timestamp"] = subkey.last_written_timestamp(
).isoformat()
values = list(subkey.values())
for v in values:
value_name = v.name().replace(".", "_")
#print(value_name + " ---> " + str(type(v.data())))
# get the start type if the value name is Start
if value_name == 'Start':
service[value_name] = Service_Start[v.data()]
# get the ErrorControl if the value name is ErrorControl
elif value_name == 'ErrorControl':
service[value_name] = Service_ErrorControl[
v.data()]
# get the ServiceSidType if the value name is ServiceSidType
elif value_name == 'ServiceSidType':
service[value_name] = Service_ServiceSidType[
v.data()]
# parse the FailureActions field
elif value_name == 'FailureActions':
failure_actions = self.parse_SERVICE_FAILURE_ACTIONS(
v.data())
service[value_name] = failure_actions['SC_ACTIONS']
service[
"FailureCountResetPeriod"] = failure_actions[
'SC_ACTIONS']
# get the service type if the value name is Type
elif value_name == 'Type':
service[value_name] = self.get_service_type(
v.data())
# if the data is a list, then combine the list
elif type(v.data()) == list:
service[value_name] = "|".join([
strip_control_characters(element)
for element in v.data() if element != "\x00"
])
# if the data is str, ensure to strip null bytes
elif type(v.data()) == str:
service[value_name] = strip_control_characters(
v.data())
elif type(v.data()) == bytes:
service[value_name] = v.data().hex()
else:
service[value_name] = v.data()
# check and retrive parameters subkey from the key
for service_subkey in subkey.subkeys():
if service_subkey.name() == 'Parameters':
service[
'Parameters'] = self.get_service_parameters_subkey(
service_subkey)
elif service_subkey.name() == 'TriggerInfo':
triggers = {}
for trigger in service_subkey.subkeys():
triggers[str(
len(triggers)
)] = self.get_TriggerInfo_subkey(trigger)
service["TriggerInfo"] = triggers
#print(service)
print(json.dumps(service, indent=4, sort_keys=True))
lst.append(service)
else:
pass
else:
logging.info(u"[{}] {} not found.".format(
'Services', ControlSet_Services_Paths))
print(len(lst))
return lst
def run(self):
lst = []
DHCP_user_settings_path = u"ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces"
hive = get_hive(self.prim_hive, self.log_files)
DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path)
if DHCP_user_settings_key:
for sid_key in DHCP_user_settings_key.subkeys():
timestamp = sid_key.last_written_timestamp().isoformat()
sid_name = sid_key.name()
def get_date(value_name):
value = sid_key.value(name=value_name)
if value:
value = value.data()
else:
value = "None"
return value
dict_values_data = {
'DhcpIPAddress':
strip_control_characters(get_date('DhcpIPAddress')),
'DhcpServer':
strip_control_characters(get_date('DhcpServer')),
'DhcpSubnetMask':
strip_control_characters(get_date('DhcpSubnetMask')),
'Domain':
strip_control_characters(get_date('Domain')),
'NameServer':
strip_control_characters(get_date('NameServer')),
'EnableDHCP':
get_date('EnableDHCP'),
'DhcpConnForceBroadcastFlag':
get_date('DhcpConnForceBroadcastFlag'),
'IsServerNapAware':
get_date('IsServerNapAware'),
'RegisterAdapterName':
get_date('RegisterAdapterName'),
'RegistrationEnabled':
get_date('RegistrationEnabled')
}
record = OrderedDict([
("Dhcp IP Address", dict_values_data['DhcpIPAddress']),
("Dhcp Server", dict_values_data['DhcpServer']),
("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']),
("Domain", dict_values_data['Domain']),
("Name Server", dict_values_data['NameServer']),
("Enable DHCP", dict_values_data['EnableDHCP']),
("DhcpConnForceBroadcastFlag",
dict_values_data['DhcpConnForceBroadcastFlag']),
("Is Server NapAware",
dict_values_data['IsServerNapAware']),
("Register Adapter Name",
dict_values_data['RegisterAdapterName']),
("Registration Enabled",
dict_values_data['RegistrationEnabled']),
('@timestamp', timestamp)
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('DHCP',
DHCP_user_settings_path))
return lst
def run(self):
lst = []
TerminalServerClient_user_settings_paths = [
'Software\\Microsoft\\Terminal Server Client\\Servers',
'Software\\Microsoft\\Terminal Server Client\\Default'
]
for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths:
hive = get_hive(self.prim_hive, self.log_files)
TerminalServerClient_user_settings_key = hive.find_key(
TerminalServerClient_user_settings_path)
# print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path()))
if TerminalServerClient_user_settings_key:
if "Servers" in TerminalServerClient_user_settings_path:
for sid_key in TerminalServerClient_user_settings_key.subkeys(
):
timestamp = TerminalServerClient_user_settings_key.last_written_timestamp(
).isoformat()
key_name = sid_key.name()
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(
error))
continue
value_name = value.name()
if "UsernameHint" == value_name:
value_data = value.data()
record = OrderedDict([
("key_timestamp", timestamp),
("IP_Address", key_name),
("User_Name",
strip_control_characters(value_data)),
("@timestamp", timestamp)
])
#
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
else:
sid_key_values = iter(
TerminalServerClient_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data()
record = OrderedDict([
("key_timestamp", timestamp),
("@timestamp", timestamp),
("IP_Address",
strip_control_characters(value_data)),
("Value_Name", value_name)
])
#
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'TerminalServerClient',
TerminalServerClient_user_settings_path))
return lst
def run(self):
lst= []
"use the SOFTWARE hive to get the result"
InstalledComponents_user_settings_path = [u'Microsoft\\Active Setup\\Installed Components',u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components']
hive = get_hive(self.prim_hive,self.log_files)
for path in InstalledComponents_user_settings_path:
InstalledComponents_user_settings_key = hive.find_key(path)
if InstalledComponents_user_settings_key:
for sid_key in InstalledComponents_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
IsInstalled = sid_key.value(name=u"IsInstalled")
if IsInstalled:
IsInstalled_data = IsInstalled.data()
else:
IsInstalled_data ="None"
DontAsk = sid_key.value(name=u"DontAsk")
if DontAsk:
DontAsk_data = DontAsk.data()
else:
DontAsk_data ="None"
Enabled = sid_key.value(name=u"Enabled")
if Enabled:
Enabled_data = Enabled.data()
else:
Enabled_data ="None"
Locale = sid_key.value(name=u"Locale")
if Locale:
Locale_data = strip_control_characters(Locale.data())
else:
Locale_data ="None"
LocalizedName = sid_key.value(name=u"LocalizedName")
if LocalizedName:
LocalizedName_data = strip_control_characters(LocalizedName.data())
else:
LocalizedName_data ="None"
StubPath = sid_key.value(name=u"StubPath")
if StubPath:
StubPath_data = strip_control_characters(StubPath.data())
else:
StubPath_data ="None"
Version = sid_key.value(name=u"Version")
if Version:
Version_data = strip_control_characters(Version.data())
else:
Version_data ="None"
ComponentID = sid_key.value(name=u"ComponentID")
if ComponentID:
ComponentID_data = strip_control_characters(ComponentID.data())
else:
ComponentID_data ="None"
record = OrderedDict([
("sid", sid_name),
("last_written_timestamp",timestamp),
("ComponentID", ComponentID_data),
("Version", Version_data),
("StubPath", StubPath_data),
("LocalizedName", LocalizedName_data),
("Locale", Locale_data),
("Enabled", Enabled_data),
("DontAsk", DontAsk_data),
("IsInstalled", IsInstalled_data),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path))
return lst
def run(self):
lst= []
"This uses useclass.data"
BagMRU_user_settings_path = u"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"
hive = get_hive(self.prim_hive,self.log_files)
BagMRU_user_settings_key = hive.find_key(BagMRU_user_settings_path)
if BagMRU_user_settings_key:
for sid_key in BagMRU_user_settings_key.values():
sid_name = sid_key.name()
data = sid_key.data()
if "MRUListEx" == sid_name or "NodeSlot" == sid_name or "NodeSlots" == sid_name:
pass
else:
buf = sid_key.data()
#data = buf[::2][:buf[::2].find(b'\x00')].decode()
print ("_"*100)
dd = RegistryHelpers.HexDump(buf)
print(dd)
# block = SHITEMLIST(buf, 0x0, False)
# offset = 0x10
#
#
# for i in len(data):
# o = i + 2
# dd = struct.unpack_from("<H", data, o)[0]
# print (dd)
#size = block.unpack_word(offset)
# if size == 0:
# break
# elif size < 0x15:
# pass
# else:
# item = block.get_item(offset)
#print (item)
# version_value = sid_key.value(name=u"Version")
# version = None
# if version_value:
# version = version_value.data()
#
# sequence_value = sid_key.value(name=u"SequenceNumber")
# sequence = None
# if sequence_value:
# sequence = version_value.data()
# We can have an issue with iterating values so we will take it one
# at a time to try and catch errors.
# sid_key_values = iter(sid_key.values())
#
# while True:
# try:
# value = next(sid_key_values)
# except StopIteration:
# break
# except Exception as error:
# logging.error(u"Error getting next value: {}".format(error))
# continue
#
# value_name = value.name()
# value_data = value.data_raw()
#
# if value_name not in [u"Version", u"SequenceNumber"]:
# timestamp = convert_datetime(value_data[0:8])
#
# record = OrderedDict([
# ("_plugin", u"BagMRU"),
# ("name", value_name),
# ("timestamp", timestamp),
# ("sid", sid_name),
# ("version", version),
# ("sequence", sequence)
# ])
#
# print(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('BagMRU', BagMRU_user_settings_path))
def run(self):
lst = []
hive = get_hive(self.prim_hive, self.log_files)
Amcache_user_settings_path = u"root\\InventoryApplicationFile"
Amcache_win7_user_settings_path = u"root\\File"
Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path)
Amcache7_user_settings_key = hive.find_key(
Amcache_win7_user_settings_path)
if Amcache_user_settings_key:
for sid_key in Amcache_user_settings_key.subkeys():
sid_key_values = iter(sid_key.values())
key_time = sid_key.last_written_timestamp().isoformat()
win10_amache_mapping = {
"ProgramId": "ProgramId",
"LongPathHash": "LongPathHash",
"IsOsComponent": "IsOsComponent",
"Usn": "Usn",
"LowerCaseLongPath": "Path",
"FileId": "Sha1",
"Name": "Name",
"Publisher": "CompanyName",
"Version": "Version",
"BinFileVersion": "BinFileVersion",
"BinaryType": "BinaryType",
"ProductName": "ProductName",
"ProductVersion": "ProductVersion",
"LinkDate": "LinkDate",
"BinProductVersion": "BinProductVersion",
"Size": "FileSize",
"Language": "Language",
"IsPeFile": "IsPeFile"
}
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win10_amache_mapping[value_name]
data = value.data()
record[names] = strip_control_characters(str(data))
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
return lst
elif Amcache7_user_settings_key:
win8_amcache_mapping = {
'0': 'ProductName',
'1': 'CompanyName',
'2': 'FileVersionNum',
'3': 'Language',
'4': 'SwitchBackContext',
'5': 'FileVersion',
'6': 'FileSize',
'7': 'pe_header_hash',
'8': 'unknown1',
'9': 'pe_header_checksum',
'a': 'unknown2',
'b': 'unknown3',
'c': 'file_description',
'd': 'unknown4',
'f': 'linker_compile_time',
'10': 'unknown5',
'11': 'last_modified_timestamp',
'12': 'created_timestamp',
'15': 'Path',
'16': 'unknown6',
'17': 'last_modified_timestamp_2',
'100': 'ProgramId',
'101': 'Sha1'
}
for sid_key in Amcache7_user_settings_key.subkeys():
for sidd_key in sid_key.subkeys():
sid_key_values = iter(sidd_key.values())
key_time = sidd_key.last_written_timestamp().isoformat()
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win8_amcache_mapping[value_name]
data = value.data()
if "time" in names:
if "linker_compile_time" in names:
data = datetime.datetime.fromtimestamp(data)
else:
data = convert_datetime(data)
record[names] = strip_control_characters(str(data))
if len(record) == 0:
continue
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format(
'Amcache', Amcache_user_settings_key))
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall"
hive = get_hive(self.prim_hive,self.log_files)
Uninstall_user_settings_key = hive.find_key(Uninstall_user_settings_path)
# print('Found a key: {}'.format(Uninstall_user_settings_key.path()))
if Uninstall_user_settings_key:
for sid_key in Uninstall_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
#try:
DisplayName = sid_key.value(name=u"DisplayName")
if DisplayName:
DisplayName_data = strip_control_characters(DisplayName.data())
else:
DisplayName_data =""
DisplayVersion = sid_key.value(name=u"DisplayVersion")
if DisplayVersion:
DisplayVersion_data = strip_control_characters(DisplayVersion.data())
else:
DisplayVersion_data =""
InstallDate = sid_key.value(name=u"InstallDate")
if InstallDate:
InstallDate_data = strip_control_characters(InstallDate.data())
else:
InstallDate_data =""
InstallLocation = sid_key.value(name=u"InstallLocation")
if InstallLocation:
InstallLocation_data = strip_control_characters(InstallLocation.data())
else:
InstallLocation_data =""
InstallSource= sid_key.value(name=u"InstallSource")
if InstallSource:
InstallSource_data = strip_control_characters(InstallSource.data())
else:
InstallSource_data =""
ModifyPath = sid_key.value(name=u"ModifyPath")
if ModifyPath:
ModifyPath_data = strip_control_characters(ModifyPath.data())
else:
ModifyPath_data =""
Publisher = sid_key.value(name=u"Publisher")
if Publisher:
Publisher_data = strip_control_characters(Publisher.data())
else:
Publisher_data=""
Size = sid_key.value(name=u"Size")
if Size:
Size_data = str(Size.data())
else:
Size_data =""
URLInfoAbout = sid_key.value(name=u"URLInfoAbout")
if URLInfoAbout:
URLInfoAbout_data = strip_control_characters(URLInfoAbout.data())
else:
URLInfoAbout_data =""
record = OrderedDict([
("name", sid_name),
("Uninstall_date",timestamp),
("Application_Name", DisplayName_data),
("Version",DisplayVersion_data),
("Install_Date",InstallDate_data),
("Install_Location", InstallLocation_data),
("Install_Source", InstallSource_data),
("Modify_Path", ModifyPath_data),
("Publisher", Publisher_data),
("Size", Size_data),
("URLInfoAbout",URLInfoAbout_data),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path))
return lst
