示例#1
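def getServices(computerName, objWMIService, hostPath):
    """Write one CSV row per Win32_Service instance to SERVICES-<computerName>.csv.

    Args:
        computerName: host label used in the progress message and the file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.

    All service properties are read from the examined host and are written as
    untrusted text: separators are flattened, nothing is interpreted.
    """
    print(computerName + " - checking services")

    def field(value):
        # Rows are comma-joined without quoting, so a comma, CR or LF inside a
        # service path or description would shift columns or start a forged
        # record in the collected evidence.
        return value.replace(",", " ").replace("\r", " ").replace("\n", " ")

    # NOTE(review): cells are not neutralised against spreadsheet formula
    # evaluation (a leading =, +, - or @); load the CSV with a parser or as text.
    # The with-block closes the file even if a WMI call fails part-way through.
    with open(hostPath + "\\SERVICES-" + computerName + ".csv", "w") as outFile:
        outFile.write(
            "service,path,install_date,pid,start_mode,account,state,description\n")

        services = objWMIService.ExecQuery(
            "Select Name,PathName,InstallDate,ProcessId,StartMode,StartName,State,Description from Win32_Service"
        )
        for service in services:
            row = [
                field(support.convert_to_string(service.Name)),
                field(support.convert_to_string(service.PathName)),
                # The converted date is written as returned by support.convertDate.
                support.convertDate(
                    support.convert_to_string(service.InstallDate)),
                field(support.convert_to_string(service.ProcessId)),
                field(support.convert_to_string(service.StartMode)),
                field(support.convert_to_string(service.StartName)),
                field(support.convert_to_string(service.State)),
                field(support.convert_to_string(service.Description)),
            ]
            outFile.write(",".join(row) + "\n")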
示例#2
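def getDirectoryList(computerName, objWMIService, hostPath, tmpIndicators):
    """Query Win32_Directory for each scan path and log the hits to a CSV.

    Scan paths are the lines of config\\DirectoryList.txt followed by the
    entries of tmpIndicators. For each one, the Win32_Directory instances whose
    Path (and Drive, when the entry names one) match are written to
    DIRECTORYLIST-<computerName>.csv with their three timestamps.

    Args:
        computerName: host label used in messages and the file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.
        tmpIndicators: list of extra paths appended to the configured ones.
    """
    print(computerName + " - enumerating directory lists")

    # The with-block closes the CSV even when a query or the config read fails.
    with open(hostPath + "\\DIRECTORYLIST-" + computerName + ".csv", "w") as outFile:
        outFile.write("directory,created,modified,last_accessed\n")
        configFile = support.resource_path("config\\DirectoryList.txt")

        with open(configFile, "r") as scanPathsFile:
            scanPaths = scanPathsFile.readlines()

        scanPaths = scanPaths + tmpIndicators

        for scanPath in scanPaths:
            scanPath = scanPath.replace("\n", "")
            if not scanPath.strip():
                continue
            if scanPath[-1:] != "\\":
                scanPath = scanPath + "\\"

            # WQL string literals use backslash escapes: double the separators,
            # then escape double quotes so an indicator entry cannot terminate
            # the literal and change the shape of the query.
            wqlPath = scanPath.replace("\\", "\\\\").replace('"', '\\"')
            drivePos = wqlPath.find(":") + 1
            drive = wqlPath[0:drivePos]
            wqlPath = wqlPath[drivePos:]

            # An "Associators of {Win32_Directory.Name=...}" query was tried
            # instead; per the original author it needs the drive inside the
            # path and no trailing slash, so Path/Drive filtering is used.
            query = "Select Name,CreationDate,LastModified,LastAccessed From WIN32_Directory Where Path = \"" + wqlPath + "\""

            if drive:
                query += " And Drive = \"" + drive + "\""

            dirlist = objWMIService.ExecQuery(query)

            try:
                for entry in dirlist:
                    dirname = support.convert_to_string(entry.Name)
                    outFile.write(
                        dirname.replace(",", " ") + "," +
                        support.convertDate(entry.CreationDate) + "," +
                        support.convertDate(entry.LastModified) + "," +
                        support.convertDate(entry.LastAccessed) + "\n")
            except Exception as err:
                # Still best effort per path, but report it: a silently skipped
                # path reads as "nothing found" to whoever reviews the output.
                print(computerName + " - directory list incomplete for " +
                      scanPath + ": " + repr(err))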
示例#3
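def getProcesses(computerName, objWMIService, hostPath):
    """Record running processes and their associated modules as two CSV files.

    PROCESSES-<computerName>.csv receives one row per Win32_Process instance.
    PROCESSMODULES-<computerName>.csv receives one "pid,module_path" row per
    object returned by the CIM_ProcessExecutable association of that process.

    Args:
        computerName: host label used in the progress message and file names.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file names are appended to.
    """
    print(computerName + " - checking processes and process modules")

    def field(value):
        # Names, paths and command lines are chosen by whatever runs on the
        # host. Rows are unquoted, so commas and line breaks are flattened to
        # keep one process per record.
        return value.replace(",", " ").replace("\r", " ").replace("\n", " ")

    # Nested with-blocks close both files even if a WMI call raises mid-run.
    with open(hostPath + "\\PROCESSES-" + computerName + ".csv", "w") as outFile:
        # NOTE: the "threat_count" column carries Win32_Process.ThreadCount. The
        # header text is left unchanged because consumers may key on it.
        outFile.write(
            "process,pid,creation_date,process_owner,threat_count,path,cmd_line,ppid\n"
        )
        with open(hostPath + "\\PROCESSMODULES-" + computerName + ".csv", "w") as outFile2:
            outFile2.write("pid,module_path\n")

            processes = objWMIService.ExecQuery(
                "select Name,ProcessID,CreationDate,ThreadCount,ExecutablePath,CommandLine,ParentProcessID from Win32_Process"
            )

            for process in processes:
                # The SELECT cannot return the owner, hence the per-process
                # GetOwner call; when it fails the owner column stays empty.
                try:
                    owner = process.ExecMethod_("GetOwner")
                    username = support.convert_to_string(
                        owner.Domain) + "\\" + support.convert_to_string(owner.User)
                except Exception:
                    username = ""

                processName = support.convert_to_string(process.Name)
                processId = support.convert_to_string(process.ProcessId)
                processCreationDate = support.convertDate(
                    support.convert_to_string(process.CreationDate))
                processThreadCount = support.convert_to_string(process.ThreadCount)
                processExecutablePath = support.convert_to_string(
                    process.ExecutablePath)
                processCommandLine = support.convert_to_string(process.CommandLine)
                processParentProcessId = support.convert_to_string(
                    process.ParentProcessId)

                outFile.write(",".join([
                    field(processName),
                    processId,
                    processCreationDate,
                    field(username),
                    processThreadCount,
                    field(processExecutablePath),
                    field(processCommandLine),
                    processParentProcessId,
                ]) + "\n")

                modules = objWMIService.ExecQuery(
                    "associators of {win32_process.handle='" + processId +
                    "'} where AssocClass = CIM_ProcessExecutable")

                # Enumerating the association can fail for individual
                # processes; those simply get no module rows.
                try:
                    for module in modules:
                        moduleName = support.convert_to_string(module.Name)
                        outFile2.write(processId + "," + field(moduleName) + "\n")
                except Exception:
                    pass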
示例#4
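def getDirectoryList(computerName,objWMIService,hostPath,tmpIndicators):
    """Write Win32_Directory matches for every scan path to DIRECTORYLIST-<computerName>.csv.

    The scan paths come from config\\DirectoryList.txt plus tmpIndicators.
    Each path is split into a Drive part (up to and including the colon) and
    a Path part, and both are used as WQL filters.

    Args:
        computerName: host label used in messages and the file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.
        tmpIndicators: list of additional paths to query.
    """
    print(computerName + " - enumerating directory lists")

    # Context manager: the CSV handle is released on every exit path.
    with open(hostPath + "\\DIRECTORYLIST-" + computerName + ".csv", "w") as outFile:
        outFile.write("directory,created,modified,last_accessed\n")
        configFile = support.resource_path("config\\DirectoryList.txt")

        with open(configFile, "r") as scanPathsFile:
            scanPaths = scanPathsFile.readlines()

        scanPaths = scanPaths + tmpIndicators

        for rawPath in scanPaths:
            rawPath = rawPath.replace("\n","")
            if not rawPath.strip():
                continue
            if "\\" != rawPath[-1:]:
                rawPath = rawPath + "\\"

            # Backslashes are doubled for the WQL literal; double quotes are
            # escaped as well so a config or indicator line stays inside the
            # quoted value instead of rewriting the query.
            escaped = rawPath.replace("\\","\\\\").replace('"','\\"')
            drivePos = escaped.find(":")+1
            drive = escaped[0:drivePos]
            escaped = escaped[drivePos:]

            # The associators form ("Associators of {Win32_Directory.Name=...}")
            # was abandoned: it wants the drive inside the path and no
            # trailing slash, per the original author's note.
            query = "Select Name,CreationDate,LastModified,LastAccessed From WIN32_Directory Where Path = \"" + escaped + "\""

            if drive:
                query += " And Drive = \"" + drive + "\""

            dirlist = objWMIService.ExecQuery(query)

            try:
                for entry in dirlist:
                    dirname = support.convert_to_string(entry.Name)
                    outFile.write(dirname.replace(","," ") + "," + support.convertDate(entry.CreationDate) + "," +
                        support.convertDate(entry.LastModified) + "," + support.convertDate(entry.LastAccessed) + "\n")
            except Exception as err:
                # Keep going with the next path, but leave a trace: an
                # unreported failure is indistinguishable from an empty result.
                print(computerName + " - directory list incomplete for " + rawPath + ": " + repr(err))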
示例#5
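def getFileList(computerName, objWMIService, hostPath, tmpIndicators):
    """Query CIM_DataFile for each scan path and log the files to a CSV.

    Scan paths are the lines of config\\FileList.txt followed by the entries
    of tmpIndicators. Matching files are written to FILELIST-<computerName>.csv
    with creation, modification and access times and the file size.

    Args:
        computerName: host label used in the progress message and file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.
        tmpIndicators: list of extra paths appended to the configured ones.

    WMI errors are not caught here and propagate to the caller; the CSV is
    closed first.
    """
    print(computerName + " - checking file lists")

    # The with-block closes the CSV even when a query aborts the collection.
    with open(hostPath + "\\FILELIST-" + computerName + ".csv", "w") as outFile:
        outFile.write("file,created,modified,last_accessed,size\n")
        configFile = support.resource_path("config\\FileList.txt")

        with open(configFile, "r") as scanPathsFile:
            scanPaths = scanPathsFile.readlines()

        scanPaths = scanPaths + tmpIndicators

        for scanPath in scanPaths:
            scanPath = scanPath.replace("\n", "")
            if not scanPath.strip():
                continue
            if scanPath[-1:] != "\\":
                scanPath = scanPath + "\\"

            # WQL string literals use backslash escapes: double the separators,
            # then escape double quotes so an indicator entry cannot terminate
            # the literal and change the shape of the query.
            wqlPath = scanPath.replace("\\", "\\\\").replace('"', '\\"')
            drivePos = wqlPath.find(":") + 1
            drive = wqlPath[0:drivePos]
            wqlPath = wqlPath[drivePos:]

            query = "Select Name,CreationDate,LastModified,LastAccessed,FileSize From CIM_DataFile Where Path = \"" + wqlPath + "\""

            if drive:
                query += " And Drive = \"" + drive + "\""

            filelist = objWMIService.ExecQuery(query)

            for entry in filelist:
                filename = support.convert_to_string(entry.Name)
                filesize = support.convert_to_string(entry.FileSize)
                outFile.write(
                    filename.replace(",", " ") + "," +
                    support.convertDate(entry.CreationDate) + "," +
                    support.convertDate(entry.LastModified) + "," +
                    support.convertDate(entry.LastAccessed) + "," + filesize + "\n")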
示例#6
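def getFileList(computerName,objWMIService,hostPath,tmpIndicators):
    """Write CIM_DataFile matches for every scan path to FILELIST-<computerName>.csv.

    The scan paths come from config\\FileList.txt plus tmpIndicators. Each
    path is split into a Drive part (up to and including the colon) and a
    Path part, and both are used as WQL filters.

    Args:
        computerName: host label used in the progress message and file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.
        tmpIndicators: list of additional paths to query.

    Exceptions raised while querying are passed on to the caller after the
    CSV has been closed.
    """
    print(computerName + " - checking file lists")

    # Context manager: the CSV handle is released on every exit path.
    with open(hostPath + "\\FILELIST-" + computerName + ".csv", "w") as outFile:
        outFile.write("file,created,modified,last_accessed,size\n")
        configFile = support.resource_path("config\\FileList.txt")

        with open(configFile, "r") as scanPathsFile:
            scanPaths = scanPathsFile.readlines()

        scanPaths = scanPaths + tmpIndicators

        for rawPath in scanPaths:
            rawPath = rawPath.replace("\n","")
            if not rawPath.strip():
                continue
            if "\\" != rawPath[-1:]:
                rawPath = rawPath + "\\"

            # Backslashes are doubled for the WQL literal; double quotes are
            # escaped as well so a config or indicator line stays inside the
            # quoted value instead of rewriting the query.
            escaped = rawPath.replace("\\","\\\\").replace('"','\\"')
            drivePos = escaped.find(":")+1
            drive = escaped[0:drivePos]
            escaped = escaped[drivePos:]

            query = "Select Name,CreationDate,LastModified,LastAccessed,FileSize From CIM_DataFile Where Path = \"" + escaped + "\""

            if drive:
                query += " And Drive = \"" + drive + "\""

            filelist = objWMIService.ExecQuery(query)

            for entry in filelist:
                filename = support.convert_to_string(entry.Name)
                filesize = support.convert_to_string(entry.FileSize)
                outFile.write(filename.replace(","," ") + "," + support.convertDate(entry.CreationDate) + "," +
                    support.convertDate(entry.LastModified) + "," + support.convertDate(entry.LastAccessed) + "," +
                    filesize + "\n")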
示例#7
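def getProcesses(computerName,objWMIService,hostPath):
    """Dump Win32_Process instances and their associated modules to CSV.

    Writes PROCESSES-<computerName>.csv (one row per process) and
    PROCESSMODULES-<computerName>.csv (one "pid,module_path" row per object
    returned by the process's CIM_ProcessExecutable association).

    Args:
        computerName: host label used in the progress message and file names.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file names are appended to.
    """
    print(computerName + " - checking processes and process modules")

    def field(value):
        # Process names, image paths and command lines are set by the software
        # running on the host. The CSV is unquoted, so commas and line breaks
        # are replaced to stop a value from splitting or adding records.
        return value.replace(","," ").replace("\r"," ").replace("\n"," ")

    # Both handles are closed by the with-blocks even if collection fails.
    with open(hostPath + "\\PROCESSES-" + computerName + ".csv", "w") as outFile:
        # NOTE: "threat_count" holds Win32_Process.ThreadCount; the header is
        # kept verbatim because consumers of the CSV may rely on it.
        outFile.write("process,pid,creation_date,process_owner,threat_count,path,cmd_line,ppid\n")
        with open(hostPath + "\\PROCESSMODULES-" + computerName + ".csv", "w") as outFile2:
            outFile2.write("pid,module_path\n")

            processes = objWMIService.ExecQuery("select Name,ProcessID,CreationDate,ThreadCount,ExecutablePath,CommandLine,ParentProcessID from Win32_Process")

            for process in processes:
                # The owner is not available from the SELECT above, so it is
                # fetched per process; a failed call leaves the column empty.
                try:
                    owner = process.ExecMethod_("GetOwner")
                    username = support.convert_to_string(owner.Domain) + "\\" + support.convert_to_string(owner.User)
                except Exception:
                    username = ""

                processName = support.convert_to_string(process.Name)
                processId = support.convert_to_string(process.ProcessId)
                processCreationDate = support.convertDate(support.convert_to_string(process.CreationDate))
                processThreadCount = support.convert_to_string(process.ThreadCount)
                processExecutablePath = support.convert_to_string(process.ExecutablePath)
                processCommandLine = support.convert_to_string(process.CommandLine)
                processParentProcessId = support.convert_to_string(process.ParentProcessId)

                columns = [field(processName), processId, processCreationDate, field(username),
                    processThreadCount, field(processExecutablePath), field(processCommandLine),
                    processParentProcessId]
                outFile.write(",".join(columns) + "\n")

                modules = objWMIService.ExecQuery("associators of {win32_process.handle='" + processId + "'} where AssocClass = CIM_ProcessExecutable")

                # Module enumeration may fail for individual processes; such a
                # process just contributes no module rows.
                try:
                    for module in modules:
                        moduleName = support.convert_to_string(module.Name)
                        outFile2.write(processId + "," + field(moduleName) + "\n")
                except Exception:
                    pass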
示例#8
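def getServices(computerName,objWMIService,hostPath):
    """Dump all Win32_Service instances of a host to SERVICES-<computerName>.csv.

    Args:
        computerName: host label used in the progress message and the file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.

    Service properties originate on the examined host and are handled as
    untrusted text: they are flattened for the CSV and never interpreted.
    """
    print(computerName + " - checking services")

    def field(value):
        # No CSV quoting is applied, so commas and line breaks (CR as well as
        # LF) are replaced; otherwise a crafted binary path or description
        # could shift columns or inject an extra record.
        return value.replace(","," ").replace("\r"," ").replace("\n"," ")

    # NOTE(review): values starting with =, +, - or @ are written unchanged;
    # avoid opening this file in a spreadsheet that evaluates formulas.
    # The with-block guarantees the handle is closed if a WMI call raises.
    with open(hostPath + "\\SERVICES-" + computerName + ".csv", "w") as outFile:
        outFile.write("service,path,install_date,pid,start_mode,account,state,description\n")

        services = objWMIService.ExecQuery("Select Name,PathName,InstallDate,ProcessId,StartMode,StartName,State,Description from Win32_Service")
        for service in services:
            serviceName = support.convert_to_string(service.Name)
            servicePathName = support.convert_to_string(service.PathName)
            serviceInstallDate = support.convertDate(support.convert_to_string(service.InstallDate))
            serviceProcessId = support.convert_to_string(service.ProcessId)
            serviceStartMode = support.convert_to_string(service.StartMode)
            serviceStartName = support.convert_to_string(service.StartName)
            serviceState = support.convert_to_string(service.State)
            serviceDescription = support.convert_to_string(service.Description)

            # The install date is emitted exactly as support.convertDate returns it.
            columns = [field(serviceName), field(servicePathName), serviceInstallDate,
                field(serviceProcessId), field(serviceStartMode), field(serviceStartName),
                field(serviceState), field(serviceDescription)]
            outFile.write(",".join(columns) + "\n")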
示例#9
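def getLocalAccounts(computerName, objWMIService, hostPath):
    """Export local user accounts and Administrators group members to CSV.

    ACCOUNTS-<computerName>.csv gets one row per Win32_UserAccount with
    LocalAccount = True, unless the first Win32_ComputerSystem row reports
    DomainRole 4 or 5, in which case a single explanatory line is written.
    LOCALADMINS-<computerName>.csv gets one "domain,user" row per
    Win32_GroupUser association of the Administrators group.

    Args:
        computerName: host label used in messages, file names and as the
            group's Domain value in the membership query.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file names are appended to.
    """
    print(computerName + " - checking local accounts")

    def field(value):
        # Unquoted CSV: descriptions and full names are free text, so commas
        # and line breaks are flattened to keep one account per record.
        return support.convert_to_string(value).replace(",", " ").replace(
            "\r", " ").replace("\n", " ")

    def flag(value):
        # WMI booleans are written as 1/0; anything but "TRUE" counts as 0.
        return "1" if support.convert_to_string(value).upper() == "TRUE" else "0"

    # The with-block closes the file even when the role query returns no rows
    # (the original only closed it inside the loop) or a WMI call raises.
    with open(hostPath + "\\ACCOUNTS-" + computerName + ".csv", "w") as outFile:
        outFile.write(
            "account_type,caption,description,disabled,domain,full_name,local_account,lockout,install_date,name,password_changeable,password_expires,password_required,sid,sid_type,status\n"
        )

        query = "Select DomainRole From Win32_ComputerSystem"
        domainRoles = objWMIService.ExecQuery(query)

        for domainRole in domainRoles:
            if domainRole.DomainRole in (4, 5):
                outFile.write(
                    "This is a domain controller. The local accounts cannot be accessed\n"
                )
            else:
                query = "Select InstallDate,AccountType,Caption,Description,Disabled,Domain,FullName,LocalAccount,Lockout,Name,PasswordChangeable,PasswordExpires,PasswordRequired,SID,SIDType,Status from Win32_UserAccount Where LocalAccount = True"
                accounts = objWMIService.ExecQuery(query)

                for account in accounts:
                    row = [
                        field(account.AccountType),
                        field(account.Caption),
                        field(account.Description),
                        flag(account.Disabled),
                        field(account.Domain),
                        field(account.FullName),
                        flag(account.LocalAccount),
                        flag(account.Lockout),
                        support.convertDate(
                            support.convert_to_string(account.InstallDate)),
                        field(account.Name),
                        flag(account.PasswordChangeable),
                        flag(account.PasswordExpires),
                        flag(account.PasswordRequired),
                        field(account.SID),
                        field(account.SIDType),
                        field(account.Status),
                    ]
                    outFile.write(",".join(row) + "\n")

            # Only the first Win32_ComputerSystem row is evaluated.
            break

    with open(hostPath + "\\LOCALADMINS-" + computerName + ".csv", "w") as outFile:
        # The header needs its own line terminator; without it the first
        # member row is glued onto "domain,user".
        outFile.write("domain,user\n")

        # NOTE(review): computerName is embedded in the WQL text unescaped, and
        # the group is matched by its English name; on a localised system the
        # built-in group is named differently (its SID S-1-5-32-544 is stable),
        # so an empty file does not prove there are no administrators.
        query = "select * from Win32_GroupUser where GroupComponent = \"Win32_Group.Domain='" + computerName + "',Name='Administrators'\""
        admins = objWMIService.ExecQuery(query)

        for admin in admins:
            # PartComponent is an object path containing
            # <Class>.Domain="...",Name="..." ; the member may be a user
            # account or a group, so both prefixes are tried.
            partComponent = support.convert_to_string(admin.PartComponent)
            domainPos = partComponent.find("Win32_UserAccount.Domain=") + len(
                "Win32_UserAccount.Domain=")

            if domainPos <= len("Win32_UserAccount.Domain="):
                domainPos = partComponent.find("Win32_Group.Domain=") + len(
                    "Win32_Group.Domain=")

            namePos = partComponent.find(",Name=", domainPos)

            if domainPos <= len("Win32_Group.Domain="):
                domain = ""
            else:
                domain = partComponent[domainPos + 1:namePos - 1]  #remove quotes

            namePos += len(",Name=")

            if namePos <= len(",Name="):
                name = ""
            else:
                name = partComponent[namePos + 1:-1]  #remove quotes

            outFile.write(domain + "," + name + "\n")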
示例#10
文件: tasks.py 项目: 0day1day/CIS-ESP
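def getTasks(computerName,objWMIService,hostPath):
    """Dump all Win32_ScheduledJob instances of a host to TASKS-<computerName>.csv.

    Args:
        computerName: host label used in the progress message and the file name.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file name is appended to.

    NOTE: Win32_ScheduledJob only exposes jobs created through the AT-style
    scheduling interface. Tasks registered with the Task Scheduler are not
    returned by this class, so an empty TASKS file does not mean the host has
    no scheduled tasks.
    """
    print(computerName + " - checking tasks")

    def field(value):
        # Unquoted CSV: commas and line breaks in a job command or description
        # are flattened so each job stays on a single, well-formed record.
        return value.replace(","," ").replace("\r"," ").replace("\n"," ")

    def text(value):
        return field(support.convert_to_string(value))

    def nullable(value):
        # Unset numeric properties stringify as "None"; they are written as NULL.
        converted = support.convert_to_string(value)
        return "NULL" if converted == "None" else field(converted)

    def flag(value):
        # WMI booleans are written as 1/0; anything but "TRUE" counts as 0.
        return "1" if support.convert_to_string(value).upper() == "TRUE" else "0"

    def date(value):
        return field(support.convertDate(support.convert_to_string(value)))

    # The with-block closes the file even if a WMI call fails part-way through.
    with open(hostPath + "\\TASKS-" + computerName + ".csv", "w") as outFile:
        outFile.write("command,days_of_month,days_of_week,description,elapsed_time,install_date,interact_with_desktop,job_id,job_status,name,notify,owner,priority,run_repeatedly,start_time,status,time_submitted,until_time\n")

        tasks = objWMIService.ExecQuery("Select * from Win32_ScheduledJob")
        for task in tasks:
            # Column order follows the header line above.
            row = [
                text(task.Command),
                nullable(task.DaysOfMonth),
                nullable(task.DaysOfWeek),
                text(task.Description),
                date(task.ElapsedTime),
                date(task.InstallDate),
                flag(task.InteractWithDesktop),
                text(task.JobId),
                text(task.JobStatus),
                text(task.Name),
                text(task.Notify),
                text(task.Owner),
                nullable(task.Priority),
                flag(task.RunRepeatedly),
                date(task.StartTime),
                text(task.Status),
                date(task.TimeSubmitted),
                date(task.UntilTime),
            ]
            outFile.write(",".join(row) + "\n")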
示例#11
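def getLocalAccounts(computerName,objWMIService,hostPath):
    """Write local accounts and Administrators members of a host to two CSV files.

    ACCOUNTS-<computerName>.csv: one row per Win32_UserAccount where
    LocalAccount = True. If the first Win32_ComputerSystem row has DomainRole
    4 or 5, only a line stating that the host is a domain controller is written.
    LOCALADMINS-<computerName>.csv: one "domain,user" row per Win32_GroupUser
    association of the Administrators group.

    Args:
        computerName: host label used in messages, file names and as the
            group's Domain value in the membership query.
        objWMIService: WMI connection object; only ExecQuery() is used.
        hostPath: directory path that the CSV file names are appended to.
    """
    print(computerName + " - checking local accounts")

    def text(value):
        # The CSV is unquoted; commas and line breaks in free-text account
        # attributes are flattened so a value cannot split or add records.
        return support.convert_to_string(value).replace(","," ").replace("\r"," ").replace("\n"," ")

    def as_bit(value):
        # "TRUE" (any case) becomes "1", everything else "0".
        if support.convert_to_string(value).upper() == "TRUE":
            return "1"
        return "0"

    # Closing is handled by the with-block, including the cases the original
    # missed: an empty role query result and an exception during collection.
    with open(hostPath + "\\ACCOUNTS-" + computerName + ".csv", "w") as outFile:
        outFile.write("account_type,caption,description,disabled,domain,full_name,local_account,lockout,install_date,name,password_changeable,password_expires,password_required,sid,sid_type,status\n")

        query = "Select DomainRole From Win32_ComputerSystem"
        domainRoles = objWMIService.ExecQuery(query)

        for domainRole in domainRoles:
            if domainRole.DomainRole in (4, 5):
                outFile.write("This is a domain controller. The local accounts cannot be accessed\n")
            else:
                query = "Select InstallDate,AccountType,Caption,Description,Disabled,Domain,FullName,LocalAccount,Lockout,Name,PasswordChangeable,PasswordExpires,PasswordRequired,SID,SIDType,Status from Win32_UserAccount Where LocalAccount = True"
                accounts = objWMIService.ExecQuery(query)

                for account in accounts:
                    accountInstallDate = support.convertDate(support.convert_to_string(account.InstallDate))
                    columns = [text(account.AccountType), text(account.Caption), text(account.Description),
                        as_bit(account.Disabled), text(account.Domain), text(account.FullName),
                        as_bit(account.LocalAccount), as_bit(account.Lockout), accountInstallDate,
                        text(account.Name), as_bit(account.PasswordChangeable),
                        as_bit(account.PasswordExpires), as_bit(account.PasswordRequired),
                        text(account.SID), text(account.SIDType), text(account.Status)]
                    outFile.write(",".join(columns) + "\n")

            # Only the first Win32_ComputerSystem row is evaluated.
            break

    with open(hostPath + "\\LOCALADMINS-" + computerName + ".csv", "w") as outFile:
        # Terminate the header line; otherwise the first member row is
        # appended directly to "domain,user".
        outFile.write("domain,user\n")

        # NOTE(review): computerName goes into the WQL text unescaped, and the
        # group is selected by its English name. Localised systems name the
        # built-in group differently (its SID S-1-5-32-544 does not change),
        # so an empty result is not proof that no administrators exist.
        query = "select * from Win32_GroupUser where GroupComponent = \"Win32_Group.Domain='" + computerName + "',Name='Administrators'\""
        admins = objWMIService.ExecQuery(query)

        for admin in admins:
            # PartComponent is an object path containing
            # <Class>.Domain="...",Name="..." ; members can be user accounts
            # or groups, so the user prefix is tried first, then the group one.
            partComponent = support.convert_to_string(admin.PartComponent)
            domainPos = partComponent.find("Win32_UserAccount.Domain=") + len("Win32_UserAccount.Domain=")

            if domainPos <= len("Win32_UserAccount.Domain="):
                domainPos = partComponent.find("Win32_Group.Domain=") + len("Win32_Group.Domain=")

            namePos = partComponent.find(",Name=",domainPos)

            if domainPos <= len("Win32_Group.Domain="):
                domain = ""
            else:
                domain = partComponent[domainPos+1:namePos-1] #remove quotes

            namePos += len(",Name=")

            if namePos <= len(",Name="):
                name = ""
            else:
                name = partComponent[namePos+1:-1] #remove quotes

            outFile.write(domain + "," + name + "\n")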