pax_global_header00006660000000000000000000000064131424136710014514gustar00rootroot0000000000000052 comment=817b8331dbb59fb43f90497440cf5731fae8f374 artifacts-20170808/000077500000000000000000000000001314241367100137475ustar00rootroot00000000000000artifacts-20170808/.gitignore000066400000000000000000000003161314241367100157370ustar00rootroot00000000000000# Files to ignore by git # Back-up files *~ *.swp # Generic auto-generated build files *.pyc *.pyo # Specific auto-generated build files /__pycache__ /artifacts.egg-info /build /dist # Tests files .tox artifacts-20170808/.style.yapf000066400000000000000000000001361314241367100160460ustar00rootroot00000000000000[style] based_on_style = chromium COALESCE_BRACKETS = True SPLIT_BEFORE_FIRST_ARGUMENT = True artifacts-20170808/.travis.yml000066400000000000000000000020241314241367100160560ustar00rootroot00000000000000language: python matrix: include: - os: linux dist: trusty sudo: required python: 2.7 - os: linux dist: trusty sudo: required python: 3.4 - os: osx osx_image: xcode8.1 language: generic install: - ./config/travis/install.sh script: - if test ${TRAVIS_OS_NAME} = "osx"; then PYTHONPATH=/Library/Python/2.7/site-packages/ /usr/bin/python run_tests.py; elif test ${TRAVIS_OS_NAME} = "linux"; then if test ${TRAVIS_PYTHON_VERSION} = "2.7"; then coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" ./run_tests.py; else ./run_tests.py; fi; fi - python setup.py build - python setup.py sdist - python setup.py bdist - if test ${TRAVIS_OS_NAME} = "linux"; then mkdir -p ${PWD}/tmp/lib/python${TRAVIS_PYTHON_VERSION}/site-packages/ && PYTHONPATH=${PWD}/tmp/lib/python${TRAVIS_PYTHON_VERSION}/site-packages/ python setup.py install --prefix=${PWD}/tmp/; fi after_success: - if test ${TRAVIS_OS_NAME} = "linux" && test ${TRAVIS_PYTHON_VERSION} = "2.7"; then coveralls --verbose; fi artifacts-20170808/ACKNOWLEDGEMENTS000066400000000000000000000002071314241367100162230ustar00rootroot00000000000000Acknowledgements: 
artifacts Thanks to contributors (alphabetically based on last name): Sean Gillespie Andreas Moser Sebastian Welsh artifacts-20170808/AUTHORS000066400000000000000000000007501314241367100150210ustar00rootroot00000000000000Copyright 2014 The ForensicArtifacts.com Artifact Repository project. # Names should be added to this file with this pattern: # # For individuals: # Name (email address) # Name (email address), organization # # For organizations: # Organization (fnmatch pattern) # # See python fnmatch module documentation for more information. Greg Castle (github@mailgreg.com), Google Inc. Matt Churchill (matt@mattchurchill.net), CrowdStrike Joachim Metz (joachim.metz@gmail.com), Google Inc. artifacts-20170808/LICENSE000066400000000000000000000260751314241367100147660ustar00rootroot00000000000000Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. 
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. 
Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. 
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. 
Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. artifacts-20170808/MANIFEST.in000066400000000000000000000007741314241367100155150ustar00rootroot00000000000000include ACKNOWLEDGEMENTS AUTHORS LICENSE README include dependencies.ini run_tests.py utils/dependencies.py recursive-include config * recursive-include data * recursive-include test_data * exclude .gitignore exclude *.pyc recursive-include tools *.py recursive-exclude tools *.pyc recursive-exclude artifacts *.pyc # The test scripts are not required in a binary distribution package they # are considered source distribution files and excluded in find_package() # in setup.py. recursive-include tests *.py artifacts-20170808/README000066400000000000000000000004241314241367100146270ustar00rootroot00000000000000ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. For more information see: https://github.com/ForensicArtifacts/artifacts artifacts-20170808/README.md000066400000000000000000000071311314241367100152300ustar00rootroot00000000000000## ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. If you'd like to use the artifacts in your own tools, **all you need to be able to do is read YAML**. That's it. 
No other dependencies. The Python code in this project is only used to validate the artifact definitions and make sure they follow the specification. ### Project status [Travis-CI](https://travis-ci.org/) | [AppVeyor](https://ci.appveyor.com) | [Coveralls](https://coveralls.io/) --- | --- | --- [![Build Status](https://travis-ci.org/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.org/ForensicArtifacts/artifacts) | [![Build status](https://ci.appveyor.com/api/projects/status/3yark6bipveg55e0?svg=true)](https://ci.appveyor.com/project/joachimmetz/artifacts) | [![Coverage Status](https://img.shields.io/coveralls/ForensicArtifacts/artifacts.svg)](https://coveralls.io/r/ForensicArtifacts/artifacts?branch=master) ## Artifact Definitions The artifact definitions are in the [definitions directory](https://github.com/ForensicArtifacts/artifacts/tree/master/definitions) and the format is described in detail in the [Style Guide](https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc). 
As of 2015-11-20 the repository contains: | **File paths covered** | **487** | | :------------------ | ------: | | **Registry keys covered** | **289** | | **Total artifacts** | **345** | **Artifacts by type** | ARTIFACT | COMMAND | DIRECTORY | FILE | PATH | REGISTRY_KEY | REGISTRY_VALUE | WMI | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | 14 | 6 | 11 | 191 | 4 | 38 | 65 | 16 | **Artifacts by OS** | Darwin | Linux | Windows | | :---: | :---: | :---: | | 106 | 75 | 177 | **Artifacts by label** | Antivirus | Authentication | Browser | Cloud | Cloud Storage | Configuration Files | External Media | ExternalAccount | IM | Logs | Mail | Network | Software | System | Users | iOS | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | 6 | 12 | 18 | 2 | 3 | 34 | 2 | 3 | 4 | 27 | 12 | 7 | 35 | 62 | 59 | 5 | ## Background/History The [ForensicArtifacts.com](http://forensicartifacts.com/) artifact repository was forked from the [GRR project](https://github.com/google/grr) artifact collection into a stand-alone repository that is not tool-specific. The GRR developers have migrated to using this repository and make contributions here. In addition the ForensicArtifact team will begin backfilling artifacts in the new format from the [ForensicArtifacts.com](http://forensicartifacts.com/) website. For some background on the artifacts system and how we expect it to be used see [this blackhat presentation](https://www.blackhat.com/us-14/archives.html#grr-find-all-the-badness-collect-all-the-things) and [youtube video](https://www.youtube.com/watch?v=ren6QSvwFvg) from the GRR team. ## Contributing Please send us your contribution! See [the developers guide](https://github.com/ForensicArtifacts/artifacts/wiki/Developers-guide) for instructions. ## External links * [ForensicsArtifacts.com ... 
the definitive database](http://forensicartifacts.com/) * [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014 ## Contact [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts) artifacts-20170808/appveyor.yml000066400000000000000000000022671314241367100163460ustar00rootroot00000000000000environment: matrix: - PYTHON: "C:\\Python27" install: - cmd: '"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 /release' - ps: (new-object net.webclient).DownloadFile('https://bootstrap.pypa.io/get-pip.py', 'C:\Projects\get-pip.py') - ps: (new-object net.webclient).DownloadFile('https://github.com/log2timeline/l2tbinaries/raw/master/win32/pywin32-220.win32-py2.7.exe', 'C:\Projects\pywin32-220.win32-py2.7.exe') - ps: (new-object net.webclient).DownloadFile('https://github.com/log2timeline/l2tbinaries/raw/master/win32/WMI-1.4.9.win32.exe', 'C:\Projects\WMI-1.4.9.win32.exe') - cmd: "%PYTHON%\\python.exe C:\\Projects\\get-pip.py" - cmd: "%PYTHON%\\Scripts\\easy_install.exe C:\\Projects\\pywin32-220.win32-py2.7.exe" - cmd: "%PYTHON%\\Scripts\\easy_install.exe C:\\Projects\\WMI-1.4.9.win32.exe" - cmd: git clone https://github.com/log2timeline/l2tdevtools.git && move l2tdevtools ..\ - cmd: mkdir dependencies && set PYTHONPATH=..\l2tdevtools && "%PYTHON%\\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type x86 --msi-targetdir "%PYTHON%" PyYAML yapf build: off test_script: - "%PYTHON%\\python.exe run_tests.py" artifacts-20170808/artifacts/000077500000000000000000000000001314241367100157275ustar00rootroot00000000000000artifacts-20170808/artifacts/__init__.py000066400000000000000000000001431314241367100200360ustar00rootroot00000000000000# -*- coding: utf-8 -*- """ForensicArtifacts.com Artifact Repository.""" __version__ = '20170808' 
artifacts-20170808/artifacts/artifact.py000066400000000000000000000066611314241367100201070ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact definition.""" from __future__ import unicode_literals from artifacts import errors from artifacts import registry class ArtifactDefinition(object): """Artifact definition interface. Attributes: conditions (list[str]): conditions. description (str): description. name (str): name that uniquely identifiers the artifact definition. labels (list[str]): labels. provides (list[str]): hints to what information the artifact definition provides. sources (list[str]): sources. supported_os (list[str]): supported operating systems. urls (list[str]): URLs with more information about the artifact definition. """ def __init__(self, name, description=None): """Initializes an artifact definition. Args: name (str): name that uniquely identifiers the artifact definition. description (Optional[str]): description of the artifact definition. """ super(ArtifactDefinition, self).__init__() self.conditions = [] self.description = description self.name = name self.labels = [] self.provides = [] self.sources = [] self.supported_os = [] self.urls = [] def AppendSource(self, type_indicator, attributes): """Appends a source. If you want to implement your own source type you should create a subclass in source_type.py and change the AppendSource method to handle the new subclass. This function raises FormatError if an unsupported source type indicator is encountered. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source attributes. Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. 
""" if not type_indicator: raise errors.FormatError('Missing type indicator.') try: source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( type_indicator, attributes) except (AttributeError, TypeError) as exception: raise errors.FormatError(( 'Unable to create source type: {0:s} for artifact definition: {1:s} ' 'with error: {2!s}').format(type_indicator, self.name, exception)) self.sources.append(source_object) return source_object def AsDict(self): """Represents an artifact as a dictionary. Returns: dict[str, object]: artifact attributes. """ sources = [] for source in self.sources: source_definition = { 'type': source.type_indicator, 'attributes': source.AsDict()} if source.supported_os: source_definition['supported_os'] = source.supported_os if source.conditions: source_definition['conditions'] = source.conditions if source.returned_types: source_definition['returned_types'] = source.returned_types sources.append(source_definition) artifact_definition = { 'name': self.name, 'doc': self.description, 'sources': sources,} if self.labels: artifact_definition['labels'] = self.labels if self.supported_os: artifact_definition['supported_os'] = self.supported_os if self.provides: artifact_definition['provides'] = self.provides if self.conditions: artifact_definition['conditions'] = self.conditions if self.urls: artifact_definition['urls'] = self.urls return artifact_definition artifacts-20170808/artifacts/definitions.py000066400000000000000000000037701314241367100206230ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Constants and definitions.""" from __future__ import unicode_literals TYPE_INDICATOR_ARTIFACT_GROUP = 'ARTIFACT_GROUP' TYPE_INDICATOR_COMMAND = 'COMMAND' TYPE_INDICATOR_DIRECTORY = 'DIRECTORY' TYPE_INDICATOR_FILE = 'FILE' TYPE_INDICATOR_PATH = 'PATH' TYPE_INDICATOR_WINDOWS_REGISTRY_KEY = 'REGISTRY_KEY' TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE = 'REGISTRY_VALUE' TYPE_INDICATOR_WMI_QUERY = 'WMI' LABELS = { 'Antivirus': 'Antivirus related 
artifacts, e.g. quarantine files.', 'Authentication': 'Authentication artifacts.', 'Browser': 'Web Browser artifacts.', 'Cloud': 'Cloud applications artifacts.', 'Cloud Storage': 'Cloud storage artifacts.', 'Configuration Files': 'Configuration files artifacts.', 'Execution': 'Contain execution events.', 'ExternalAccount': ( 'Information about any user accounts e.g. username, ' 'account ID, etc.'), 'External Media': 'Contain external media data or events e.g. USB drives.', 'IM': 'Instant Messaging / Chat applications artifacts.', 'iOS': 'Artifacts related to iOS devices connected to the system.', 'History Files': 'History files artifacts e.g. .bash_history.', 'KnowledgeBase': 'Artifacts used in knowledge base generation.', 'Logs': 'Contain log files.', 'Mail': 'Mail client applications artifacts.', 'Memory': 'Artifacts retrieved from memory.', 'Network': 'Describe networking state.', 'Processes': 'Describe running processes.', 'Rekall': 'Artifacts using the Rekall memory forensics framework.', 'Software': 'Installed software.', 'System': 'Core system artifacts.', 'Users': 'Information about users.'} SUPPORTED_OS = frozenset(['Darwin', 'Linux', 'Windows']) TOP_LEVEL_KEYS = frozenset([ 'conditions', 'doc', 'labels', 'name', 'provides', 'sources', 'supported_os', 'urls']) artifacts-20170808/artifacts/errors.py000066400000000000000000000006031314241367100176140ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The error objects.""" class Error(Exception): """The error interface.""" class CodeStyleError(Error): """Error that is raised when code formatting fails style checks.""" class FormatError(Error): """Error that is raised when the format is incorrect.""" class MissingDependencyError(Error): """Artifact references artifact that is undefined.""" artifacts-20170808/artifacts/reader.py000066400000000000000000000260111314241367100175430ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact reader objects.""" from __future__ import unicode_literals 
import abc import glob import os import json import yaml from artifacts import artifact from artifacts import definitions from artifacts import errors class BaseArtifactsReader(object): """Artifacts reader interface. Attributes: labels (set[str]): defined labels. supported_os (set[str]): supported operating systems. """ def __init__(self): """Initializes an artifacts reader.""" super(BaseArtifactsReader, self).__init__() self.labels = set() self.supported_os = set() @abc.abstractmethod def ReadArtifactDefinitionValues(self, artifact_definition_values): """Reads an artifact definition from a dictionary. Args: artifact_definition_values (dict[str, object]): artifact definition values. Returns: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ @abc.abstractmethod def ReadDirectory(self, path, extension=None): """Reads artifact definitions from a directory. This function does not recurse sub directories. Args: path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Yields: ArtifactDefinition: an artifact definition. """ @abc.abstractmethod def ReadFile(self, filename): """Reads artifact definitions from a file. Args: filename (str): name of the file to read from. Yields: ArtifactDefinition: an artifact definition. """ @abc.abstractmethod def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. 
""" class ArtifactsReader(BaseArtifactsReader): """Artifacts reader common functionality.""" def __init__(self): """Initializes an artifacts reader.""" super(ArtifactsReader, self).__init__() self.labels = set(definitions.LABELS) self.supported_os = set(definitions.SUPPORTED_OS) def _ReadLabels(self, artifact_definition_values, artifact_definition, name): """Reads the optional artifact definition labels. Args: artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. Raises: FormatError: if there are undefined labels. """ labels = artifact_definition_values.get('labels', []) undefined_labels = set(labels).difference(self.labels) if undefined_labels: raise errors.FormatError( 'Artifact definition: {0:s} found undefined labels: {1:s}.'.format( name, ', '.join(undefined_labels))) artifact_definition.labels = labels def _ReadSupportedOS(self, definition_values, definition_object, name): """Reads the optional artifact or source type supported OS. Args: definition_values (dict[str, object]): artifact definition values. definition_object (ArtifactDefinition|SourceType): the definition object. name (str): name of the artifact definition. Raises: FormatError: if there are undefined supported operating systems. """ supported_os = definition_values.get('supported_os', []) if not isinstance(supported_os, list): raise errors.FormatError( 'Invalid supported_os type: {0:s}'.format(type(supported_os))) undefined_supported_os = set(supported_os).difference(self.supported_os) if undefined_supported_os: error_string = ( 'Artifact definition: {0:s} undefined supported operating system: ' '{1:s}.').format(name, ', '.join(undefined_supported_os)) raise errors.FormatError(error_string) definition_object.supported_os = supported_os def _ReadSources(self, artifact_definition_values, artifact_definition, name): """Reads the artifact definition sources. 
Args: artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ sources = artifact_definition_values.get('sources') if not sources: raise errors.FormatError( 'Invalid artifact definition: {0:s} missing sources.'.format(name)) for source in sources: type_indicator = source.get('type', None) if not type_indicator: raise errors.FormatError( 'Invalid artifact definition: {0:s} source type.'.format(name)) attributes = source.get('attributes', None) try: source_type = artifact_definition.AppendSource( type_indicator, attributes) except errors.FormatError as exception: raise errors.FormatError( 'Invalid artifact definition: {0:s}, with error: {1!s}'.format( name, exception)) # TODO: deprecate these left overs from the collector definition. if source_type: source_type.conditions = source.get('conditions', []) source_type.returned_types = source.get('returned_types', []) self._ReadSupportedOS(source, source_type, name) if set(source_type.supported_os) - set( artifact_definition.supported_os): raise errors.FormatError( ('Invalid artifact definition: {0:s} missing ' 'supported_os.').format(name)) def ReadArtifactDefinitionValues(self, artifact_definition_values): """Reads an artifact definition from a dictionary. Args: artifact_definition_values (dict[str, object]): artifact definition values. Returns: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. 
""" if not artifact_definition_values: raise errors.FormatError('Missing artifact definition values.') different_keys = ( set(artifact_definition_values) - definitions.TOP_LEVEL_KEYS) if different_keys: raise errors.FormatError('Undefined keys: {0:s}'.format(different_keys)) name = artifact_definition_values.get('name', None) if not name: raise errors.FormatError('Invalid artifact definition missing name.') # The description is assumed to be mandatory. description = artifact_definition_values.get('doc', None) if not description: raise errors.FormatError( 'Invalid artifact definition: {0:s} missing description.'.format( name)) artifact_definition = artifact.ArtifactDefinition( name, description=description) if artifact_definition_values.get('collectors', []): raise errors.FormatError( 'Invalid artifact definition: {0:s} still uses collectors.'.format( name)) # TODO: check conditions. artifact_definition.conditions = artifact_definition_values.get( 'conditions', []) artifact_definition.provides = artifact_definition_values.get( 'provides', []) self._ReadLabels(artifact_definition_values, artifact_definition, name) self._ReadSupportedOS(artifact_definition_values, artifact_definition, name) artifact_definition.urls = artifact_definition_values.get('urls', []) self._ReadSources(artifact_definition_values, artifact_definition, name) return artifact_definition def ReadDirectory(self, path, extension='yaml'): """Reads artifact definitions from a directory. This function does not recurse sub directories. Args: path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Yields: ArtifactDefinition: an artifact definition. 
""" if extension: glob_spec = os.path.join(path, '*.{0:s}'.format(extension)) else: glob_spec = os.path.join(path, '*') for artifact_file in glob.glob(glob_spec): for artifact_definition in self.ReadFile(artifact_file): yield artifact_definition def ReadFile(self, filename): """Reads artifact definitions from a file. Args: filename (str): name of the file to read from. Yields: ArtifactDefinition: an artifact definition. """ with open(filename, 'r') as file_object: for artifact_definition in self.ReadFileObject(file_object): yield artifact_definition @abc.abstractmethod def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ class JsonArtifactsReader(ArtifactsReader): """JSON artifacts reader.""" def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the JSON artifact definition is not set or incorrect. """ # TODO: add try, except? json_definitions = json.loads(file_object.read()) last_artifact_definition = None for json_definition in json_definitions: try: artifact_definition = self.ReadArtifactDefinitionValues(json_definition) except errors.FormatError as exception: error_location = 'At start' if last_artifact_definition: error_location = 'After: {0:s}'.format(last_artifact_definition.name) raise errors.FormatError( '{0:s} {1!s}'.format(error_location, exception)) yield artifact_definition last_artifact_definition = artifact_definition class YamlArtifactsReader(ArtifactsReader): """YAML artifacts reader.""" def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. 
Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the YAML artifact definition is not set or incorrect. """ # TODO: add try, except? yaml_generator = yaml.safe_load_all(file_object) last_artifact_definition = None for yaml_definition in yaml_generator: try: artifact_definition = self.ReadArtifactDefinitionValues(yaml_definition) except errors.FormatError as exception: error_location = 'At start' if last_artifact_definition: error_location = 'After: {0:s}'.format(last_artifact_definition.name) raise errors.FormatError( '{0:s} {1!s}'.format(error_location, exception)) yield artifact_definition last_artifact_definition = artifact_definition artifacts-20170808/artifacts/registry.py000066400000000000000000000161161314241367100201560ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact definitions registry.""" from __future__ import unicode_literals from artifacts import definitions from artifacts import errors from artifacts import source_type class ArtifactDefinitionsRegistry(object): """Artifact definitions registry.""" _source_type_classes = { definitions.TYPE_INDICATOR_ARTIFACT_GROUP: source_type.ArtifactGroupSourceType, definitions.TYPE_INDICATOR_COMMAND: source_type.CommandSourceType, definitions.TYPE_INDICATOR_DIRECTORY: source_type.DirectorySourceType, definitions.TYPE_INDICATOR_FILE: source_type.FileSourceType, definitions.TYPE_INDICATOR_PATH: source_type.PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: source_type.WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: source_type.WindowsRegistryValueSourceType, definitions.TYPE_INDICATOR_WMI_QUERY: source_type.WMIQuerySourceType, } def __init__(self): """Initializes an artifact definitions registry.""" super(ArtifactDefinitionsRegistry, self).__init__() self._artifact_definitions = {} self._artifact_name_references = set() self._defined_artifact_names = set() 
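@classmethod
def CreateSourceType(cls, type_indicator, attributes):
  """Creates a source type object.

  Args:
    type_indicator (str): source type indicator.
    attributes (dict[str, object]): source attributes, or None when the
        source definition carries none.

  Returns:
    SourceType: a source type.

  Raises:
    FormatError: if the type indicator is not set or unsupported, if the
        attributes are not a mapping or name an unknown attribute, or if
        required attributes are missing.
  """
  if type_indicator not in cls._source_type_classes:
    # '!s' rather than ':s': a non-string indicator (e.g. an int parsed from
    # YAML) would otherwise raise TypeError instead of FormatError.
    raise errors.FormatError(
        'Unsupported type indicator: {0!s}.'.format(type_indicator))

  source_type_class = cls._source_type_classes[type_indicator]
  try:
    # A missing attributes mapping is treated as empty so the source type
    # reports which required attribute is absent instead of failing on
    # **None; unknown attribute names and non-mapping values surface as
    # TypeError and are reported as definition errors.
    return source_type_class(**(attributes or {}))
  except TypeError as exception:
    raise errors.FormatError(
        'Invalid attributes for source type: {0!s}, with error: {1!s}'.format(
            type_indicator, exception))

def DeregisterDefinition(self, artifact_definition):
  """Deregisters an artifact definition.

  Artifact definitions are identified based on their lower case name.

  Args:
    artifact_definition (ArtifactDefinition): an artifact definition.

  Raises:
    KeyError: if an artifact definition is not set for the corresponding
        name.
  """
  artifact_definition_name = artifact_definition.name.lower()
  if artifact_definition_name not in self._artifact_definitions:
    raise KeyError(
        'Artifact definition not set for name: {0:s}.'.format(
            artifact_definition.name))

  del self._artifact_definitions[artifact_definition_name]
  # Keep the bookkeeping used by GetUndefinedArtifacts() in sync: the name is
  # no longer defined. Names it referenced via ARTIFACT_GROUP sources are
  # left in place, as other definitions may reference them too.
  self._defined_artifact_names.discard(artifact_definition.name)

@classmethod
def DeregisterSourceType(cls, source_type_class):
  """Deregisters a source type.

  Source types are identified based on their type indicator.

  Args:
    source_type_class (type): source type.

  Raises:
    KeyError: if a source type is not set for the corresponding type
        indicator.
  """
  if source_type_class.TYPE_INDICATOR not in cls._source_type_classes:
    raise KeyError('Source type not set for type: {0:s}.'.format(
        source_type_class.TYPE_INDICATOR))

  del cls._source_type_classes[source_type_class.TYPE_INDICATOR]

def GetDefinitionByName(self, name):
  """Retrieves a specific artifact definition by name.

  Args:
    name (str): name of the artifact definition.

  Returns:
    ArtifactDefinition: an artifact definition or None if not available.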
""" if name: return self._artifact_definitions.get(name.lower(), None) def GetDefinitions(self): """Retrieves the artifact definitions. Returns: list[ArtifactDefinition]: artifact definitions. """ return self._artifact_definitions.values() def GetUndefinedArtifacts(self): """Retrieves the names of undefined artifacts used by artifact groups. Returns: set[str]: undefined artifacts names. """ return self._artifact_name_references - self._defined_artifact_names def RegisterDefinition(self, artifact_definition): """Registers an artifact definition. Artifact definitions are identified based on their lower case name. Args: artifact_definition (ArtifactDefinition): an artifact definition. Raises: KeyError: if artifact definition is already set for the corresponding name. """ artifact_definition_name = artifact_definition.name.lower() if artifact_definition_name in self._artifact_definitions: raise KeyError( 'Artifact definition already set for name: {0:s}.'.format( artifact_definition.name)) self._artifact_definitions[artifact_definition_name] = artifact_definition self._defined_artifact_names.add(artifact_definition.name) for source in artifact_definition.sources: if source.type_indicator == definitions.TYPE_INDICATOR_ARTIFACT_GROUP: self._artifact_name_references.update(source.names) @classmethod def RegisterSourceType(cls, source_type_class): """Registers a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if source types is already set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: raise KeyError('Source type already set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) @classmethod def RegisterSourceTypes(cls, source_type_classes): """Registers source types. Source types are identified based on their type indicator. 
Args: source_type_classes (list[type]): source types. """ for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) def ReadFromDirectory(self, artifact_reader, path, extension='yaml'): """Reads artifact definitions into the registry from files in a directory. This function does not recurse sub directories. Args: artifacts_reader (ArtifactsReader): an artifacts reader. path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Raises: KeyError: if a duplicate artifact definition is encountered. """ for artifact_definition in artifact_reader.ReadDirectory( path, extension=extension): self.RegisterDefinition(artifact_definition) def ReadFromFile(self, artifact_reader, filename): """Reads artifact definitions into the registry from a file. Args: artifacts_reader (ArtifactsReader): an artifacts reader. filename (str): name of the file to read from. """ for artifact_definition in artifact_reader.ReadFile(filename): self.RegisterDefinition(artifact_definition) def ReadFileObject(self, artifact_reader, file_object): """Reads artifact definitions into the registry from a file-like object. Args: artifacts_reader (ArtifactsReader): an artifacts reader. file_object (file): file-like object to read from. """ for artifact_definition in artifact_reader.ReadFileObject(file_object): self.RegisterDefinition(artifact_definition) artifacts-20170808/artifacts/source_type.py000066400000000000000000000314011314241367100206410ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The source type objects. The source type objects define the source of the artifact data. In earlier versions of the artifact definitions collector definitions had a similar purpose as the source type. 
Currently the following source types are defined: * artifact; the source is one or more artifact definitions; * file; the source is one or more files; * path; the source is one or more paths; * Windows Registry key; the source is one or more Windows Registry keys; * Windows Registry value; the source is one or more Windows Registry values; * WMI query; the source is a Windows Management Instrumentation query. The difference between the file and path source types are that file should be used to define file entries that contain data and path, file entries that define a location. E.g. on Windows %SystemRoot% could be considered a path artifact definition, pointing to a location e.g. C:\\Windows. And where C:\\Windows\\System32\\winevt\\Logs\\AppEvent.evt a file artifact definition, pointing to the Application Event Log file. """ from __future__ import unicode_literals import abc from artifacts import definitions from artifacts import errors class SourceType(object): """Artifact definition source type interface.""" TYPE_INDICATOR = None @property def type_indicator(self): """The type indicator. Raises: NotImplementedError: if the type indicator is not defined. """ if not self.TYPE_INDICATOR: raise NotImplementedError('Invalid source type missing type indicator.') return self.TYPE_INDICATOR @abc.abstractmethod def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ class ArtifactGroupSourceType(SourceType): """Artifact group source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_ARTIFACT_GROUP def __init__(self, names=None): """Initializes a source type. Args: names (Optional[str]): artifact definition names. Raises: FormatError: when artifact names is not set. """ if not names: raise errors.FormatError('Missing names value.') super(ArtifactGroupSourceType, self).__init__() self.names = names def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. 
""" return {'names': self.names} class CommandSourceType(SourceType): """Command source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_COMMAND def __init__(self, args=None, cmd=None): """Initializes a source type. Args: args (list[str]): arguments to the command to run. cmd (str): command to run. Raises: FormatError: when args or cmd is not set. """ if args is None or cmd is None: raise errors.FormatError('Missing args or cmd value.') super(CommandSourceType, self).__init__() self.args = args self.cmd = cmd def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'cmd': self.cmd, 'args': self.args} class DirectorySourceType(SourceType): """Directory source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_DIRECTORY def __init__(self, paths=None, separator='/'): """Initializes a source type. Args: paths (Optional[str]): paths relative to the root of the file system. separator (Optional[str]): path segment separator. Raises: FormatError: when paths is not set. """ if not paths: raise errors.FormatError('Missing directory value.') super(DirectorySourceType, self).__init__() self.paths = paths self.separator = separator def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class FileSourceType(SourceType): """File source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE def __init__(self, paths=None, separator='/'): """Initializes a source type. Args: paths (Optional[str]): paths relative to the root of the file system. separator (Optional[str]): path segment separator. Raises: FormatError: when paths is not set. 
""" if not paths: raise errors.FormatError('Missing paths value.') super(FileSourceType, self).__init__() self.paths = paths self.separator = separator def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class PathSourceType(SourceType): """Path source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_PATH def __init__(self, paths=None, separator='/'): """Initializes a source type. Args: paths (Optional[str]): paths relative to the root of the file system. separator (Optional[str]): path segment separator. Raises: FormatError: when paths is not set. """ if not paths: raise errors.FormatError('Missing paths value.') super(PathSourceType, self).__init__() self.paths = paths self.separator = separator def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class WindowsRegistryKeySourceType(SourceType): """Windows Registry key source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY VALID_PREFIXES = [ r'HKEY_LOCAL_MACHINE', r'HKEY_USERS', r'HKEY_CLASSES_ROOT', r'%%current_control_set%%',] def __init__(self, keys=None): """Initializes a source type. Args: keys (Optional[list[str]]): key paths relative to the root of the Windows Registry. Raises: FormatError: when keys is not set. """ if not keys: raise errors.FormatError('Missing keys value.') if not isinstance(keys, list): raise errors.FormatError('keys must be a list') for key in keys: self.ValidateKey(key) super(WindowsRegistryKeySourceType, self).__init__() self.keys = keys def AsDict(self): """Represents a source type as a dictionary. 
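Returns:
    dict[str, str]: source type attributes.
  """
  return {'keys': self.keys}

@classmethod
def ValidateKey(cls, key_path):
  """Validates a Windows Registry key path against the supported roots.

  Only paths rooted at one of VALID_PREFIXES are accepted. HKEY_CURRENT_USER
  is rejected with a hint, since it must be expressed through
  HKEY_USERS\\%%users.sid%%\\ instead.

  Args:
    key_path (str): path of a Windows Registry key.

  Raises:
    FormatError: when the key path is not a string or is not supported.
  """
  # Key paths come straight from YAML/JSON and may not be strings at all;
  # (str, type('')) covers both str and unicode on Python 2.
  if not isinstance(key_path, (str, type(''))):
    raise errors.FormatError(
        'Registry key path must be a string, got: {0!s}'.format(key_path))

  for prefix in cls.VALID_PREFIXES:
    # The prefix must be the whole path or a complete first segment, so that
    # e.g. 'HKEY_USERSFOO\\...' is not accepted as HKEY_USERS.
    if key_path == prefix or key_path.startswith(prefix + '\\'):
      return

  # TODO: move check to validator.
  if key_path.startswith('HKEY_CURRENT_USER\\'):
    raise errors.FormatError(
        'HKEY_CURRENT_USER\\ is not supported instead use: '
        'HKEY_USERS\\%%users.sid%%\\')

  raise errors.FormatError(
      'Unsupported Registry key path: {0:s}'.format(key_path))


class WindowsRegistryValueSourceType(SourceType):
  """Windows Registry value source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE

  def __init__(self, key_value_pairs=None):
    """Initializes a source type.

    Args:
      key_value_pairs (Optional[list[dict[str, str]]]): mappings with exactly
          the keys 'key' (a key path relative to the root of the Windows
          Registry) and 'value' (a value name).

    Raises:
      FormatError: when key value pairs is not set, is not a list of such
          mappings, or contains an unsupported key path.
    """
    if not key_value_pairs:
      raise errors.FormatError('Missing key value pairs value.')

    if not isinstance(key_value_pairs, list):
      raise errors.FormatError('key_value_pairs must be a list')

    for pair in key_value_pairs:
      if not isinstance(pair, dict):
        raise errors.FormatError('key_value_pair must be a dict')

      if set(pair.keys()) != set(['key', 'value']):
        # Report the offending pair, and with '!s': '{0:s}' cannot format a
        # list or dict on Python 3 and turned this FormatError into a
        # TypeError.
        error_message = (
            'key_value_pair missing "key" and "value" keys, got: '
            '{0!s}').format(pair)
        raise errors.FormatError(error_message)

      WindowsRegistryKeySourceType.ValidateKey(pair['key'])

    super(WindowsRegistryValueSourceType, self).__init__()
    self.key_value_pairs = key_value_pairs

  def AsDict(self):
    """Represents a source type as a dictionary.

    Returns:
      dict[str, str]: source type attributes.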
""" return {'key_value_pairs': self.key_value_pairs} class WMIQuerySourceType(SourceType): """WMI query source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_WMI_QUERY def __init__(self, query=None, base_object=None): """Initializes a source type. Args: query (Optional[str]): WMI query. Raises: FormatError: when query is not set. """ if not query: raise errors.FormatError('Missing query value.') super(WMIQuerySourceType, self).__init__() self.base_object = base_object self.query = query def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'query': self.query} if self.base_object: source_type_attributes['base_object'] = self.base_object return source_type_attributes class SourceTypeFactory(object): """Source type factory.""" _source_type_classes = { definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType, definitions.TYPE_INDICATOR_COMMAND: CommandSourceType, definitions.TYPE_INDICATOR_DIRECTORY: DirectorySourceType, definitions.TYPE_INDICATOR_FILE: FileSourceType, definitions.TYPE_INDICATOR_PATH: PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: WindowsRegistryValueSourceType, definitions.TYPE_INDICATOR_WMI_QUERY: WMIQuerySourceType,} @classmethod def CreateSourceType(cls, type_indicator, attributes): """Creates a source type. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source type attributes. Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if type_indicator not in cls._source_type_classes: raise errors.FormatError( 'Unsupported type indicator: {0:s}.'.format(type_indicator)) return cls._source_type_classes[type_indicator](**attributes) @classmethod def DeregisterSourceType(cls, source_type_class): """Deregisters a source type. 
Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if a source type is not set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR not in cls._source_type_classes: raise KeyError( 'Source type not set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) del cls._source_type_classes[source_type_class.TYPE_INDICATOR] @classmethod def GetSourceTypes(cls): """Retrieves the source types. Returns: list[type]: source types. """ return cls._source_type_classes.values() @classmethod def GetSourceTypeIndicators(cls): """Retrieves the source type indicators. Returns: list[str]: source type indicators. """ return cls._source_type_classes.keys() @classmethod def RegisterSourceType(cls, source_type_class): """Registers a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if source types is already set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: raise KeyError( 'Source type already set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) @classmethod def RegisterSourceTypes(cls, source_type_classes): """Registers source types. Source types are identified based on their type indicator. Args: source_type_classes (list[type]): source types. 
""" for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) artifacts-20170808/artifacts/writer.py000066400000000000000000000046701314241367100176240ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact writer objects.""" from __future__ import unicode_literals import abc import json import yaml class BaseArtifactsWriter(object): """Artifacts writer interface.""" @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ @abc.abstractmethod def WriteArtifactsFile(self, artifacts, filename): """Writes artifact definitions to a file. Args: artifacts (list[ArtifactDefinition]): artifact definitions to be written. filename (str): name of the file to write artifacts to. """ class ArtifactWriter(BaseArtifactsWriter): """File artifacts writer.""" @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (ArtifactDefinition|list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ def WriteArtifactsFile(self, artifacts, filename): """Writes artifact definitions to a file. Args: artifacts (list[ArtifactDefinition]): artifact definitions to be written. filename (str): name of the file to write artifacts to. """ with open(filename, 'w') as file_object: file_object.write(self.FormatArtifacts(artifacts)) class JsonArtifactsWriter(ArtifactWriter): """JSON artifacts writer interface.""" def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. 
""" artifact_definitions = [artifact.AsDict() for artifact in artifacts] json_data = json.dumps(artifact_definitions) return json_data class YamlArtifactsWriter(ArtifactWriter): """YAML artifacts writer interface.""" def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ # TODO: improve output formatting of yaml artifact_definitions = [artifact.AsDict() for artifact in artifacts] yaml_data = yaml.safe_dump_all(artifact_definitions) return yaml_data artifacts-20170808/config/000077500000000000000000000000001314241367100152145ustar00rootroot00000000000000artifacts-20170808/config/dpkg/000077500000000000000000000000001314241367100161415ustar00rootroot00000000000000artifacts-20170808/config/dpkg/artifacts-data.dirs000066400000000000000000000000251314241367100217100ustar00rootroot00000000000000/usr/share/artifacts artifacts-20170808/config/dpkg/artifacts-data.install000066400000000000000000000000331314241367100224140ustar00rootroot00000000000000data/* usr/share/artifacts artifacts-20170808/config/dpkg/artifacts-tools.install000066400000000000000000000000101314241367100226360ustar00rootroot00000000000000usr/bin artifacts-20170808/config/dpkg/changelog000066400000000000000000000002371314241367100200150ustar00rootroot00000000000000artifacts (20170513-1) unstable; urgency=low * Auto-generated -- Forensic artifacts Tue, 08 Aug 2017 08:18:16 +0200 artifacts-20170808/config/dpkg/clean000066400000000000000000000000261314241367100171440ustar00rootroot00000000000000artifacts/*.pyc *.pyc artifacts-20170808/config/dpkg/compat000066400000000000000000000000021314241367100173370ustar00rootroot000000000000009 artifacts-20170808/config/dpkg/control000066400000000000000000000033171314241367100175500ustar00rootroot00000000000000Source: artifacts Section: python Priority: extra Maintainer: Forensic artifacts Build-Depends: debhelper (>= 
7), python-all (>= 2.7~), python-setuptools, python3-all (>= 3.4~), python3-setuptools Standards-Version: 3.9.5 X-Python-Version: >= 2.7 X-Python3-Version: >= 3.4 Homepage: https://github.com/ForensicArtifacts/artifacts Package: artifacts-data Architecture: all Depends: ${misc:Depends} Description: Data files for ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: python-artifacts Architecture: all Depends: artifacts-data, python-yaml (>= 3.10), ${python:Depends}, ${misc:Depends} Description: Python bindings for ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: python3-artifacts Architecture: all Depends: artifacts-data, python3-yaml (>= 3.10), ${python3:Depends}, ${misc:Depends} Description: Python bindings for ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: artifacts-tools Architecture: all Depends: python-artifacts, python (>= 2.7~), ${python:Depends}, ${misc:Depends} Description: Tools for ForensicArtifacts.com Artifact Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. artifacts-20170808/config/dpkg/copyright000066400000000000000000000017711314241367100201020ustar00rootroot00000000000000Format: http://dep.debian.net/deps/dep5 Upstream-Name: artifacts Source: https://github.com/ForensicArtifacts/artifacts/ Files: * Copyright: 2014 The ForensicArtifacts.com Artifact Repository project. 
License: Apache-2.0 Files: debian/* Copyright: 2014 The ForensicArtifacts.com Artifact Repository project. License: Apache-2.0 License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . On Debian systems, the complete text of the Apache version 2.0 license can be found in "/usr/share/common-licenses/Apache-2.0". artifacts-20170808/config/dpkg/python-artifacts.install000066400000000000000000000001431314241367100230260ustar00rootroot00000000000000usr/lib/python2*/dist-packages/artifacts/*.py usr/lib/python2*/dist-packages/artifacts*.egg-info/* artifacts-20170808/config/dpkg/python3-artifacts.install000066400000000000000000000001431314241367100231110ustar00rootroot00000000000000usr/lib/python3*/dist-packages/artifacts/*.py usr/lib/python3*/dist-packages/artifacts*.egg-info/* artifacts-20170808/config/dpkg/rules000077500000000000000000000011511314241367100172170ustar00rootroot00000000000000#!/usr/bin/make -f %: dh $@ --buildsystem=python_distutils --with=python2,python3 .PHONY: override_dh_auto_clean override_dh_auto_clean: dh_auto_clean rm -rf build artifacts.egg-info/SOURCES.txt artifacts.egg-info/PKG-INFO .PHONY: override_dh_auto_build override_dh_auto_build: dh_auto_build set -ex; for python in $(shell py3versions -r); do \ $$python setup.py build; \ done; .PHONY: override_dh_auto_install override_dh_auto_install: dh_auto_install --destdir $(CURDIR) set -ex; for python in $(shell py3versions -r); do \ $$python setup.py install --root=$(CURDIR) --install-layout=deb; \ done; 
artifacts-20170808/config/dpkg/source/000077500000000000000000000000001314241367100174415ustar00rootroot00000000000000artifacts-20170808/config/dpkg/source/format000066400000000000000000000000141314241367100206470ustar00rootroot000000000000003.0 (quilt) artifacts-20170808/config/travis/000077500000000000000000000000001314241367100165245ustar00rootroot00000000000000artifacts-20170808/config/travis/install.sh000077500000000000000000000017051314241367100205340ustar00rootroot00000000000000#!/bin/bash # # Script to set up Travis-CI test VM. COVERALL_DEPENDENCIES="python-coverage python-coveralls python-docopt"; L2TBINARIES_DEPENDENCIES="PyYAML"; L2TBINARIES_TEST_DEPENDENCIES="yapf"; PYTHON2_DEPENDENCIES="python-yaml"; PYTHON2_TEST_DEPENDENCIES="python-yapf"; # Exit on error. set -e; if test ${TRAVIS_OS_NAME} = "osx"; then git clone https://github.com/log2timeline/l2tdevtools.git; mv l2tdevtools ../; mkdir dependencies; PYTHONPATH=../l2tdevtools ../l2tdevtools/tools/update.py --download-directory=dependencies ${L2TBINARIES_DEPENDENCIES} ${L2TBINARIES_TEST_DEPENDENCIES}; elif test ${TRAVIS_OS_NAME} = "linux"; then sudo add-apt-repository ppa:gift/dev -y; sudo apt-get update -q; # Only install the Python 2 dependencies. # Also see: https://docs.travis-ci.com/user/languages/python/#Travis-CI-Uses-Isolated-virtualenvs sudo apt-get install -y ${COVERALL_DEPENDENCIES} ${PYTHON2_DEPENDENCIES} ${PYTHON2_TEST_DEPENDENCIES}; fi artifacts-20170808/data/000077500000000000000000000000001314241367100146605ustar00rootroot00000000000000artifacts-20170808/data/antivirus.yaml000066400000000000000000000036321314241367100175740ustar00rootroot00000000000000# Anti-Virus artifacts. name: EsetAVQuarantine doc: Eset Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: {paths: ['/Library/Application Support/ESET/esets/cache/quarantine/*']} supported_os: [Darwin] labels: [Antivirus] --- name: MicrosoftAVQuarantine doc: Microsoft Anti-Virus Quarantine (Infected) files. 
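sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
    - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
supported_os: [Windows]
labels: [Antivirus]
---
name: SophosAVLogs
doc: Sophos Anti-Virus log files.
# Both sources must live in the one `sources` list below. The definition
# previously repeated the `sources` key, which yaml.safe_load (used by
# YamlArtifactsReader) resolves by keeping only the last value, so the
# Windows log source was silently dropped.
# NOTE(review): other Windows FILE sources in this repository (e.g.
# NodeJSPackageManagerCacheFiles in applications.yaml) set separator: '\'
# for backslash paths; confirm whether the Windows sources here need it.
sources:
- type: FILE
  attributes: {paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']}
  supported_os: [Windows]
- type: FILE
  attributes: {paths: ['/Library/Logs/Sophos*.log']}
  supported_os: [Darwin]
supported_os: [Windows, Darwin]
labels: [Antivirus, Logs]
---
name: SophosAVQuarantine
doc: Sophos Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
  attributes: {paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']}
  supported_os: [Windows]
- type: FILE
  attributes: {paths: ['/Users/Shared/Infected/*']}
  supported_os: [Darwin]
supported_os: [Windows, Darwin]
labels: [Antivirus]
---
name: SymantecAVLogs
doc: Symantec Anti-Virus Log Files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
    - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
  supported_os: [Windows]
supported_os: [Windows]
labels: [Antivirus, Logs]
---
name: SymantecAVQuarantine
doc: Symantec Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
  attributes: {paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn']}
  supported_os: [Windows]
supported_os: [Windows]
labels: [Antivirus, Logs]
artifacts-20170808/data/applications.yaml000066400000000000000000000037061314241367100202400ustar00rootroot00000000000000# Application artifacts.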
name: NodeJSPackageManagerCacheFiles doc: Node JS package manager (NPM) cache files sources: - type: FILE attributes: paths: ['%%users.homedir%%/.npm/*'] supported_os: [Darwin, Linux] - type: FILE attributes: paths: ['%%users.appdata%%\npm-cache\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://docs.npmjs.com/cli/cache'] --- name: MicrosoftOfficeMRU doc: Microsoft Office Most Recently Used sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist' - '%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist' separator: '/' supported_os: [Darwin] - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\File MRU', value: 'Item *'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\Place MRU', value: 'Item *'} supported_os: [Windows] supported_os: [Darwin, Windows] urls: ['https://github.com/mac4n6/macMRU-Parser'] --- name: WinRARExternalViewer doc: Executable run when a file is opened by WinRAR inside an archive. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\WinRAR\Viewer\', value: 'ExternalViewer'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/' - 'http://acritum.com/software/manuals/winrar/html/helpinterfaceviewing.htm' --- name: WinRARAVScan doc: Executable run to scan a file when it is opened by WinRAR. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\WinRAR\VirusScan\', value: 'Name'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/' - 'http://acritum.com/software/manuals/winrar/html/helpcommandsvirusscan.htm' artifacts-20170808/data/cloud_services.yaml000066400000000000000000000052071314241367100205610ustar00rootroot00000000000000# Cloud service artifacts. name: CloudStorageClients doc: Multiple cloud storage client artifacts. sources: - type: ARTIFACT_GROUP attributes: names: - 'DropboxClient' - 'GoogleDriveClient' - 'SkyDriveClient' labels: [Cloud Storage] supported_os: [Darwin,Linux,Windows] --- name: DropboxClient doc: Dropbox cloud storage client artifacts. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Dropbox\*.db*' - '%%users.localappdata%%\Dropbox\*.db*' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.dropbox/*.db*' supported_os: [Darwin,Linux] supported_os: [Darwin,Linux,Windows] labels: [Cloud Storage] urls: ['http://www.forensicswiki.org/wiki/Dropbox'] --- name: GoogleDriveClient doc: Google Drive cloud storage client artifacts. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Drive\snapshot.db' - '%%users.localappdata%%\Google\Drive\sync_config.db' - '%%users.localappdata%%\Google\Drive\sync_config.log*' - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*' supported_os: [Darwin] supported_os: [Darwin,Windows] labels: [Cloud Storage] urls: ['http://www.forensicswiki.org/wiki/Google_Drive'] --- name: SkyDriveClient doc: | Microsoft Sky Drive cloud storage client artifacts. Note that Sky Drive was renamed to One Drive. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log' - '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini' supported_os: [Windows] supported_os: [Windows] labels: [Cloud Storage] urls: ['http://forensicswiki.org/wiki/One_Drive#Sky_Drive_client'] artifacts-20170808/data/config_files.yaml000066400000000000000000000011021314241367100201650ustar00rootroot00000000000000# Configuration file artifacts. 
name: NfsExportsFile doc: NFS Exports configuration sources: - type: FILE attributes: {paths: ['/etc/exports']} labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: SshdConfigFile doc: Sshd configuration sources: - type: FILE attributes: {paths: ['/etc/ssh/sshd_config']} labels: [Configuration Files] supported_os: [Linux] --- name: SshUserConfigFile doc: User ssh configuration file sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.ssh/config']} labels: [Configuration Files] supported_os: [Linux, Darwin] artifacts-20170808/data/installed_modules.yaml000066400000000000000000000063541314241367100212630ustar00rootroot00000000000000# Modules for interpreted languages. name: PythonDistInfo doc: | Python module files distributed in the dist-info format of PEP-0376 (currently linux only). dist-info is always a directory that must contain METADATA, RECORD and INSTALLER. It may also contain REQUESTED. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/lib/python*/{dist,site}-packages/*.dist-info/*' - '/usr/{lib,lib64}/python*/{dist,site}-packages/*.dist-info/*' - '/usr/local/{lib,lib64}/python*/{dist,site}-packages/*.dist-info/*' supported_os: [Linux] supported_os: [Linux] labels: [Software] urls: ['https://www.python.org/dev/peps/pep-0376/'] --- name: PythonEggInfo doc: | Python module files distributed in .egg formats (currently linux only). Python eggs can have multiple formats, as described by setuptools. .egg files can be either a zipfile or a directory that contains an info file. .egg-info files can be either a directory or a file. If they are directories, they should contain a MANIFEST that identifies the installed module. PEP-0370 describes a default install location for per-user modules. sources: - type: FILE attributes: paths: # Files containing the install metadata in either a flat file or zipfile. 
- '%%users.homedir%%/.local/lib/python*/site-packages/*.{egg,egg-info}' - '%%users.homedir%%/.cache/pip/*.{egg,egg-info}' - '/usr/{lib,lib64}/python*/{dist,site}-packages/*.{egg,egg-info}' - '/usr/local/{lib,lib64}/python*/{dist,site}-packages/*.{egg,egg-info}' - '/usr/share/pyshared/*.{egg,egg-info}' # Directories containing the install metadata as separate files. - '%%users.homedir%%/.local/lib/python*/site-packages/*.{egg,egg-info}/*' - '%%users.homedir%%/.cache/pip/*.{egg,egg-info}/*' - '/usr/{lib,lib64}/python*/{dist,site}-packages/*.{egg,egg-info}/*' - '/usr/local/{lib,lib64}/python*/{dist,site}-packages/*.{egg,egg-info}/*' - '/usr/share/pyshared/*.{egg,egg-info}/*' supported_os: [Linux] supported_os: [Linux] labels: [Software] urls: - 'https://pythonhosted.org/setuptools/formats.html' - 'https://www.python.org/dev/peps/pep-0370/' --- name: PythonModuleInfo doc: Python module installation information. sources: - type: ARTIFACT_GROUP attributes: names: - PythonDistInfo - PythonEggInfo - PythonWheelInfo labels: [Software] --- name: PythonWheelInfo doc: | Python module files distributed in the wheel format (currently linux only). Zip archives with the .whl extension. Wheels are installed per the standard installer described in PEP-0376, so should mostly be discoverable as dist-info entries. sources: - type: FILE attributes: paths: - '/usr/share/python-wheels/*.whl' - '%%users.homedir%%/.cache/pip/wheels/*.whl' supported_os: [Linux] supported_os: [Linux] labels: [Software] urls: - 'https://wheel.readthedocs.org/en/latest/' - 'http://pip.readthedocs.org/en/stable/reference/pip_install/' --- name: RubyGems doc: Ruby Gems (currently linux only). 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.gem/ruby/**2/*.gemspec' - '/var/lib/gems/**2/*.gemspec' - '/usr/share/rubygems-integration/**2/*.gemspec' supported_os: [Linux] supported_os: [Linux] urls: ['http://guides.rubygems.org'] artifacts-20170808/data/java.yaml000066400000000000000000000011531314241367100164650ustar00rootroot00000000000000# Java related artifacts. name: JavaCacheFiles doc: Java Plug-in cache. sources: - type: FILE attributes: paths: - '%%users.localappdata_low%%\Sun\Java\Deployment\cache\**' - '%%users.homedir%%\AppData\LocalLow\Sun\Java\Deployment\cache\**' - '%%users.homedir%%\Application Data\Sun\Java\Deployment\cache\**' supported_os: [Windows] - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']} supported_os: [Darwin] - type: FILE attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']} supported_os: [Linux] supported_os: [Windows, Linux, Darwin] artifacts-20170808/data/kaspersky_careto.yaml000066400000000000000000000113161314241367100211170ustar00rootroot00000000000000# Artifacts from the Kaspersky Careto report. name: KasperskyCaretoDarwinFiles doc: Darwin Careto IOCs. sources: - type: FILE attributes: paths: - /Applications/.DS_Store.app/**10 - /Library/LaunchAgents/com.apple.launchport.plist supported_os: [Darwin] urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoIndicators doc: Kaspersky Careto Indicators. sources: - type: ARTIFACT_GROUP attributes: names: - KasperskyCaretoWindowsFiles - KasperskyCaretoWindowsRegKeys - KasperskyCaretoDarwinFiles supported_os: [Windows, Darwin] urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoWindowsFiles doc: Windows Careto IOCs. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\objframe.dll' - '%%environ_systemroot%%\System32\shlink32.dll' - '%%environ_systemroot%%\System32\shlink64.dll' - '%%environ_systemroot%%\System32\cdllait32.dll' - '%%environ_systemroot%%\System32\cdllait64.dll' - '%%environ_systemroot%%\System32\cdlluninstallws32.dll' - '%%environ_systemroot%%\System32\cdlluninstallws64.dll' - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll' - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll' - '%%environ_systemroot%%\System32\c_50225.nls' - '%%environ_systemroot%%\System32\c_50227.nls' - '%%environ_systemroot%%\System32\c_50229.nls' - '%%environ_systemroot%%\System32\c_51932.nls' - '%%environ_systemroot%%\System32\c_51936.nls' - '%%environ_systemroot%%\System32\c_51949.nls' - '%%environ_systemroot%%\System32\c_51950.nls' - '%%environ_systemroot%%\System32\c_57002.nls' - '%%environ_systemroot%%\System32\c_57006.nls' - '%%environ_systemroot%%\System32\c_57008.nls' - '%%environ_systemroot%%\System32\c_57010.nls' - '%%environ_systemroot%%\System32\cdgext32.dll' - '%%environ_systemroot%%\System32\cfgbkmgrs.dll' - '%%environ_systemroot%%\System32\cfgmgr64.dll' - '%%environ_systemroot%%\System32\comsvrpcs.dll' - '%%environ_systemroot%%\System32\d3dx8_20.dll' - '%%environ_systemroot%%\System32\dllcomm.dll' - '%%environ_systemroot%%\System32\drivers\wmimgr.sys' - '%%environ_systemroot%%\System32\drvinfo.bin' - '%%environ_systemroot%%\System32\FCache.bin' - '%%environ_systemroot%%\System32\FFExtendedCommand.dll' - '%%environ_systemroot%%\System32\gpktcsp32.dll' - '%%environ_systemroot%%\System32\HPQueue.bin' - '%%environ_systemroot%%\System32\LPQueue.bin' - '%%environ_systemroot%%\System32\mdwmnsp.dll' - '%%environ_systemroot%%\System32\rpcdist.dll' - '%%environ_systemroot%%\System32\scsvrft.dll' - '%%environ_systemroot%%\System32\sdptbw.dll' - '%%environ_systemroot%%\System32\slbkbw.dll' - '%%environ_systemroot%%\System32\skypeie6plugin.dll' - 
'%%environ_systemroot%%\System32\wmspdmgr.dll' - '%%environ_systemroot%%\System32\mfcn30.dll' - '%%environ_systemroot%%\System32\siiw9x.dll' - '%%environ_systemroot%%\System32\nmwcdlog.dll' - '%%environ_systemroot%%\System32\WifiScan.dll' - '%%environ_systemroot%%\System32\awview32.dll' - '%%environ_systemroot%%\System32\awcodc32.dll' - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp' - '%%users.temp%%\~DF23BF45A473C42B56.tmp' - '%%users.temp%%\~DFA0528CD81300F372.tmp' - '%%users.temp%%\~DF8471938479DA49221.tmp' - '%%users.appdata%%\microsoft\c_27803.nls' - '%%users.appdata%%\microsoft\objframe.dll' - '%%users.appdata%%\microsoft\shmgr.dll' supported_os: [Windows] urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoWindowsRegKeys doc: Windows Careto IOCs. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}', value: 'InprocServer32'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}', value: 'InprocServer32'} supported_os: [Windows] urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] artifacts-20170808/data/legacy.yaml000066400000000000000000000131561314241367100170160ustar00rootroot00000000000000# Deprecated definitions kept for backwards compatibility with GRR # for the time being. 
# # https://github.com/google/grr/blob/master/grr/config/artifacts.py # https://github.com/google/grr/blob/master/grr/parsers/windows_registry_parser.py name: AllUsersAppDataEnvironmentVariable doc: The %ProgramData% environment variable. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}]} provides: [environ_allusersappdata] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] --- name: AllUsersProfileEnvironmentVariable doc: The %AllUsersProfile% environment variable. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- name: CurrentControlSet doc: The control set the system is currently using. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}]} provides: [current_control_set] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys'] --- name: OSXUsers doc: Users directories in /Users sources: - type: DIRECTORY attributes: {paths: ['/Users/*']} labels: [Users] supported_os: [Darwin] provides: [users.username] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Users' --- name: ProgramFiles doc: The %ProgramFiles% environment variable. 
sources: - type: PATH attributes: paths: ['\Program Files'] separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}]} provides: [environ_programfiles] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramFiles'] --- name: ProgramFilesx86 doc: The %ProgramFiles (x86)% environment variable. sources: - type: PATH attributes: paths: ['\Program Files (x86)'] separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}]} provides: [environ_programfilesx86] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramFiles'] --- name: SystemDriveEnvironmentVariable doc: | The %SystemDrive% environment variable, usually "C:". This value isn't actually present in the Registry but with some parsing we can figure it out from SystemRoot. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]} provides: [environ_systemdrive] supported_os: [Windows] urls: - 'http://environmentvariables.org/SystemDrive' - 'https://msdn.microsoft.com/en-us/library/cc231436.aspx' --- name: SystemRoot doc: The system root directory path, defined by %SystemRoot%, typically "C:\Windows". sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]} provides: [environ_systemroot] supported_os: [Windows] urls: ['http://environmentvariables.org/SystemRoot'] --- name: TempEnvironmentVariable doc: The %TEMP% environment variable. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'}]} provides: [environ_temp] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WinCodePage doc: The codepage of the system. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'}]} provides: [code_page] supported_os: [Windows] urls: ['http://en.wikipedia.org/wiki/Windows_code_page'] --- name: WinDirEnvironmentVariable doc: The %WinDir% environment variable. sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}]} provides: [environ_windir] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WinDomainName doc: The Windows domain the system is connected to. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}]} provides: [domain] supported_os: [Windows] --- name: WinPathEnvironmentVariable doc: The %PATH% environment variable. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'}]} provides: [environ_path] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WinTimeZone doc: The timezone of the system in Olson format. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]} provides: [time_zone] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys'] artifacts-20170808/data/linux.yaml000066400000000000000000000314631314241367100167120ustar00rootroot00000000000000# Linux specific artifacts. name: AnacronFiles doc: Anacron files. sources: - type: FILE attributes: paths: - '/etc/anacrontab' - '/etc/cron.daily/*' - '/etc/cron.hourly/*' - '/etc/cron.monthly/*' - '/etc/cron.weekly/*' - '/var/spool/anacron/cron.daily' - '/var/spool/anacron/cron.hourly' - '/var/spool/anacron/cron.monthly' - '/var/spool/anacron/cron.weekly' labels: [Configuration Files] supported_os: [Linux] --- name: APTSources doc: APT package sources list sources: - type: FILE attributes: paths: - '/etc/apt/sources.list' - '/etc/apt/sources.list.d/*.list' labels: [Configuration Files, System] supported_os: [Linux] urls: ['http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html'] --- name: APTTrustKeys doc: APT trusted keys sources: - type: FILE attributes: paths: - '/etc/apt/trusted.gpg' - '/etc/apt/trusted.gpg.d/*.gpg' - '/etc/apt/trustdb.gpg' - '/usr/share/keyrings/*.gpg' labels: [Configuration Files, System] supported_os: [Linux] urls: ['https://wiki.debian.org/SecureApt'] --- name: CronAtAllowDenyFiles doc: Files containing users authorised to run cron or at jobs. sources: - type: FILE attributes: paths: - '/etc/cron.allow' - '/etc/cron.deny' - '/etc/at.allow' - '/etc/at.deny' labels: [Configuration Files] supported_os: [Linux] urls: - http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html - http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html --- name: DebianPackagesLogFiles doc: Linux dpkg log files. 
sources: - type: FILE attributes: paths: - '/var/log/dpkg.log*' - '/var/log/apt/history.log*' labels: [Logs] supported_os: [Linux] --- name: DebianPackagesStatus doc: Linux dpkg status file. sources: - type: FILE attributes: {paths: ['/var/lib/dpkg/status']} labels: [Software] supported_os: [Linux] --- name: DNSResolvConfFile doc: DNS Resolver configuration file. sources: - type: FILE attributes: {paths: ['/etc/resolv.conf']} labels: [Configuration Files] supported_os: [Linux] urls: ['http://man7.org/linux/man-pages/man5/resolv.conf.5.html'] --- name: HostAccessPolicyConfiguration doc: Linux files related to host access policy configuration. sources: - type: FILE attributes: paths: - '/etc/hosts.allow' - '/etc/hosts.deny' labels: [Configuration Files] supported_os: [Linux] --- name: IPTablesRules doc: List IPTables rules. sources: - type: COMMAND attributes: args: ["-L", "-n", "-v"] cmd: /sbin/iptables labels: [System] supported_os: [Linux] --- name: KernelModules doc: Kernel modules to be loaded on boot. sources: - type: FILE attributes: paths: - '/etc/modules.conf' - '/etc/modprobe.d/*' supported_os: [Linux] --- name: LinuxAtJobs doc: Linux at jobs. sources: - type: FILE attributes: {paths: ['/var/spool/at/*']} labels: [Configuration Files] supported_os: [Linux] --- name: LinuxAuditLogs doc: Linux audit log files. sources: - type: FILE attributes: {paths: ['/var/log/audit/*']} labels: [Logs] supported_os: [Linux] --- name: LinuxAuthLogs doc: Linux auth log files. sources: - type: FILE attributes: {paths: ['/var/log/auth.log*']} labels: [Logs, Authentication] supported_os: [Linux] --- name: LinuxCronLogs doc: Linux cron log files. sources: - type: FILE attributes: {paths: ['/var/log/cron.log*']} labels: [Logs] supported_os: [Linux] --- name: LinuxCronTabs doc: Crontab files. 
sources: - type: FILE attributes: paths: - '/etc/crontab' - '/etc/cron.d/*' - '/var/spool/cron/**' labels: [Configuration Files] supported_os: [Linux] --- name: LinuxDaemonLogFiles doc: Linux daemon log files. sources: - type: FILE attributes: {paths: ['/var/log/daemon.log*']} labels: [Logs] supported_os: [Linux] --- name: LinuxDSDTTable doc: Linux file containing DSDT table. sources: - type: FILE attributes: {paths: ['/sys/firmware/acpi/tables/DSDT']} labels: [System] urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt'] supported_os: [Linux] --- name: LinuxFstab doc: Linux fstab file. sources: - type: FILE attributes: {paths: ['/etc/fstab']} labels: [System, Configuration Files] supported_os: [Linux] urls: ['http://en.wikipedia.org/wiki/Fstab'] --- name: LinuxGrubConfiguration doc: Linux grub configuration file. sources: - type: FILE attributes: paths: - '/boot/grub/grub.cfg' - '/boot/grub2/grub.cfg' labels: [System, Configuration Files] supported_os: [Linux] urls: ['https://en.wikipedia.org/wiki/GNU_GRUB'] --- name: LinuxHostnameFile doc: Linux hostname file. sources: - type: FILE attributes: {paths: ['/etc/hostname']} labels: [Configuration Files, System] supported_os: [Linux] --- name: LinuxInitrdFiles doc: Initrd (initramfs) files in /boot/ executed on startup. sources: - type: FILE attributes: paths: - '/boot/initramfs*' - '/boot/initrd*' labels: [Configuration Files, System] supported_os: [Linux] urls: - 'http://en.wikipedia.org/wiki/Initrd' - 'https://www.kernel.org/doc/Documentation/initrd.txt' --- name: LinuxKernelLogFiles doc: Linux kernel log files. sources: - type: FILE attributes: {paths: ['/var/log/kern.log*']} labels: [Logs] supported_os: [Linux] --- name: LinuxLSBInit doc: Linux LSB-style init scripts. 
sources: - type: FILE attributes: paths: - '/etc/init.d/*' - '/etc/insserv.conf' - '/etc/insserv.conf.d/**' labels: [Configuration Files, System] supported_os: [Linux] urls: ['https://wiki.debian.org/LSBInitScripts'] --- name: LinuxLocalTime doc: Local time zone configuration sources: - type: FILE attributes: {paths: ['/etc/localtime']} labels: [System] supported_os: [Linux] --- name: LinuxMessagesLogFiles doc: Linux messages log files. sources: - type: FILE attributes: {paths: ['/var/log/messages.log*']} labels: [Logs] supported_os: [Linux] --- name: LinuxMountCmd doc: Linux output of mount sources: - type: COMMAND attributes: args: [] cmd: /bin/mount labels: [System] supported_os: [Linux] --- name: LinuxMountInfo doc: Linux mount options. sources: - type: ARTIFACT_GROUP attributes: names: - LinuxFstab - LinuxProcMounts labels: [System, Configuration Files] supported_os: [Linux] --- name: LinuxPamConfigs doc: Configuration files for PAM. sources: - type: FILE attributes: paths: - '/etc/pam.conf' - '/etc/pam.d' - '/etc/pam.d/*' labels: [Authentication, Configuration Files] supported_os: [Linux] urls: ['http://www.linux-pam.org/'] --- name: LinuxPasswdFile doc: | Linux passwd file. A passwd file consists of colon-separated values in the format: username:password:uid:gid:full name:home directory:shell sources: - type: FILE attributes: {paths: ['/etc/passwd']} labels: [Configuration Files, System] supported_os: [Linux] --- name: LinuxRelease doc: | Linux specific distribution information. See: lsb_release(1) man page, or the LSB Specification under the 'Command Behaviour' section. sources: - type: FILE attributes: paths: - '/etc/enterprise-release' - '/etc/lsb-release' - '/etc/oracle-release' - '/etc/redhat-release' - '/etc/system-release' provides: [os_release, os_major_version, os_minor_version] labels: [Software] supported_os: [Linux] --- name: LinuxRsyslogConfigs doc: Linux rsyslog configurations. 
sources: - type: FILE attributes: paths: - '/etc/rsyslog.conf' - '/etc/rsyslog.d' - '/etc/rsyslog.d/*' labels: [Configuration Files, Logs] supported_os: [Linux] urls: ['http://www.rsyslog.com/doc/rsyslog_conf.html'] --- name: LinuxScheduleFiles doc: All Linux job scheduling files. sources: - type: ARTIFACT_GROUP attributes: names: - AnacronFiles - LinuxCronTabs - LinuxAtJobs labels: [Configuration Files] supported_os: [Linux] --- name: LinuxServices doc: Services running on a Linux system. sources: - type: ARTIFACT_GROUP attributes: names: - LinuxXinetd - LinuxLSBInit - LinuxSysVInit labels: [Configuration Files, System] supported_os: [Linux] --- name: LinuxSSDTTables doc: Linux files containing SSDT table. sources: - type: FILE attributes: {paths: ['/sys/firmware/acpi/tables/SSDT*']} labels: [System] urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt'] supported_os: [Linux] --- name: LinuxSysLogFiles doc: Linux syslog log files. sources: - type: FILE attributes: {paths: ['/var/log/syslog.log*']} labels: [Logs] supported_os: [Linux] --- name: LinuxSyslogNgConfigs doc: Linux syslog-ng configurations. sources: - type: FILE attributes: paths: - '/etc/syslog-ng/syslog-ng.conf' - '/etc/syslog-ng/conf-d/*.conf' labels: [Configuration Files, Logs] supported_os: [Linux] urls: ['http://linux.die.net/man/5/syslog-ng.conf'] --- name: LinuxSystemdOSRelease doc: Linux systemd /etc/os-release file sources: - type: FILE attributes: paths: - '/etc/os-release' - '/usr/lib/os-release' provides: [os_release, os_major_version, os_minor_version] labels: [Software] supported_os: [Linux] urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html'] --- name: LinuxSysVInit doc: Services started by sysv-style init scripts. 
sources: - type: FILE attributes: paths: - '/etc/rc*.d' - '/etc/rc*.d/*' - '/etc/rc.d/rc*.d/*' - '/etc/rc.d/init.d/*' labels: [Configuration Files, System] supported_os: [Linux] urls: - 'http://savannah.nongnu.org/projects/sysvinit' - 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html' --- name: LinuxTimezoneFile doc: Linux timezone file. sources: - type: FILE attributes: {paths: ['/etc/timezone']} labels: [Configuration Files, System] supported_os: [Linux] --- name: LinuxWtmp doc: Linux wtmp file. sources: - type: FILE attributes: {paths: ['/var/log/wtmp']} labels: [Logs, Authentication] provides: [users.username, users.last_logon] supported_os: [Linux] --- name: LinuxXinetd doc: Linux xinetd configurations. sources: - type: FILE attributes: paths: - '/etc/xinetd.conf' - '/etc/xinetd.d/**' labels: [Configuration Files, System] supported_os: [Linux] urls: ['http://en.wikipedia.org/wiki/Xinetd'] --- name: ListProcessesPsCommand doc: Full process listing via the 'ps' command. sources: - type: COMMAND attributes: args: ['-ef'] cmd: /bin/ps supported_os: [Linux] urls: ['https://gitlab.com/procps-ng/procps'] --- name: LoadedKernelModules doc: Linux output of lsmod. sources: - type: COMMAND attributes: args: [] cmd: /sbin/lsmod supported_os: [Linux] --- name: LoginPolicyConfiguration doc: Linux files related to login policy configuration. sources: - type: FILE attributes: paths: - '/etc/netgroup' - '/etc/nsswitch.conf' - '/etc/passwd' - '/etc/shadow' - '/etc/security/access.conf' - '/root/.k5login' labels: [Authentication, Configuration Files] supported_os: [Linux] --- name: NetgroupConfiguration doc: Linux netgroup configuration. sources: - type: FILE attributes: {paths: ['/etc/netgroup']} labels: [Authentication, Configuration Files] provides: [users.username] supported_os: [Linux] --- name: NtpConfFile doc: The configuration file for ntpd. e.g. ntp.conf. 
sources: - type: FILE attributes: {paths: ['/etc/ntp.conf']} labels: [Configuration Files] supported_os: [Linux] urls: ['https://www.freebsd.org/cgi/man.cgi?query=ntp.conf&sektion=5'] --- name: PCIDevicesInfoFiles doc: Info and config files for PCI devices located on the system. sources: - type: FILE attributes: paths: - '/sys/bus/pci/devices/*/vendor' - '/sys/bus/pci/devices/*/device' - '/sys/bus/pci/devices/*/class' - '/sys/bus/pci/devices/*/config' labels: [Configuration Files, System] urls: - 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci' - 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt' - 'https://wiki.debian.org/HowToIdentifyADevice/PCI' supported_os: [Linux] --- name: SSHHostPubKeys doc: SSH host public keys sources: - type: FILE attributes: paths: - '/etc/ssh/ssh_host_*_key.pub' labels: [Authentication, Configuration Files] supported_os: [Linux] --- name: ThumbnailCacheFolder doc: Thumbnail cache folder. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.thumbnails/**3']} labels: [Users] supported_os: [Linux] --- name: YumSources doc: Yum package sources list sources: - type: FILE attributes: paths: - '/etc/yum.conf' - '/etc/yum.repos.d/*.repo' labels: [Configuration Files, System] supported_os: [Linux] urls: ['https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Configuring_Yum_and_Yum_Repositories.html'] --- name: ZeitgeistDatabase doc: Zeitgeist user activity database. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.local/share/zeitgeist/activity.sqlite']} labels: [Users, Logs] urls: ['http://forensicswiki.org/wiki/Zeitgeist'] supported_os: [Linux] artifacts-20170808/data/linux_proc.yaml000066400000000000000000000125661314241367100177400ustar00rootroot00000000000000# Linux specific /proc artifacts. name: LinuxASLREnabled doc: Kernel ASLR state. 
sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/randomize_va_space']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxIgnoreICMPBroadcasts doc: Whether the system ignores ICMP echo requests sent to broadcast addresses. sources: - type: FILE attributes: {paths: ['/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts']} labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxKernelBootloader doc: Bootloader state acquired from the kernel. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/bootloader_type' - '/proc/sys/kernel/bootloader_version' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxKernelModuleRestrictions doc: Module loading controls. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/kexec_load_disabled' - '/proc/sys/kernel/modules_disabled' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxKernelModuleTaintStatus doc: Taint state of loaded modules (binary blobs, unsigned modules etc). sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/tainted']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxNetworkIpForwardingState doc: IP forwarding states. sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/forwarding' - '/proc/sys/net/ipv4/conf/*/mc_forwarding' - '/proc/sys/net/ipv4/ip_forward' labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxNetworkPathFilteringSettings doc: States that determine how the system responds to route manipulation. 
sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/accept_source_route' - '/proc/sys/net/ipv4/conf/*/rp_filter' - '/proc/sys/net/ipv4/conf/*/log_martians' labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxNetworkRedirectState doc: Redirect send/receive states. sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/accept_redirects' - '/proc/sys/net/ipv4/conf/*/secure_redirects' - '/proc/sys/net/ipv4/conf/*/send_redirects' labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxProcArp doc: ARP table via /proc/net/arp. sources: - type: FILE attributes: paths: - '/proc/net/arp' labels: [Network] supported_os: [Linux] --- name: LinuxProcMounts doc: Current mounted filesystems. sources: - type: FILE attributes: paths: - '/proc/mounts' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/filesystems/proc.txt'] --- name: LinuxProcSysHardeningSettings doc: Linux sysctl settings obtained from /proc/sys. sources: - type: ARTIFACT_GROUP attributes: names: - 'LinuxASLREnabled' - 'LinuxIgnoreICMPBroadcasts' - 'LinuxKernelBootloader' - 'LinuxKernelModuleTaintStatus' - 'LinuxKernelModuleRestrictions' - 'LinuxNetworkIpForwardingState' - 'LinuxNetworkPathFilteringSettings' - 'LinuxNetworkRedirectState' - 'LinuxRestrictedDmesgReadPrivileges' - 'LinuxRestrictedKernelPointerReadPrivileges' - 'LinuxSecureSuidCoreDumps' - 'LinuxSecureFsLinks' - 'LinuxSyncookieState' labels: [System] supported_os: [Linux] --- name: LinuxRestrictedDmesgReadPrivileges doc: Restrict whether non-privileged users can read dmesg. 
sources: - type: FILE attributes: paths: - '/proc/sys/kernel/dmesg_restrict' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxRestrictedKernelPointerReadPrivileges doc: Memory address obfuscation settings. sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/kptr_restrict']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxSecureFsLinks doc: Security controls to restrict operations on links in world writable directories. sources: - type: FILE attributes: paths: - '/proc/sys/fs/protected_hardlinks' - '/proc/sys/fs/protected_symlinks' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] --- name: LinuxSecureSuidCoreDumps doc: Security controls for suid core dumps. sources: - type: FILE attributes: {paths: ['/proc/sys/fs/suid_dumpable']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] --- name: LinuxSyncookieState doc: Whether the system uses syncookies. sources: - type: FILE attributes: {paths: ['/proc/sys/net/ipv4/tcp_syncookies']} labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxSysctlCmd doc: Linux output of sysctl -a. sources: - type: COMMAND attributes: args: ["-a"] cmd: /sbin/sysctl supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl'] artifacts-20170808/data/macos.yaml000066400000000000000000000641231314241367100166540ustar00rootroot00000000000000# MacOS (Darwin) specific artifacts. 
name: MacOSAppleSystemLogFiles doc: Apple system log (ASL) files sources: - type: FILE attributes: {paths: ['/var/log/asl/*']} labels: [System, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSApplications doc: Applications sources: - type: DIRECTORY attributes: {paths: ['/Applications/*']} labels: [Users, Software] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSApplicationsRecentItems doc: Recent Items application specific sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/*LSSharedFileList.plist']} labels: [Users, Software] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' --- name: MacOSApplicationSupport doc: Application Support Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Library/Application Support/*']} labels: [Users, Software] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' --- name: MacOSAtJobs doc: MacOS at jobs sources: - type: FILE attributes: {paths: ['/usr/lib/cron/jobs/*']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' 
- 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at' --- name: MacOSAuditLogFiles doc: Audit log files sources: - type: FILE attributes: {paths: ['/var/audit/*']} labels: [System, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSBashHistory doc: Terminal Commands History sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.bash_history']} labels: [Users, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- name: MacOSBluetoothPlistFile doc: Bluetooth preferences and paired device information plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.Bluetooth.plist']} labels: [System, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSCronTabs doc: Cron tabs sources: - type: FILE attributes: paths: - '/etc/crontab' - '/usr/lib/cron/tabs/*' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' 
--- name: MacOSDock doc: Dock database sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSGlobalPreferencesPlistFile doc: Global Preferences plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/.GlobalPreferences.plist']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSHostsFile doc: Hosts file sources: - type: FILE attributes: {paths: ['/etc/hosts']} labels: [System, Network] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking' --- name: MacOSiCloudPreferences doc: iCloud user preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist']} labels: [Users, Cloud, ExternalAccount] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSiDevices doc: Attached iDevices sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist']} labels: [Users, External Media] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSInstallationHistory doc: Software Installation History sources: - type: FILE attributes: {paths: ['/Library/Receipts/InstallHistory.plist']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' --- name: 
MacOSInstallationLogFile doc: Installation log file sources: - type: FILE attributes: {paths: ['/var/log/install.log']} labels: [System, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSiOSBackupInfo doc: iOS device backup information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupManifest doc: iOS device backup apps information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupMbdb doc: iOS device backup files information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mdbd']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupsMainDirectory doc: iOS device backups directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupStatus doc: iOS device backup status information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist']} labels: [Users, iOS] 
supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSKeychains doc: Keychain Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Keychains/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' --- name: MacOSKeyboardLayoutPlistFile doc: Keyboard layout plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.HIToolbox.plist']} labels: [System] supported_os: [Darwin] --- name: MacOSKextFiles doc: Kernel extension (.kext) files sources: - type: FILE attributes: paths: - '/System/Library/Extensions/*' - '/Library/Extensions/*' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension' --- name: MacOSLaunchAgentsPlistFiles doc: Launch Agents plist files sources: - type: FILE attributes: paths: - '/Library/LaunchAgents/*' - '/System/Library/LaunchAgents/*' - '%%users.homedir%%/Library/LaunchAgents/*' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- name: MacOSLaunchDaemonsPlistFiles doc: Launch Daemons plist files sources: - type: FILE attributes: paths: - '/Library/LaunchDaemons/*' - '/System/Library/LaunchDaemons/*' - '%%users.homedir%%/Library/LaunchDaemons/*' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- name: MacOSLoadedKexts doc: MacOS Loaded Kernel Extensions. 
sources: - type: COMMAND attributes: args: [] cmd: /usr/sbin/kextstat labels: [System] supported_os: [Darwin] --- name: MacOSLocalTime doc: Local time zone configuration sources: - type: FILE attributes: paths: - '/etc/localtime' - '/private/etc/localtime' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' --- name: MacOSLoginWindowPlistFile doc: Log-in Window information plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.loginwindow.plist']} labels: [System, Authentication] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSMailAccounts doc: Mail Accounts sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Accounts.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailBackupTOC doc: Mail BackupTOC sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/BackupTOC.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailboxes doc: Mail Mailbox Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/Mailboxes/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailDownloadAttachments doc: Mail Downloads Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/*']} labels: [Users, 
Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailEnvelopIndex doc: Mail Envelope Index sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Envelope Index']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailIMAP doc: Mail IMAP Synched Mailboxes sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/IMAP-*/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailMainDirectory doc: Mail Main Folder sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailOpenedAttachments doc: Mail Opened Attachments sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/OpenedAttachmentsV2.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailPOP doc: Mail POP Synched Mailboxes sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/POP-*/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailPreferences doc: Mail Preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist']} labels: [Users, 
Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailRecentContacts doc: Mail Recent Contacts sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailSignatures doc: Mail Signatures by Account sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V2/MailData/Signatures/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMiscLogs doc: Misc. Logs sources: - type: FILE attributes: {paths: ['/Library/Logs/*']} labels: [Users, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- name: MacOSMountedDMGs doc: MacOS Mounted DMG files. sources: - type: COMMAND attributes: args: ['info'] cmd: /usr/bin/hdiutil labels: [System] supported_os: [Darwin] --- name: MacOSPeriodicSystemFunctions doc: Periodic system functions scripts and configuration sources: - type: FILE attributes: paths: - '/etc/defaults/periodic.conf' - '/etc/periodic.conf' - '/etc/periodic.conf.local' - '/etc/periodic/**2' - '/usr/local/etc/periodic/**2' - '/etc/daily.local/*' - '/etc/weekly.local/*' - '/etc/monthly.local/*' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' 
- 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic' --- name: MacOSQuarantineEvents doc: Quarantine Event Database sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents' - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2' labels: [Users, Software] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSRecentItems doc: Recent Items sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' --- name: MacOSSidebarLists doc: | Sidebar Lists Preferences This plist contains the names of volumes mounted on the desktop that have appeared in the sidebar list. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist']} labels: [Users, External Media] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSSkypechatsync doc: Chat Sync Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*']} labels: [Users, Software, IM] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: MacOSSkypeDb doc: Main Skype database sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db']} labels: [Users, Software, IM] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: MacOSSkypePreferences doc: Skype Preferences and Recent Searches sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist']} labels: [Users, Software, IM] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: MacOSSkypeUserProfile doc: Skype User profile sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*']} labels: [Users, Software, IM] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: MacOSSleepimageFile doc: Sleepimage file which contains the content of memory before going to sleep sources: - type: FILE attributes: paths: - '/private/var/vm/sleepimage' - '/var/vm/sleepimage' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 
'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' --- name: MacOSStartupItemsPlistFiles doc: Startup Items plist files sources: - type: FILE attributes: paths: - '/Library/StartupItems/*' - '/System/Library/StartupItems/*' labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- name: MacOSSwapFiles doc: Swap files sources: - type: FILE attributes: {paths: ['/var/vm/swapfile#']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' --- name: MacOSSystemConfigurationPreferencesPlistFile doc: System configuration preferences plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/SystemConfiguration/preferences.plist']} labels: [System] supported_os: [Darwin] --- name: MacOSSystemInstallationTime doc: System installation time sources: - type: FILE attributes: {paths: ['/var/db/.AppleSetupDone']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' --- name: MacOSSystemLogFiles doc: System log files sources: - type: FILE attributes: {paths: ['/var/log/*']} labels: [System, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSSystemPreferencesPlistFiles doc: System Preferences plist files sources: - type: FILE attributes: {paths: ['/Library/Preferences/**']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSSystemVersionPlistFile doc: 
Operating system name and version plist file sources: - type: FILE attributes: {paths: ['/System/Library/CoreServices/SystemVersion.plist']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' --- name: MacOSUpdate doc: Software Update sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' --- name: MacOSUserApplicationLogs doc: User and Applications Logs Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Logs/*']} labels: [Users, Logs] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- name: MacOSUserDesktopDirectory doc: Desktop Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Desktop/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserDocumentsDirectory doc: Documents Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Documents/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserDownloadsDirectory doc: User downloads directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Downloads/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserGlobalPreferences doc: User Global 
Preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSUserLibraryDirectory doc: Library Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Library/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserLoginItems doc: Login Items sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations_2' --- name: MacOSUserMoviesDirectory doc: Movies Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Movies/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserMusicDirectory doc: Music Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Music/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserPasswordHashesPlistFiles doc: User password hashes plist files sources: - type: FILE attributes: paths: - '/var/db/dslocal/nodes/Default/users/*.plist' - '/private/var/db/dslocal/nodes/Default/users/*.plist' labels: [System, Users, Authentication] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' 
--- name: MacOSUserPicturesDirectory doc: Pictures Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Pictures/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserPreferences doc: User preferences directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSUserPublicDirectory doc: Public Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Public/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUsers doc: Users directories in /Users sources: - type: DIRECTORY attributes: {paths: ['/Users/*']} labels: [Users] supported_os: [Darwin] provides: [users.username] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Users' --- name: MacOSUserSocialAccounts doc: User's Social Accounts sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Accounts/Accounts3.sqlite']} labels: [Users, ExternalAccount] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts' --- name: MacOSTimeMachinePlistFile doc: Time Machine information plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.TimeMachine.plist']} labels: [System] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSUserTrash doc: User Trash 
Folder sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.Trash/*']} labels: [Users] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Misc.' --- name: MacOSWirelessNetworks doc: Remembered Wireless Networks sources: - type: FILE attributes: {paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist']} labels: [System, Network] supported_os: [Darwin] urls: - 'http://forensicswiki.org/wiki/Mac_OS_X' - 'http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location#Networking' artifacts-20170808/data/ntfs.yaml000066400000000000000000000007161314241367100165220ustar00rootroot00000000000000# NTFS specific artifacts. name: NTFSMFTFiles doc: | The NTFS $MFT and $MFTMirr file system metadata files. GRR collection note: you currently need to specify 'use tsk' and 'ignore download size limits' for this artifact to work. This will go away in the future. sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\$MFT' - '%%environ_systemdrive%%\$MFTMirr' separator: '\' labels: [System] supported_os: [Windows] artifacts-20170808/data/unix_common.yaml000066400000000000000000000074611314241367100201070ustar00rootroot00000000000000# Artifacts common to Unix based OSs name: AllShellConfigs doc: Common shell configuration files containing global, users & root settings. sources: - type: ARTIFACT_GROUP attributes: names: - GlobalShellConfigs - UsersShellConfigs - RootUserShellConfigs labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: AllUsersShellHistory doc: Common shell history files for root and users. sources: - type: ARTIFACT_GROUP attributes: names: - UsersShellHistory - RootUserShellHistory labels: [History Files] supported_os: [Linux, Darwin] --- name: GlobalShellConfigs doc: Unix global shell configuration files. 
sources: - type: FILE attributes: paths: - '/etc/bashrc' - '/etc/bash.bashrc' - '/etc/kshrc' - '/etc/csh.cshrc' - '/etc/csh.login' - '/etc/csh.logout' - '/etc/profile' - '/etc/zsh/zlogin' - '/etc/zsh/zlogout' - '/etc/zsh/zprofile' - '/etc/zsh/zshenv' - '/etc/zsh/zshrc' - '/etc/zshenv' - '/etc/zshrc' labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: RootUserShellConfigs doc: Common unix root shell configuration files. sources: - type: FILE attributes: paths: - '/root/.bashrc' - '/root/.bash_profile' - '/root/.bash_logout' - '/root/.cshrc' - '/root/.ksh' - '/root/.logout' - '/root/.profile' - '/root/.tcsh' - '/root/.zlogin' - '/root/.zlogout' - '/root/.zprofile' labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: RootUserShellHistory doc: Common unix root shell history files. sources: - type: FILE attributes: paths: - '/root/.bash_history' - '/root/.sh_history' - '/root/.zhistory' - '/root/.zsh_history' labels: [History Files] supported_os: [Linux, Darwin] --- name: UnixGroups doc: Unix groups file. sources: - type: FILE attributes: {paths: ['/etc/group']} labels: [Authentication] supported_os: [Linux, Darwin] --- name: UnixHostsFile doc: Unix hosts file sources: - type: FILE attributes: {paths: ['/etc/hosts']} labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: UnixPasswd doc: Unix /etc/passwd file. sources: - type: FILE attributes: {paths: ['/etc/passwd']} labels: [Authentication] supported_os: [Linux, Darwin] --- name: UnixShadowFile doc: Unix /etc/shadow file. sources: - type: FILE attributes: {paths: ['/etc/shadow']} labels: [Authentication] supported_os: [Linux, Darwin] --- name: UnixSudoersConfiguration doc: Unix sudoers configuration. sources: - type: FILE attributes: {paths: ['/etc/sudoers']} labels: [Authentication, Configuration Files] supported_os: [Linux, Darwin] --- name: UnixUsersGroups doc: Unix users and groups files. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'UnixPasswd' - 'UnixShadowFile' - 'UnixGroups' labels: [Authentication] supported_os: [Linux, Darwin] --- name: UsersShellConfigs doc: Common unix user shell configuration files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.bashrc' - '%%users.homedir%%/.bash_profile' - '%%users.homedir%%/.bash_logout' - '%%users.homedir%%/.cshrc' - '%%users.homedir%%/.ksh' - '%%users.homedir%%/.logout' - '%%users.homedir%%/.profile' - '%%users.homedir%%/.tcsh' - '%%users.homedir%%/.zlogin' - '%%users.homedir%%/.zlogout' - '%%users.homedir%%/.zprofile' labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: UsersShellHistory doc: Common unix user shell history files. sources: - type: FILE attributes: paths: - '/%%users.homedir%%/.bash_history' - '/%%users.homedir%%/.sh_history' - '/%%users.homedir%%/.zhistory' - '/%%users.homedir%%/.zsh_history' labels: [History Files] supported_os: [Linux, Darwin] artifacts-20170808/data/webbrowser.yaml000066400000000000000000000516121314241367100177320ustar00rootroot00000000000000# Web browser artifacts. name: BrowserCache doc: Web browser cache of multiple web browsers. sources: - type: ARTIFACT_GROUP attributes: names: - 'ChromeCache' - 'FirefoxCache' - 'InternetExplorerCache' - 'SafariCache' labels: [Browser] supported_os: [Darwin,Linux,Windows] --- name: BrowserHistory doc: Web browser history of multiple web browsers. sources: - type: ARTIFACT_GROUP attributes: names: - 'ChromeHistory' - 'FirefoxHistory' - 'InternetExplorerHistory' - 'OperaHistory' - 'SafariHistory' labels: [Browser] supported_os: [Darwin,Linux,Windows] --- name: ChromeCache doc: | Google Chrome, Canary and Chromium browser caches. Canary uses "Chrome SxS" on windows. 
* Disk cache (or Cache) * Media cache * Application cache * GPU shader cache * PNaCl translation cache sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\GPUCache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\GPUCache\*' - '%%users.localappdata%%\Chromium\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Media Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\GPUCache\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*' - '%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*' - '%%users.homedir%%/Caches/Chromium/*/Cache/*' - 
'%%users.homedir%%/Library/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chromium/*/Application Cache/*' - '%%users.homedir%%/.config/chromium/*/Cache/*' - '%%users.homedir%%/.config/chromium/*/Media Cache/*' - '%%users.homedir%%/.config/chromium/*/GPUCache/*' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Google_Chrome'] --- name: ChromeHistory doc: Chrome browser history. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History' - '%%users.localappdata%%\Google\Chrome\User Data\*\History' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History' - '%%users.localappdata%%\Chromium\User Data\*\Archived History' - '%%users.localappdata%%\Chromium\User Data\*\History' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History' - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History' - '%%users.homedir%%/Library/Application Support/Chromium/*/History' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Archived History' - '%%users.homedir%%/.config/google-chrome/*/History' - '%%users.homedir%%/.config/chromium/*/Archived History' - '%%users.homedir%%/.config/chromium/*/History' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Google_Chrome'] --- name: ChromeExtensionActivity doc: Chrome Extension Activity database. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity' - '%%users.localappdata%%\Chromium\User Data\*\Extension Activity' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Extension Activity' - '%%users.homedir%%/.config/chromium/*/Extension Activity' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://forensicswiki.org/wiki/Google_Chrome#Extension_Activity_database'] --- name: ChromeExtensions doc: Chrome browser extension files. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Extensions\**10' - '%%users.localappdata%%\Chromium\User Data\*\Extensions\**10' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extensions\**10' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Extensions/**10' - '%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10' - '%%users.homedir%%/.config/chromium/*/Extensions/**10' supported_os: [Linux] supported_os: [Windows, Darwin, Linux] labels: [Browser] urls: ['http://forensicswiki.org/wiki/Google_Chrome#Extensions'] --- name: ChromeExtensionRegistryKeys doc: Chrome extensions 
installed by writing windows registry keys. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5' labels: [Browser] supported_os: [Windows] urls: ['https://developer.chrome.com/extensions/external_extensions#registry'] --- name: ChromePreferences doc: Chrome Preferences file. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences' - '%%users.localappdata%%\Chromium\User Data\*\Preferences' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences' - '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Preferences' - '%%users.homedir%%/.config/chromium/*/Preferences' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://forensicswiki.org/wiki/Google_Chrome#Configuration'] --- name: FirefoxCache doc: Mozilla Firefox browser caches. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\Cache\*' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\*' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\doomed\*' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\entries\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/Cache/*' - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/cache2/*' - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/cache2/doomed/*' - '%%users.homedir%%/.cache/.mozilla/firefox/*.default/cache2/entries/*' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://forensicswiki.org/wiki/Mozilla_Firefox'] --- name: FirefoxHistory doc: Firefox browser history (places.sqlite). 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' separator: '\' supported_os: [Windows] - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite']} supported_os: [Darwin] - type: FILE attributes: {paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite']} supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Mozilla_Firefox'] --- name: InternetExplorerBrowserHelperObjects doc: Loaded on Internet Explorer startup sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' - 'https://code.google.com/p/regripper/wiki/ASEPs' --- name: InternetExplorerCache doc: | Microsoft Internet Explorer (MSIE) browser cache. * MSIE 4 - 9 Temporary Internet files. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*' separator: '\' labels: [Browser] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer'] --- name: InternetExplorerCookies doc: | Microsoft Internet Explorer (MSIE) browser cookies. 
* MSIE 4 - 9 Cache files (index.dat) sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat' - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat' separator: '\' labels: [Browser] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer'] --- name: InternetExplorerHistory doc: | Microsoft Internet Explorer (MSIE) browser history. * MSIE 4 - 9 Cache files (index.dat); * MSIE 10 WebCacheV*.dat files. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat' - '%%users.userprofile%%\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat' - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat' - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat' separator: '\' labels: [Browser] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer'] --- name: InternetExplorerProtectedModeElevationPolicies doc: | Trust levels of apps launched from low rights IE sessions. The ElevationPolicy dictates how IE handles applications that want to execute in other applications that reside outside of the Low Rights IE session. * AppName is the executable * AppPath is the directory * CLSID is used if it launches a COM server through CoCreateInstance * Policy (DWORD) is the trust level, of 0 through 3. * 3 Protected Mode silently launches the broker as a medium integrity process. * 2 Protected Mode prompts the user for permission to launch the process. 
If permission is granted, the process is launched as a medium integrity process. * 1 Protected Mode silently launches the broker as a low integrity process. * 0 Protected Mode prevents the process from launching. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} labels: [Browser] supported_os: [Windows] urls: - 'http://blogs.technet.com/b/juanand/archive/2010/10/29/internet-explorer-protected-mode-elevation-policy-and-administrative-templates.aspx' - 'https://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx' --- name: InternetExplorerProtectedModeDisable doc: | Microsoft Internet Explorer (MSIE) Protected Mode Banner can be suppressed by setting NoProtectedModeBanner. 
* Applies to versions 7-11 sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner']} labels: [Browser] supported_os: [Windows] urls: ['http://www.blackforce.co.uk/2014/01/07/disable-protected-mode-is-turned-off-for-the-internet-zone-group-policy'] --- name: InternetExplorer6Settings doc: Registry keys affecting default behavior for Microsoft Internet Explorer 6. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'} 
- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} labels: [Browser] supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/895339' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: InternetExplorerTypedURLsKeys doc: Microsoft Internet Explorer TypedUrls keys. sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*']} labels: [Browser] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Internet_Explorer#Typed_URLs'] --- name: OperaHistory doc: Opera browser history (global_history.dat). sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Opera//global_history.dat']} supported_os: [Darwin] - type: FILE attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']} supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Opera\Opera\global_history.dat' - '%%users.appdata%%\Opera Software\Opera Stable\History' separator: '\' supported_os: [Windows] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Opera'] --- name: SafariCache doc: Safari browser cache (cache.db). 
sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Apple Computer\Safari\cache.db'] separator: '\' supported_os: [Windows] - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/cache.db']} supported_os: [Darwin] supported_os: [Windows, Darwin] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Apple_Safari'] --- name: SafariHistory doc: Safari browser history (History.plist). sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Apple Computer\Safari\History.plist' - '%%users.appdata%%\Apple Computer\Safari\History.plist' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/History.plist' - '%%users.homedir%%/Library/Safari/History.db' - '%%users.homedir%%/Library/Safari/History.db-wal' supported_os: [Darwin] supported_os: [Windows, Darwin] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Apple_Safari'] artifacts-20170808/data/windows.yaml000066400000000000000000002706471314241367100172560ustar00rootroot00000000000000# Windows specific artifacts. name: WindowsActiveDesktop doc: Windows Active Desktop executable paths, used for persistence. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' conditions: [os_major_version < 6] supported_os: [Windows] urls: - 'https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-GWV/detailed-analysis.aspx' - 'https://support.microsoft.com/en-us/kb/929200' - 'https://en.wikipedia.org/wiki/Active_Desktop' --- name: WindowsAlternateShell doc: Alternate Shell to be run via Userinit. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'} supported_os: [Windows] urls: - 'https://www.microsoftpressstore.com/articles/article.aspx' - 'https://technet.microsoft.com/en-us/library/cc976124.aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsAMCacheHveFile doc: The AMCache.hve Windows NT Registry file. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\AppCompat\Programs\Amcache.hve'] separator: '\' conditions: [os_major_version >= 6 AND os_minor_version >= 1] supported_os: [Windows] urls: ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html'] --- name: WindowsAppCertDLLs doc: Windows AppCertDLLs persistence. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs'] supported_os: [Windows] urls: ['http://blogs.technet.com/b/mmpc/archive/2011/03/19/how-to-defang-the-fake-defragmenter.aspx'] --- name: WindowsAppCompatCache doc: Windows Application Compatibility Cache sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc'] --- name: WindowsAppInitDLLs doc: | Windows Application Initial (AppInit) DLLs persistence. AppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx' - 'https://support.microsoft.com/en-us/kb/197571' --- name: WindowsApplicationRegistration doc: Windows Application Registration (AppPath) Registry keys. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\*' supported_os: [Windows] urls: - 'https://github.com/keydet89/RegRipper2.8/blob/master/plugins/apppaths.pl' - 'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx' --- name: WinAppXRT doc: WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\system32\WinAppXRT.dll' - '%%environ_systemroot%%\WinAppXRT.dll' - '%%environ_systemroot%%\System32\Wbem\WinAppXRT.dll' - '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll' supported_os: [Windows] conditions: [os_major_version >= 6 AND os_minor_version >= 2] urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/'] --- name: WindowsAutoexecBat doc: Windows autoexec.bat file sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\autoexec.bat' - '%%environ_windir%%\autoexec.nt' separator: '\' supported_os: [Windows] --- name: WindowsAutomaticDebugging doc: Windows automatic debugging (Aedebug) sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsAutomaticDebuggingExclusionList doc: Windows automatic debugging (Aedebug) exclusion list sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AutoExclusionList\*'] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx'] --- name: WindowsAutorun doc: Windows autorun.inf file. sources: - type: FILE attributes: paths: ['%%environ_systemdrive%%\autorun.inf'] separator: '\' supported_os: [Windows] --- name: WindowsAvailableTimeZones doc: Time zones available on a Windows system. 
sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*\*']} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys'] --- name: WindowsBITSQueueManagerDatabases doc: Databases that contain the Windows BITS jobs definition and state. sources: - type: FILE attributes: paths: - '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat' supported_os: [Windows] urls: ['http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf'] --- name: WindowsBootVerificationProgram doc: Path to custom startup verification program. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsCodePage doc: The code page of the system. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'} provides: [code_page] supported_os: [Windows] urls: ['http://en.wikipedia.org/wiki/Windows_code_page'] --- name: WindowsComputerName doc: The name of the system. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'} provides: [hostname] supported_os: [Windows] --- name: WindowsCommandProcessorAutoRun doc: Commands that are run each time the Command Processor (Cmd.exe) is started. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://blogs.msdn.com/b/oldnewthing/archive/2007/11/21/6447771.aspx' - 'https://technet.microsoft.com/en-us/library/cc756720(v=ws.10).aspx' --- name: WindowsCOMInprocHandlers doc: Windows COM in-process handlers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms691354(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms693485(v=vs.85).aspx' --- name: WindowsCOMInprocServers doc: Windows COM in-process servers sources: - type: REGISTRY_VALUE attributes: 
key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682390(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694328(v=vs.85).aspx' --- name: WindowsCOMLocalServers doc: Windows COM local servers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 
'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx' --- name: WindowsCOMRegisteredTypeLibraries doc: Windows COM registered type libraries sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\*\*\*\*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key'] --- name: WindowsConfigSys doc: Windows config.sys file sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\config.sys' - '%%environ_windir%%\config.nt' separator: '\' supported_os: [Windows] --- name: WindowsControlPanelFilePaths doc: DLLs listed here will be run when the user opens the Windows Control Panel. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms683844(v=vs.85).aspx' --- name: WindowsCredentialProviderFilters doc: Windows Credential Provider Filters sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' supported_os: [Windows] urls: ['http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/'] --- name: WindowsCredentialProviders doc: CLSIDs of applications to use as Credential Providers sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://blogs.technet.com/b/ad/archive/2009/05/26/thoughts-on-single-sign-on-and-credential-providers.aspx' - 'http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/' - 'https://www.sophos.com/en-us/support/knowledgebase/114190.aspx' --- name: 
WindowsCommonFilePlacementAttacks doc: Common files associated with search order hijacking and other file placement attacks. sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Internet Explorer\sxs.dll' - '%%environ_programfilesx86%%\Internet Explorer\sxs.dll' - '%%environ_systemdrive%%\explorer.exe' - '%%environ_systemdrive%%\program.exe' - '%%environ_systemroot%%\linkinfo.dll' - '%%environ_systemroot%%\ntshrui.dll' - '%%environ_systemroot%%\System32\oci.dll' - '%%environ_systemroot%%\System32\sysprep\cryptbase.dll' - '%%environ_systemroot%%\SysWOW64\oci.dll' - '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll' separator: '\' supported_os: [Windows] urls: - 'http://web.cs.ucdavis.edu/~su/publications/issta10-loading.pdf' - 'https://www.mandiant.com/blog/fxsst/' --- name: WindowsCurrentVersion doc: The Windows current version. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] --- name: WindowsDebugger doc: Image File Execution Options (IFEO) Debugger values. When set for an executable name, Windows starts the listed program in place of the original binary, which is abused for persistence and for disabling security tools. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/a329t4ed%28VS.71%29.aspx'] --- name: WindowsDomainName doc: The domain the system is connected to. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'} provides: [domain] supported_os: [Windows] --- name: WindowsEnvironmentUserLoginScripts doc: User login scripts configured via Windows environment variables. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'} - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'} - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserMprLogonScript'} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/' - 'https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon' --- name: WindowsEnvironmentVariableAllUsersAppData doc: The %ProgramData% environment variable. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} provides: [environ_allusersappdata] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] --- name: WindowsEnvironmentVariableAllUsersProfile doc: The %AllUsersProfile% environment variable. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- name: WindowsEnvironmentVariableAppxProcess doc: | The %APPX_PROCESS% environment variable. If this variable is set, .NET applications will attempt to load WinAppXRT.dll from PATH, which is a potential persistence mechanism. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'} supported_os: [Windows] conditions: [os_major_version >= 6 AND os_minor_version >= 2] urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/'] --- name: WindowsEnvironmentVariablePath doc: The %PATH% environment variable. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'} provides: [environ_path] supported_os: [Windows] urls: ['http://environmentvariables.org/Path'] --- name: WindowsEnvironmentVariableProgramFiles doc: The %ProgramFiles% environment variable. sources: - type: PATH attributes: paths: ['\Program Files'] separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'} provides: [environ_programfiles] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramFiles'] --- name: WindowsEnvironmentVariableProgramFilesX86 doc: The %ProgramFiles(x86)% environment variable. sources: - type: PATH attributes: paths: ['\Program Files (x86)'] separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'} provides: [environ_programfilesx86] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramFiles'] --- name: WindowsEnvironmentVariableSystemDrive doc: | The %SystemDrive% environment variable, usually "C:". This value isn't actually present in the Registry but with some parsing we can figure it out from SystemRoot. 
sources: - type: ARTIFACT_GROUP attributes: {names: ['WindowsEnvironmentVariableSystemRoot']} provides: [environ_systemdrive] supported_os: [Windows] urls: - 'http://environmentvariables.org/SystemDrive' - 'https://msdn.microsoft.com/en-us/library/cc231436.aspx' --- name: WindowsEnvironmentVariableSystemRoot doc: The system root directory path, defined by %SystemRoot%, typically "C:\Windows". sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'} provides: [environ_systemroot] supported_os: [Windows] urls: ['http://environmentvariables.org/SystemRoot'] --- name: WindowsEnvironmentVariableTemp doc: The %TEMP% environment variable. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'} provides: [environ_temp] supported_os: [Windows] urls: ['http://environmentvariables.org/Temp'] --- name: WindowsEnvironmentVariableWinDir doc: The %WinDir% environment variable. sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'} provides: [environ_windir] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WindowsEventLogs doc: Windows Event logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsEventLogApplication' - 'WindowsEventLogSecurity' - 'WindowsEventLogSystem' - 'WindowsXMLEventLogApplication' - 'WindowsXMLEventLogSecurity' - 'WindowsXMLEventLogSystem' labels: [Logs] supported_os: [Windows] --- name: WindowsEventLogApplication doc: Application Windows Event Log. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\config\AppEvent.evt'] separator: '\' conditions: [os_major_version < 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)'] --- name: WindowsEventLogSecurity doc: Security Windows Event Log (legacy EVT format, pre-Vista). sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\config\SecEvent.evt'] separator: '\' conditions: [os_major_version < 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)'] --- name: WindowsEventLogSystem doc: System Windows Event Log (legacy EVT format, pre-Vista). sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\config\SysEvent.evt'] separator: '\' conditions: [os_major_version < 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)'] --- name: WindowsXMLEventLogApplication doc: Application Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Application.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: WindowsXMLEventLogSecurity doc: Security Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: WindowsXMLEventLogSystem doc: System Windows XML Event Log. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: WindowsXMLEventLogTerminalServices doc: TerminalServices Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: WindowsExcludeFromKnownDLLs doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'ExcludeFromKnownDLLs'}] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx'] --- name: WindowsExplorerAppKey doc: Handlers for special keys on some keyboards (file path or CLSID). sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'} supported_os: [Windows] urls: - 'http://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/assigning-the-special-keys-at-the-top-of-the/d1ab2e13-5297-457d-a8e8-bc2c883d8b58?db=5' - 'http://h30434.www3.hp.com/t5/Notebook-Hardware/How-do-I-customize-the-Action-Keys/td-p/379207' --- name: WindowsExplorerAutoplayHandlers doc: Handlers for autoplay events in Windows Explorer. 
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa468474.aspx' --- name: WindowsExplorerContextMenuHandlers doc: Handlers for subcommands on context menu sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'} - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'} - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'} - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/cc144171(v=vs.85).aspx' - 'http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commandstore-shell-windows-closewindow' - 'http://www.checkfilename.com/view-details/Windows-7-Ultimate/RespageIndex/4/sTab/2/' --- name: WindowsExplorerNamespaceCommonPlaces doc: CLSIDs listed here are used to populate the Common Places items. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/commonplacesfolder.htm' - 'http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commonplaces' --- name: WindowsExplorerNamespaceControlPanel doc: CLSIDs listed here are used to populate the Control Panel items. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm' --- name: WindowsExplorerNamespaceDesktop doc: CLSIDs listed here are used to populate the Desktop items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'https://social.technet.microsoft.com/Forums/windowsserver/en-US/2760309c-89d1-414c-a04c-ce4178e90787/hide-libraries-icon-from-desktop' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm' - 'http://www.geoffchappell.com/notes/windows/shell/controlpanel/desktopicons.htm' - 'https://support.microsoft.com/en-us/kb/321777' --- name: WindowsExplorerNamespaceMyComputer doc: CLSIDs listed here are used to populate the MyComputer items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/mycomputer.htm' - 'http://www.howtogeek.com/168081/how-to-remove-the-folders-from-my-computer-in-windows-8.1/' - 'http://answers.microsoft.com/en-us/windows/forum/windows8_1-files/how-to-remove-these-folders-from-windows-81/777c4ba3-7853-453e-bfa0-9a0f4245b9e1?db=5' --- name: WindowsExplorerNamespaceNetworkNeighborhood doc: CLSIDs listed here are used to populate the Network Neighborhood items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 
'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm' - 'http://www.lavasoft.com/mylavasoft/rogues/secretservice' - 'http://www.wikihow.com/Manually-Remove-Macatte-Malware' --- name: WindowsExplorerNamespacePrintersAndFaxes doc: CLSIDs listed here are used to populate the Printer and Fax items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 
'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/printers.htm' --- name: WindowsFileTypeAutorunAssociations doc: | Registry value for what application class identifier (CLSID) to launch for a file extension. Extension subkeys start with a dot. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Classes\.*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\.*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx'] --- name: WindowsGroupPolicyScripts doc: Windows group policy scripts sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\GroupPolicy\User\Scripts\scripts.ini' separator: '\' supported_os: [Windows] --- name: WindowsHostsFiles doc: The Windows hosts and lmhosts file. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts' - '%%environ_systemroot%%\System32\Drivers\etc\hosts' separator: '\' supported_os: [Windows] --- name: WindowsHotkeyReplacement doc: Hotkey executable replacement. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\magnifier.exe' - '%%environ_systemroot%%\System32\sethc.exe' - '%%environ_systemroot%%\System32\utilman.exe' separator: '\' supported_os: [Windows] --- name: WindowsInstallationDateTime doc: Windows installation date and time sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'} supported_os: [Windows] --- name: WindowsLogoffScript doc: Windows policy logoff script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsLogonScript doc: Windows policy logon script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsLSAAuthenticationPackages doc: Authentication Packages can be injected into LSASS. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc963218.aspx' --- name: WindowsLSANotificationPackages doc: Notification Packages can be injected into LSASS. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc963221.aspx' --- name: WindowsLSASecurityPackages doc: Security Packages can be injected into LSASS. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa379392(v=vs.85).aspx' - 'https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf' --- name: WindowsMetroApplicationCache doc: Windows Metro application cache. sources: - type: FILE attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCache']} supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMetroApplicationCookies doc: Windows Metro application cookies. sources: - type: FILE attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCookies']} supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMetroApplicationHistory doc: Windows Metro application history. sources: - type: FILE attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetHistory']} supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMetroUserPinnedFavoriteTiles doc: Windows Metro user-pinned favorite tiles. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%\AppData\Local\Microsoft\Windows\RoamingTiles']} supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMostRecentApplication doc: Windows Most Recent Application name key sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'} supported_os: [Windows] urls: - 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_ransom.smc7' - 'https://www.symantec.com/security_response/writeup.jsp?docid=2014-092314-3644-99&tabid=2' --- name: WindowsMSDTCDLLs doc: Windows MSDTC attempts to load these DLLs on start sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*' supported_os: [Windows] urls: ['https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/'] --- name: WindowsMultiMediaDrivers doc: Configured drivers for different multimedia filetypes. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://support.microsoft.com/en-us/kb/126054' --- name: WindowsNetworkShellHelpers doc: Windows Network Shell (netsh) helpers are loaded on boot sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh' supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/242468'] --- name: WindowsOpenSaveMRU doc: Information about files opened or saved in a Windows shell dialog. 
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\*'] conditions: [os_major_version < 6] supported_os: [Windows] urls: - 'http://www.forensicswiki.org/wiki/OpenSaveMRU' - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru' --- name: WindowsOpenSavePidlMRU doc: Information about files opened or saved in a Windows shell dialog. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\*'] conditions: [os_major_version >= 6] supported_os: [Windows] urls: - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru' - 'http://www.forensicswiki.org/wiki/OpenSavePidlMRU' --- name: WindowsPendingFileRenames doc: Windows Pending file renames on reboot sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc960241.aspx'] --- name: WindowsPersistenceMechanisms doc: Persistence mechanisms in Windows. sources: - type: ARTIFACT_GROUP attributes: names: - WindowsPersistenceRegistryKeys - WindowsPowerShellDefaultProfiles - WindowsServices returned_types: [PersistenceFile] labels: [Software] supported_os: [Windows] --- name: WindowsPersistenceRegistryKeys doc: Windows Registry keys used for persistence. 
sources: - type: ARTIFACT_GROUP attributes: names: - InternetExplorerBrowserHelperObjects - WindowsActiveDesktop - WindowsAlternateShell - WindowsAppCertDLLs - WindowsAppInitDLLs - WindowsBootVerificationProgram - WindowsCommandProcessorAutoRun - WindowsCredentialProviderFilters - WindowsCredentialProviders - WindowsDebugger - WindowsEnvironmentUserLoginScripts - WindowsExplorerAutoplayHandlers - WindowsFileTypeAutorunAssociations - WindowsLSAAuthenticationPackages - WindowsLSANotificationPackages - WindowsLSASecurityPackages - WindowsMSDTCDLLs - WindowsMultiMediaDrivers - WindowsNetworkShellHelpers - WindowsPLAPProviders - WindowsPrintMonitors - WindowsRunGrpConv - WindowsRunKeys - WindowsRunServices - WindowsScreenSaverExecutable - WindowsSecurityProviders - WindowsServiceControlManagerExtension - WindowsSessionManagerBootExecute - WindowsSessionManagerExecute - WindowsSessionManagerSetupExecute - WindowsSessionManagerSubSystems - WindowsSessionManagerWOWCommandLine - WindowsSharedTaskScheduler - WindowsShellExecuteHooks - WindowsShellExtensions - WindowsShellIconOverlayIdentifiers - WindowsShellLoadAndRun - WindowsShellOpenCommand - WindowsShellServiceObjects - WindowsStubPaths - WindowsSystemPolicyShell - WindowsTerminalServerRunKeys - WindowsTerminalServerStartupPrograms - WindowsToolPaths - WindowsWinlogonGinaDLL - WindowsWinlogonNotify - WindowsWinlogonShell - WindowsWinlogonSystem - WindowsWinlogonTaskman - WindowsWinlogonUiHost - WindowsWinlogonUserinit - WindowsWinlogonVMApplet - WinSock2LayeredServiceProviders - WinSock2NamespaceProviders labels: [Software] supported_os: [Windows] --- name: WindowsPLAPProviders doc: Windows Pre-Logon Access Provider (PLAP) Providers sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' supported_os: [Windows] urls: 
['https://msdn.microsoft.com/en-us/library/windows/desktop/bb530584(v=vs.85).aspx'] --- name: WindowsPolicyDisallowRun doc: Restrict users from running specific applications, typically used by malware to block AV. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*'] labels: [Software] supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/323525'] --- name: WindowsPowerShellDefaultProfiles doc: Default PowerShell Profile files. These files are executed by default when PowerShell starts up. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1' - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' - '%%users.homedir%%\Documents\WindowsPowerShell\profile.ps1' - '%%users.homedir%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010' - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' --- name: WindowsPowerShellEnableScripts doc: Registry keys that control whether PowerShell scripts can execute directly. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/library/hh847748.aspx' - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' --- name: WindowsPowerShellExecutionPolicies doc: PowerShell Script Execution Policies for all users, and the system. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/library/hh847748.aspx' - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' --- name: WindowsPrefetchFiles doc: Windows Prefetch files. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\Prefetch\*.pf'] separator: '\' labels: [System] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Prefetch'] --- name: WindowsPrintMonitors doc: Windows Print Monitor DLL config. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\*', value: 'Driver'}] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://support.microsoft.com/en-us/kb/102966' --- name: WindowsProductName doc: The Windows product name sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ProductName'}]} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/System%20keys.asciidoc'] --- name: WindowsProgramsCache doc: Windows Programs Cache sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc'] --- name: WindowsRecentFileCacheBCF doc: The RecentFileCache.bcf file. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\AppCompat\Programs\RecentFileCache.bcf'] separator: '\' conditions: [os_major_version >= 6 AND os_minor_version >= 1] supported_os: [Windows] urls: ['https://github.com/libyal/assorted/blob/master/documentation/RecentFileCache.bcf%20format.asciidoc'] --- name: WindowsRecycleBin doc: Windows Recycle Bin (Recycler, $Recycle.Bin) files. sources: - type: FILE attributes: paths: - '\$Recycle.Bin\**' - '\Recycler\**' separator: '\' labels: [Users] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows#Recycle_Bin'] --- name: WindowsRegistryCurrentControlSet doc: The current control set of the Windows Registry. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]} provides: [current_control_set] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/System-keys'] --- name: WindowsRegistryProfiles doc: | Get SIDs for all users on the system with profiles present in the Registry. This looks in the Windows Registry where the profiles are stored and retrieves the paths for each profile. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath'}]} labels: [Users] provides: [users.sid, users.userprofile, users.homedir, users.username] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'] --- name: WindowsRoverAutostartDLL doc: | Windows Rover autostart DLL. The DLL loaded via the Windows Rover autostart mechanism. If this file exists, and the Rover autostart Registry key is set, userinit.exe will load this file and call its RunMonitor export. 
sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\rover.dll']} supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/'] --- name: WindowsRoverAutostartKey doc: | Windows Rover autostart Registry key. When set userinit.exe will load the DLL at %SystemRoot%\System32\rover.dll and call its RunMonitor export. sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}']} supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/'] --- name: WindowsRunGrpConv doc: | The Windows RunGrpConv Registry value. When this Registry value is non-zero userinit.exe will launch grpconv.exe at user login. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv'}]} supported_os: [Windows] conditions: [os_major_version <= 5] urls: - 'http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/' - 'http://www.exploit-id.com/local-exploits/windows-xp-sp2-grpconv-exe' --- name: WindowsRunKeys doc: | Windows Run and RunOnce keys. Note users.sid will currently only expand to SIDs with profiles on the system, not all SIDs. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' labels: [Software] supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376977%28v=vs.85%29.aspx' - 'https://support.microsoft.com/en-us/kb/137367' - 
'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/magazine/ee851671.aspx' --- name: WindowsRunServices doc: Windows Run Services. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/179365'] --- name: WindowsScheduledTasks doc: Windows Scheduled Tasks. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\Tasks\**10' - '%%environ_systemroot%%\System32\Tasks\**10' - '%%environ_systemroot%%\SysWow64\Tasks\**10' separator: '\' supported_os: [Windows] urls: ['http://forensicswiki.org/wiki/Windows#Scheduled_Tasks'] --- name: WindowsScreenSaverExecutable doc: ScreenSaver Executable sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'} - {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc737855(v=ws.10).aspx' - 'https://technet.microsoft.com/en-us/library/cc957840.aspx' --- name: WindowsSearchDatabase doc: Windows Search database (Windows.edb). 
sources: - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb'] separator: '\' labels: [Software] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_Desktop_Search'] --- name: WindowsSecurityProviders doc: Security Providers DLLs sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://github.com/wmark/security-configuration/blob/master/Windows/disable-weak-ciphers-and-enable-TLS1.x.reg' --- name: WindowsServiceControlManagerExtension doc: Windows service control manager extension sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control', value: 'ServiceControlManagerExtension'}] labels: [Software] supported_os: [Windows] urls: - 'http://forum.sysinternals.com/autoruns-and-windows-7_topic19770.html' - 'https://support.microsoft.com/en-us/kb/102985' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.silentrunners.org/Silent%20Runners.vbs' --- name: WindowsServices doc: Windows services from the Registry. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\*\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\*\Parameters\*' labels: [Software] supported_os: [Windows] urls: - 'http://support.microsoft.com/kb/103000' - 'https://github.com/libyal/winreg-kb/wiki/System-keys' --- name: WindowsSessionManagerBootExecute doc: Windows Session Manager BootExecute persistence. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'BootExecute'}] supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc963230.aspx'] --- name: WindowsSessionManagerExecute doc: Windows Session Manager Execute persistence sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'Execute'}] supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc976130.aspx'] --- name: WindowsSessionManagerSetupExecute doc: Windows Session Manager SetupExecute persistence sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'SetupExecute'}] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx'] --- name: WindowsSessionManagerSubSystems doc: Windows Session Manager SubSystems persistence sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems', value: 'Windows'}] supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc976130.aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsSessionManagerWOWCommandLine doc: Windows Session Manager Windows-on-Windows (WOW) command line sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'wowcmdline'} supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/102986'] --- name: WindowsSharedTaskScheduler doc: Runs on windows boot. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/' --- name: WindowsShellExecuteHooks doc: Shell execution hooks are called when ShellExecuteEx() is called. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' - 'https://code.google.com/p/regripper/wiki/ASEPs' --- name: WindowsShellExtensions doc: Approved extensions to the Windows Shell (explorer.exe). sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110(v=vs.85).aspx'] --- name: WindowsShellHandlersRegistryKeys doc: | Windows Registry keys for shell handler artifacts. ContextMenuHandlers are added to right-click menus. CopyHookHandlers, DragDropHandlers, and ColumnHandlers are similar contextual settings to trigger on these actions. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ColumnHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\PropertySheetHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ColumnHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\PropertySheetHandlers\*' - 
'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.codeguru.com/cpp/com-tech/shell/article.php/c4515/Logging-the-Shell-Activity.htm' - 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/troj_qoolaid.r' --- name: WindowsShellIconOverlayIdentifiers doc: Called to display custom icons. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127455(v=vs.85).aspx' --- name: WindowsShellLoadAndRun doc: Windows Shell Load and Run values sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/103865'] --- name: WindowsShellOpenCommand doc: Executed every time this file type is opened, should be "%1 %*". sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command' supported_os: [Windows] urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610'] --- name: WindowsShellServiceObjects doc: Windows Shell (explorer.exe) service objects delayed load. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' supported_os: [Windows] urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2'] --- name: WindowsSetupApiLogs doc: Windows setup API logs. sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\setupapi.log']} conditions: [os_major_version < 6] - type: FILE attributes: paths: - '%%environ_systemroot%%\inf\setupapi.app.log' - '%%environ_systemroot%%\inf\setupapi.dev.log' - '%%environ_systemroot%%\inf\setupapi.offline.log' separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Setup_API_Logs'] --- name: WindowsShutdownScript doc: Windows policy shutdown script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Shutdown'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsStartupFolderModification doc: Windows startup folder Registry values. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} supported_os: [Windows] --- name: WindowsStartupFolders doc: Windows startup folder persistence. sources: - type: FILE attributes: paths: - '%%users.homedir%%\Start Menu\Programs\Startup\*' - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*' - '%%users.homedir%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' - '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*' separator: '\' supported_os: [Windows] --- name: WindowsStartupScript doc: Windows policy startup script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsStubPaths doc: Windows StubPath persistence. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} supported_os: [Windows] --- name: WindowsSuperFetchFiles doc: Windows SuperFetch files. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\Prefetch\Ag*.db' - '%%environ_systemroot%%\Prefetch\Ag*.db.trx' separator: '\' labels: [System] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/SuperFetch'] --- name: WindowsSystemIniFiles doc: Windows system ini files sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\system.ini' - '%%environ_windir%%\win.ini' - '%%environ_windir%%\wininit.ini' separator: '\' supported_os: [Windows] --- name: WindowsSystemPolicyShell doc: Windows System policy replacement shell (custom user interface). sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx'] --- name: WindowsSystemRegistryFiles doc: Windows system Registry files. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\config\SAM' - '%%environ_systemroot%%\System32\config\SECURITY' - '%%environ_systemroot%%\System32\config\SOFTWARE' - '%%environ_systemroot%%\System32\config\SYSTEM' - '\System Volume Information\Syscache.hve' separator: '\' labels: [System] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files'] --- name: WindowsTempDirectories doc: Contents of the Windows temporary directories sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\Temp\*' - '%%environ_systemroot%%\Temp\*' - '%%users.localappdata%%\Temp\*' separator: '\' supported_os: [Windows] --- name: WindowsTerminalServerRunKeys doc: Windows Terminal Server Run keys sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' supported_os: [Windows] urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610'] --- name: WindowsTerminalServerStartupPrograms doc: Windows Terminal Server Startup Programs sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms'} supported_os: [Windows] urls: ['http://forum.sysinternals.com/rdpclip_topic4729.html'] --- name: WindowsTimezone doc: The timezone of the system in Olson format. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]} provides: [time_zone] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Time-zone-keys'] --- name: WindowsToolPaths doc: Paths to windows tools such as defrag, chkdsk. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.liutilities.com/products/registrybooster/tweaklibrary/tweaks/11118/' --- name: WindowsUninstallKeys doc: Uninstall Registry keys sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Userdata\%%users.sid%%\Products\*\InstallProperties' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx'] --- name: WindowsUpdateStatus doc: Windows auto update status. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'} supported_os: [Windows] urls: - 'http://forensicswiki.org/wiki/Windows_Update' - 'http://blogs.msdn.com/b/aruns_blog/archive/2011/06/20/active-setup-registry-key-what-it-is-and-how-to-create-in-the-package-using-admin-studio-install-shield.aspx' --- name: WindowsUserDownloadsDirectory doc: User downloads directory sources: - type: DIRECTORY attributes: paths: ['%%users.homedir%%\Downloads\*'] separator: '\' labels: [Users] supported_os: [Windows] --- name: WindowsUserRecentFiles doc: Windows user specific recent files. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Roaming\Microsoft\Office\Recent\*' - '%%users.appdata%%\Roaming\Microsoft\Windows\Recent\*' separator: '\' labels: [Users] supported_os: [Windows] --- name: WindowsUserRegistryFiles doc: Windows user specific Registry files. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%\NTUSER.DAT' - '%%users.homedir%%\NTUSER.MAN' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat' separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/wiki/Registry-files'] --- name: WindowsUserShellFolders doc: The Shell Folders information for Windows users. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*' - 'HKEY_USERS\%%users.sid%%\Environment\*' - 'HKEY_USERS\%%users.sid%%\Volatile Environment\*' provides: - users.cookies - users.appdata - users.personal - users.startup - users.homedir - users.desktop - users.internet_cache - users.localappdata - users.localappdata_low - users.recent - users.userprofile - users.temp supported_os: [Windows] --- name: WindowsWinlogonGinaDLL doc: Windows Gina DLL replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonNotify doc: Windows Winlogon Notify DLL names. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa379402(v=vs.85).aspx'] --- name: WindowsWinlogonShell doc: Windows shell replacement. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx'] --- name: WindowsWinlogonSystem doc: Applications launched by Winlogon in the system context during the system initialisation. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} supported_os: [Windows] urls: - 'https://code.google.com/p/regripper/wiki/ASEPs' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' --- name: WindowsWinlogonTaskman doc: Windows Winlogon Taskman replacement. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonUiHost doc: Windows Winlogon UI screen application sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.bleepingcomputer.com/forums/t/14028/change-the-loginwelcome-screen/' --- name: WindowsWinlogonUserinit doc: Windows Winlogon Userinit replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939862.aspx'] --- name: WindowsWinlogonVMApplet doc: Windows VMApplet replacement. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinstart doc: Windows winstart.bat file sources: - type: FILE attributes: paths: - '%%environ_windir%%\winstart.bat' - '%%environ_windir%%\dosstart.bat' separator: '\' supported_os: [Windows] --- name: WindowsWinlogonAppSetup doc: Windows Winlogon Appsetup sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WinSock2LayeredServiceProviders doc: Used to filter TCP/IP traffic through WinSock2. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://en.wikipedia.org/wiki/Layered_Service_Provider' --- name: WinSock2NamespaceProviders doc: WinSock2NamespaceProviders sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\namespace_catalog5\catalog_entries\*', value: 'LibraryPath'} supported_os: [Windows] urls: - 'https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99&tabid=2' - 'http://www.nirsoft.net/utils/winsock_service_providers.html' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms739923(v=vs.85).aspx' --- name: WindowsDNSSettings doc: Windows Registry Keys that contain DNS and DHCP settings. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters', value: 'NameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'} labels: [System, Network] supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx'] artifacts-20170808/data/windows_dll_hijacking.yaml000066400000000000000000000144551314241367100221070ustar00rootroot00000000000000name: DLLHijackLocations doc: DLL search order hijacking locations collected from base Windows 7. urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html'] sources: - type: FILE attributes: paths: - '%%environ_windir%%\EXPLORERFRAME.dll' - '%%environ_windir%%\DUser.dll' - '%%environ_windir%%\DUI70.dll' - '%%environ_windir%%\UxTheme.dll' - '%%environ_windir%%\POWRPROF.dll' - '%%environ_windir%%\dwmapi.dll' - '%%environ_windir%%\slc.dll' - '%%environ_windir%%\gdiplus.dll' - '%%environ_windir%%\Secur32.dll' - '%%environ_windir%%\SSPICLI.dll' - '%%environ_windir%%\PROPSYS.dll' - '%%environ_windir%%\WINSTA.dll' - '%%environ_windir%%\CRYPTBASE.dll' - '%%environ_windir%%\WindowsCodecs.dll' - '%%environ_windir%%\profapi.dll' - '%%environ_windir%%\apphelp.dll' - '%%environ_windir%%\EhStorShell.dll' - '%%environ_windir%%\cscui.dll' - '%%environ_windir%%\CSCDLL.dll' - '%%environ_windir%%\CSCAPI.dll' - '%%environ_windir%%\ntshrui.dll' - '%%environ_windir%%\srvcli.dll' - '%%environ_windir%%\IconCodecService.dll' - '%%environ_windir%%\CRYPTSP.dll' - 
'%%environ_windir%%\rsaenh.dll' - '%%environ_windir%%\RpcRtRemote.dll' - '%%environ_windir%%\SndVolSSO.dll' - '%%environ_windir%%\HID.dll' - '%%environ_windir%%\MMDevApi.dll' - '%%environ_windir%%\timedate.cpl' - '%%environ_windir%%\ATL.dll' - '%%environ_windir%%\actxprxy.dll' - '%%environ_windir%%\ntmarta.dll' - '%%environ_windir%%\shdocvw.dll' - '%%environ_windir%%\LINKINFO.dll' - '%%environ_windir%%\USERENV.dll' - '%%environ_windir%%\shacct.dll' - '%%environ_windir%%\gameux.dll' - '%%environ_windir%%\XmlLite.dll' - '%%environ_windir%%\wer.dll' - '%%environ_windir%%\SAMLIB.dll' - '%%environ_windir%%\msls31.dll' - '%%environ_windir%%\tiptsf.dll' - '%%environ_windir%%\authui.dll' - '%%environ_windir%%\CRYPTUI.dll' - '%%environ_windir%%\msiltcfg.dll' - '%%environ_windir%%\VERSION.dll' - '%%environ_windir%%\msi.dll' - '%%environ_windir%%\NetworkExplorer.dll' - '%%environ_windir%%\WINMM.dll' - '%%environ_windir%%\wdmaud.drv' - '%%environ_windir%%\ksuser.dll' - '%%environ_windir%%\AVRT.dll' - '%%environ_windir%%\AUDIOSES.dll' - '%%environ_windir%%\msacm32.drv' - '%%environ_windir%%\MSACM32.dll' - '%%environ_windir%%\midimap.dll' - '%%environ_windir%%\netutils.dll' - '%%environ_windir%%\stobject.dll' - '%%environ_windir%%\BatMeter.dll' - '%%environ_windir%%\WTSAPI32.dll' - '%%environ_windir%%\es.dll' - '%%environ_windir%%\prnfldr.dll' - '%%environ_windir%%\WINSPOOL.DRV' - '%%environ_windir%%\dxp.dll' - '%%environ_windir%%\Syncreg.dll' - '%%environ_windir%%\netshell.dll' - '%%environ_windir%%\IPHLPAPI.dll' - '%%environ_windir%%\WINNSI.dll' - '%%environ_windir%%\nlaapi.dll' - '%%environ_windir%%\AltTab.dll' - '%%environ_windir%%\pnidui.dll' - '%%environ_windir%%\QUtil.dll' - '%%environ_windir%%\wevtapi.dll' - '%%environ_windir%%\dhcpcsvc6.dll' - '%%environ_windir%%\dhcpcsvc.dll' - '%%environ_windir%%\credssp.dll' - '%%environ_windir%%\npmproxy.dll' - '%%environ_windir%%\cscobj.dll' - '%%environ_windir%%\Wlanapi.dll' - '%%environ_windir%%\wlanutil.dll' - 
'%%environ_windir%%\wwanapi.dll' - '%%environ_windir%%\wwapi.dll' - '%%environ_windir%%\QAgent.dll' - '%%environ_windir%%\srchadmin.dll' - '%%environ_windir%%\mssprxy.dll' - '%%environ_windir%%\bthprops.cpl' - '%%environ_windir%%\ieframe.dll' - '%%environ_windir%%\OLEACC.dll' - '%%environ_windir%%\SyncCenter.dll' - '%%environ_windir%%\Actioncenter.dll' - '%%environ_windir%%\imapi2.dll' - '%%environ_windir%%\SXS.dll' - '%%environ_windir%%\hgcpl.dll' - '%%environ_windir%%\provsvc.dll' - '%%environ_windir%%\wkscli.dll' - '%%environ_windir%%\fxsst.dll' - '%%environ_windir%%\FXSAPI.dll' - '%%environ_windir%%\FXSRESM.dll' - '%%environ_windir%%\ieproxy.dll' - '%%environ_windir%%\thumbcache.dll' - '%%environ_windir%%\rasadhlp.dll' - '%%environ_windir%%\MPR.dll' - '%%environ_windir%%\vmhgfs.dll' - '%%environ_windir%%\drprov.dll' - '%%environ_windir%%\ntlanman.dll' - '%%environ_windir%%\davclnt.dll' - '%%environ_windir%%\DAVHLPR.dll' - '%%environ_windir%%\StructuredQuery.dll' - '%%environ_windir%%\UIAnimation.dll' - '%%environ_windir%%\DEVRTL.dll' - '%%environ_windir%%\MLANG.dll' - '%%environ_windir%%\wscinterop.dll' - '%%environ_windir%%\WSCAPI.dll' - '%%environ_windir%%\wscui.cpl' - '%%environ_windir%%\werconcpl.dll' - '%%environ_windir%%\framedynos.dll' - '%%environ_windir%%\wercplsupport.dll' - '%%environ_windir%%\msxml6.dll' - '%%environ_windir%%\hcproviders.dll' - '%%environ_windir%%\zipfldr.dll' - '%%environ_windir%%\rarext.dll' - '%%environ_windir%%\7-zip.dll' - '%%environ_windir%%\twext.dll' - '%%environ_windir%%\WinCDEmuContextMenu.dll' - '%%environ_windir%%\syncui.dll' - '%%environ_windir%%\SYNCENG.dll' - '%%environ_windir%%\shlext010.dll' - '%%environ_windir%%\ATL90.dll' - '%%environ_windir%%\acppage.dll' - '%%environ_windir%%\sfc.dll' - '%%environ_windir%%\sfc_os.dll' - '%%environ_windir%%\dsrole.dll' - '%%environ_windir%%\ACLUI.dll' - '%%environ_windir%%\NTDSAPI.dll' - '%%environ_windir%%\PhotoBase.dll' - '%%environ_windir%%\sbdrop.dll' - 
'%%environ_windir%%\tquery.dll' - '%%environ_windir%%\EhStorAPI.dll' - '%%environ_windir%%\SearchFolder.dll' - '%%environ_windir%%\NaturalLanguage6.dll' - '%%environ_windir%%\NLSData0009.dll' - '%%environ_windir%%\NLSLexicons0009.dll' - '%%environ_windir%%\MsftEdit.dll' - '%%environ_windir%%\dnsapi.dll' - '%%environ_windir%%\RASAPI32.dll' - '%%environ_windir%%\rasman.dll' - '%%environ_windir%%\rtutils.dll' - '%%environ_windir%%\sensapi.dll' separator: '\' supported_os: [Windows] artifacts-20170808/data/wmi.yaml000066400000000000000000000136111314241367100163420ustar00rootroot00000000000000# WMI specific artifacts. name: WMIAccountUsersDomain doc: | Fill out user AD domain information based on username. We expect this artifact to be collected with WindowsRegistryProfiles to supply the rest of the user information. This artifact optimizes retrieval of user information by limiting the WMI query to users for which we have a username. Specifically this solves the issue that in a domain setting, querying for all users via WMI will give you the list of all local and domain accounts which means a large data transfer from an Active Directory server. This artifact relies on having the users.username field populated in the knowledge base. Unfortunately even limiting by username this query can be slow, and this artifact runs it for each user present on the system. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'} labels: [Users] provides: [users.userdomain] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- name: WMIComputerSystemProduct doc: Computer System Product including identifying number queried from WMI. 
sources: - type: WMI attributes: {query: SELECT * FROM Win32_ComputerSystemProduct} labels: [System] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx'] --- name: WMIDrivers doc: Installed drivers via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status, State, ServiceType from Win32_SystemDriver'} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIEnumerateASEC doc: Enumerate instances of ActiveScriptEventConsumer. sources: - type: WMI attributes: {query: SELECT * FROM ActiveScriptEventConsumer, base_object: 'winmgmts:\root\subscription'} supported_os: [Windows] --- name: WMIEnumerateCLEC doc: Enumerate instances of CommandLineEventConsumer. sources: - type: WMI attributes: {query: SELECT * FROM CommandLineEventConsumer, base_object: 'winmgmts:\root\subscription'} supported_os: [Windows] --- name: WMIHotFixes doc: Installed hotfixes via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_QuickFixEngineering} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIInstalledSoftware doc: Installed software via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version from Win32_Product'} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMILastBootupTime doc: Last system boot time (UTC) retrieved from WMI. sources: - type: WMI attributes: {query: SELECT LastBootUpTime FROM Win32_OperatingSystem} labels: [System] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa394239(v=vs.85).aspx'] --- name: WMILogicalDisks doc: Disk information via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * FROM Win32_LogicalDisk} labels: [System] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/aa394173(v=vs.85).aspx'] --- name: WMILoggedOnSessions doc: Logon sessions queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_LogonSession} supported_os: [Windows] --- name: WMILoggedOnUsers doc: Logged on users queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_LoggedonUser} supported_os: [Windows] --- name: WMILoginUsers doc: | Login Users via Windows Management Instrumentation (WMI). This WMI query may take a long time to complete when run on a domain and will create load on a domain controller. sources: - type: WMI attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIPhysicalMemory doc: Physical memory information via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_PhysicalMemory} conditions: [os_major_version >= 6] labels: [System] supported_os: [Windows] urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"] --- name: WMIProcessList doc: Process listing via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_Process} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIProfileUsersHomeDir doc: | Get user homedir from Win32_UserProfile based on a known user's SID. This artifact relies on having the SID field users.sid populated in the knowledge base. We expect it to be collected with WindowsRegistryProfiles to supply the rest of the user information. 
sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} labels: [Users] provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- name: WMIServices doc: Services queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_Service} supported_os: [Windows] --- name: WMIUsers doc: | Users via Windows Management Instrumentation (WMI). Note that in a domain setup, this will probably return all users in the domain which will be expensive and slow. Consider limiting by SID like WMIProfileUsersHomeDir. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount} labels: [Users] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- name: WMIVolumeShadowCopies doc: A List of Volume Shadow Copies from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_ShadowCopy} labels: [System] supported_os: [Windows] artifacts-20170808/dependencies.ini000066400000000000000000000002161314241367100170750ustar00rootroot00000000000000[yaml] dpkg_name: python-yaml l2tbinaries_name: PyYAML minimum_version: 3.10 pypi_name: PyYAML rpm_name: PyYAML version_property: __version__ artifacts-20170808/docs/000077500000000000000000000000001314241367100146775ustar00rootroot00000000000000artifacts-20170808/docs/Artifacts definition format and style guide.asciidoc000066400000000000000000000401401314241367100266220ustar00rootroot00000000000000= Artifact definition format and style guide :toc: :toclevels: 4 :icons: :numbered!: [abstract] == Summary This guide contains a description of the forensics artifacts definitions. The artifacts definitions are link:http://www.yaml.org/spec/1.2/spec.html[YAML]-based. The format is currently still under development and is likely to undergo some change. 
One of the goals of this guide is to ensure consistency and readability of the artifacts definitions. [preface] == Revision history [cols="1,1,1,5",options="header"] |=== | Version | Author | Date | Comments | 0.0.1 | G. Castle | November 2014 | Initial version. | 0.0.2 | G. Castle | December 2014 | Minor format changes. | 0.0.3 | J.B. Metz | April 2015 | Merged style guide and artifact definitions wiki page. | 0.0.3 | J.B. Metz | September 2015 | Additional label. | 0.0.4 | J.B. Metz | July 2016 | Added information about a naming convention. |=== :numbered: == Background The first version of the artifact definitions originated from the https://github.com/google/grr[GRR project], where it is used to describe and quickly collect data of interest, e.g. specific files or Windows Registry keys. The goal of the format is to provide a way to describe the majority of forensic artifacts in a language that is readable by humans and machines. The format is designed to be simple and straightforward, so that a digital forensic analyst is able to quickly write artifact definitions during an investigation without having to rely on complex standards or tooling. The format is intended to describe forensically-relevant data on a machine, while being tool agnostic. In particular we intentionally avoided adding IOC-like logic, or describing how the data should be collected, since this varies between tools. === Terminology The term artifact (or artefact) is widely used within computer (or digital) forensics, though there is no official definition of this term. The definition closest to the meaning of the word within computer forensics is that of the word artifact within http://en.wikipedia.org/wiki/Artifact_(archaeology)[archaeology]. The term should not be confused with the word artifact used within http://en.wikipedia.org/wiki/Artifact_(software_development)[software development]. 
If archaeology defines an artifact as: ``` something made or given shape by man, such as a tool or a work of art, esp an object of archaeological interest ``` The definition of artifact within computer forensics could be: ``` An object of digital archaeological interest. ``` Where digital archaeology roughly refers to computer forensics without the forensic (legal) context. == The artifact definition The best way to show what an artifact definition is, is by example. The following example is the artifact definition for the Windows EVTX System Event Logs. [source,yaml] ---- name: WindowsSystemEventLogEvtx doc: Windows System Event log for Vista or later systems. sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] ---- The artifact definition can have the following values: [cols="1,5",options="header"] |=== | Value | Description | name | The name. A unique string that identifies the artifact definition. + Also see section: <>. | doc | The description (or documentation). A human-readable string that describes the artifact definition. + *Style note*: Typically a one-line description of the artifact, mentioning important caveats. + If more description is necessary, use the <>. | sources | A list of source definitions. + See section: <>. | conditions | Optional list of conditions that describe when the artifact definition should apply. + See section: <>. | labels | Optional list of predefined labels. See section: <>. | provides | Optional list of *TODO* | supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: <>. | urls | Optional list of URLs with more contextual information. + Ideally the artifact definition links to an article that discusses the artifact in more depth e.g. 
on http://forensicswiki.org[Forensics Wiki] |=== === [[artifact_name]]Name *Style note*: The name of an artifact definition should be a CamelCase name without spaces. As of July 2016 we are migrating to the following naming convention: * Prefix platform-specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows" * If not platform specific: ** prefix with the application name, for example "ChromeHistory". ** prefix with the name of the subsystem, for example "WMIComputerSystemProduct". *Style note*: For example, if the only sources of the artifact definition are files, use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity. === [[artifact_long_docs]]Long docs form Multi-line documentation should use the YAML Literal Style as indicated by the | character. [source,yaml] ---- doc: | The Windows run keys. Note users.sid will currently only expand to SIDs with profiles on the system, not all SIDs. ---- *Style note*: the short description (first line) and the longer portion are separated by an empty line. *Style note*: explicit newlines (\n) should not be used. == [[sources]]Sources Every source definition starts with a `type` followed by arguments e.g. [source,yaml] ---- sources: - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm ---- [source,yaml] ---- sources: - type: FILE attributes: paths: - /root/.bashrc - /root/.cshrc - /root/.ksh - /root/.logout - /root/.profile - /root/.tcsh - /root/.zlogin - /root/.zlogout - /root/.zprofile - /root/.zprofile ---- *Style note*: where sources take a single argument with a single value, the one-line {} form should be used to save on line breaks as below: [source,yaml] ---- - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} ---- [cols="1,5",options="header"] |=== | Value | Description | attributes | A dictionary of keyword attributes specific to the type of source definition. | type | The source type.
| conditions | Optional list of conditions that describe when the artifact definition should apply. + See section: <<conditions>>. | returned_types | Optional list of returned artifact definition types. | supported_os | Optional list that indicates which operating systems the artifact definition applies to. + See section: <<supported_os>>. |=== === Source types Currently the following different source types are defined: [cols="1,5",options="header"] |=== | Value | Description | ARTIFACT_GROUP | A source that consists of a group of other artifacts. | COMMAND | A source that consists of the output of a command. | FILE | A source that consists of the contents of files. | PATH | A source that consists of the contents of paths. | REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. | REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. | WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries. |=== The source types are defined in link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py] as TYPE_INDICATOR constants. === Artifact group source The artifact group source is a source that consists of a group of other artifacts e.g. [source,yaml] ---- - type: ARTIFACT_GROUP attributes: names: [WindowsRunKeys, WindowsServices] returned_types: [PersistenceFile] ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | names | A list of artifact definition names that make up this "composite" artifact. + This can also be used to group multiple artifact definitions into one for convenience. |=== === Command source The command source is a source that consists of the output of a command e.g.
[source,yaml] ---- - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | args | A list of arguments to pass to the command. | cmd | The path of the command. |=== === File source The file source is a source that consists of the contents of files e.g. [source,yaml] ---- - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | paths | A list of file paths that can potentially be collected. + The paths can use parameter expansion e.g. `%%environ_systemroot%%`. + See section: <<parameter_expansion>> |=== === Path source The path source is a source that consists of the contents of paths e.g. [source,yaml] ---- - type: PATH attributes: paths: ['\Program Files'] separator: '\' ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | paths | A list of file paths that can potentially be collected. + The paths can use parameter expansion e.g. `%%environ_systemroot%%`. + See section: <<parameter_expansion>> |=== === Windows Registry key source The Windows Registry key source is a source that consists of the contents of Windows Registry keys e.g. [source,yaml] ---- sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | keys | A list of Windows Registry key paths that can potentially be collected. + The paths can use parameter expansion e.g. `%%users.sid%%`. + See section: <<parameter_expansion>> |=== === Windows Registry value source The Windows Registry value source is a source that consists of the contents of Windows Registry values e.g.
[source,yaml] ---- - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. + The key path can use parameter expansion e.g. `%%users.sid%%`. + See section: <<parameter_expansion>> |=== === Windows Management Instrumentation (WMI) query source The Windows Management Instrumentation (WMI) query source is a source that consists of the output of Windows Management Instrumentation (WMI) queries e.g. [source,yaml] ---- - type: WMI attributes: query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' ---- Where `attributes` can contain the following values: [cols="1,5",options="header"] |=== | Value | Description | query | The Windows Management Instrumentation (WMI) query. + The query can use parameter expansion e.g. `%%users.username%%`. + See section: <<parameter_expansion>> |=== == [[conditions]]Conditions *TODO: work is in progress to move this out of GRR into something more portable.* Artifact conditions are currently implemented using the link:https://github.com/google/objectfilter[objectfilter] system that allows you to apply complex conditions to the attributes of an object. Artifacts can apply conditions to any of the Knowledge Base object attributes as defined in the GRR link:https://github.com/google/grr/blob/master/proto/knowledge_base.proto[knowledge_base.proto]. *Style note*: single quotes should be used for strings when writing conditions. [source,yaml] ---- conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles'] ---- === [[supported_os]]Supported operating system Since operating system (OS) conditions are a very common constraint, this has been provided as a separate option "supported_os" to simplify syntax.
For supported_os no quotes are required. The currently supported operating systems are: * Darwin (also used for Mac OS X) * Linux * Windows [source,yaml] ---- supported_os: [Darwin, Linux, Windows] ---- This can be translated to objectfilter as: [source,yaml] ---- ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"] ---- == [[labels]]Labels Currently the following different labels are defined: [cols="1,5",options="header"] |=== | Value | Description | Antivirus | Antivirus related artifacts, e.g. quarantine files. | Authentication | Authentication artifacts. | Browser | Web Browser artifacts. | Cloud Storage | Cloud Storage artifacts. | Configuration Files | Configuration files artifacts. | Execution | Contain execution events. | External Media | Contain external media data or events e.g. USB drives. | KnowledgeBase | Artifacts used in knowledge base generation. | Logs | Contain log files. | Memory | Artifacts retrieved from memory. | Network | Describe networking state. | Processes | Describe running processes. | Software | Installed software. | System | Core system artifacts. | Users | Information about users. | Rekall | Artifacts using the Rekall memory forensics framework. |=== The labels are defined in link:https://github.com/ForensicArtifacts/artifacts/blob/master/artifacts/definitions.py[definitions.py]. == Style notes === Artifact definition YAML files Artifact definition YAML filenames should be of the form: .... $FILENAME.yaml .... Where $FILENAME is the name of the file e.g. windows.yaml. Each definition file should have a comment at the top of the file with a one-line summary describing the type of artifact definitions contained in the file e.g. [source,yaml] ---- # Windows specific artifacts.
---- === Lists Generally use the short [] format for single-item lists that fit inside 80 characters to save on unnecessary line breaks: [source,yaml] ---- labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] ---- and the bulleted list form for multi-item lists or long lines: [source,yaml] ---- paths: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' ---- === Quotes Quotes should not be used for doc strings, artifact names, and simple lists like labels and supported_os. Paths and URLs should use single quotes to avoid the need for manual escaping. [source,yaml] ---- paths: ['%%environ_temp%%\*.exe'] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] ---- Double quotes should be used where escaping causes problems, such as regular expressions: [source,yaml] ---- content_regex_list: ["^%%users.username%%:[^:]*\n"] ---- === Minimize the number of definitions by using multiple sources To minimize the number of artifacts in the list, combine them using the supported_os and conditions attributes where it makes sense. e.g. rather than having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: [source,yaml] ---- name: FirefoxHistory doc: Firefox places.sqlite files. 
sources: - type: FILE attributes: paths: - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite supported_os: [Windows] - type: FILE attributes: paths: [%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite] supported_os: [Darwin] - type: FILE attributes: paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite'] supported_os: [Linux] labels: [Browser] supported_os: [Windows, Linux, Darwin] ---- == [[parameter_expansion]]Parameter expansion and globs *TODO* artifacts-20170808/requirements.txt000066400000000000000000000000471314241367100172340ustar00rootroot00000000000000pip >= 7.0.0 pytest yapf PyYAML >= 3.10artifacts-20170808/run_tests.py000077500000000000000000000011231314241367100163470ustar00rootroot00000000000000#!/usr/bin/python # -*- coding: utf-8 -*- """Script to run the tests.""" import sys import unittest # Change PYTHONPATH to include dependencies. sys.path.insert(0, u'.') import utils.dependencies # pylint: disable=wrong-import-position if __name__ == '__main__': dependency_helper = utils.dependencies.DependencyHelper() if not dependency_helper.CheckTestDependencies(): sys.exit(1) test_suite = unittest.TestLoader().discover('tests', pattern='*.py') test_results = unittest.TextTestRunner(verbosity=2).run(test_suite) if not test_results.wasSuccessful(): sys.exit(1) artifacts-20170808/setup.cfg000066400000000000000000000003571314241367100155750ustar00rootroot00000000000000[bdist_rpm] release = 1 packager = Forensic artifacts doc_files = ACKNOWLEDGEMENTS AUTHORS LICENSE README build_requires = python-setuptools requires = PyYAML >= 3.10artifacts-20170808/setup.py000077500000000000000000000107441314241367100154720ustar00rootroot00000000000000#!/usr/bin/python # -*- coding: utf-8 -*- """Installation and deployment script.""" from __future__ import print_function import glob import os import sys try: from setuptools import find_packages, setup except 
ImportError: from distutils.core import find_packages, setup try: from distutils.command.bdist_msi import bdist_msi except ImportError: bdist_msi = None try: from distutils.command.bdist_rpm import bdist_rpm except ImportError: bdist_rpm = None if sys.version < '2.7': print('Unsupported Python version: {0:s}.'.format(sys.version)) print('Supported Python versions are 2.7 or a later 2.x version.') sys.exit(1) # Change PYTHONPATH to include artifacts so that we can get the version. sys.path.insert(0, '.') import artifacts # pylint: disable=wrong-import-position if not bdist_msi: BdistMSICommand = None else: class BdistMSICommand(bdist_msi): """Custom handler for the bdist_msi command.""" def run(self): """Builds an MSI.""" # Command bdist_msi does not support the library version, neither a date # as a version but if we suffix it with .1 everything is fine. self.distribution.metadata.version += '.1' bdist_msi.run(self) if not bdist_rpm: BdistRPMCommand = None else: class BdistRPMCommand(bdist_rpm): """Custom handler for the bdist_rpm command.""" def _make_spec_file(self): """Generates the text of an RPM spec file. Returns: list[str]: lines of the RPM spec file. """ # Note that bdist_rpm can be an old style class. 
if issubclass(BdistRPMCommand, object): spec_file = super(BdistRPMCommand, self)._make_spec_file() else: spec_file = bdist_rpm._make_spec_file(self) if sys.version_info[0] < 3: python_package = 'python' else: python_package = 'python3' description = [] summary = '' in_description = False python_spec_file = [] for line in iter(spec_file): if line.startswith('Summary: '): summary = line elif line.startswith('BuildRequires: '): line = 'BuildRequires: {0:s}-setuptools'.format(python_package) elif line.startswith('Requires: '): if python_package == 'python3': line = line.replace('python', 'python3') elif line.startswith('%description'): in_description = True elif line.startswith('%files'): line = '%files -f INSTALLED_FILES -n {0:s}-%{{name}}'.format( python_package) elif line.startswith('%prep'): in_description = False python_spec_file.append( '%package -n {0:s}-%{{name}}'.format(python_package)) python_spec_file.append('{0:s}'.format(summary)) python_spec_file.append('') python_spec_file.append( '%description -n {0:s}-%{{name}}'.format(python_package)) python_spec_file.extend(description) elif in_description: # Ignore leading white lines in the description. 
if not description and not line: continue description.append(line) python_spec_file.append(line) return python_spec_file artifacts_description = ( 'ForensicArtifacts.com Artifact Repository.') artifacts_long_description = ( 'A free, community-sourced, machine-readable knowledge base of forensic ' 'artifacts that the world can use both as an information source and ' 'within other tools.') setup( name='artifacts', version=artifacts.__version__, description=artifacts_description, long_description=artifacts_long_description, license='Apache License, Version 2.0', url='https://github.com/ForensicArtifacts/artifacts', maintainer='ForensicArtifacts.com Artifact Repository maintainers', maintainer_email='forensicartifacts@googlegroups.com', scripts=[ os.path.join('tools', 'stats.py'), os.path.join('tools', 'validator.py'), ], cmdclass={ 'bdist_msi': BdistMSICommand, 'bdist_rpm': BdistRPMCommand}, classifiers=[ 'Development Status :: 3 - Alpha', 'Environment :: Console', 'Operating System :: OS Independent', 'Programming Language :: Python', ], packages=find_packages('.', exclude=[ 'tests', 'tests.*', 'tools', 'utils']), package_dir={'artifacts': 'artifacts'}, data_files=[ ('share/artifacts', glob.glob(os.path.join('data', '*'))), ], install_requires=[ 'PyYAML >= 3.11', ], ) artifacts-20170808/test_data/000077500000000000000000000000001314241367100157175ustar00rootroot00000000000000artifacts-20170808/test_data/definitions.json000066400000000000000000000050111314241367100211220ustar00rootroot00000000000000[{"conditions": ["os_major_version >= 6"], "name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "labels": ["Logs"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": 
["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "labels": ["Users"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"labels": ["Logs"], "name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"labels": ["Software"], "name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"labels": ["System"], "name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}]artifacts-20170808/test_data/definitions.yaml000066400000000000000000000045511314241367100211230ustar00rootroot00000000000000# Test artifact definitions. name: SecurityEventLogEvtx doc: Windows Security Event log for Vista or later systems. sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx']} conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: AllUsersProfileEnvironmentVariable doc: The %AllUsersProfile% environment variable. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- name: CurrentControlSet doc: The control set the system is currently using. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'} provides: [current_control_set] supported_os: [Windows] urls: ['https://code.google.com/p/winreg-kb/wiki/SystemKeys'] --- name: WMIProfileUsersHomeDir doc: | Get user homedir from Win32_UserProfile based on a known user's SID. This artifact relies on having the SID field users.sid populated in the knowledge base. We expect it to be collected with WindowsRegistryProfiles to supply the rest of the user information. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} labels: [Users] provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- name: EventLogs doc: Windows Event logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'ApplicationEventLog' - 'ApplicationEventLogEvtx' - 'SecurityEventLog' - 'SecurityEventLogEvtx' - 'SystemEventLog' - 'SystemEventLogEvtx' labels: [Logs] supported_os: [Windows] --- name: RedhatPackagesList doc: Linux output of rpm -qa. sources: - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm labels: [Software] supported_os: [Linux] --- name: OSXLoadedKexts doc: Mac OS X Loaded Kernel Extensions. 
sources: - type: COMMAND attributes: args: [] cmd: /usr/sbin/kextstat labels: [System] supported_os: [Darwin] artifacts-20170808/tests/000077500000000000000000000000001314241367100151115ustar00rootroot00000000000000artifacts-20170808/tests/__init__.py000066400000000000000000000001151314241367100172170ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for artifacts.""" __version__ = '20150409' artifacts-20170808/tests/reader_test.py000066400000000000000000000256621314241367100177770ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions readers.""" import io import unittest import yaml from artifacts import definitions from artifacts import errors from artifacts import reader from tests import test_lib class YamlArtifactsReaderTest(test_lib.BaseTestCase): """YAML artifacts reader tests.""" @test_lib.skipUnlessHasTestFile(['definitions.yaml']) def testReadFileObject(self): """Tests the ReadFileObject function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['definitions.yaml']) with open(test_file, 'rb') as file_object: artifact_definitions = list(artifact_reader.ReadFileObject(file_object)) self.assertEqual(len(artifact_definitions), 7) # Artifact with file source type. 
artifact_definition = artifact_definitions[0] self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtx') expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(artifact_definition.description, expected_description) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_FILE) expected_paths = [ '%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx'] self.assertEqual(sorted(source_type.paths), sorted(expected_paths)) self.assertEqual(len(artifact_definition.conditions), 1) expected_condition = 'os_major_version >= 6' self.assertEqual(artifact_definition.conditions[0], expected_condition) self.assertEqual(len(artifact_definition.labels), 1) self.assertEqual(artifact_definition.labels[0], 'Logs') self.assertEqual(len(artifact_definition.supported_os), 1) self.assertEqual(artifact_definition.supported_os[0], 'Windows') self.assertEqual(len(artifact_definition.urls), 1) expected_url = ( 'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)') self.assertEqual(artifact_definition.urls[0], expected_url) # Artifact with Windows Registry key source type. 
artifact_definition = artifact_definitions[1] self.assertEqual( artifact_definition.name, 'AllUsersProfileEnvironmentVariable') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY) expected_key1 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\ProfilesDirectory') expected_key2 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\AllUsersProfile') expected_keys = [expected_key1, expected_key2] self.assertEqual(sorted(source_type.keys), sorted(expected_keys)) # Artifact with Windows Registry value source type. artifact_definition = artifact_definitions[2] self.assertEqual(artifact_definition.name, 'CurrentControlSet') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE) self.assertEqual(len(source_type.key_value_pairs), 1) key_value_pair = source_type.key_value_pairs[0] expected_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Select' self.assertEqual(key_value_pair['key'], expected_key) self.assertEqual(key_value_pair['value'], 'Current') # Artifact with WMI query source type. 
artifact_definition = artifact_definitions[3] self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir') expected_provides = sorted(['users.homedir']) self.assertEqual(sorted(artifact_definition.provides), expected_provides) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WMI_QUERY) expected_query = ( 'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'') self.assertEqual(source_type.query, expected_query) # Artifact with artifact definition source type. artifact_definition = artifact_definitions[4] self.assertEqual(artifact_definition.name, 'EventLogs') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT_GROUP) # Artifact with command definition source type. artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_COMMAND) # Artifact with COMMAND definition collector definition. artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) collector_definition = artifact_definition.sources[0] self.assertIsNotNone(collector_definition) self.assertEqual( collector_definition.type_indicator, definitions.TYPE_INDICATOR_COMMAND) def testBadKey(self): """Tests if top level keys are correct.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: BadKey doc: bad extra key. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' extra_key: 'wrong' labels: [Logs] supported_os: [Windows] """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testMissingSources(self): """Tests if sources is present.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: BadSources doc: must have one sources. labels: [Logs] supported_os: [Windows] """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testBadSupportedOS(self): """Tests if supported_os is checked correctly.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: BadSupportedOS doc: supported_os should be an array of strings. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' labels: [Logs] supported_os: Windows """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testBadTopSupportedOS(self): """Tests if top level supported_os is checked correctly.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: BadTopSupportedOS doc: Top supported_os should match supported_os from sources. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' supported_os: [Windows] labels: [Logs] """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testBadLabels(self): """Tests if labels is checked correctly.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: BadLabel doc: badlabel. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' labels: Logs supported_os: [Windows] """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testMissingDoc(self): """Tests if doc is required.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: NoDoc sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testMissingNamesAttribute(self): """Tests if missing attribute names are checked correctly.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=u"""name: NoNames doc: Missing names attr. sources: - type: ARTIFACT_GROUP attributes: - 'SystemEventLogEvtx' """) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) @test_lib.skipUnlessHasTestFile(['definitions.yaml']) def testReadYamlFile(self): """Tests the ReadFile function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['definitions.yaml']) artifact_definitions = list(artifact_reader.ReadFile(test_file)) self.assertEqual(len(artifact_definitions), 7) def testReadDirectory(self): """Tests the ReadDirectory function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['.']) artifact_definitions = list(artifact_reader.ReadDirectory(test_file)) self.assertEqual(len(artifact_definitions), 7) @test_lib.skipUnlessHasTestFile(['definitions.yaml']) def testArtifactAsDict(self): """Tests the AsDict function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['definitions.yaml']) with open(test_file, 'r') as file_object: for artifact_definition in yaml.safe_load_all(file_object): artifact_object = artifact_reader.ReadArtifactDefinitionValues( artifact_definition) 
self.assertEqual(artifact_definition, artifact_object.AsDict()) def testDefinitionsAsDict(self): """Tests the AsDict function.""" artifact_reader = reader.YamlArtifactsReader() artifact_definitions = list(artifact_reader.ReadDirectory('data')) last_artifact_definition = None for artifact in artifact_definitions: try: artifact_definition = artifact.AsDict() except errors.FormatError: error_location = u'At start' if last_artifact_definition: error_location = u'After: {0}'.format(last_artifact_definition.name) self.fail(u'{0} failed to convert to dict'.format(error_location)) last_artifact_definition = artifact_definition class JsonArtifactsReaderTest(test_lib.BaseTestCase): """JSON artifacts reader tests.""" @test_lib.skipUnlessHasTestFile(['definitions.json']) def testReadJsonFile(self): """Tests the ReadFile function.""" artifact_reader = reader.JsonArtifactsReader() test_file = self._GetTestFilePath(['definitions.json']) artifact_definitions = list(artifact_reader.ReadFile(test_file)) self.assertEqual(len(artifact_definitions), 7) if __name__ == '__main__': unittest.main() artifacts-20170808/tests/registry_test.py000066400000000000000000000115221314241367100203730ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions registry.""" import io import unittest from artifacts import errors from artifacts import reader from artifacts import registry from artifacts import source_type from tests import test_lib class TestSourceType(source_type.SourceType): """Class that implements a test source type.""" TYPE_INDICATOR = u'test' def __init__(self, test=None): """Initializes the source type object. Args: test: optional test string. The default is None. Raises: FormatError: when test is not set. """ if not test: raise errors.FormatError(u'Missing test value.') super(TestSourceType, self).__init__() self.test = test def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. 
""" return {u'test': self.test} class ArtifactDefinitionsRegistryTest(test_lib.BaseTestCase): """Tests for the artifact definitions registry.""" # pylint: disable=protected-access @test_lib.skipUnlessHasTestFile(['definitions.yaml']) def testArtifactDefinitionsRegistry(self): """Tests the ArtifactDefinitionsRegistry functions.""" artifact_registry = registry.ArtifactDefinitionsRegistry() artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['definitions.yaml']) for artifact_definition in artifact_reader.ReadFile(test_file): artifact_registry.RegisterDefinition(artifact_definition) # Make sure the test file got turned into artifacts. self.assertEqual(len(artifact_registry.GetDefinitions()), 7) artifact_definition = artifact_registry.GetDefinitionByName(u'EventLogs') self.assertIsNotNone(artifact_definition) # Try to register something already registered with self.assertRaises(KeyError): artifact_registry.RegisterDefinition(artifact_definition) # Deregister artifact_registry.DeregisterDefinition(artifact_definition) # Check it is gone with self.assertRaises(KeyError): artifact_registry.DeregisterDefinition(artifact_definition) self.assertEqual(len(artifact_registry.GetDefinitions()), 6) test_artifact_definition = artifact_registry.GetDefinitionByName( u'SecurityEventLogEvtx') self.assertIsNotNone(test_artifact_definition) self.assertEqual(test_artifact_definition.name, u'SecurityEventLogEvtx') expected_description = ( u'Windows Security Event log for Vista or later systems.') self.assertEqual(test_artifact_definition.description, expected_description) bad_args = io.BytesIO( b'name: SecurityEventLogEvtx\n' b'doc: Windows Security Event log for Vista or later systems.\n' b'sources:\n' b'- type: FILE\n' b' attributes: {broken: [\'%%environ_systemroot%%\\System32\\' b'winevt\\Logs\\Security.evtx\']}\n' b'conditions: [os_major_version >= 6]\n' b'labels: [Logs]\n' b'supported_os: [Windows]\n' b'urls: [\'http://www.forensicswiki.org/wiki/\n' 
b'Windows_XML_Event_Log_(EVTX)\']\n') generator = artifact_reader.ReadFileObject(bad_args) with self.assertRaises(errors.FormatError): next(generator) def testSourceTypeFunctions(self): """Tests the source type functions.""" number_of_source_types = len( registry.ArtifactDefinitionsRegistry._source_type_classes) registry.ArtifactDefinitionsRegistry.RegisterSourceType(TestSourceType) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types + 1) with self.assertRaises(KeyError): registry.ArtifactDefinitionsRegistry.RegisterSourceType(TestSourceType) registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types) registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType]) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types + 1) with self.assertRaises(KeyError): registry.ArtifactDefinitionsRegistry.RegisterSourceTypes( [TestSourceType]) source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( u'test', {u'test': u'test123'}) self.assertIsNotNone(source_object) self.assertEqual(source_object.test, u'test123') with self.assertRaises(errors.FormatError): source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( u'test', {}) with self.assertRaises(errors.FormatError): source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( u'bogus', {}) registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType) if __name__ == '__main__': unittest.main() artifacts-20170808/tests/source_type_test.py000066400000000000000000000116621314241367100210710ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the source type objects.""" import unittest from artifacts import errors from artifacts import source_type from tests import test_lib class TestSourceType(source_type.SourceType): """Class that 
implements a test source type.""" TYPE_INDICATOR = u'test' def __init__(self, test=None): """Initializes the source type object. Args: test: optional test string. The default is None. Raises: FormatError: when test is not set. """ if not test: raise errors.FormatError(u'Missing test value.') super(TestSourceType, self).__init__() self.test = test def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {u'test': self.test} class SourceTypeTest(test_lib.BaseTestCase): """Class to test the artifact source type.""" class ArtifactGroupSourceTypeTest(test_lib.BaseTestCase): """Class to test the artifact group source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.ArtifactGroupSourceType(names=[u'test']) class FileSourceTypeTest(test_lib.BaseTestCase): """Class to test the files source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.FileSourceType(paths=[u'test']) source_type.FileSourceType(paths=[u'test'], separator=u'\\') class PathSourceTypeTest(test_lib.BaseTestCase): """Class to test the paths source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.PathSourceType(paths=[u'test']) source_type.PathSourceType(paths=[u'test'], separator=u'\\') class WindowsRegistryKeySourceTypeTest(test_lib.BaseTestCase): """Class to test the Windows Registry keys source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.WindowsRegistryKeySourceType(keys=[u'HKEY_LOCAL_MACHINE\\test']) with self.assertRaises(errors.FormatError): source_type.WindowsRegistryKeySourceType(keys=u'HKEY_LOCAL_MACHINE\\test') class WindowsRegistryValueSourceTypeTest(test_lib.BaseTestCase): """Class to test the Windows Registry value source type.""" def testInitialize(self): """Tests the __init__ function.""" key_value_pair = {'key': u'HKEY_LOCAL_MACHINE\\test', 'value': u'test'} 
source_type.WindowsRegistryValueSourceType(key_value_pairs=[key_value_pair]) key_value_pair = {'bad': u'test', 'value': u'test'} with self.assertRaises(errors.FormatError): source_type.WindowsRegistryValueSourceType( key_value_pairs=[key_value_pair]) with self.assertRaises(errors.FormatError): source_type.WindowsRegistryValueSourceType(key_value_pairs=key_value_pair) class WMIQuerySourceTypeTest(test_lib.BaseTestCase): """Class to test the WMI query source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.WMIQuerySourceType(query=u'test') class SourceTypeFactoryTest(test_lib.BaseTestCase): """Class to test the source type factory.""" def testCreateSourceType(self): """Tests the source type creation.""" source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType]) with self.assertRaises(KeyError): source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType]) source_object = source_type.SourceTypeFactory.CreateSourceType( u'test', {u'test': u'test123'}) self.assertIsNotNone(source_object) self.assertEqual(source_object.test, u'test123') with self.assertRaises(errors.FormatError): source_object = source_type.SourceTypeFactory.CreateSourceType( u'test', {}) with self.assertRaises(errors.FormatError): source_object = source_type.SourceTypeFactory.CreateSourceType( u'bogus', {}) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) def testRegisterSourceType(self): """Tests the source type registration functions.""" expected_number_of_source_types = len( source_type.SourceTypeFactory.GetSourceTypes()) source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) number_of_source_types = len(source_type.SourceTypeFactory.GetSourceTypes()) self.assertEqual( number_of_source_types, expected_number_of_source_types + 1) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) number_of_source_types = len(source_type.SourceTypeFactory.GetSourceTypes()) self.assertEqual(number_of_source_types, 
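expected_number_of_source_types)

  def testRegisterSourceTypeRaisesWhenAlreadyRegistered(self):
    """Tests the source type registration functions when already registered."""
    source_type.SourceTypeFactory.RegisterSourceType(TestSourceType)

    # A second registration of the same type indicator must be rejected.
    with self.assertRaises(KeyError):
      source_type.SourceTypeFactory.RegisterSourceType(TestSourceType)

    # Undo the registration so later tests start from a clean factory.
    source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType)


if __name__ == '__main__':
  unittest.main()
artifacts-20170808/tests/style_test.py000066400000000000000000000013001314241367100176540ustar00rootroot00000000000000
"""Enforce code style."""

import subprocess
import unittest

from artifacts import errors
from tests import test_lib


class StyleTest(test_lib.BaseTestCase):
  """Enforce code style requirements."""

  # Directories handed to yapf, one argument each. The previous single
  # 'artifacts tools' string was passed as one (non-existent) path, which
  # looks like a typo for two separate directories.
  _STYLE_CHECK_PATHS = ['artifacts', 'tools', 'tests']

  def testCodeStyle(self):
    """Check yapf style enforcement runs cleanly.

    Raises:
      errors.CodeStyleError: when yapf reports style differences.
      subprocess.CalledProcessError: when yapf fails without an output
          attribute on the error.
    """
    # Argument-list form (no shell), so no path goes through shell parsing.
    command = ['yapf', '--diff', '-r'] + self._STYLE_CHECK_PATHS
    try:
      subprocess.check_output(command)
    except subprocess.CalledProcessError as e:
      if hasattr(e, 'output'):
        output = e.output
        # check_output() returns bytes on Python 3; decode so the message
        # does not render as a b'...' literal.
        if isinstance(output, bytes):
          output = output.decode('utf-8', 'replace')
        raise errors.CodeStyleError(
            'Run "yapf -i -r {0}" to correct these problems: {1}'.format(
                ' '.join(self._STYLE_CHECK_PATHS), output))
      raise


if __name__ == '__main__':
  unittest.main()
artifacts-20170808/tests/test_lib.py000066400000000000000000000046361314241367100173010ustar00rootroot00000000000000
# -*- coding: utf-8 -*-
"""Shared functions and classes for testing."""

import os
import shutil
import sys
import tempfile
import unittest


def skipUnlessHasTestFile(path_segments):
  """Decorator to skip a test if the test file does not exist.

  Args:
    path_segments (list[str]): path segments inside the test data directory.

  Returns:
    function: to invoke.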
""" fail_unless_has_test_file = getattr( unittest, u'fail_unless_has_test_file', False) path = os.path.join(u'test_data', *path_segments) if fail_unless_has_test_file or os.path.exists(path): return lambda function: function if sys.version_info[0] < 3: path = path.encode(u'utf-8') # Note that the message should be of type str which is different for # different versions of Python. return unittest.skip('missing test file: {0:s}'.format(path)) def GetTestFilePath(path_segments): """Retrieves the path of a test file in the test data directory. Args: path_segments (list[str]): path segments inside the test data directory. Returns: str: path of the test file. """ # Note that we need to pass the individual path segments to os.path.join # and not a list. return os.path.join(os.getcwd(), u'test_data', *path_segments) class BaseTestCase(unittest.TestCase): """The base test case.""" _DATA_PATH = os.path.join(os.getcwd(), u'data') _TEST_DATA_PATH = os.path.join(os.getcwd(), u'test_data') # Show full diff results, part of TestCase so does not follow our naming # conventions. maxDiff = None def _GetTestFilePath(self, path_segments): """Retrieves the path of a test file in the test data directory. Args: path_segments (list[str]): path segments inside the test data directory. Returns: str: path of the test file. """ # Note that we need to pass the individual path segments to os.path.join # and not a list. 
return os.path.join(self._TEST_DATA_PATH, *path_segments) class TempDirectory(object): """Class that implements a temporary directory.""" def __init__(self): """Initializes a temporary directory.""" super(TempDirectory, self).__init__() self.name = u'' def __enter__(self): """Make this work with the 'with' statement.""" self.name = tempfile.mkdtemp() return self.name def __exit__(self, unused_type, unused_value, unused_traceback): """Make this work with the 'with' statement.""" shutil.rmtree(self.name, True) artifacts-20170808/tests/validator_test.py000066400000000000000000000021701314241367100205070ustar00rootroot00000000000000#!/usr/bin/python # -*- coding: utf-8 -*- """Tests for the artifact definitions validator.""" import glob import os import unittest from artifacts import errors from tools import validator from tests import test_lib class ArtifactDefinitionsValidatorTest(test_lib.BaseTestCase): """Class to test the validator.""" def testArtifactDefinitionsValidator(self): """Runs the validator over all the YAML artifact definitions files.""" validator_object = validator.ArtifactDefinitionsValidator() for definitions_file in glob.glob(os.path.join('data', '*.yaml')): result = validator_object.CheckFile(definitions_file) self.assertTrue( result, msg='in definitions file: {0}'.format(definitions_file)) undefined_artifacts = validator_object.GetUndefinedArtifacts() if undefined_artifacts: raise errors.MissingDependencyError( 'Artifacts group referencing undefined artifacts: {0}'.format( undefined_artifacts)) # TODO: add tests that deliberately provide invalid definitions to see # if the validator works correctly. 
if __name__ == '__main__': unittest.main() artifacts-20170808/tests/writer_test.py000066400000000000000000000035631314241367100200450ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions readers.""" import os import unittest from artifacts import reader from artifacts import writer from tests import test_lib class ArtifactsWriterTest(test_lib.BaseTestCase): """Class to test the artifacts writer.""" def _TestArtifactsConversion( self, artifact_reader, artifact_writer, filename): """Tests artifacts conversion. Args: artifact_reader (ArtifactsReader): artifact reader. artifact_writer (ArtifactsWriter): artifact writer. filename (str): name of the file to convert. """ test_file = self._GetTestFilePath([filename]) artifact_definitions = list(artifact_reader.ReadFile(test_file)) with test_lib.TempDirectory() as temporary_directory: output_file = os.path.join(temporary_directory, filename) artifact_writer.WriteArtifactsFile(artifact_definitions, output_file) converted_artifact_definitions = list( artifact_reader.ReadFile(output_file)) self.assertListEqual( [artifact.AsDict() for artifact in artifact_definitions], [artifact.AsDict() for artifact in converted_artifact_definitions]) @test_lib.skipUnlessHasTestFile(['definitions.json']) def testJsonWriter(self): """Tests conversion with the JsonArtifactsWriter.""" artifact_reader = reader.JsonArtifactsReader() artifact_writer = writer.JsonArtifactsWriter() self._TestArtifactsConversion( artifact_reader, artifact_writer, 'definitions.json') @test_lib.skipUnlessHasTestFile(['definitions.yaml']) def testYamlWriter(self): """Tests conversion with the YamlArtifactsWriter.""" artifact_reader = reader.YamlArtifactsReader() artifact_writer = writer.YamlArtifactsWriter() self._TestArtifactsConversion( artifact_reader, artifact_writer, 'definitions.yaml') if __name__ == '__main__': unittest.main() 
artifacts-20170808/tools/000077500000000000000000000000001314241367100151075ustar00rootroot00000000000000artifacts-20170808/tools/__init__.py000066400000000000000000000000521314241367100172150ustar00rootroot00000000000000#!/usr/bin/python # -*- coding: utf-8 -*- artifacts-20170808/tools/stats.py000077500000000000000000000073011314241367100166230ustar00rootroot00000000000000#!/usr/bin/python # -*- coding: utf-8 -*- """Report statistics about the artifact collection.""" from __future__ import print_function from __future__ import unicode_literals import time from artifacts import definitions from artifacts import reader class ArtifactStatistics(object): """Generate and print statistics about artifact definitions.""" def __init__(self): """Initializes artifact statistics.""" super(ArtifactStatistics, self).__init__() self.label_counts = {} self.os_counts = {} self.path_count = 0 self.reg_key_count = 0 self.source_type_counts = {} self.total_count = 0 def _PrintDictAsTable(self, src_dict): """Prints a table of artifact definitions. Args: src_dict (dict[str, ArtifactDefinition]): artifact definitions by name. 
""" key_list = list(src_dict.keys()) key_list.sort() print('|', end='') for key in key_list: print(' {0:s} |'.format(key), end='') print('') print('|', end='') for key in key_list: print(' :---: |', end='') print('') print('|', end='') for key in key_list: print(' {0!s} |'.format(src_dict[key]), end='') print('\n') def PrintOSTable(self): """Prints a table of artifact definitions by operating system.""" print('**Artifacts by OS**\n') self._PrintDictAsTable(self.os_counts) def PrintLabelTable(self): """Prints a table of artifact definitions by label.""" print('**Artifacts by label**\n') self._PrintDictAsTable(self.label_counts) def PrintSourceTypeTable(self): """Prints a table of artifact definitions by source type.""" print('**Artifacts by type**\n') self._PrintDictAsTable(self.source_type_counts) def PrintSummaryTable(self): """Prints a summary table.""" print(""" As of {0:s} the repository contains: | **File paths covered** | **{1:d}** | | :------------------ | ------: | | **Registry keys covered** | **{2:d}** | | **Total artifacts** | **{3:d}** | """.format( time.strftime('%Y-%m-%d'), self.path_count, self.reg_key_count, self.total_count)) def BuildStats(self): """Builds the statistics.""" artifact_reader = reader.YamlArtifactsReader() self.label_counts = {} self.os_counts = {} self.path_count = 0 self.reg_key_count = 0 self.source_type_counts = {} self.total_count = 0 for artifact_definition in artifact_reader.ReadDirectory('data'): if hasattr(artifact_definition, 'labels'): for label in artifact_definition.labels: self.label_counts[label] = self.label_counts.get(label, 0) + 1 for source in artifact_definition.sources: self.total_count += 1 source_type = source.type_indicator self.source_type_counts[source_type] = self.source_type_counts.get( source_type, 0) + 1 if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: self.reg_key_count += len(source.keys) if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: self.reg_key_count += 
len(source.key_value_pairs) if (source_type == definitions.TYPE_INDICATOR_FILE or source_type == definitions.TYPE_INDICATOR_DIRECTORY): self.path_count += len(source.paths) os_list = source.supported_os for os_str in os_list: self.os_counts[os_str] = self.os_counts.get(os_str, 0) + 1 def PrintStats(self): """Build stats and print in MarkDown format.""" self.BuildStats() self.PrintSummaryTable() self.PrintSourceTypeTable() self.PrintOSTable() self.PrintLabelTable() def main(): """The main function.""" statsbuilder = ArtifactStatistics() statsbuilder.PrintStats() if __name__ == '__main__': main() artifacts-20170808/tools/validator.py000077500000000000000000000133261314241367100174560ustar00rootroot00000000000000#!/usr/bin/python # -*- coding: utf-8 -*- """Tool to validate artifact definitions.""" from __future__ import print_function from __future__ import unicode_literals import argparse import logging import os import sys from artifacts import definitions from artifacts import errors from artifacts import reader from artifacts import registry class ArtifactDefinitionsValidator(object): """Artifact definitions validator.""" LEGACY_PATH = os.path.join('data', 'legacy.yaml') def __init__(self): """Initializes an artifact definitions validator.""" super(ArtifactDefinitionsValidator, self).__init__() self._artifact_registry = registry.ArtifactDefinitionsRegistry() self._artifact_registry_key_paths = set() def _CheckRegistryKeyPath(self, filename, artifact_definition, key_path): """Checks a Windows Registry key path. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. key_path (str): key path. Returns: bool: True if the Registry key path is valid. 
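"""
    result = True

    # Upper-case once so the prefix test below is case-insensitive.
    key_path = key_path.upper()
    if key_path.startswith(u'%%CURRENT_CONTROL_SET%%'):
      result = False
      logging.warning((
          u'Artifact definition: {0:s} in file: {1:s} contains Windows '
          u'Registry key path that starts with '
          u'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
          u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format(
              artifact_definition.name, filename))

    return result

  def _HasDuplicateRegistryKeyPaths(
      self, filename, artifact_definition, source):
    """Checks if Registry key paths are not already defined by other artifacts.

    Note that at the moment this function will only find exact duplicate
    Registry key paths.

    Args:
      filename (str): name of the artifacts definition file.
      artifact_definition (ArtifactDefinition): artifact definition.
      source (SourceType): source definition.

    Returns:
      bool: True if the Registry key paths defined by the source type
          are used in other artifacts.
    """
    result = False
    intersection = self._artifact_registry_key_paths.intersection(
        set(source.keys))
    if intersection:
      # Sort so the warning is deterministic (set iteration order is not),
      # which keeps validator output comparable between runs.
      duplicate_key_paths = u'\n'.join(sorted(intersection))
      logging.warning((
          u'Artifact definition: {0:s} in file: {1:s} has duplicate '
          u'Registry key paths:\n{2:s}').format(
              artifact_definition.name, filename, duplicate_key_paths))
      result = True

    # Record the paths regardless of the outcome so that later artifacts
    # are checked against this one as well.
    self._artifact_registry_key_paths.update(source.keys)
    return result

  def CheckFile(self, filename):
    """Validates the artifacts definition in a specific file.

    Args:
      filename (str): name of the artifacts definition file.

    Returns:
      bool: True if the file contains valid artifacts definitions.
"""
    result = True
    artifact_reader = reader.YamlArtifactsReader()

    # A FormatError raised while iterating ReadFile() ends validation of the
    # remaining definitions in this file; the file is then reported invalid.
    try:
      for artifact_definition in artifact_reader.ReadFile(filename):
        try:
          self._artifact_registry.RegisterDefinition(artifact_definition)
        except KeyError:
          # The registry rejects a name that is already registered.
          logging.warning(
              u'Duplicate artifact definition: {0:s} in file: {1:s}'.format(
                  artifact_definition.name, filename))
          result = False

        for source in artifact_definition.sources:
          if source.type_indicator == (
              definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
            # Exempt the legacy file from duplicate checking because it has
            # duplicates intentionally.
            if (filename != self.LEGACY_PATH and
                self._HasDuplicateRegistryKeyPaths(
                    filename, artifact_definition, source)):
              result = False

            for key_path in source.keys:
              if not self._CheckRegistryKeyPath(
                  filename, artifact_definition, key_path):
                result = False

          elif source.type_indicator == (
              definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):
            # Only the key part of each pair is a Registry key path.
            for key_value_pair in source.key_value_pairs:
              if not self._CheckRegistryKeyPath(
                  filename, artifact_definition, key_value_pair[u'key']):
                result = False

    except errors.FormatError as exception:
      logging.warning(
          u'Unable to validate file: {0:s} with error: {1!s}'.format(
              filename, exception))
      result = False

    return result

  def GetUndefinedArtifacts(self):
    """Retrieves the names of undefined artifacts used by artifact groups.

    Returns:
      set[str]: undefined artifacts names.
    """
    return self._artifact_registry.GetUndefinedArtifacts()


def Main():
  """The main program function.

  Returns:
    bool: True if successful or False if not.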
""" args_parser = argparse.ArgumentParser( description='Validates an artifact definitions file.') args_parser.add_argument( 'filename', nargs='?', action='store', metavar='artifacts.yaml', default=None, help=('path of the file that contains the artifact ' 'definitions.')) options = args_parser.parse_args() if not options.filename: print('Source value is missing.') print('') args_parser.print_help() print('') return False if not os.path.isfile(options.filename): print('No such file: {0:s}'.format(options.filename)) print('') return False print('Validating: {0:s}'.format(options.filename)) validator = ArtifactDefinitionsValidator() if not validator.CheckFile(options.filename): print('FAILURE') return False print('SUCCESS') return True if __name__ == '__main__': if not Main(): sys.exit(1) else: sys.exit(0) artifacts-20170808/tox.ini000066400000000000000000000001451314241367100152620ustar00rootroot00000000000000[tox] envlist = py27, py34 [testenv] commands = nosetests -v deps = nose -rrequirements.txt artifacts-20170808/utils/000077500000000000000000000000001314241367100151075ustar00rootroot00000000000000artifacts-20170808/utils/__init__.py000066400000000000000000000000001314241367100172060ustar00rootroot00000000000000artifacts-20170808/utils/dependencies.py000066400000000000000000000310561314241367100201140ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Helper to check for availability and version of dependencies.""" from __future__ import print_function import re try: import ConfigParser as configparser except ImportError: import configparser # pylint: disable=import-error class DependencyDefinition(object): """Dependency definition. Attributes: dpkg_name (str): name of the dpkg package that provides the dependency. is_optional (bool): True if the dependency is optional. l2tbinaries_name (str): name of the l2tbinaries package that provides the dependency. maximum_version (str): maximum supported version. minimum_version (str): minimum supported version. 
name (str): name of (the Python module that provides) the dependency. pypi_name (str): name of the PyPI package that provides the dependency. rpm_name (str): name of the rpm package that provides the dependency. version_property (str): name of the version attribute or function. """ def __init__(self, name): """Initializes a dependency configuation. Args: name (str): name of the dependency. """ super(DependencyDefinition, self).__init__() self.dpkg_name = None self.is_optional = False self.l2tbinaries_name = None self.maximum_version = None self.minimum_version = None self.name = name self.pypi_name = None self.rpm_name = None self.version_property = None class DependencyDefinitionReader(object): """Dependency definition reader.""" _VALUE_NAMES = frozenset([ u'dpkg_name', u'is_optional', u'l2tbinaries_name', u'maximum_version', u'minimum_version', u'pypi_name', u'rpm_name', u'version_property']) def _GetConfigValue(self, config_parser, section_name, value_name): """Retrieves a value from the config parser. Args: config_parser (ConfigParser): configuration parser. section_name (str): name of the section that contains the value. value_name (str): name of the value. Returns: object: value or None if the value does not exists. """ try: return config_parser.get(section_name, value_name) except configparser.NoOptionError: return def Read(self, file_object): """Reads dependency definitions. Args: file_object (file): file-like object to read from. Yields: DependencyDefinition: dependency definition. 
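"""
    config_parser = configparser.RawConfigParser()
    # read_file() is the Python 3 name; readfp() is all Python 2 has and was
    # removed in Python 3.12, so prefer the new name when it exists.
    read_file = getattr(config_parser, 'read_file', None)
    if read_file is None:
      read_file = config_parser.readfp
    read_file(file_object)

    for section_name in config_parser.sections():
      dependency_definition = DependencyDefinition(section_name)
      for value_name in self._VALUE_NAMES:
        value = self._GetConfigValue(config_parser, section_name, value_name)
        if value is None:
          # Keep the constructor default when the ini does not set the value.
          continue
        if value_name == u'is_optional':
          # RawConfigParser.get() returns the raw string and a non-empty
          # string such as 'false' is truthy; parse it as a boolean instead.
          value = config_parser.getboolean(section_name, value_name)
        setattr(dependency_definition, value_name, value)

      yield dependency_definition


class DependencyHelper(object):
  """Dependency helper.

  Dependency definitions are read from dependencies.ini in the current
  working directory; the test-only dependency (yapf) is defined inline.
  """

  # Version strings are split on '.' and '-' and compared component-wise.
  _VERSION_SPLIT_REGEX = re.compile(r'\.|\-')

  def __init__(self):
    """Initializes a dependency helper.

    Raises:
      IOError: if dependencies.ini cannot be opened (OSError on Python 3).
    """
    super(DependencyHelper, self).__init__()
    self._dependencies = {}
    self._test_dependencies = {}

    dependency_reader = DependencyDefinitionReader()

    # Resolved relative to the working directory, not to this module.
    with open(u'dependencies.ini', 'r') as file_object:
      for dependency in dependency_reader.Read(file_object):
        self._dependencies[dependency.name] = dependency

    dependency = DependencyDefinition(u'yapf')
    dependency.minimum_version = u'0.16.1'
    dependency.version_property = u'__version__'
    self._test_dependencies[u'yapf'] = dependency

  def _CheckPythonModule(self, dependency):
    """Checks the availability of a Python module.

    Args:
      dependency (DependencyDefinition): dependency definition.

    Returns:
      tuple: consists:

        bool: True if the Python module is available and conforms to
            the minimum required version, False otherwise.
        str: status message.
    """
    module_object = self._ImportPythonModule(dependency.name)
    if not module_object:
      # A missing optional dependency still counts as a passing check.
      status_message = u'missing: {0:s}'.format(dependency.name)
      return dependency.is_optional, status_message

    if not dependency.version_property or not dependency.minimum_version:
      return True, dependency.name

    return self._CheckPythonModuleVersion(
        dependency.name, module_object, dependency.version_property,
        dependency.minimum_version, dependency.maximum_version)

  def _GetVersionMap(self, version):
    """Converts a version string into a list of integers for comparison.

    Args:
      version (str): version string, for example '1.2.3' or '1.2-3'.

    Returns:
      list[int]: version components, or None if a component is not a plain
          integer (for example '1.0rc1').
    """
    try:
      return [int(part) for part in self._VERSION_SPLIT_REGEX.split(version)]
    except ValueError:
      return None

  def _CheckPythonModuleVersion(
      self, module_name, module_object, version_property, minimum_version,
      maximum_version):
    """Checks the version of a Python module.

    Args:
      module_name (str): name of the Python module.
      module_object (module): Python module.
      version_property (str): version attribute or function; a name ending
          in '()' is called, anything else is read as an attribute.
      minimum_version (str): minimum version.
      maximum_version (str): maximum version or None.

    Returns:
      tuple: consists:

        bool: True if the Python module is available and conforms to
            the minimum required version, False otherwise.
        str: status message.
    """
    module_version = None
    if not version_property.endswith(u'()'):
      module_version = getattr(module_object, version_property, None)
    else:
      version_method = getattr(
          module_object, version_property[:-2], None)
      if version_method:
        module_version = version_method()

    if not module_version:
      status_message = (
          u'unable to determine version information for: {0:s}').format(
              module_name)
      return False, status_message

    # Make sure the module version is a string.
    module_version = u'{0!s}'.format(module_version)

    # Compare component-wise as integers; a string compare of both version
    # strings would yield an incorrect result. A non-numeric component is
    # reported as a failed check instead of raising ValueError.
    module_version_map = self._GetVersionMap(module_version)
    if module_version_map is None:
      status_message = (
          u'unable to parse version: {0!s} of: {1:s}').format(
              module_version, module_name)
      return False, status_message

    minimum_version_map = self._GetVersionMap(minimum_version)
    if minimum_version_map is None:
      status_message = (
          u'unable to parse minimum version: {0!s} of: {1:s}').format(
              minimum_version, module_name)
      return False, status_message

    if module_version_map < minimum_version_map:
      status_message = (
          u'{0:s} version: {1!s} is too old, {2!s} or later required').format(
              module_name, module_version, minimum_version)
      return False, status_message

    if maximum_version:
      maximum_version_map = self._GetVersionMap(maximum_version)
      if maximum_version_map is None:
        status_message = (
            u'unable to parse maximum version: {0!s} of: {1:s}').format(
                maximum_version, module_name)
        return False, status_message

      if module_version_map > maximum_version_map:
        status_message = (
            u'{0:s} version: {1!s} is too recent, {2!s} or earlier '
            u'required').format(module_name, module_version, maximum_version)
        return False, status_message

    status_message = u'{0:s} version: {1!s}'.format(module_name, module_version)
    return True, status_message

  def _ImportPythonModule(self, module_name):
    """Imports a Python module.

    The module names come from the project's own dependencies.ini (read in
    __init__), not from user input.

    Args:
      module_name (str): name of the module.

    Returns:
      module: Python module or None if the module cannot be imported.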
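"""
    try:
      module_object = list(map(__import__, [module_name]))[0]
    except ImportError:
      return

    # If the module name contains dots get the upper most module object.
    if u'.' in module_name:
      for submodule_name in module_name.split(u'.')[1:]:
        module_object = getattr(module_object, submodule_name, None)

    return module_object

  def _PrintCheckDependencyStatus(
      self, dependency, result, status_message, verbose_output=True):
    """Prints the check dependency status.

    Failures and optional dependencies are always printed; a passing
    required dependency is only printed when verbose_output is True.

    Args:
      dependency (DependencyDefinition): dependency definition.
      result (bool): True if the Python module is available and conforms to
          the minimum required version, False otherwise.
      status_message (str): status message.
      verbose_output (Optional[bool]): True if output should be verbose.
    """
    if not result or dependency.is_optional:
      if dependency.is_optional:
        status_indicator = u'[OPTIONAL]'
      else:
        status_indicator = u'[FAILURE]'

      print(u'{0:s}\t{1:s}.'.format(status_indicator, status_message))

    elif verbose_output:
      print(u'[OK]\t\t{0:s}'.format(status_message))

  def _CheckDependencyDefinitions(
      self, dependencies, header, verbose_output=True):
    """Checks the availability of a set of dependency definitions.

    Shared by CheckDependencies and CheckTestDependencies. The header is
    only printed when there is at least one definition to check.

    Args:
      dependencies (dict[str, DependencyDefinition]): dependency definitions
          keyed by name.
      header (str): message printed before the individual checks.
      verbose_output (Optional[bool]): True if output should be verbose.

    Returns:
      bool: True if all the dependencies are available, False otherwise.
    """
    check_result = True
    if dependencies:
      print(header)

    for dependency in sorted(
        dependencies.values(), key=lambda definition: definition.name):
      result, status_message = self._CheckPythonModule(dependency)
      if not result:
        check_result = False

      self._PrintCheckDependencyStatus(
          dependency, result, status_message, verbose_output=verbose_output)

    # In non-verbose mode the per-dependency [OK] lines are suppressed, so
    # a single summary line is printed instead.
    if check_result and not verbose_output:
      print(u'[OK]')

    print(u'')
    return check_result

  def CheckDependencies(self, verbose_output=True):
    """Checks the availability of the dependencies.

    Args:
      verbose_output (Optional[bool]): True if output should be verbose.

    Returns:
      bool: True if the dependencies are available, False otherwise.
    """
    return self._CheckDependencyDefinitions(
        self._dependencies,
        u'Checking availability and versions of dependencies.',
        verbose_output=verbose_output)

  def CheckTestDependencies(self, verbose_output=True):
    """Checks the availability of the dependencies when running tests.

    The regular dependencies are checked first; the test dependencies are
    only checked when all of those are available.

    Args:
      verbose_output (Optional[bool]): True if output should be verbose.

    Returns:
      bool: True if the dependencies are available, False otherwise.
    """
    if not self.CheckDependencies(verbose_output=verbose_output):
      return False

    return self._CheckDependencyDefinitions(
        self._test_dependencies,
        u'Checking availability and versions of test dependencies.',
        verbose_output=verbose_output)

  def GetDPKGDepends(self, exclude_version=False):
    """Retrieves the DPKG control file installation requirements.

    Args:
      exclude_version (Optional[bool]): True if the version should be
          excluded from the dependency definitions.

    Returns:
      list[str]: dependency definitions for requires for DPKG control file,
          sorted alphabetically.
    """
    requires = []
    for dependency in sorted(
        self._dependencies.values(), key=lambda definition: definition.name):
      module_name = dependency.dpkg_name or dependency.name

      if exclude_version or not dependency.minimum_version:
        requires_string = module_name
      else:
        # !s instead of :s so a non-string version value is formatted rather
        # than raising ValueError; consistent with GetInstallRequires.
        requires_string = u'{0:s} (>= {1!s})'.format(
            module_name, dependency.minimum_version)

      requires.append(requires_string)

    return sorted(requires)

  def GetL2TBinaries(self):
    """Retrieves the l2tbinaries requirements.

    Returns:
      list[str]: dependency definitions for l2tbinaries, sorted
          alphabetically.
    """
    requires = [
        dependency.l2tbinaries_name or dependency.name
        for dependency in self._dependencies.values()]

    return sorted(requires)

  def GetInstallRequires(self):
    """Retrieves the setup.py installation requirements.

    Returns:
      list[str]: dependency definitions for install_requires for setup.py,
          sorted alphabetically.
    """
    install_requires = []
    for dependency in sorted(
        self._dependencies.values(), key=lambda definition: definition.name):
      module_name = dependency.pypi_name or dependency.name

      if not dependency.minimum_version:
        requires_string = module_name
      elif not dependency.maximum_version:
        requires_string = u'{0:s} >= {1!s}'.format(
            module_name, dependency.minimum_version)
      else:
        requires_string = u'{0:s} >= {1!s},<= {2!s}'.format(
            module_name, dependency.minimum_version,
            dependency.maximum_version)

      install_requires.append(requires_string)

    return sorted(install_requires)

  def GetRPMRequires(self, exclude_version=False):
    """Retrieves the setup.cfg RPM installation requirements.

    Args:
      exclude_version (Optional[bool]): True if the version should be
          excluded from the dependency definitions.

    Returns:
      list[str]: dependency definitions for requires for setup.cfg, sorted
          alphabetically.
    """
    requires = []
    for dependency in sorted(
        self._dependencies.values(), key=lambda definition: definition.name):
      module_name = dependency.rpm_name or dependency.name

      if exclude_version or not dependency.minimum_version:
        requires_string = module_name
      else:
        # !s instead of :s so a non-string version value is formatted rather
        # than raising ValueError; consistent with GetInstallRequires.
        requires_string = u'{0:s} >= {1!s}'.format(
            module_name, dependency.minimum_version)

      requires.append(requires_string)

    return sorted(requires)
artifacts-20170808/utils/pylintrc000066400000000000000000000215611314241367100167030ustar00rootroot00000000000000# File copied from: # http://src.chromium.org/chrome/trunk/tools/depot_tools/pylintrc # Date: 2013-06-29. [MASTER] # Specify a configuration file. #rcfile= # Python code to execute, usually for sys.path manipulation such as # pygtk.require(). #init-hook= # Profiled execution. profile=no # Add files or directories to the blacklist. They should be base names, not # paths. ignore=CVS # Pickle collected data for later comparisons. persistent=yes # List of plugins (as comma separated values of python modules names) to load, # usually to register additional checkers.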
load-plugins= [MESSAGES CONTROL] # Enable the message, report, category or checker with the given id(s). You can # either give multiple identifier separated by comma (,) or put this option # multiple time. #enable= # Disable the message, report, category or checker with the given id(s). You # can either give multiple identifier separated by comma (,) or put this option # multiple time (only on the command line, not in the configuration file where # it should appear only once). # CHANGED: # C0103: Invalid name "" # C0111: Missing docstring # C0302: Too many lines in module (N) # # F0401: Unable to import 'module' # pylint acting strangely: plaso/lib/event.py: F0401: 26,0: Unable to import 'google.protobuf' # # I0010: Unable to consider inline option '' # I0011: Locally disabling WNNNN # # R0201: Method could be a function # R0801: Similar lines in N files # R0901: Too many ancestors (8/7) # R0902: Too many instance attributes (N/7) # R0903: Too few public methods (N/2) # R0904: Too many public methods (N/20) # R0911: Too many return statements (N/6) # R0912: Too many branches (N/12) # R0913: Too many arguments (N/5) # R0914: Too many local variables (N/15) # R0915: Too many statements (N/50) # R0921: Abstract class not referenced # R0922: Abstract class is only referenced 1 times # W0122: Use of the exec statement # W0141: Used builtin function '' # W0142: Used * or ** magic # W0201: Variables defined initially outside the scope of __init__ (reconsider this, added by Kristinn). 
# W0212: Locally enabling protected-access # W0402: Uses of a deprecated module 'string' # W0404: 41: Reimport 'XX' (imported line NN) # W0511: TODO # W0603: Using the global statement # W0703: Catch "Exception" # W1201: Specify string format arguments as logging function parameters # W1202: Use % formatting in logging functions but pass the % parameters as arguments disable=C0103,C0111,C0302,F0401,I0010,I0011,R0201,R0801,R0901,R0902,R0903,R0904,R0911,R0912,R0913,R0914,R0915,R0921,R0922,W0122,W0141,W0142,W0201,W0212,W0402,W0404,W0511,W0603,W0703,W1201,W1202 [REPORTS] # Set the output format. Available formats are text, parseable, colorized, msvs # (visual studio) and html output-format=text # Put messages in a separate file for each module / package specified on the # command line instead of printing them on stdout. Reports (if any) will be # written in a file name "pylint_global.[txt|html]". files-output=no # Tells whether to display a full report or only the messages # CHANGED: reports=no # Python expression which should return a note less than 10 (10 is the highest # note). You have access to the variables errors warning, statement which # respectively contain the number of errors / warnings messages and the total # number of statements analyzed. This is used by the global evaluation report # (RP0004). evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) # Add a comment according to your evaluation note. This is used by the global # evaluation report (RP0004). comment=no [VARIABLES] # Tells whether we should check for unused import in __init__ files. init-import=no # A regular expression matching the beginning of the name of unused variables. # By default this is _ and dummy but we prefer _ and unused. dummy-variables-rgx=_|unused # List of additional names supposed to be defined in builtins. Remember that # you should avoid to define new builtins when possible. 
additional-builtins= [TYPECHECK] # Tells whether missing members accessed in mixin class should be ignored. A # mixin class is detected if its name ends with "mixin" (case insensitive). ignore-mixin-members=yes # List of classes names for which member attributes should not be checked # (useful for classes with attributes dynamically set). ignored-classes=SQLObject,twisted.internet.reactor,hashlib,google.appengine.api.memcache # When zope mode is activated, add a predefined set of Zope acquired attributes # to generated-members. zope=no # List of members which are set dynamically and missed by pylint inference # system, and so shouldn't trigger E0201 when accessed. Python regular # expressions are accepted. generated-members=REQUEST,acl_users,aq_parent,multiprocessing.managers.SyncManager [MISCELLANEOUS] # List of note tags to take in consideration, separated by a comma. notes=FIXME,XXX,TODO [SIMILARITIES] # Minimum lines number of a similarity. min-similarity-lines=4 # Ignore comments when computing similarities. ignore-comments=yes # Ignore docstrings when computing similarities. ignore-docstrings=yes [FORMAT] # Maximum number of characters on a single line. max-line-length=80 # Maximum number of lines in a module max-module-lines=1000 # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 # tab). 
# CHANGED: indent-string=' ' [BASIC] # Required attributes for module, separated by a comma required-attributes= # List of builtins function names that should not be used, separated by a comma bad-functions=map,filter,apply,input # Regular expression which should only match correct module names module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ # Regular expression which should only match correct module level names const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ # Regular expression which should only match correct class names class-rgx=[A-Z_][a-zA-Z0-9]+$ # Regular expression which should only match correct function names function-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct method names method-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct instance attribute names attr-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct argument names argument-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct variable names variable-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct list comprehension / # generator expression variable names inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ # Good variable names which should always be accepted, separated by a comma good-names=i,j,k,ex,Run,_ # Bad variable names which should always be refused, separated by a comma bad-names=foo,bar,baz,toto,tutu,tata # Regular expression which should only match functions or classes name which do # not require a docstring no-docstring-rgx=__.*__ [DESIGN] # Maximum number of arguments for function / method max-args=5 # Argument names that match this expression will be ignored. 
Default to name # with leading underscore ignored-argument-names=_.* # Maximum number of locals for function / method body max-locals=15 # Maximum number of return / yield for function / method body max-returns=6 # Maximum number of branch for function / method body max-branchs=12 # Maximum number of statements in function / method body max-statements=50 # Maximum number of parents for a class (see R0901). max-parents=7 # Maximum number of attributes for a class (see R0902). max-attributes=7 # Minimum number of public methods for a class (see R0903). min-public-methods=2 # Maximum number of public methods for a class (see R0904). max-public-methods=20 [CLASSES] # List of interface methods to ignore, separated by a comma. This is used for # instance to not check methods defines in Zope's Interface base class. ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by # List of method names used to declare (i.e. assign) instance attributes. defining-attr-methods=__init__,__new__,setUp # List of valid names for the first argument in a class method. valid-classmethod-first-arg=cls [IMPORTS] # Deprecated modules which should not be used, separated by a comma deprecated-modules=regsub,string,TERMIOS,Bastion,rexec # Create a graph of every (i.e. internal and external) dependencies in the # given file (report RP0402 must not be disabled) import-graph= # Create a graph of external dependencies in the given file (report RP0402 must # not be disabled) ext-import-graph= # Create a graph of internal dependencies in the given file (report RP0402 must # not be disabled) int-import-graph= [EXCEPTIONS] # Exceptions that will emit a warning when being caught. 
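Defaults to # "Exception" overgeneral-exceptions=Exception
artifacts-20170808/utils/run_linter.sh000077500000000000000000000042601314241367100176310ustar00rootroot00000000000000#!/bin/bash
# A small script that runs the linter on all files.
#
# Copyright 2013 The dfVFS Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

EXIT_FAILURE=1;
EXIT_SUCCESS=0;

# Function to check if the linting of the changes is correct.
#
# Returns EXIT_SUCCESS when every changed Python file passes pylint and
# EXIT_FAILURE on the first file that does not. (The previous version
# returned the undefined ${FALSE}/${TRUE}, which expands to a bare "return"
# and reports the status of the preceding test instead, so a linter
# failure never failed the check.)
linting_is_correct()
{
  # Examples of the output of "git status -s"
  # If a file is added:
  # A utils/common.sh
  # If a file is modified:
  # M utils/common.sh
  # If a file is renamed:
  # R utils/common.sh -> utils/uncommon.sh
  # If a file is modified and renamed:
  # RM utils/common.sh -> utils/uncommon.sh
  AWK_SCRIPT="if (\$1 == \"A\" || \$1 == \"AM\" || \$1 == \"M\" || \$1 == \"MM\") { print \$2; } else if (\$1 == \"R\" || \$1 == \"RM\") { print \$4; }";

  # First find all files that need linter
  FILES=`git status -s | grep -v "^?" | awk "{ ${AWK_SCRIPT} }" | grep "\.py$"`;

  LINTER="pylint --rcfile=utils/pylintrc"

  echo "Running changes by pylint.";

  for FILE in ${FILES};
  do
    if test "${FILE}" = "setup.py" || test "${FILE}" = "utils/upload.py";
    then
      echo " -- Skipping: ${FILE} --"
      continue
    fi

    # Quoted so an empty or short result still yields a valid test.
    if test "`echo "${FILE}" | tail -c8`" = "_pb2.py";
    then
      echo "Skipping compiled protobufs: ${FILE}"
      continue
    fi

    echo " -- Checking: ${FILE} --"

    # Stop at the first file that fails the linter.
    if ! ${LINTER} "${FILE}";
    then
      echo "Fix linter errors before proceeding."
      return ${EXIT_FAILURE};
    fi
  done

  echo "Linter clear.";
  return ${EXIT_SUCCESS};
}

if ! linting_is_correct;
then
  echo "Aborted - fix the issues reported by the linter.";

  exit ${EXIT_FAILURE};
fi

exit ${EXIT_SUCCESS};
artifacts-20170808/utils/update_dependencies.py000077500000000000000000000254101314241367100214560ustar00rootroot00000000000000#!/usr/bin/python
# -*- coding: utf-8 -*-
"""Script to update the dependencies in various configuration files."""

import os
import sys

# Change PYTHONPATH to include dependencies.
sys.path.insert(0, u'.')

import utils.dependencies  # pylint: disable=wrong-import-position


class DependencyFileWriter(object):
  """Dependency file writer."""

  def __init__(self, dependency_helper):
    """Initializes a dependency file writer.

    Args:
      dependency_helper (DependencyHelper): dependency helper.
    """
    super(DependencyFileWriter, self).__init__()
    self._dependency_helper = dependency_helper


class AppveyorYmlWriter(DependencyFileWriter):
  """Appveyor.yml file writer."""

  _PATH = os.path.join(u'appveyor.yml')

  _VERSION_PYWIN32 = u'220'
  _VERSION_WMI = u'1.4.9'

  # NOTE(review): the generated download steps fetch installers over HTTPS
  # but record no checksum or signature to verify them against, so the CI
  # build trusts whatever these URLs serve at build time.
  _DOWNLOAD_PIP = (
      u' - ps: (new-object net.webclient).DownloadFile('
      u'\'https://bootstrap.pypa.io/get-pip.py\', '
      u'\'C:\\Projects\\get-pip.py\')')

  _DOWNLOAD_PYWIN32 = (
      u' - ps: (new-object net.webclient).DownloadFile('
      u'\'https://github.com/log2timeline/l2tbinaries/raw/master/win32/'
      u'pywin32-{0:s}.win32-py2.7.exe\', '
      u'\'C:\\Projects\\pywin32-{0:s}.win32-py2.7.exe\')').format(
          _VERSION_PYWIN32)

  _DOWNLOAD_WMI = (
      u' - ps: (new-object net.webclient).DownloadFile('
      u'\'https://github.com/log2timeline/l2tbinaries/raw/master/win32/'
      u'WMI-{0:s}.win32.exe\', \'C:\\Projects\\WMI-{0:s}.win32.exe\')').format(
          _VERSION_WMI)

  _INSTALL_PIP = (
      u' - cmd: "%PYTHON%\\\\python.exe C:\\\\Projects\\\\get-pip.py"')

  _INSTALL_PYWIN32 = (
      u' - cmd: "%PYTHON%\\\\Scripts\\\\easy_install.exe '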
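u'C:\\\\Projects\\\\pywin32-{0:s}.win32-py2.7.exe"').format(
          _VERSION_PYWIN32)

  _INSTALL_WMI = (
      u' - cmd: "%PYTHON%\\\\Scripts\\\\easy_install.exe '
      u'C:\\\\Projects\\\\WMI-{0:s}.win32.exe"').format(_VERSION_WMI)

  # NOTE(review): clones the default branch of a remote repository without
  # pinning a commit; the CI build runs whatever that branch holds at the
  # time of the build.
  _DOWNLOAD_L2TDEVTOOLS = (
      u' - cmd: git clone https://github.com/log2timeline/l2tdevtools.git && '
      u'move l2tdevtools ..\\')

  _FILE_HEADER = [
      u'environment:',
      u' matrix:',
      u' - PYTHON: "C:\\\\Python27"',
      u'',
      u'install:',
      (u' - cmd: \'"C:\\Program Files\\Microsoft SDKs\\Windows\\v7.1\\Bin\\'
       u'SetEnv.cmd" /x86 /release\''),
      _DOWNLOAD_PIP,
      _DOWNLOAD_PYWIN32,
      _DOWNLOAD_WMI,
      _INSTALL_PIP,
      _INSTALL_PYWIN32,
      _INSTALL_WMI,
      _DOWNLOAD_L2TDEVTOOLS]

  # {0:s} receives the space separated l2tbinaries dependency names.
  _L2TDEVTOOLS_UPDATE = (
      u' - cmd: mkdir dependencies && set PYTHONPATH=..\\l2tdevtools && '
      u'"%PYTHON%\\\\python.exe" ..\\l2tdevtools\\tools\\update.py '
      u'--download-directory dependencies --machine-type x86 '
      u'--msi-targetdir "%PYTHON%" {0:s}')

  _FILE_FOOTER = [
      u'',
      u'build: off',
      u'',
      u'test_script:',
      u' - "%PYTHON%\\\\python.exe run_tests.py"',
      u'']

  def Write(self):
    """Writes an appveyor.yml file.

    The file is written to _PATH relative to the current working directory
    and replaces any existing file. The l2tbinaries dependency names, plus
    yapf for the test step, are substituted into the l2tdevtools update
    command.
    """
    file_content = []
    file_content.extend(self._FILE_HEADER)

    dependencies = self._dependency_helper.GetL2TBinaries()
    dependencies.extend([u'yapf'])
    dependencies = u' '.join(dependencies)

    l2tdevtools_update = self._L2TDEVTOOLS_UPDATE.format(dependencies)
    file_content.append(l2tdevtools_update)

    file_content.extend(self._FILE_FOOTER)

    _WriteTextFile(self._PATH, file_content)


def _WriteTextFile(path, lines):
  """Writes lines to a file as UTF-8 encoded text.

  Shared by all the writers: the lines are joined with newlines (no trailing
  newline is added after the last line) and an existing file is replaced.

  Args:
    path (str): path of the file, relative to the current working directory.
    lines (list[str]): lines of the file, without line endings.
  """
  file_content = u'\n'.join(lines)
  file_content = file_content.encode(u'utf-8')

  with open(path, 'wb') as file_object:
    file_object.write(file_content)


class DPKGControlWriter(DependencyFileWriter):
  """Dpkg control file writer."""

  _PATH = os.path.join(u'config', u'dpkg', u'control')

  _PROJECT_NAME = u'artifacts'

  # NOTE(review): the maintainer value ends in a space and carries no
  # address in this copy; it looks like an e-mail address was lost. Confirm
  # against the original before regenerating the control file.
  _MAINTAINER = u'Forensic artifacts '

  _FILE_HEADER = [
      u'Source: {0:s}'.format(_PROJECT_NAME),
      u'Section: python',
      u'Priority: extra',
      u'Maintainer: {0:s}'.format(_MAINTAINER),
      (u'Build-Depends: debhelper (>= 7), python-all (>= 2.7~), '
       u'python-setuptools, python3-all (>= 3.4~), python3-setuptools'),
      u'Standards-Version: 3.9.5',
      u'X-Python-Version: >= 2.7',
      u'X-Python3-Version: >= 3.4',
      u'Homepage: https://github.com/ForensicArtifacts/artifacts',
      u'',
      u'Package: artifacts-data',
      u'Architecture: all',
      u'Depends: ${misc:Depends}',
      u'Description: Data files for ForensicArtifacts.com Artifact Repository',
      (u' A free, community-sourced, machine-readable knowledge base of '
       u'forensic'),
      (u' artifacts that the world can use both as an information source and '
       u'within other tools.'),
      u'']

  _PYTHON2_PACKAGE_HEADER = [
      u'Package: python-{0:s}'.format(_PROJECT_NAME),
      u'Architecture: all']

  _PYTHON3_PACKAGE_HEADER = [
      u'Package: python3-{0:s}'.format(_PROJECT_NAME),
      u'Architecture: all']

  _PYTHON_PACKAGE_DESCRIPTION = [
      (u'Description: Python bindings for ForensicArtifacts.com Artifact '
       u'Repository'),
      (u' A free, community-sourced, machine-readable knowledge base of '
       u'forensic'),
      (u' artifacts that the world can use both as an information source '
       u'and within other tools.'),
      u'']

  _PYTHON_PACKAGE_FOOTER = [
      u'Package: artifacts-tools',
      u'Architecture: all',
      (u'Depends: python-artifacts, python (>= 2.7~), ${python:Depends}, '
       u'${misc:Depends}'),
      u'Description: Tools for ForensicArtifacts.com Artifact Repository',
      (u' A free, community-sourced, machine-readable knowledge base of '
       u'forensic'),
      (u' artifacts that the world can use both as an information source and '
       u'within other tools.'),
      u'']

  def Write(self):
    """Writes a dpkg control file.

    Emits the source stanza, the data package, the Python 2 and Python 3
    binding packages and the tools package. The file is written to _PATH
    relative to the current working directory.
    """
    file_content = []
    file_content.extend(self._FILE_HEADER)
    file_content.extend(self._PYTHON2_PACKAGE_HEADER)

    dependencies = self._dependency_helper.GetDPKGDepends()
    dependencies.extend([u'${python:Depends}', u'${misc:Depends}'])
    dependencies = u', '.join(dependencies)

    file_content.append(u'Depends: artifacts-data, {0:s}'.format(dependencies))
    file_content.extend(self._PYTHON_PACKAGE_DESCRIPTION)

    file_content.extend(self._PYTHON3_PACKAGE_HEADER)

    # The Python 3 Depends line is derived by textual substitution, which
    # rewrites every "python" substring of the joined line, including the
    # ${python:Depends} placeholder.
    dependencies = dependencies.replace(u'python', u'python3')
    file_content.append(u'Depends: artifacts-data, {0:s}'.format(dependencies))
    file_content.extend(self._PYTHON_PACKAGE_DESCRIPTION)

    file_content.extend(self._PYTHON_PACKAGE_FOOTER)

    _WriteTextFile(self._PATH, file_content)


class RequirementsWriter(DependencyFileWriter):
  """Requirements.txt file writer."""

  _PATH = u'requirements.txt'

  _FILE_HEADER = [
      u'pip >= 7.0.0',
      u'pytest',
      u'yapf']

  def Write(self):
    """Writes a requirements.txt file.

    The fixed header entries are followed by one install requirement per
    line. The file is written to _PATH relative to the current working
    directory.
    """
    file_content = []
    file_content.extend(self._FILE_HEADER)

    # GetInstallRequires already yields one requirement string per line.
    dependencies = self._dependency_helper.GetInstallRequires()
    file_content.extend(dependencies)

    _WriteTextFile(self._PATH, file_content)


class SetupCfgWriter(DependencyFileWriter):
  """Setup.cfg file writer."""

  _PATH = u'setup.cfg'

  # NOTE(review): same maintainer value as DPKGControlWriter; see the note
  # there about the apparently missing address.
  _MAINTAINER = u'Forensic artifacts '

  _FILE_HEADER = [
      u'[bdist_rpm]',
      u'release = 1',
      u'packager = {0:s}'.format(_MAINTAINER),
      u'doc_files = ACKNOWLEDGEMENTS',
      u' AUTHORS',
      u' LICENSE',
      u' README',
      u'build_requires = python-setuptools']

  def Write(self):
    """Writes a setup.cfg file.

    The RPM requirements are emitted as a single "requires" option whose
    first value is on the option line and the remaining values are on
    indented continuation lines; no "requires" option is written when there
    are no dependencies. The file is written to _PATH relative to the
    current working directory.
    """
    file_content = []
    file_content.extend(self._FILE_HEADER)

    dependencies = self._dependency_helper.GetRPMRequires()
    if dependencies:
      file_content.append(u'requires = {0:s}'.format(dependencies[0]))
      for dependency in dependencies[1:]:
        file_content.append(u' {0:s}'.format(dependency))

    _WriteTextFile(self._PATH, file_content)


class TravisBeforeInstallScriptWriter(DependencyFileWriter):
  """Travis-CI install.sh file writer."""

  _PATH = os.path.join(u'config', u'travis', u'install.sh')

  _FILE_HEADER = [
      u'#!/bin/bash',
      u'#',
      u'# Script to set up Travis-CI test VM.',
      u'',
      (u'COVERALL_DEPENDENCIES="python-coverage python-coveralls '
       u'python-docopt";'),
      u'']

  # The generated Linux branch installs packages with sudo from the
  # third-party gift/dev PPA; the macOS branch clones l2tdevtools unpinned,
  # as the Appveyor writer does.
  _FILE_FOOTER = [
      u'',
      u'# Exit on error.',
      u'set -e;',
      u'',
      u'if test ${TRAVIS_OS_NAME} = "osx";',
      u'then',
      u'\tgit clone https://github.com/log2timeline/l2tdevtools.git;',
      u'',
      u'\tmv l2tdevtools ../;',
      u'\tmkdir dependencies;',
      u'',
      (u'\tPYTHONPATH=../l2tdevtools ../l2tdevtools/tools/update.py '
       u'--download-directory=dependencies ${L2TBINARIES_DEPENDENCIES} '
       u'${L2TBINARIES_TEST_DEPENDENCIES};'),
      u'',
      u'elif test ${TRAVIS_OS_NAME} = "linux";',
      u'then',
      u'\tsudo add-apt-repository ppa:gift/dev -y;',
      u'\tsudo apt-get update -q;',
      u'\t# Only install the Python 2 dependencies.',
      (u'\t# Also see: https://docs.travis-ci.com/user/languages/python/'
       u'#Travis-CI-Uses-Isolated-virtualenvs'),
      (u'\tsudo apt-get install -y ${COVERALL_DEPENDENCIES} '
       u'${PYTHON2_DEPENDENCIES} ${PYTHON2_TEST_DEPENDENCIES};'),
      u'fi',
      u'']

  def Write(self):
    """Writes an install.sh file.

    Between the fixed header and footer, shell variables are emitted for the
    l2tbinaries names (macOS) and the version-less dpkg package names
    (Linux), each followed by the fixed test dependency. The file is written
    to _PATH relative to the current working directory.
    """
    file_content = []
    file_content.extend(self._FILE_HEADER)

    dependencies = self._dependency_helper.GetL2TBinaries()
    dependencies = u' '.join(dependencies)
    file_content.append(u'L2TBINARIES_DEPENDENCIES="{0:s}";'.format(
        dependencies))

    file_content.append(u'')
    file_content.append(u'L2TBINARIES_TEST_DEPENDENCIES="yapf";')
    file_content.append(u'')

    dependencies = self._dependency_helper.GetDPKGDepends(exclude_version=True)
    dependencies = u' '.join(dependencies)
    file_content.append(u'PYTHON2_DEPENDENCIES="{0:s}";'.format(dependencies))

    file_content.append(u'')
    file_content.append(u'PYTHON2_TEST_DEPENDENCIES="python-yapf";')

    file_content.extend(self._FILE_FOOTER)

    _WriteTextFile(self._PATH, file_content)


if __name__ == u'__main__':
  helper = utils.dependencies.DependencyHelper()

  # Every writer regenerates its file in place from the same helper.
  for writer_class in (
      AppveyorYmlWriter, DPKGControlWriter, RequirementsWriter,
      SetupCfgWriter, TravisBeforeInstallScriptWriter):
    writer = writer_class(helper)
    writer.Write()
artifacts-20170808/utils/update_version.sh000077500000000000000000000007721314241367100205030ustar00rootroot00000000000000#!/bin/bash
# Script to update the version information.
#
# Rewrites the date based version in artifacts/__init__.py and the dpkg
# changelog in place; the last sed only matches a changelog trailer whose
# maintainer text equals EMAIL_DPKG exactly.

DATE_VERSION=`date +"%Y%m%d"`;
DATE_DPKG=`date -R`;
# NOTE(review): this value ends in a trailing space and carries no address
# in this copy; confirm it matches the trailer in config/dpkg/changelog.
EMAIL_DPKG="Forensic artifacts ";

sed -i -e "s/^\(__version__ = \)'[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'$/\1'${DATE_VERSION}'/" artifacts/__init__.py

sed -i -e "s/^\(python-artifacts \)([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-1)/\1(${DATE_VERSION}-1)/" config/dpkg/changelog

sed -i -e "s/^\( -- ${EMAIL_DPKG} \).*$/\1${DATE_DPKG}/" config/dpkg/changelog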