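# Source archive artifacts-20211012 (pax_global_header comment=4acfc55da28c92730f645a47e8bb085e9407ecdc).
# The archive members below were concatenated into a single text stream; each
# member is introduced by a banner comment naming its path.
#
# ---- artifacts-20211012/.github/workflows/test_docker.yml ----
# Run tests on Fedora and Ubuntu Docker images using GIFT CORP and GIFT PPA on commit
name: test_docker
on: [push]  # yamllint disable-line rule:truthy

# Least privilege for the job token: no step in this workflow references
# GITHUB_TOKEN or any secret, and checkout only needs read access to the
# repository contents, so the default token is restricted to that. Widen
# this only for a step that genuinely has to write (releases, comments, ...).
permissions:
  contents: read

jobs:
  test_fedora:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so the release numbers stay strings rather than integers.
        version: ['33', '34']
    container:
      image: registry.fedoraproject.org/fedora:${{ matrix.version }}
    steps:
      # NOTE(review): @v2 is a mutable tag; pinning the action to a full commit
      # SHA protects the job against the tag being retargeted upstream.
      - uses: actions/checkout@v2
      - name: Set up container
        run: |
          dnf install -y dnf-plugins-core langpacks-en
      # Test dependencies are pulled from the third-party @gift/dev COPR, so the
      # result of this job is only as trustworthy as that repository.
      - name: Install dependencies
        run: |
          dnf copr -y enable @gift/dev
          dnf install -y python3 python3-mock python3-pbr python3-pyyaml python3-setuptools python3-six
      - name: Run tests
        env:
          LANG: C.utf8
        run: |
          python3 ./run_tests.py
      # The end-to-end suite is optional: the step is a no-op when the script
      # is absent from the checkout.
      - name: Run end-to-end tests
        run: |
          if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi
      - name: Build source distribution
        run: |
          python3 ./setup.py sdist
      - name: Build binary distribution
        run: |
          python3 ./setup.py bdist
      - name: Run build and install test
        run: |
          python3 ./setup.py build
          python3 ./setup.py install

  test_ubuntu:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted: 20.04 would otherwise be read as the float 20.04.
        version: ['18.04', '20.04']
    container:
      image: ubuntu:${{ matrix.version }}
    steps:
      # NOTE(review): mutable tag, see the Fedora job above.
      - uses: actions/checkout@v2
      - name: Set up container
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          apt-get update -q
          apt-get install -y libterm-readline-gnu-perl locales software-properties-common
          locale-gen en_US.UTF-8
          ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
      # Test dependencies come from the third-party ppa:gift/dev archive.
      # DEBIAN_FRONTEND is set here as well, matching the container set-up step
      # and test_tox.yml, so a package prompting during postinst cannot hang the
      # job instead of failing it.
      - name: Install dependencies
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          add-apt-repository -y ppa:gift/dev
          apt-get update -q
          apt-get install -y python3 python3-distutils python3-mock python3-pbr python3-setuptools python3-six python3-yaml
      - name: Run tests
        env:
          LANG: en_US.UTF-8
        run: |
          python3 ./run_tests.py
      - name: Run end-to-end tests
        env:
          LANG: en_US.UTF-8
        run: |
          if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi
      - name: Build source distribution
        run: |
          python3 ./setup.py sdist
      - name: Build binary distribution
        run: |
          python3 ./setup.py bdist
      - name: Run build and install test
        run: |
          python3 ./setup.py build
          python3 ./setup.py install

---
# ---- artifacts-20211012/.github/workflows/test_tox.yml ----
# Run tox tests on Ubuntu Docker images using GIFT PPA
name: test_tox
on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

# Same least-privilege default as test_docker.yml: nothing here writes to the
# repository or uses GITHUB_TOKEN beyond the checkout.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          # Interpreter versions are quoted so '3.10' is not read as 3.1.
          - python-version: '3.6'
            toxenv: 'py36'
          - python-version: '3.7'
            toxenv: 'py37'
          - python-version: '3.8'
            toxenv: 'py38,coverage,codecov'
          - python-version: '3.9'
            toxenv: 'py39'
          - python-version: '3.10'
            toxenv: 'py310'
          - python-version: '3.8'
            toxenv: 'pylint'
          - python-version: '3.8'
            toxenv: 'docs'
    container:
      image: ubuntu:20.04
    steps:
      # NOTE(review): @v2 is a mutable tag; a full commit SHA pin is the
      # tamper-resistant form.
      - uses: actions/checkout@v2
      - name: Set up container
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          apt-get update -q
          apt-get install -y libterm-readline-gnu-perl locales software-properties-common
          locale-gen en_US.UTF-8
          ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
      # Interpreters and test dependencies come from two third-party PPAs
      # (deadsnakes and gift/dev); the job trusts whatever those archives serve.
      - name: Install dependencies
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          add-apt-repository -y universe
          add-apt-repository -y ppa:deadsnakes/ppa
          add-apt-repository -y ppa:gift/dev
          apt-get update -q
          apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv python3-distutils python3-mock python3-pbr python3-pip python3-setuptools python3-six python3-yaml
      # tox is installed unpinned from PyPI; pinning a version would make the
      # job reproducible and narrow the supply-chain surface.
      - name: Install tox
        run: |
          python3 -m pip install tox
      - name: Run tests
        env:
          LANG: en_US.UTF-8
        run: |
          tox -e${{ matrix.toxenv }}

# ---- artifacts-20211012/.gitignore ----
# Files to ignore by git

# Back-up files
*~
*.swp

# Generic auto-generated build files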
*.pyc *.pyo # Specific auto-generated build files /__pycache__ /artifacts.egg-info /build /dist # Tests files .tox artifacts-20211012/.pylintrc000066400000000000000000000453671413144520200156040ustar00rootroot00000000000000# Pylint 2.9.x configuration file # # This file is generated by l2tdevtools update-dependencies.py, any dependency # related changes should be made in dependencies.ini. [MASTER] # A comma-separated list of package or module names from where C extensions may # be loaded. Extensions are loading into the active Python interpreter and may # run arbitrary code. extension-pkg-allow-list= # A comma-separated list of package or module names from where C extensions may # be loaded. Extensions are loading into the active Python interpreter and may # run arbitrary code. (This is an alternative name to extension-pkg-allow-list # for backward compatibility.) extension-pkg-whitelist= # Return non-zero exit code if any of these messages/categories are detected, # even if score is above --fail-under value. Syntax same as enable. Messages # specified are enabled, while categories only check already-enabled messages. fail-on= # Specify a score threshold to be exceeded before program exits with error. fail-under=10.0 # Files or directories to be skipped. They should be base names, not paths. ignore=CVS # Add files or directories matching the regex patterns to the ignore-list. The # regex matches against paths. ignore-paths= # Files or directories matching the regex patterns are skipped. The regex # matches against base names, not paths. ignore-patterns= # Python code to execute, usually for sys.path manipulation such as # pygtk.require(). #init-hook= # Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the # number of processors available to use. jobs=1 # Control the amount of potential inferred values when inferring a single # object. This can help the performance when dealing with large functions or # complex, nested conditions. 
limit-inference-results=100 # List of plugins (as comma separated values of python module names) to load, # usually to register additional checkers. load-plugins=pylint.extensions.docparams # Pickle collected data for later comparisons. persistent=yes # When enabled, pylint would attempt to guess common misconfiguration and emit # user-friendly hints instead of false-positive error messages. suggestion-mode=yes # Allow loading of arbitrary C extensions. Extensions are imported into the # active Python interpreter and may run arbitrary code. unsafe-load-any-extension=no [MESSAGES CONTROL] # Only show warnings with the listed confidence levels. Leave empty to show # all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED. confidence= # Disable the message, report, category or checker with the given id(s). You # can either give multiple identifiers separated by comma (,) or put this # option multiple times (only on the command line, not in the configuration # file where it should appear only once). You can also use "--disable=all" to # disable everything first and then reenable specific checks. For example, if # you want to run only the similarities checker, you can use "--disable=all # --enable=similarities". If you want to run only the classes checker, but have # no Warning level messages displayed, use "--disable=all --enable=classes # --disable=W". 
disable=assignment-from-none, bad-inline-option, deprecated-pragma, duplicate-code, eq-without-hash, file-ignored, fixme, locally-disabled, locally-enabled, logging-format-interpolation, metaclass-assignment, missing-param-doc, no-absolute-import, no-self-use, parameter-unpacking, raise-missing-from, raw-checker-failed, super-with-arguments, suppressed-message, too-few-public-methods, too-many-ancestors, too-many-boolean-expressions, too-many-branches, too-many-instance-attributes, too-many-lines, too-many-locals, too-many-nested-blocks, too-many-public-methods, too-many-return-statements, too-many-statements, unsubscriptable-object, useless-object-inheritance, useless-suppression # Enable the message, report, category or checker with the given id(s). You can # either give multiple identifier separated by comma (,) or put this option # multiple time (only on the command line, not in the configuration file where # it should appear only once). See also the "--disable" option for examples. enable=c-extension-no-member [REPORTS] # Python expression which should return a score less than or equal to 10. You # have access to the variables 'error', 'warning', 'refactor', and 'convention' # which contain the number of messages in each category, as well as 'statement' # which is the total number of statements analyzed. This score is used by the # global evaluation report (RP0004). evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) # Template used to display messages. This is a python new-style format string # used to format the message information. See doc for all details. #msg-template= # Set the output format. Available formats are text, parseable, colorized, json # and msvs (visual studio). You can also give a reporter class, e.g. # mypackage.mymodule.MyReporterClass. output-format=text # Tells whether to display a full report or only the messages. reports=no # Activate the evaluation score. 
score=no [REFACTORING] # Maximum number of nested blocks for function / method body max-nested-blocks=5 # Complete name of functions that never returns. When checking for # inconsistent-return-statements if a never returning function is called then # it will be considered as an explicit return statement and no message will be # printed. never-returning-functions=sys.exit,argparse.parse_error [VARIABLES] # List of additional names supposed to be defined in builtins. Remember that # you should avoid defining new builtins when possible. additional-builtins= # Tells whether unused global variables should be treated as a violation. allow-global-unused-variables=yes # List of names allowed to shadow builtins allowed-redefined-builtins= # List of strings which can identify a callback function by name. A callback # name must start or end with one of those strings. callbacks=cb_, _cb # A regular expression matching the name of dummy variables (i.e. expected to # not be used). dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ # Argument names that match this expression will be ignored. Default to name # with leading underscore. ignored-argument-names=_.*|^ignored_|^unused_ # Tells whether we should check for unused import in __init__ files. init-import=no # List of qualified module names which can have objects that can redefine # builtins. redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io [TYPECHECK] # List of decorators that produce context managers, such as # contextlib.contextmanager. Add to this list to register other decorators that # produce valid context managers. contextmanager-decorators=contextlib.contextmanager # List of members which are set dynamically and missed by pylint inference # system, and so shouldn't trigger E1101 when accessed. Python regular # expressions are accepted. generated-members= # Tells whether missing members accessed in mixin class should be ignored. 
A # mixin class is detected if its name ends with "mixin" (case insensitive). ignore-mixin-members=yes # Tells whether to warn about missing members when the owner of the attribute # is inferred to be None. ignore-none=yes # This flag controls whether pylint should warn about no-member and similar # checks whenever an opaque object is returned when inferring. The inference # can return multiple potential results while evaluating a Python object, but # some branches might not be evaluated, which results in partial inference. In # that case, it might be useful to still emit no-member and other checks for # the rest of the inferred objects. ignore-on-opaque-inference=yes # List of class names for which member attributes should not be checked (useful # for classes with dynamically set attributes). This supports the use of # qualified names. ignored-classes=optparse.Values,thread._local,_thread._local # List of module names for which member attributes should not be checked # (useful for modules/projects where namespaces are manipulated during runtime # and thus existing member attributes cannot be deduced by static analysis). It # supports qualified module names, as well as Unix pattern matching. ignored-modules= # Show a hint with possible names when a member name was not found. The aspect # of finding the hint is based on edit distance. missing-member-hint=yes # The minimum edit distance a name should have in order to be considered a # similar match for a missing member name. missing-member-hint-distance=1 # The total number of similar names that should be taken in consideration when # showing a hint for a missing member. missing-member-max-choices=1 # List of decorators that change the signature of a decorated function. signature-mutators= [LOGGING] # The type of string formatting that logging methods do. `old` means using % # formatting, `new` is for `{}` formatting. 
logging-format-style=old # Logging modules to check that the string format arguments are in logging # function parameter format. logging-modules=logging [BASIC] # Naming style matching correct argument names. argument-naming-style=snake_case # Regular expression matching correct argument names. Overrides argument- # naming-style. argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ # Naming style matching correct attribute names. attr-naming-style=snake_case # Regular expression matching correct attribute names. Overrides attr-naming- # style. attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ # Bad variable names which should always be refused, separated by a comma. bad-names=foo, bar, baz, toto, tutu, tata # Bad variable names regexes, separated by a comma. If names match any regex, # they will always be refused bad-names-rgxs= # Naming style matching correct class attribute names. class-attribute-naming-style=any # Regular expression matching correct class attribute names. Overrides class- # attribute-naming-style. class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ # Naming style matching correct class constant names. class-const-naming-style=UPPER_CASE # Regular expression matching correct class constant names. Overrides class- # const-naming-style. #class-const-rgx= # Naming style matching correct class names. class-naming-style=PascalCase # Regular expression matching correct class names. Overrides class-naming- # style. class-rgx=[A-Z_][a-zA-Z0-9]+$ # Naming style matching correct constant names. const-naming-style=UPPER_CASE # Regular expression matching correct constant names. Overrides const-naming- # style. const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ # Minimum line length for functions/classes that require docstrings, shorter # ones are exempt. docstring-min-length=-1 # Naming style matching correct function names. function-naming-style=snake_case # Regular expression matching correct function names. Overrides function- # naming-style. 
function-rgx=[A-Z_][a-zA-Z0-9_]*$ # Good variable names which should always be accepted, separated by a comma. good-names=i, j, k, ex, Run, _ # Good variable names regexes, separated by a comma. If names match any regex, # they will always be accepted good-names-rgxs= # Include a hint for the correct naming format with invalid-name. include-naming-hint=no # Naming style matching correct inline iteration names. inlinevar-naming-style=any # Regular expression matching correct inline iteration names. Overrides # inlinevar-naming-style. inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ # Naming style matching correct method names. method-naming-style=snake_case # Regular expression matching correct method names. Overrides method-naming- # style. method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$ # Naming style matching correct module names. module-naming-style=snake_case # Regular expression matching correct module names. Overrides module-naming- # style. module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ # Colon-delimited sets of names that determine each other's naming style when # the name regexes allow several styles. name-group= # Regular expression which should only match function or class names that do # not require a docstring. no-docstring-rgx=^_ # List of decorators that produce properties, such as abc.abstractproperty. Add # to this list to register other decorators that produce valid properties. # These decorators are taken in consideration only for invalid-name. property-classes=abc.abstractproperty # Naming style matching correct variable names. variable-naming-style=snake_case # Regular expression matching correct variable names. Overrides variable- # naming-style. variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ [MISCELLANEOUS] # List of note tags to take in consideration, separated by a comma. notes=FIXME, XXX, TODO # Regular expression of note tags to take in consideration. #notes-rgx= [FORMAT] # Expected format of line ending, e.g. empty (any line ending), LF or CRLF. 
expected-line-ending-format= # Regexp for a line that is allowed to be longer than the limit. ignore-long-lines=^\s*(# )??$ # Number of spaces of indent required inside a hanging or continued line. indent-after-paren=4 # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 # tab). indent-string=' ' # Maximum number of characters on a single line. max-line-length=80 # Maximum number of lines in a module. max-module-lines=1000 # Allow the body of a class to be on the same line as the declaration if body # contains single statement. single-line-class-stmt=no # Allow the body of an if to be on the same line as the test if there is no # else. single-line-if-stmt=no [SPELLING] # Limits count of emitted suggestions for spelling mistakes. max-spelling-suggestions=4 # Spelling dictionary name. Available dictionaries: en_AG (hunspell), en_AU # (hunspell), en_BS (hunspell), en_BW (hunspell), en_BZ (hunspell), en_CA # (hunspell), en_DK (hunspell), en_GB (hunspell), en_GH (hunspell), en_HK # (hunspell), en_IE (hunspell), en_IN (hunspell), en_JM (hunspell), en_MW # (hunspell), en_NA (hunspell), en_NG (hunspell), en_NZ (hunspell), en_PH # (hunspell), en_SG (hunspell), en_TT (hunspell), en_US (hunspell), en_ZA # (hunspell), en_ZM (hunspell), en_ZW (hunspell). spelling-dict= # List of comma separated words that should be considered directives if they # appear and the beginning of a comment and should not be checked. spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy: # List of comma separated words that should not be checked. spelling-ignore-words= # A path to a file that contains the private dictionary; one word per line. spelling-private-dict-file= # Tells whether to store unknown words to the private dictionary (see the # --spelling-private-dict-file option) instead of raising a message. spelling-store-unknown-words=no [SIMILARITIES] # Ignore comments when computing similarities. 
ignore-comments=yes # Ignore docstrings when computing similarities. ignore-docstrings=yes # Ignore imports when computing similarities. ignore-imports=no # Ignore function signatures when computing similarities. ignore-signatures=no # Minimum lines number of a similarity. min-similarity-lines=4 [STRING] # This flag controls whether inconsistent-quotes generates a warning when the # character used as a quote delimiter is used inconsistently within a module. check-quote-consistency=no # This flag controls whether the implicit-str-concat should generate a warning # on implicit string concatenation in sequences defined over several lines. check-str-concat-over-line-jumps=no [DESIGN] # Maximum number of arguments for function / method. max-args=10 # Maximum number of attributes for a class (see R0902). max-attributes=7 # Maximum number of boolean expressions in an if statement (see R0916). max-bool-expr=5 # Maximum number of branch for function / method body. max-branches=12 # Maximum number of locals for function / method body. max-locals=15 # Maximum number of parents for a class (see R0901). max-parents=7 # Maximum number of public methods for a class (see R0904). max-public-methods=20 # Maximum number of return / yield for function / method body. max-returns=6 # Maximum number of statements in function / method body. max-statements=50 # Minimum number of public methods for a class (see R0903). min-public-methods=2 [CLASSES] # Warn about protected attribute access inside special methods check-protected-access-in-special-methods=no # List of method names used to declare (i.e. assign) instance attributes. defining-attr-methods=__init__, __new__, setUp, __post_init__ # List of member names, which should be excluded from the protected access # warning. exclude-protected=_asdict, _fields, _replace, _source, _make # List of valid names for the first argument in a class method. 
valid-classmethod-first-arg=cls # List of valid names for the first argument in a metaclass class method. valid-metaclass-classmethod-first-arg=cls [IMPORTS] # List of modules that can be imported at any level, not just the top level # one. allow-any-import-level= # Allow wildcard imports from modules that define __all__. allow-wildcard-with-all=no # Analyse import fallback blocks. This can be used to support both Python 2 and # 3 compatible code, which means that the block might have code that exists # only in one or another interpreter, leading to false positives when analysed. analyse-fallback-blocks=no # Deprecated modules which should not be used, separated by a comma. deprecated-modules=optparse,tkinter.tix # Output a graph (.gv or any supported image format) of external dependencies # to the given file (report RP0402 must not be disabled). ext-import-graph= # Output a graph (.gv or any supported image format) of all (i.e. internal and # external) dependencies to the given file (report RP0402 must not be # disabled). import-graph= # Output a graph (.gv or any supported image format) of internal dependencies # to the given file (report RP0402 must not be disabled). int-import-graph= # Force import order to recognize a module as part of the standard # compatibility libraries. known-standard-library= # Force import order to recognize a module as part of a third party library. known-third-party=enchant # Couples of modules and preferred modules, separated by a comma. preferred-modules= [EXCEPTIONS] # Exceptions that will emit a warning when being caught. Defaults to # "BaseException, Exception". 
overgeneral-exceptions=BaseException, Exception artifacts-20211012/.style.yapf000066400000000000000000000003071413144520200160170ustar00rootroot00000000000000[style] based_on_style = chromium allow_split_before_dict_value = False coalesce_brackets = True join_multiple_lines = True split_before_first_argument = True split_penalty_after_opening_bracket = 0 artifacts-20211012/ACKNOWLEDGEMENTS000066400000000000000000000002271413144520200161760ustar00rootroot00000000000000Acknowledgements: artifacts Thanks to contributors (alphabetically based on last name): Sean Gillespie Andreas Moser Sebastian Welsh Andrew Williams artifacts-20211012/AUTHORS000066400000000000000000000007501413144520200147720ustar00rootroot00000000000000Copyright 2014 The ForensicArtifacts.com Artifact Repository project. # Names should be added to this file with this pattern: # # For individuals: # Name (email address) # Name (email address), organization # # For organizations: # Organization (fnmatch pattern) # # See python fnmatch module documentation for more information. Greg Castle (github@mailgreg.com), Google Inc. Matt Churchill (matt@mattchurchill.net), CrowdStrike Joachim Metz (joachim.metz@gmail.com), Google Inc. artifacts-20211012/LICENSE000066400000000000000000000260751413144520200147370ustar00rootroot00000000000000Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. 
For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. 
For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. 
If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. 
You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. artifacts-20211012/MANIFEST.in000066400000000000000000000011411413144520200154530ustar00rootroot00000000000000include ACKNOWLEDGEMENTS AUTHORS LICENSE README include dependencies.ini run_tests.py utils/__init__.py utils/dependencies.py include utils/check_dependencies.py include requirements.txt test_requirements.txt recursive-include config * recursive-include data * recursive-include test_data * exclude .gitignore exclude *.pyc recursive-include tools *.py recursive-exclude tools *.pyc recursive-exclude artifacts *.pyc # The test scripts are not required in a binary distribution package they # are considered source distribution files and excluded in find_package() # in setup.py. recursive-include tests *.py artifacts-20211012/README000066400000000000000000000004571413144520200146060ustar00rootroot00000000000000Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools. For more information see: * Project documentation: https://artifacts.readthedocs.io/en/latest artifacts-20211012/README.md000066400000000000000000000016441413144520200152040ustar00rootroot00000000000000## Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools. 
If you'd like to use the artifacts in your own tools, **all you need to be able to do is read YAML**. That is it, no other dependencies. The Python code in this project is just used to validate all the artifacts to make sure they follow the specification. For more information see: * Project documentation: https://artifacts.readthedocs.io/en/latest ## Contributing Please send us your contribution! See [the developers guide](https://github.com/ForensicArtifacts/artifacts/wiki/Developers-guide) for instructions. ## Contact * [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts) * Artifacts channel of [Open Source DFIR Slack](https://github.com/open-source-dfir/slack) artifacts-20211012/appveyor.yml000066400000000000000000000023021413144520200163050ustar00rootroot00000000000000environment: matrix: - DESCRIPTION: "Windows with 32-bit Python 3.9" MACHINE_TYPE: "x86" APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 PYTHON: "C:\\Python39" PYTHON_VERSION: "3.9" L2TBINARIES_TRACK: "dev" - DESCRIPTION: "Windows with 64-bit Python 3.9" MACHINE_TYPE: "amd64" APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 PYTHON: "C:\\Python39-x64" PYTHON_VERSION: "3.9" L2TBINARIES_TRACK: "dev" - DESCRIPTION: "Mac OS with Python 3.9" APPVEYOR_BUILD_WORKER_IMAGE: macos HOMEBREW_NO_INSTALL_CLEANUP: 1 install: - cmd: "%PYTHON%\\python.exe -m pip install -U pip setuptools wheel" - cmd: "%PYTHON%\\python.exe -m pip install pywin32 WMI" - cmd: "%PYTHON%\\python.exe %PYTHON%\\Scripts\\pywin32_postinstall.py -install" - ps: If ($isWindows) { .\config\appveyor\install.ps1 } - sh: config/appveyor/install.sh build_script: - cmd: "%PYTHON%\\python.exe setup.py bdist_msi bdist_wheel" test_script: - cmd: "%PYTHON%\\python.exe run_tests.py" - cmd: IF EXIST "tests\\end-to-end.py" ( set PYTHONPATH=. 
&& "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) - sh: config/appveyor/runtests.sh artifacts: - path: dist\*.whl artifacts-20211012/artifacts.ini000066400000000000000000000010211413144520200163730ustar00rootroot00000000000000[project] name: artifacts status: alpha name_description: Digital Forensics Artifacts Repository maintainer: Forensic artifacts homepage_url: https://github.com/ForensicArtifacts/artifacts git_url: https://github.com/ForensicArtifacts/artifacts.git description_short: ForensicArtifacts.com Artifact Repository. description_long: A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. artifacts-20211012/artifacts/000077500000000000000000000000001413144520200157005ustar00rootroot00000000000000artifacts-20211012/artifacts/__init__.py000066400000000000000000000001431413144520200200070ustar00rootroot00000000000000# -*- coding: utf-8 -*- """ForensicArtifacts.com Artifact Repository.""" __version__ = '20211012' artifacts-20211012/artifacts/artifact.py000066400000000000000000000065311413144520200200540ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact definition.""" from __future__ import unicode_literals from artifacts import errors from artifacts import registry class ArtifactDefinition(object): """Artifact definition interface. Attributes: conditions (list[str]): conditions. description (str): description. name (str): name that uniquely identifiers the artifact definition. labels (list[str]): labels. provides (list[str]): hints to what information the artifact definition provides. sources (list[str]): sources. supported_os (list[str]): supported operating systems. urls (list[str]): URLs with more information about the artifact definition. """ def __init__(self, name, description=None): """Initializes an artifact definition. Args: name (str): name that uniquely identifiers the artifact definition. 
description (Optional[str]): description of the artifact definition. """ super(ArtifactDefinition, self).__init__() self.conditions = [] self.description = description self.name = name self.labels = [] self.provides = [] self.sources = [] self.supported_os = [] self.urls = [] def AppendSource(self, type_indicator, attributes): """Appends a source. If you want to implement your own source type you should create a subclass in source_type.py and change the AppendSource method to handle the new subclass. This function raises FormatError if an unsupported source type indicator is encountered. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source attributes. Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if not type_indicator: raise errors.FormatError('Missing type indicator.') try: source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( type_indicator, attributes) except (AttributeError, TypeError) as exception: raise errors.FormatError(( 'Unable to create source type: {0:s} for artifact definition: {1:s} ' 'with error: {2!s}').format(type_indicator, self.name, exception)) self.sources.append(source_object) return source_object def AsDict(self): """Represents an artifact as a dictionary. Returns: dict[str, object]: artifact attributes. 
""" sources = [] for source in self.sources: source_definition = { 'type': source.type_indicator, 'attributes': source.AsDict() } if source.supported_os: source_definition['supported_os'] = source.supported_os if source.conditions: source_definition['conditions'] = source.conditions sources.append(source_definition) artifact_definition = { 'name': self.name, 'doc': self.description, 'sources': sources, } if self.labels: artifact_definition['labels'] = self.labels if self.supported_os: artifact_definition['supported_os'] = self.supported_os if self.provides: artifact_definition['provides'] = self.provides if self.conditions: artifact_definition['conditions'] = self.conditions if self.urls: artifact_definition['urls'] = self.urls return artifact_definition artifacts-20211012/artifacts/definitions.py000066400000000000000000000042331413144520200205670ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Constants and definitions.""" from __future__ import unicode_literals TYPE_INDICATOR_ARTIFACT_GROUP = 'ARTIFACT_GROUP' TYPE_INDICATOR_COMMAND = 'COMMAND' TYPE_INDICATOR_DIRECTORY = 'DIRECTORY' TYPE_INDICATOR_FILE = 'FILE' TYPE_INDICATOR_PATH = 'PATH' TYPE_INDICATOR_WINDOWS_REGISTRY_KEY = 'REGISTRY_KEY' TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE = 'REGISTRY_VALUE' TYPE_INDICATOR_WMI_QUERY = 'WMI' LABELS = { 'Antivirus': 'Antivirus related artifacts, e.g. quarantine files.', 'Authentication': 'Authentication artifacts.', 'Browser': 'Web Browser artifacts.', 'Cloud': 'Cloud applications artifacts.', 'Cloud Storage': 'Cloud storage artifacts.', 'Configuration Files': 'Configuration files artifacts.', 'Docker': 'Docker artifacts.', 'Execution': 'Contain execution events.', 'ExternalAccount': ( 'Information about any user accounts e.g. username, ' 'account ID, etc.'), 'External Media': 'Contain external media data or events e.g. 
USB drives.', 'Hadoop': 'Hadoop artifacts.', 'IM': 'Instant Messaging / Chat applications artifacts.', 'iOS': 'Artifacts related to iOS devices connected to the system.', 'History Files': 'History files artifacts e.g. .bash_history.', 'KnowledgeBase': 'Artifacts used in knowledge base generation.', 'Logs': 'Contain log files.', 'Mail': 'Mail client applications artifacts.', 'Memory': 'Artifacts retrieved from memory.', 'Network': 'Describe networking state.', 'Plist': 'Artifact that is a plist.', 'Processes': 'Describe running processes.', 'Rekall': 'Artifacts using the Rekall memory forensics framework.', 'Software': 'Installed software.', 'SQLiteDB': 'Artifact that is a SQLite database.', 'System': 'Core system artifacts.', 'Users': 'Information about users.' } SUPPORTED_OS_DARWIN = 'Darwin' SUPPORTED_OS_LINUX = 'Linux' SUPPORTED_OS_WINDOWS = 'Windows' SUPPORTED_OS = frozenset([ SUPPORTED_OS_DARWIN, SUPPORTED_OS_LINUX, SUPPORTED_OS_WINDOWS]) TOP_LEVEL_KEYS = frozenset([ 'conditions', 'doc', 'labels', 'name', 'provides', 'sources', 'supported_os', 'urls']) artifacts-20211012/artifacts/errors.py000066400000000000000000000006031413144520200175650ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The error objects.""" class Error(Exception): """The error interface.""" class CodeStyleError(Error): """Error that is raised when code formatting fails style checks.""" class FormatError(Error): """Error that is raised when the format is incorrect.""" class MissingDependencyError(Error): """Artifact references artifact that is undefined.""" artifacts-20211012/artifacts/reader.py000066400000000000000000000276521413144520200175300ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact reader objects.""" from __future__ import unicode_literals import abc import glob import io import os import json import yaml from artifacts import artifact from artifacts import definitions from artifacts import errors class BaseArtifactsReader(object): """Artifacts reader 
interface. Attributes: labels (set[str]): defined labels. supported_os (set[str]): supported operating systems. """ # Note that redundant-returns-doc and redundant-yields-doc are broken for # pylint 1.7.x for abstract methods. # pylint: disable=redundant-returns-doc,redundant-yields-doc def __init__(self): """Initializes an artifacts reader.""" super(BaseArtifactsReader, self).__init__() self.labels = set() self.supported_os = set() @abc.abstractmethod def ReadArtifactDefinitionValues(self, artifact_definition_values): """Reads an artifact definition from a dictionary. Args: artifact_definition_values (dict[str, object]): artifact definition values. Returns: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ @abc.abstractmethod def ReadDirectory(self, path, extension=None): """Reads artifact definitions from a directory. This function does not recurse sub directories. Args: path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Yields: ArtifactDefinition: an artifact definition. """ @abc.abstractmethod def ReadFile(self, filename): """Reads artifact definitions from a file. Args: filename (str): name of the file to read from. Yields: ArtifactDefinition: an artifact definition. """ @abc.abstractmethod def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ class ArtifactsReader(BaseArtifactsReader): """Artifacts reader common functionality.""" # Note that redundant-yields-doc is broken for pylint 1.7.x for # abstract methods. 
# pylint: disable=redundant-yields-doc def __init__(self): """Initializes an artifacts reader.""" super(ArtifactsReader, self).__init__() self.labels = set(definitions.LABELS) self.supported_os = set(definitions.SUPPORTED_OS) def _ReadLabels(self, artifact_definition_values, artifact_definition, name): """Reads the optional artifact definition labels. Args: artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. name (str): name of the artifact definition. Raises: FormatError: if there are undefined labels. """ labels = artifact_definition_values.get('labels', []) undefined_labels = set(labels).difference(self.labels) if undefined_labels: raise errors.FormatError( 'Artifact definition: {0:s} found undefined labels: {1:s}.'.format( name, ', '.join(undefined_labels))) artifact_definition.labels = labels # Pylint fails on detecting the type of definition_object based on # the docstring. # pylint: disable=missing-type-doc def _ReadSupportedOS(self, definition_values, definition_object, name): """Reads the optional artifact or source type supported OS. Args: definition_values (dict[str, object]): artifact definition values. definition_object (ArtifactDefinition|SourceType): the definition object. name (str): name of the artifact definition. Raises: FormatError: if there are undefined supported operating systems. 
""" supported_os = definition_values.get('supported_os', []) if not isinstance(supported_os, list): raise errors.FormatError( 'Invalid supported_os type: {0!s}'.format(type(supported_os))) undefined_supported_os = set(supported_os).difference(self.supported_os) if undefined_supported_os: error_string = ( 'Artifact definition: {0:s} undefined supported operating system: ' '{1:s}.').format(name, ', '.join(undefined_supported_os)) raise errors.FormatError(error_string) definition_object.supported_os = supported_os def _ReadSources(self, artifact_definition_values, artifact_definition, name): """Reads the artifact definition sources. Args: artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. name (str): name of the artifact definition. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ sources = artifact_definition_values.get('sources') if not sources: raise errors.FormatError( 'Invalid artifact definition: {0:s} missing sources.'.format(name)) for source in sources: type_indicator = source.get('type', None) if not type_indicator: raise errors.FormatError( 'Invalid artifact definition: {0:s} source type.'.format(name)) attributes = source.get('attributes', None) try: source_type = artifact_definition.AppendSource( type_indicator, attributes) except errors.FormatError as exception: raise errors.FormatError( 'Invalid artifact definition: {0:s}, with error: {1!s}'.format( name, exception)) # TODO: deprecate these left overs from the collector definition. 
if source_type: if source.get('returned_types', None): raise errors.FormatError(( 'Invalid artifact definition: {0:s} returned_types no longer ' 'supported.').format(name)) source_type.conditions = source.get('conditions', []) self._ReadSupportedOS(source, source_type, name) if set(source_type.supported_os) - set( artifact_definition.supported_os): raise errors.FormatError(( 'Invalid artifact definition: {0:s} missing ' 'supported_os.').format(name)) def ReadArtifactDefinitionValues(self, artifact_definition_values): """Reads an artifact definition from a dictionary. Args: artifact_definition_values (dict[str, object]): artifact definition values. Returns: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ if not artifact_definition_values: raise errors.FormatError('Missing artifact definition values.') different_keys = ( set(artifact_definition_values) - definitions.TOP_LEVEL_KEYS) if different_keys: different_keys = ', '.join(different_keys) raise errors.FormatError('Undefined keys: {0:s}'.format(different_keys)) name = artifact_definition_values.get('name', None) if not name: raise errors.FormatError('Invalid artifact definition missing name.') # The description is assumed to be mandatory. description = artifact_definition_values.get('doc', None) if not description: raise errors.FormatError( 'Invalid artifact definition: {0:s} missing description.'.format( name)) artifact_definition = artifact.ArtifactDefinition( name, description=description) if artifact_definition_values.get('collectors', []): raise errors.FormatError( 'Invalid artifact definition: {0:s} still uses collectors.'.format( name)) urls = artifact_definition_values.get('urls', []) if not isinstance(urls, list): raise errors.FormatError( 'Invalid artifact definition: {0:s} urls is not a list.'.format( name)) # TODO: check conditions. 
artifact_definition.conditions = artifact_definition_values.get( 'conditions', []) artifact_definition.provides = artifact_definition_values.get( 'provides', []) self._ReadLabels(artifact_definition_values, artifact_definition, name) self._ReadSupportedOS(artifact_definition_values, artifact_definition, name) artifact_definition.urls = urls self._ReadSources(artifact_definition_values, artifact_definition, name) return artifact_definition def ReadDirectory(self, path, extension='yaml'): """Reads artifact definitions from a directory. This function does not recurse sub directories. Args: path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Yields: ArtifactDefinition: an artifact definition. """ if extension: glob_spec = os.path.join(path, '*.{0:s}'.format(extension)) else: glob_spec = os.path.join(path, '*') for artifact_file in glob.glob(glob_spec): for artifact_definition in self.ReadFile(artifact_file): yield artifact_definition def ReadFile(self, filename): """Reads artifact definitions from a file. Args: filename (str): name of the file to read from. Yields: ArtifactDefinition: an artifact definition. """ with io.open(filename, 'r', encoding='utf-8') as file_object: for artifact_definition in self.ReadFileObject(file_object): yield artifact_definition @abc.abstractmethod def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ class JsonArtifactsReader(ArtifactsReader): """JSON artifacts reader.""" def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. 
Raises: FormatError: if the format of the JSON artifact definition is not set or incorrect. """ # TODO: add try, except? json_definitions = json.loads(file_object.read()) last_artifact_definition = None for json_definition in json_definitions: try: artifact_definition = self.ReadArtifactDefinitionValues(json_definition) except errors.FormatError as exception: error_location = 'At start' if last_artifact_definition: error_location = 'After: {0:s}'.format(last_artifact_definition.name) raise errors.FormatError( '{0:s} {1!s}'.format(error_location, exception)) yield artifact_definition last_artifact_definition = artifact_definition class YamlArtifactsReader(ArtifactsReader): """YAML artifacts reader.""" def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the YAML artifact definition is not set or incorrect. """ # TODO: add try, except? 
yaml_generator = yaml.safe_load_all(file_object) last_artifact_definition = None for yaml_definition in yaml_generator: try: artifact_definition = self.ReadArtifactDefinitionValues(yaml_definition) except errors.FormatError as exception: error_location = 'At start' if last_artifact_definition: error_location = 'After: {0:s}'.format(last_artifact_definition.name) raise errors.FormatError( '{0:s} {1!s}'.format(error_location, exception)) yield artifact_definition last_artifact_definition = artifact_definition artifacts-20211012/artifacts/registry.py000066400000000000000000000162071413144520200201300ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact definitions registry.""" from __future__ import unicode_literals from artifacts import definitions from artifacts import errors from artifacts import source_type class ArtifactDefinitionsRegistry(object): """Artifact definitions registry.""" _source_type_classes = { definitions.TYPE_INDICATOR_ARTIFACT_GROUP: source_type.ArtifactGroupSourceType, definitions.TYPE_INDICATOR_COMMAND: source_type.CommandSourceType, definitions.TYPE_INDICATOR_DIRECTORY: source_type.DirectorySourceType, definitions.TYPE_INDICATOR_FILE: source_type.FileSourceType, definitions.TYPE_INDICATOR_PATH: source_type.PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: source_type.WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: source_type.WindowsRegistryValueSourceType, definitions.TYPE_INDICATOR_WMI_QUERY: source_type.WMIQuerySourceType, } def __init__(self): """Initializes an artifact definitions registry.""" super(ArtifactDefinitionsRegistry, self).__init__() self._artifact_definitions = {} self._artifact_name_references = set() self._defined_artifact_names = set() @classmethod def CreateSourceType(cls, type_indicator, attributes): """Creates a source type object. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source attributes. 
Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if type_indicator not in cls._source_type_classes: raise errors.FormatError( 'Unsupported type indicator: {0:s}.'.format(type_indicator)) return cls._source_type_classes[type_indicator](**attributes) def DeregisterDefinition(self, artifact_definition): """Deregisters an artifact definition. Artifact definitions are identified based on their lower case name. Args: artifact_definition (ArtifactDefinition): an artifact definition. Raises: KeyError: if an artifact definition is not set for the corresponding name. """ artifact_definition_name = artifact_definition.name.lower() if artifact_definition_name not in self._artifact_definitions: raise KeyError( 'Artifact definition not set for name: {0:s}.'.format( artifact_definition.name)) del self._artifact_definitions[artifact_definition_name] @classmethod def DeregisterSourceType(cls, source_type_class): """Deregisters a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if a source type is not set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR not in cls._source_type_classes: raise KeyError( 'Source type not set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) del cls._source_type_classes[source_type_class.TYPE_INDICATOR] def GetDefinitionByName(self, name): """Retrieves a specific artifact definition by name. Args: name (str): name of the artifact definition. Returns: ArtifactDefinition: an artifact definition or None if not available. """ if not name: return None return self._artifact_definitions.get(name.lower(), None) def GetDefinitions(self): """Retrieves the artifact definitions. Returns: list[ArtifactDefinition]: artifact definitions. 
""" return self._artifact_definitions.values() def GetUndefinedArtifacts(self): """Retrieves the names of undefined artifacts used by artifact groups. Returns: set[str]: undefined artifacts names. """ return self._artifact_name_references - self._defined_artifact_names def RegisterDefinition(self, artifact_definition): """Registers an artifact definition. Artifact definitions are identified based on their lower case name. Args: artifact_definition (ArtifactDefinition): an artifact definition. Raises: KeyError: if artifact definition is already set for the corresponding name. """ artifact_definition_name = artifact_definition.name.lower() if artifact_definition_name in self._artifact_definitions: raise KeyError( 'Artifact definition already set for name: {0:s}.'.format( artifact_definition.name)) self._artifact_definitions[artifact_definition_name] = artifact_definition self._defined_artifact_names.add(artifact_definition.name) for source in artifact_definition.sources: if source.type_indicator == definitions.TYPE_INDICATOR_ARTIFACT_GROUP: self._artifact_name_references.update(source.names) @classmethod def RegisterSourceType(cls, source_type_class): """Registers a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if source types is already set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: raise KeyError( 'Source type already set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) @classmethod def RegisterSourceTypes(cls, source_type_classes): """Registers source types. Source types are identified based on their type indicator. Args: source_type_classes (list[type]): source types. 
""" for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) def ReadFromDirectory(self, artifacts_reader, path, extension='yaml'): """Reads artifact definitions into the registry from files in a directory. This function does not recurse sub directories. Args: artifacts_reader (ArtifactsReader): an artifacts reader. path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Raises: KeyError: if a duplicate artifact definition is encountered. """ for artifact_definition in artifacts_reader.ReadDirectory( path, extension=extension): self.RegisterDefinition(artifact_definition) def ReadFromFile(self, artifacts_reader, filename): """Reads artifact definitions into the registry from a file. Args: artifacts_reader (ArtifactsReader): an artifacts reader. filename (str): name of the file to read from. """ for artifact_definition in artifacts_reader.ReadFile(filename): self.RegisterDefinition(artifact_definition) def ReadFileObject(self, artifacts_reader, file_object): """Reads artifact definitions into the registry from a file-like object. Args: artifacts_reader (ArtifactsReader): an artifacts reader. file_object (file): file-like object to read from. """ for artifact_definition in artifacts_reader.ReadFileObject(file_object): self.RegisterDefinition(artifact_definition) artifacts-20211012/artifacts/source_type.py000066400000000000000000000330371413144520200206210ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The source type objects. The source type objects define the source of the artifact data. In earlier versions of the artifact definitions collector definitions had a similar purpose as the source type. 
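Currently the following source types are defined:
* artifact group; the source is one or more artifact definitions;
* command; the source is the output of a command run with given arguments;
* directory; the source is one or more directories;
* file; the source is one or more files;
* path; the source is one or more paths;
* Windows Registry key; the source is one or more Windows Registry keys;
* Windows Registry value; the source is one or more Windows Registry values;
* WMI query; the source is a Windows Management Instrumentation query.

The difference between the file and path source types is that file should
be used to define file entries that contain data and path, file entries that
define a location. E.g. on Windows %SystemRoot% could be considered a path
artifact definition, pointing to a location e.g. C:\\Windows. And where
C:\\Windows\\System32\\winevt\\Logs\\AppEvent.evt a file artifact definition,
pointing to the Application Event Log file.

Note that the source types only validate the shape of a definition (required
attributes, list types, supported Windows Registry root keys); they do not
collect anything themselves. A command source describes a command and its
arguments to be run by whatever consumes the definitions, so definition
files should be treated as trusted configuration rather than untrusted input.
"""

from __future__ import unicode_literals

import abc

from artifacts import definitions
from artifacts import errors


class SourceType(object):
  """Artifact definition source type interface.

  The class does not use abc.ABCMeta as its metaclass, so the abstractmethod
  decorator on AsDict documents intent only: a subclass that omits AsDict can
  still be instantiated.
  """

  # Note that redundant-returns-doc is broken for pylint 1.7.x for
  # abstract methods.
  # pylint: disable=redundant-returns-doc

  TYPE_INDICATOR = None

  def __init__(self):
    """Initializes an artifact definition source type.

    Raises:
      FormatError: if the subclass does not define a type indicator.
    """
    super(SourceType, self).__init__()
    if not self.TYPE_INDICATOR:
      raise errors.FormatError('Missing type indicator.')

  @property
  def type_indicator(self):
    """str: type indicator."""
    return self.TYPE_INDICATOR

  @abc.abstractmethod
  def AsDict(self):
    """Represents a source type as a dictionary.

    Returns:
      dict[str, str]: source type attributes.
    """


class ArtifactGroupSourceType(SourceType):
  """Artifact group source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_ARTIFACT_GROUP

  def __init__(self, names=None):
    """Initializes a source type.

    Args:
      names (Optional[list[str]]): names of the artifact definitions that
          make up the group.

    Raises:
      FormatError: when names is not set.
    """
    if not names:
      raise errors.FormatError('Missing names value.')

    super(ArtifactGroupSourceType, self).__init__()
    self.names = names

  def AsDict(self):
    """Represents a source type as a dictionary.

    Returns:
      dict[str, str]: source type attributes.
    """
    return {'names': self.names}


class CommandSourceType(SourceType):
  """Command source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_COMMAND

  def __init__(self, args=None, cmd=None):
    """Initializes a source type.

    Args:
      args (Optional[list[str]]): arguments to the command to run.
      cmd (Optional[str]): command to run.

    Raises:
      FormatError: when args or cmd is not set, or when args is not a list.
    """
    if args is None or cmd is None:
      raise errors.FormatError('Missing args or cmd value.')

    # Reject a bare string for args so it cannot be mistaken for an argument
    # vector downstream (a string could be iterated or re-split by whatever
    # runs the command). This mirrors the list check of the path-based
    # source types below.
    if not isinstance(args, list):
      raise errors.FormatError('Invalid args value, not a list.')

    super(CommandSourceType, self).__init__()
    self.args = args
    self.cmd = cmd

  def AsDict(self):
    """Represents a source type as a dictionary.

    Returns:
      dict[str, str]: source type attributes.
    """
    return {'cmd': self.cmd, 'args': self.args}


class DirectorySourceType(SourceType):
  """Directory source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_DIRECTORY

  def __init__(self, paths=None, separator='/'):
    """Initializes a source type.

    Args:
      paths (Optional[list[str]]): paths relative to the root of the file
          system.
      separator (Optional[str]): path segment separator.

    Raises:
      FormatError: when paths is not set or not a list type.
    """
    if not paths:
      raise errors.FormatError('Missing paths value.')

    if not isinstance(paths, list):
      raise errors.FormatError('Invalid paths value, not a list.')

    super(DirectorySourceType, self).__init__()
    self.paths = paths
    self.separator = separator

  def AsDict(self):
    """Represents a source type as a dictionary.

    The separator is only emitted when it differs from the default '/'.

    Returns:
      dict[str, str]: source type attributes.
    """
    source_type_attributes = {'paths': self.paths}
    if self.separator != '/':
      source_type_attributes['separator'] = self.separator

    return source_type_attributes


class FileSourceType(SourceType):
  """File source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE

  def __init__(self, paths=None, separator='/'):
    """Initializes a source type.

    Args:
      paths (Optional[list[str]]): paths relative to the root of the file
          system.
      separator (Optional[str]): path segment separator.

    Raises:
      FormatError: when paths is not set or not a list type.
    """
    if not paths:
      raise errors.FormatError('Missing paths value.')

    if not isinstance(paths, list):
      raise errors.FormatError('Invalid paths value, not a list.')

    super(FileSourceType, self).__init__()
    self.paths = paths
    self.separator = separator

  def AsDict(self):
    """Represents a source type as a dictionary.

    The separator is only emitted when it differs from the default '/'.

    Returns:
      dict[str, str]: source type attributes.
    """
    source_type_attributes = {'paths': self.paths}
    if self.separator != '/':
      source_type_attributes['separator'] = self.separator

    return source_type_attributes


class PathSourceType(SourceType):
  """Path source type."""

  TYPE_INDICATOR = definitions.TYPE_INDICATOR_PATH

  def __init__(self, paths=None, separator='/'):
    """Initializes a source type.

    Args:
      paths (Optional[list[str]]): paths relative to the root of the file
          system.
      separator (Optional[str]): path segment separator.

    Raises:
      FormatError: when paths is not set or not a list type.
    """
    if not paths:
      raise errors.FormatError('Missing paths value.')

    if not isinstance(paths, list):
      raise errors.FormatError('Invalid paths value, not a list.')

    super(PathSourceType, self).__init__()
    self.paths = paths
    self.separator = separator

  def AsDict(self):
    """Represents a source type as a dictionary.

    The separator is only emitted when it differs from the default '/'.

    Returns:
      dict[str, str]: source type attributes.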
""" source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class WindowsRegistryKeySourceType(SourceType): """Windows Registry key source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY VALID_PREFIXES = [ r'HKEY_LOCAL_MACHINE', r'HKEY_USERS', r'HKEY_CLASSES_ROOT', r'%%current_control_set%%', ] def __init__(self, keys=None): """Initializes a source type. Args: keys (Optional[list[str]]): key paths relative to the root of the Windows Registry. Raises: FormatError: when keys is not set. """ if not keys: raise errors.FormatError('Missing keys value.') if not isinstance(keys, list): raise errors.FormatError('keys must be a list') for key in keys: self.ValidateKey(key) super(WindowsRegistryKeySourceType, self).__init__() self.keys = keys def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'keys': self.keys} @classmethod def ValidateKey(cls, key_path): """Validates this key against supported key names. Args: key_path (str): path of a Windows Registry key. Raises: FormatError: when key is not supported. """ for prefix in cls.VALID_PREFIXES: if key_path.startswith(prefix): return # TODO: move check to validator. if key_path.startswith('HKEY_CURRENT_USER\\'): raise errors.FormatError( 'HKEY_CURRENT_USER\\ is not supported instead use: ' 'HKEY_USERS\\%%users.sid%%\\') raise errors.FormatError( 'Unupported Registry key path: {0:s}'.format(key_path)) class WindowsRegistryValueSourceType(SourceType): """Windows Registry value source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE def __init__(self, key_value_pairs=None): """Initializes a source type. Args: key_value_pairs (Optional[list[tuple[str, str]]]): key path and value name pairs, where key paths are relative to the root of the Windows Registry. Raises: FormatError: when key value pairs is not set. 
""" if not key_value_pairs: raise errors.FormatError('Missing key value pairs value.') if not isinstance(key_value_pairs, list): raise errors.FormatError('key_value_pairs must be a list') for pair in key_value_pairs: if not isinstance(pair, dict): raise errors.FormatError('key_value_pair must be a dict') if set(pair.keys()) != set(['key', 'value']): key_value_pairs = ', '.join([ '{0:s}: {1:s}'.format(key, value) for key, value in key_value_pairs ]) error_message = ( 'key_value_pair missing "key" and "value" keys, got: ' '{0:s}').format(key_value_pairs) raise errors.FormatError(error_message) WindowsRegistryKeySourceType.ValidateKey(pair['key']) super(WindowsRegistryValueSourceType, self).__init__() self.key_value_pairs = key_value_pairs def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'key_value_pairs': self.key_value_pairs} class WMIQuerySourceType(SourceType): """WMI query source type. Attributes: base_object (str): WMI base object. query (str): WMI query. """ TYPE_INDICATOR = definitions.TYPE_INDICATOR_WMI_QUERY def __init__(self, base_object=None, query=None): """Initializes a source type. Args: base_object (Optional[str]): WMI base object. query (Optional[str]): WMI query. Raises: FormatError: when query is not set. """ if not query: raise errors.FormatError('Missing query value.') super(WMIQuerySourceType, self).__init__() self.base_object = base_object self.query = query def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. 
""" source_type_attributes = {'query': self.query} if self.base_object: source_type_attributes['base_object'] = self.base_object return source_type_attributes class SourceTypeFactory(object): """Source type factory.""" _source_type_classes = { definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType, definitions.TYPE_INDICATOR_COMMAND: CommandSourceType, definitions.TYPE_INDICATOR_DIRECTORY: DirectorySourceType, definitions.TYPE_INDICATOR_FILE: FileSourceType, definitions.TYPE_INDICATOR_PATH: PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: WindowsRegistryValueSourceType, definitions.TYPE_INDICATOR_WMI_QUERY: WMIQuerySourceType, } @classmethod def CreateSourceType(cls, type_indicator, attributes): """Creates a source type. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source type attributes. Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if type_indicator not in cls._source_type_classes: raise errors.FormatError( 'Unsupported type indicator: {0:s}.'.format(type_indicator)) return cls._source_type_classes[type_indicator](**attributes) @classmethod def DeregisterSourceType(cls, source_type_class): """Deregisters a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if a source type is not set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR not in cls._source_type_classes: raise KeyError( 'Source type not set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) del cls._source_type_classes[source_type_class.TYPE_INDICATOR] @classmethod def GetSourceTypes(cls): """Retrieves the source types. Returns: list[type]: source types. 
""" return cls._source_type_classes.values() @classmethod def GetSourceTypeIndicators(cls): """Retrieves the source type indicators. Returns: list[str]: source type indicators. """ return cls._source_type_classes.keys() @classmethod def RegisterSourceType(cls, source_type_class): """Registers a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if source types is already set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: raise KeyError( 'Source type already set for type: {0:s}.'.format( source_type_class.TYPE_INDICATOR)) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) @classmethod def RegisterSourceTypes(cls, source_type_classes): """Registers source types. Source types are identified based on their type indicator. Args: source_type_classes (list[type]): source types. """ for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) artifacts-20211012/artifacts/writer.py000066400000000000000000000053041413144520200175700ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact writer objects.""" from __future__ import unicode_literals import abc import json import yaml class BaseArtifactsWriter(object): """Artifacts writer interface.""" # Note that redundant-returns-doc is broken for # pylint 1.7.x for # abstract methods. # pylint: disable=redundant-returns-doc @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ @abc.abstractmethod def WriteArtifactsFile(self, artifacts, filename): """Writes artifact definitions to a file. Args: artifacts (list[ArtifactDefinition]): artifact definitions to be written. filename (str): name of the file to write artifacts to. 
""" class ArtifactWriter(BaseArtifactsWriter): """File artifacts writer.""" # Note that redundant-returns-doc is broken for # pylint 1.7.x for # abstract methods. # pylint: disable=redundant-returns-doc @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (ArtifactDefinition|list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ def WriteArtifactsFile(self, artifacts, filename): """Writes artifact definitions to a file. Args: artifacts (list[ArtifactDefinition]): artifact definitions to be written. filename (str): name of the file to write artifacts to. """ with open(filename, 'w') as file_object: file_object.write(self.FormatArtifacts(artifacts)) class JsonArtifactsWriter(ArtifactWriter): """JSON artifacts writer interface.""" def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ artifact_definitions = [artifact.AsDict() for artifact in artifacts] json_data = json.dumps(artifact_definitions) return json_data class YamlArtifactsWriter(ArtifactWriter): """YAML artifacts writer interface.""" def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. 
""" # TODO: improve output formatting of yaml artifact_definitions = [artifact.AsDict() for artifact in artifacts] yaml_data = yaml.safe_dump_all(artifact_definitions) return yaml_data artifacts-20211012/config/000077500000000000000000000000001413144520200151655ustar00rootroot00000000000000artifacts-20211012/config/appveyor/000077500000000000000000000000001413144520200170325ustar00rootroot00000000000000artifacts-20211012/config/appveyor/install.ps1000066400000000000000000000014031413144520200211230ustar00rootroot00000000000000# Script to set up tests on AppVeyor Windows. $Dependencies = "PyYAML mock pbr six" $Dependencies = ${Dependencies} -split " " $Output = Invoke-Expression -Command "git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools 2>&1" Write-Host (${Output} | Out-String) If ($env:APPVEYOR_REPO_BRANCH -eq "main") { $Track = "stable" } Else { $Track = $env:APPVEYOR_REPO_BRANCH } New-Item -ItemType "directory" -Name "dependencies" $env:PYTHONPATH = "..\l2tdevtools" $Output = Invoke-Expression -Command "& '${env:PYTHON}\python.exe' ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type ${env:MACHINE_TYPE} --msi-targetdir ${env:PYTHON} --track ${env:L2TBINARIES_TRACK} ${Dependencies} 2>&1" Write-Host (${Output} | Out-String) artifacts-20211012/config/appveyor/install.sh000077500000000000000000000001331413144520200210340ustar00rootroot00000000000000# Script to set up tests on AppVeyor MacOS. set -e brew update brew install tox || true artifacts-20211012/config/appveyor/runtests.sh000077500000000000000000000007171413144520200212650ustar00rootroot00000000000000#!/bin/sh # Script to run tests # Set the following environment variables to build pycrypto and yara-python. 
export CFLAGS="-I/usr/local/include -I/usr/local/opt/openssl@1.1/include ${CFLAGS}"; export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}"; export TOX_TESTENV_PASSENV="CFLAGS LDFLAGS"; # Set the following environment variables to ensure tox can find Python 3.9. export PATH="/usr/local/opt/python@3.9/bin:${PATH}"; tox -e py39 artifacts-20211012/config/dpkg/000077500000000000000000000000001413144520200161125ustar00rootroot00000000000000artifacts-20211012/config/dpkg/artifacts-data.dirs000066400000000000000000000000251413144520200216610ustar00rootroot00000000000000/usr/share/artifacts artifacts-20211012/config/dpkg/artifacts-data.install000066400000000000000000000000331413144520200223650ustar00rootroot00000000000000data/* usr/share/artifacts artifacts-20211012/config/dpkg/artifacts-tools.install000066400000000000000000000000101413144520200226070ustar00rootroot00000000000000usr/bin artifacts-20211012/config/dpkg/changelog000066400000000000000000000002371413144520200177660ustar00rootroot00000000000000artifacts (20211012-1) unstable; urgency=low * Auto-generated -- Forensic artifacts Tue, 12 Oct 2021 21:04:48 +0200 artifacts-20211012/config/dpkg/clean000066400000000000000000000000261413144520200171150ustar00rootroot00000000000000artifacts/*.pyc *.pyc artifacts-20211012/config/dpkg/compat000066400000000000000000000000021413144520200173100ustar00rootroot000000000000009 artifacts-20211012/config/dpkg/control000066400000000000000000000025001413144520200175120ustar00rootroot00000000000000Source: artifacts Section: python Priority: extra Maintainer: Forensic artifacts Build-Depends: debhelper (>= 9), dh-python, python3-all (>= 3.6~), python3-setuptools Standards-Version: 4.1.4 X-Python3-Version: >= 3.6 Homepage: https://github.com/ForensicArtifacts/artifacts Package: artifacts-data Architecture: all Depends: ${misc:Depends} Description: Data files for Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of 
forensic artifacts that the world can use both as an information source and within other tools. Package: python3-artifacts Architecture: all Depends: artifacts-data (>= ${binary:Version}), python3-yaml (>= 3.10), ${python3:Depends}, ${misc:Depends} Description: Python 3 module of Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: artifacts-tools Architecture: all Depends: python3-artifacts (>= ${binary:Version}), ${python3:Depends}, ${misc:Depends} Description: Tools of Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. artifacts-20211012/config/dpkg/copyright000066400000000000000000000017711413144520200200530ustar00rootroot00000000000000Format: http://dep.debian.net/deps/dep5 Upstream-Name: artifacts Source: https://github.com/ForensicArtifacts/artifacts/ Files: * Copyright: 2014 The ForensicArtifacts.com Artifact Repository project. License: Apache-2.0 Files: debian/* Copyright: 2014 The ForensicArtifacts.com Artifact Repository project. License: Apache-2.0 License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . On Debian systems, the complete text of the Apache version 2.0 license can be found in "/usr/share/common-licenses/Apache-2.0". 
artifacts-20211012/config/dpkg/python3-artifacts.install000066400000000000000000000001431413144520200230620ustar00rootroot00000000000000usr/lib/python3*/dist-packages/artifacts/*.py usr/lib/python3*/dist-packages/artifacts*.egg-info/* artifacts-20211012/config/dpkg/rules000077500000000000000000000001721413144520200171720ustar00rootroot00000000000000#!/usr/bin/make -f %: dh $@ --buildsystem=pybuild --with=python3 .PHONY: override_dh_auto_test override_dh_auto_test: artifacts-20211012/config/dpkg/source/000077500000000000000000000000001413144520200174125ustar00rootroot00000000000000artifacts-20211012/config/dpkg/source/format000066400000000000000000000000141413144520200206200ustar00rootroot000000000000003.0 (quilt) artifacts-20211012/data/000077500000000000000000000000001413144520200146315ustar00rootroot00000000000000artifacts-20211012/data/antivirus.yaml000066400000000000000000000100741413144520200175430ustar00rootroot00000000000000# Anti-Virus artifacts. name: EsetAVQuarantine doc: Eset Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: {paths: ['/Library/Application Support/ESET/esets/cache/quarantine/*']} supported_os: [Darwin] labels: [Antivirus] --- name: MicrosoftAVQuarantine doc: Microsoft Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**' separator: '\' supported_os: [Windows] labels: [Antivirus] --- name: MicrosoftAVLogs doc: Microsoft Anti-Virus log files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPLog-*.log' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPDetection-*.log' separator: '\' supported_os: [Windows] labels: [Antivirus, Logs] --- name: WindowsDefenderExclusions doc: | Directories, processes and extensions configured not to be scanned by Windows Defender. 
  These can be set locally or through group policy objects (GPO); the keys
  under Software\Policies listed below hold the policy-managed exclusions.

  Certain malware families (for example, Tofsee) are known to add directories
  to the Paths list in order to avoid being detected by Windows Defender.
  Other malware (for example, REvil) uses the existing exclusions to be
  ignored by Anti-Virus products.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Paths\*'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Processes\*'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Extensions\*'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*'
      - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Paths\*'
      - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Processes\*'
      - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\*'
      - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*'
supported_os: [Windows]
urls:
- 'https://blog.malwarebytes.com/detections/pum-optional-msexclusion/'
- 'https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
- 'https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/'
---
name: SophosAVLogs
doc: Sophos Anti-Virus log files.
sources:
- type: FILE
  attributes: {paths: ['/Library/Logs/Sophos*.log']}
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Windows]
labels: [Antivirus, Logs]
---
name: SophosAVQuarantine
doc: Sophos Anti-Virus Quarantine (Infected) files.
sources: - type: FILE attributes: {paths: ['/Users/Shared/Infected/*']} supported_os: [Darwin] - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] labels: [Antivirus] --- name: SymantecAVLogs doc: Symantec Anti-Virus Log Files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log' - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log' - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log' separator: '\' supported_os: [Windows] supported_os: [Windows] labels: [Antivirus, Logs] --- name: SymantecAVQuarantine doc: Symantec Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5\*.vbn'] separator: '\' supported_os: [Windows] supported_os: [Windows] labels: [Antivirus, Logs] artifacts-20211012/data/applications.yaml000066400000000000000000000061141413144520200202050ustar00rootroot00000000000000# Application artifacts. 
name: NodeJSPackageManagerCacheFiles doc: Node JS package manager (NPM) cache files sources: - type: FILE attributes: paths: ['%%users.homedir%%/.npm/*'] supported_os: [Darwin, Linux] - type: FILE attributes: paths: ['%%users.appdata%%\npm-cache\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://docs.npmjs.com/cli/cache'] --- name: MicrosoftOfficeMRU doc: Microsoft Office Most Recently Used sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist' - '%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist' separator: '/' supported_os: [Darwin] - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\File MRU', value: 'Item *'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\Place MRU', value: 'Item *'} supported_os: [Windows] supported_os: [Darwin, Windows] urls: ['https://github.com/mac4n6/macMRU-Parser'] --- name: MicrosoftOutlookPABFiles doc: Microsoft Outlook PAB Files sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Outlook\*.pab' - '%%users.userprofile%%\Documents\Outlook Files\*.pab' separator: '\' labels: [Users, Mail] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)'] --- name: MicrosoftOutlookPSTFiles doc: Microsoft Outlook PST Files sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Outlook\*.pst' - '%%users.userprofile%%\Documents\Outlook Files\*.pst' separator: '\' labels: [Users, Mail] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)'] --- name: MicrosoftOutlookOSTFiles doc: Microsoft Outlook OST Files sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Outlook\*.ost' - '%%users.userprofile%%\Documents\Outlook 
Files\*.ost' separator: '\' labels: [Users, Mail] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Personal_Folder_File_(PAB,_PST,_OST)'] --- name: WinRARExternalViewer doc: Executable run when a file is opened by WinRAR inside an archive. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\WinRAR\Viewer\', value: 'ExternalViewer'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/' - 'http://acritum.com/software/manuals/winrar/html/helpinterfaceviewing.htm' --- name: WinRARAVScan doc: Executable run to scan a file when it is opened by WinRAR. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\WinRAR\VirusScan\', value: 'Name'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/' - 'http://acritum.com/software/manuals/winrar/html/helpcommandsvirusscan.htm' artifacts-20211012/data/cloud_services.yaml000066400000000000000000000054051413144520200205320ustar00rootroot00000000000000# Cloud service artifacts. name: CloudStorageClients doc: Multiple cloud storage client artifacts. sources: - type: ARTIFACT_GROUP attributes: names: - 'DropboxClient' - 'GoogleDriveClient' - 'SkyDriveClient' labels: [Cloud Storage] supported_os: [Darwin,Linux,Windows] --- name: DropboxClient doc: Dropbox cloud storage client artifacts. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Dropbox\*.db*' - '%%users.localappdata%%\Dropbox\*.db*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.dropbox/*.db*' supported_os: [Darwin,Linux] supported_os: [Darwin,Linux,Windows] labels: [Cloud Storage] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Dropbox'] --- name: GoogleDriveClient doc: Google Drive cloud storage client artifacts. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Drive\snapshot.db' - '%%users.localappdata%%\Google\Drive\sync_config.db' - '%%users.localappdata%%\Google\Drive\sync_config.log*' - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*' - '%%users.localappdata%%\Google\Drive\user_default\sync_log.log*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*' supported_os: [Darwin] supported_os: [Darwin, Windows] labels: [Cloud Storage] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Drive'] --- name: SkyDriveClient doc: | Microsoft Sky Drive cloud storage client artifacts. Note that Sky Drive was renamed to One Drive. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log' - '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini' separator: '\' supported_os: [Windows] supported_os: [Windows] labels: [Cloud Storage] urls: ['https://forensicswiki.xyz/wiki/index.php?title=One_Drive#Sky_Drive_client'] artifacts-20211012/data/config_files.yaml000066400000000000000000000032001413144520200201370ustar00rootroot00000000000000# Configuration file artifacts. name: JupyterConfigFile doc: Jupyter notebook configuration file sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.jupyter/jupyter_notebook_config.py']} labels: [Configuration Files] supported_os: [Linux] --- name: NfsExportsFile doc: NFS Exports configuration sources: - type: FILE attributes: paths: - '/etc/exports' - '/private/etc/exports' supported_os: [Darwin] - type: FILE attributes: {paths: ['/etc/exports']} supported_os: [Linux] labels: [Configuration Files] supported_os: [Linux, Darwin] --- name: RedisConfigFile doc: Redis configuration file sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Redis\conf\redis.windows.conf' - '%%environ_programfiles%%\Redis\conf\redis.conf' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '/etc/redis/redis.conf' supported_os: [Linux] - type: FILE attributes: paths: - '/etc/redis/redis.conf' - '/private/etc/redis/redis.conf' supported_os: [Darwin] labels: [Configuration Files] supported_os: [Darwin, Linux, Windows] --- name: SshdConfigFile doc: Sshd configuration sources: - type: FILE attributes: paths: - '/etc/ssh/sshd_config' - '/private/etc/ssh/sshd_config' supported_os: [Darwin] - type: FILE attributes: {paths: ['/etc/ssh/sshd_config']} supported_os: [Linux] labels: [Configuration Files] 
supported_os: [Linux, Darwin] --- name: SshUserConfigFile doc: User ssh configuration file sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.ssh/config']} labels: [Configuration Files] supported_os: [Linux, Darwin] artifacts-20211012/data/docker.yaml000066400000000000000000000011071413144520200167630ustar00rootroot00000000000000# Docker artifacts --- name: DockerContainerConfig doc: Docker container configuration files sources: - type: FILE attributes: paths: - '/var/lib/docker/containers/*/config.v2.json' - '/var/lib/docker/containers/*/config.json' labels: [Docker, Configuration Files] supported_os: [Linux] --- name: GKEDockerContainerLogs doc: Location where stdout and stderr from containers is logged in a Google Kubernetes Engine (GKE) environment. sources: - type: FILE attributes: {paths: ['/var/lib/docker/containers/*/*-json.log*']} labels: [Docker, Logs] supported_os: [Linux] artifacts-20211012/data/hadoop.yaml000066400000000000000000000004101413144520200167620ustar00rootroot00000000000000# Hadoop artifacts name: HadoopAppRoot doc: Location where Hadoop application files are stored sources: - type: FILE attributes: {paths: ['/hadoop/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*']} labels: [Hadoop] supported_os: [Linux] artifacts-20211012/data/installed_modules.yaml000066400000000000000000000123041413144520200212240ustar00rootroot00000000000000# Modules for interpreted languages. name: PythonDistInfo doc: | Python module files distributed in the dist-info format of PEP-0376 (currently linux only). dist-info is always a directory that must contain METADATA, RECORD and INSTALLER. It may also contain REQUESTED. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/lib/python*/dist-packages/*.dist-info/*' - '%%users.homedir%%/.local/lib/python*/site-packages/*.dist-info/*' - '/usr/lib/python*/dist-packages/*.dist-info/*' - '/usr/lib/python*/site-packages/*.dist-info/*' - '/usr/lib64/python*/dist-packages/*.dist-info/*' - '/usr/lib64/python*/site-packages/*.dist-info/*' - '/usr/local/lib/python*/dist-packages/*.dist-info/*' - '/usr/local/lib/python*/site-packages/*.dist-info/*' - '/usr/local/lib64/python*/dist-packages/*.dist-info/*' - '/usr/local/lib64/python*/site-packages/*.dist-info/*' supported_os: [Linux] supported_os: [Linux] labels: [Software] urls: ['https://www.python.org/dev/peps/pep-0376/'] --- name: PythonEggInfo doc: | Python module files distributed in .egg formats (currently linux only). Python eggs can have multiple formats, as described by setuptools. .egg files can be either a zipfile or a directory that contains an info file. .egg-info files can be either a directory or a file. If they are directories, they should contain a MANIFEST that identifies the installed module. PEP-0370 describes a default install location for per-user modules. sources: - type: FILE attributes: paths: # Files containing the install metadata in either a flat file or zipfile. 
- '%%users.homedir%%/.local/lib/python*/site-packages/*.egg' - '%%users.homedir%%/.local/lib/python*/site-packages/*.egg-info' - '%%users.homedir%%/.cache/pip/*.egg' - '%%users.homedir%%/.cache/pip/*.egg-info' - '/usr/lib/python*/dist-packages/*.egg' - '/usr/lib/python*/dist-packages/*.egg-info' - '/usr/lib/python*/site-packages/*.egg' - '/usr/lib/python*/site-packages/*.egg-info' - '/usr/lib64/python*/dist-packages/*.egg' - '/usr/lib64/python*/dist-packages/*.egg-info' - '/usr/lib64/python*/site-packages/*.egg' - '/usr/lib64/python*/site-packages/*.egg-info' - '/usr/local/lib/python*/dist-packages/*.egg' - '/usr/local/lib/python*/dist-packages/*.egg-info' - '/usr/local/lib/python*/site-packages/*.egg' - '/usr/local/lib/python*/site-packages/*.egg-info' - '/usr/local/lib64/python*/dist-packages/*.egg' - '/usr/local/lib64/python*/dist-packages/*.egg-info' - '/usr/local/lib64/python*/site-packages/*.egg' - '/usr/local/lib64/python*/site-packages/*.egg-info' - '/usr/share/pyshared/*.egg' - '/usr/share/pyshared/*.egg-info' # Directories containing the install metadata as separate files. 
- '%%users.homedir%%/.local/lib/python*/site-packages/*.egg/*' - '%%users.homedir%%/.local/lib/python*/site-packages/*.egg-info/*' - '%%users.homedir%%/.cache/pip/*.egg/*' - '%%users.homedir%%/.cache/pip/*.egg-info/*' - '/usr/lib/python*/dist-packages/*.egg/*' - '/usr/lib/python*/dist-packages/*.egg-info/*' - '/usr/lib/python*/site-packages/*.egg/*' - '/usr/lib/python*/site-packages/*.egg-info/*' - '/usr/lib64/python*/dist-packages/*.egg/*' - '/usr/lib64/python*/dist-packages/*.egg-info/*' - '/usr/lib64/python*/site-packages/*.egg/*' - '/usr/lib64/python*/site-packages/*.egg-info/*' - '/usr/local/lib/python*/dist-packages/*.egg/*' - '/usr/local/lib/python*/dist-packages/*.egg-info/*' - '/usr/local/lib/python*/site-packages/*.egg/*' - '/usr/local/lib/python*/site-packages/*.egg-info/*' - '/usr/local/lib64/python*/dist-packages/*.egg/*' - '/usr/local/lib64/python*/dist-packages/*.egg-info/*' - '/usr/local/lib64/python*/site-packages/*.egg/*' - '/usr/local/lib64/python*/site-packages/*.egg-info/*' - '/usr/share/pyshared/*.egg/*' - '/usr/share/pyshared/*.egg-info/*' supported_os: [Linux] supported_os: [Linux] labels: [Software] urls: - 'https://pythonhosted.org/setuptools/formats.html' - 'https://www.python.org/dev/peps/pep-0370/' --- name: PythonModuleInfo doc: Python module installation information. sources: - type: ARTIFACT_GROUP attributes: names: - PythonDistInfo - PythonEggInfo - PythonWheelInfo labels: [Software] --- name: PythonWheelInfo doc: | Python module files distributed in the wheel format (currently linux only). Zip archives with the .whl extension. Wheels are installed per the standard installer described in PEP-0376, so should mostly be discoverable as dist-info entries. 
sources: - type: FILE attributes: paths: - '/usr/share/python-wheels/*.whl' - '%%users.homedir%%/.cache/pip/wheels/*.whl' supported_os: [Linux] supported_os: [Linux] labels: [Software] urls: - 'https://wheel.readthedocs.org/en/latest/' - 'http://pip.readthedocs.org/en/stable/reference/pip_install/' --- name: RubyGems doc: Ruby Gems (currently linux only). sources: - type: FILE attributes: paths: - '%%users.homedir%%/.gem/ruby/**2/*.gemspec' - '/var/lib/gems/**2/*.gemspec' - '/usr/share/rubygems-integration/**2/*.gemspec' supported_os: [Linux] supported_os: [Linux] urls: ['http://guides.rubygems.org'] artifacts-20211012/data/instant_messaging.yaml000066400000000000000000000033151413144520200212340ustar00rootroot00000000000000# Instant Messaging applications specific artifacts. name: SkypeChatSync doc: Chat Sync Directory sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*'] supported_os: [Darwin] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: SkypeDb doc: Main Skype database sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db'] supported_os: [Darwin] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: SkypeMainDirectory doc: Skype Directory sources: - type: DIRECTORY attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*'] supported_os: [Darwin] supported_os: [Darwin] --- name: SkypePreferences doc: Skype Preferences and Recent Searches sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist'] supported_os: [Darwin] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 
'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype' --- name: SkypeUserProfile doc: Skype User profile sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*'] supported_os: [Darwin] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Skype'artifacts-20211012/data/java.yaml000066400000000000000000000010531413144520200164350ustar00rootroot00000000000000# Java related artifacts. name: JavaCacheFiles doc: Java Plug-in cache. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']} supported_os: [Linux] - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']} supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.appdata%%\Sun\Java\Deployment\cache\**' - '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**' separator: '\' supported_os: [Windows] supported_os: [Windows, Linux, Darwin] artifacts-20211012/data/kaspersky_careto.yaml000066400000000000000000000111551413144520200210710ustar00rootroot00000000000000# Artifacts from the Kaspersky Careto report. name: KasperskyCaretoDarwinFiles doc: Darwin Careto IOCs. sources: - type: FILE attributes: paths: - /Applications/.DS_Store.app/**10 - /Library/LaunchAgents/com.apple.launchport.plist supported_os: [Darwin] urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoIndicators doc: Kaspersky Careto Indicators. sources: - type: ARTIFACT_GROUP attributes: names: - KasperskyCaretoWindowsFiles - KasperskyCaretoWindowsRegKeys - KasperskyCaretoDarwinFiles supported_os: [Windows, Darwin] urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoWindowsFiles doc: Windows Careto IOCs. 
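sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\objframe.dll'
    - '%%environ_systemroot%%\System32\shlink32.dll'
    - '%%environ_systemroot%%\System32\shlink64.dll'
    - '%%environ_systemroot%%\System32\cdllait32.dll'
    - '%%environ_systemroot%%\System32\cdllait64.dll'
    - '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
    - '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
    - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
    - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
    - '%%environ_systemroot%%\System32\c_50225.nls'
    - '%%environ_systemroot%%\System32\c_50227.nls'
    - '%%environ_systemroot%%\System32\c_50229.nls'
    - '%%environ_systemroot%%\System32\c_51932.nls'
    - '%%environ_systemroot%%\System32\c_51936.nls'
    - '%%environ_systemroot%%\System32\c_51949.nls'
    - '%%environ_systemroot%%\System32\c_51950.nls'
    - '%%environ_systemroot%%\System32\c_57002.nls'
    - '%%environ_systemroot%%\System32\c_57006.nls'
    - '%%environ_systemroot%%\System32\c_57008.nls'
    - '%%environ_systemroot%%\System32\c_57010.nls'
    - '%%environ_systemroot%%\System32\cdgext32.dll'
    - '%%environ_systemroot%%\System32\cfgbkmgrs.dll'
    - '%%environ_systemroot%%\System32\cfgmgr64.dll'
    - '%%environ_systemroot%%\System32\comsvrpcs.dll'
    - '%%environ_systemroot%%\System32\d3dx8_20.dll'
    - '%%environ_systemroot%%\System32\dllcomm.dll'
    - '%%environ_systemroot%%\System32\drivers\wmimgr.sys'
    - '%%environ_systemroot%%\System32\drvinfo.bin'
    - '%%environ_systemroot%%\System32\FCache.bin'
    - '%%environ_systemroot%%\System32\FFExtendedCommand.dll'
    - '%%environ_systemroot%%\System32\gpktcsp32.dll'
    - '%%environ_systemroot%%\System32\HPQueue.bin'
    - '%%environ_systemroot%%\System32\LPQueue.bin'
    - '%%environ_systemroot%%\System32\mdwmnsp.dll'
    - '%%environ_systemroot%%\System32\rpcdist.dll'
    - '%%environ_systemroot%%\System32\scsvrft.dll'
    - '%%environ_systemroot%%\System32\sdptbw.dll'
    - '%%environ_systemroot%%\System32\slbkbw.dll'
    - '%%environ_systemroot%%\System32\skypeie6plugin.dll'
    - '%%environ_systemroot%%\System32\wmspdmgr.dll'
    - '%%environ_systemroot%%\System32\mfcn30.dll'
    - '%%environ_systemroot%%\System32\siiw9x.dll'
    - '%%environ_systemroot%%\System32\nmwcdlog.dll'
    - '%%environ_systemroot%%\System32\WifiScan.dll'
    - '%%environ_systemroot%%\System32\awview32.dll'
    - '%%environ_systemroot%%\System32\awcodc32.dll'
    - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
    - '%%users.temp%%\~DF23BF45A473C42B56.tmp'
    - '%%users.temp%%\~DFA0528CD81300F372.tmp'
    - '%%users.temp%%\~DF8471938479DA49221.tmp'
    - '%%users.appdata%%\microsoft\c_27803.nls'
    - '%%users.appdata%%\microsoft\objframe.dll'
    - '%%users.appdata%%\microsoft\shmgr.dll'
    separator: '\'
supported_os: [Windows]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
---
name: KasperskyCaretoWindowsRegKeys
doc: |
  Windows Careto IOCs.

  The HKEY_USERS CLSID entry is checked under each user's hive so that a
  per-user (HKCU\Software\Classes) shadow of a machine-wide CLSID, i.e. a
  COM hijack, is also collected.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
    # Fixed: this key path previously read 'Software\Classes\\CLSID\...'.
    # Inside single quotes the doubled backslash is literal, so the entry
    # could never match a real key and the IOC was silently never checked.
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}', value: 'InprocServer32'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}', value: 'InprocServer32'}
    # NOTE(review): InprocServer32 is normally a subkey of a CLSID key (its
    # default value names the DLL), not a value name directly under the CLSID
    # key. Confirm against the report whether these two entries should be a
    # REGISTRY_KEY source on '...\CLSID\{...}\InprocServer32' instead.
supported_os: [Windows]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
artifacts-20211012/data/legacy.yaml000066400000000000000000000155461413144520200167720ustar00rootroot00000000000000
# Deprecated definitions kept for backwards compatibility with GRR
# for the time being.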
# # https://github.com/google/grr/blob/master/grr/config/artifacts.py # https://github.com/google/grr/blob/master/grr/parsers/windows_registry_parser.py name: AllUsersAppDataEnvironmentVariable doc: The %ProgramData% environment variable. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}]} provides: [environ_allusersappdata] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] --- name: AllUsersProfileEnvironmentVariable doc: The %AllUsersProfile% environment variable. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- name: CurrentControlSet doc: The control set the system is currently using. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}]} provides: [current_control_set] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- name: LinuxRelease doc: | Linux specific distribution information. See: lsb_release(1) man page, or the LSB Specification under the 'Command Behaviour' section. 
sources: - type: FILE attributes: paths: - '/etc/enterprise-release' - '/etc/lsb-release' - '/etc/oracle-release' - '/etc/redhat-release' - '/etc/system-release' provides: [os_release, os_major_version, os_minor_version] labels: [Software] supported_os: [Linux] --- name: OSXUsers doc: Users directories in /Users sources: - type: DIRECTORY attributes: {paths: ['/Users/*']} labels: [Users] supported_os: [Darwin] provides: [users.username] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users' --- name: ProgramFiles doc: The %ProgramFiles% environment variable. sources: - type: PATH attributes: paths: ['\Program Files'] separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}]} provides: [environ_programfiles] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramFiles'] --- name: ProgramFilesx86 doc: The %ProgramFiles (x86)% environment variable. sources: - type: PATH attributes: paths: ['\Program Files (x86)'] separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}]} provides: [environ_programfilesx86] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramFiles'] --- name: SystemDriveEnvironmentVariable doc: | The %SystemDrive% environment variable, usually "C:". This value isn't actually present in the Registry but with some parsing we can figure it out from SystemRoot. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]} provides: [environ_systemdrive] supported_os: [Windows] urls: - 'http://environmentvariables.org/SystemDrive' - 'https://msdn.microsoft.com/en-us/library/cc231436.aspx' --- name: SystemRoot doc: The system root directory path, defined by %SystemRoot%, typically "C:\Windows". sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]} provides: [environ_systemroot] supported_os: [Windows] urls: ['http://environmentvariables.org/SystemRoot'] --- name: TempEnvironmentVariable doc: The %TEMP% environment variable. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'}]} provides: [environ_temp] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WinCodePage doc: The codepage of the system. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'}]} provides: [code_page] supported_os: [Windows] urls: ['http://en.wikipedia.org/wiki/Windows_code_page'] --- name: WinDirEnvironmentVariable doc: The %WinDir% environment variable. sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}]} provides: [environ_windir] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WinDomainName doc: The Windows domain the system is connected to. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}]} provides: [domain] supported_os: [Windows] --- name: WindowsEnvironmentVariableAllUsersAppData doc: The %ProgramData% environment variable. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} provides: [environ_allusersappdata] supported_os: [Windows] urls: ['http://environmentvariables.org/ProgramData'] --- name: WindowsEventLogProviders doc: Windows EventLog provider Registry keys, replaced by WindowsEventLogSources. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\*\*'] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html'] --- name: WinPathEnvironmentVariable doc: The %PATH% environment variable. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'}]} provides: [environ_path] supported_os: [Windows] urls: ['http://environmentvariables.org/WinDir'] --- name: WinTimeZone doc: The timezone of the system in Olson format. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'}]} provides: [time_zone] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc'] artifacts-20211012/data/linux.yaml000066400000000000000000000421721413144520200166620ustar00rootroot00000000000000# Linux specific artifacts. name: AnacronFiles doc: Anacron files. 
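sources:
- type: FILE
  attributes:
    paths:
    - '/etc/anacrontab'
    - '/etc/cron.daily/*'
    - '/etc/cron.hourly/*'
    - '/etc/cron.monthly/*'
    - '/etc/cron.weekly/*'
    # Per-job timestamp files, useful to establish when a job last ran.
    - '/var/spool/anacron/cron.daily'
    - '/var/spool/anacron/cron.hourly'
    - '/var/spool/anacron/cron.monthly'
    - '/var/spool/anacron/cron.weekly'
labels: [Configuration Files]
supported_os: [Linux]
---
name: APTSources
doc: |
  APT package sources list

  Covers both the classic one-line format (sources.list, *.list) and the
  deb822 format (*.sources) accepted in sources.list.d. Repository entries
  are a software supply-chain trust boundary: an unexpected or http-only
  entry is worth reviewing.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/apt/sources.list'
    - '/etc/apt/sources.list.d/*.list'
    - '/etc/apt/sources.list.d/*.sources'
labels: [Configuration Files, System]
supported_os: [Linux]
urls: ['http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html']
---
name: APTTrustKeys
doc: |
  APT trusted keys

  Keyrings in these locations are the trust anchors for package signature
  verification. Note that keyrings referenced through a Signed-By option in
  a source entry may live anywhere the entry points to and are not
  enumerated here.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/apt/trusted.gpg'
    - '/etc/apt/trusted.gpg.d/*.gpg'
    # apt also loads ASCII-armoured keyrings from trusted.gpg.d.
    - '/etc/apt/trusted.gpg.d/*.asc'
    - '/etc/apt/trustdb.gpg'
    - '/usr/share/keyrings/*.gpg'
    - '/usr/share/keyrings/*.asc'
labels: [Configuration Files, System]
supported_os: [Linux]
urls: ['https://wiki.debian.org/SecureApt']
---
name: CronAtAllowDenyFiles
doc: Files containing users authorised to run cron or at jobs.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/cron.allow'
    - '/etc/cron.deny'
    - '/etc/at.allow'
    - '/etc/at.deny'
labels: [Configuration Files]
supported_os: [Linux]
urls:
- 'http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html'
- 'http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html'
---
name: DebianPackagesLogFiles
doc: Linux dpkg log files.
sources:
- type: FILE
  attributes:
    paths:
    - '/var/log/dpkg.log*'
    - '/var/log/apt/history.log*'
    # Full terminal output of apt runs, including maintainer-script output.
    - '/var/log/apt/term.log*'
labels: [Logs]
supported_os: [Linux]
---
name: DebianPackagesStatus
doc: Linux dpkg status file.
sources:
- type: FILE
  attributes: {paths: ['/var/lib/dpkg/status']}
labels: [Software]
supported_os: [Linux]
---
name: DebianVersion
doc: Debian version information.
sources:
- type: FILE
  attributes: {paths: ['/etc/debian_version']}
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
---
name: DNSResolvConfFile
doc: DNS Resolver configuration file.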
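sources:
- type: FILE
  attributes: {paths: ['/etc/resolv.conf']}
labels: [Configuration Files]
supported_os: [Linux]
urls: ['http://man7.org/linux/man-pages/man5/resolv.conf.5.html']
---
name: GnomeApplicationState
doc: Gnome application state for frequent application data.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.local/share/gnome-shell/application_state']}
labels: [Configuration Files]
supported_os: [Linux]
urls: ['https://forensicswiki.xyz/wiki/index.php?title=Gnome_Desktop_Environment']
---
name: HostAccessPolicyConfiguration
doc: Linux files related to host access policy configuration.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/hosts.allow'
    - '/etc/hosts.deny'
labels: [Configuration Files]
supported_os: [Linux]
---
name: IPTablesRules
doc: |
  List IPTables rules.

  Only the default filter table is listed (no -t argument); the nat, mangle
  and raw tables, and native nftables rulesets, are not covered by this
  command.
sources:
- type: COMMAND
  attributes:
    args: ["-L", "-n", "-v"]
    cmd: /sbin/iptables
labels: [System]
supported_os: [Linux]
---
name: KernelModules
doc: |
  Kernel modules to be loaded on boot and modprobe configuration.

  /etc/modules (Debian-derived) and modules-load.d/*.conf (systemd) list
  modules loaded at boot; modules.conf and /etc/modprobe.d/* carry module
  options, aliases and blacklists. Both groups matter when looking for
  rootkit persistence or for a deliberately blacklisted security module.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/modules'
    - '/etc/modules.conf'
    - '/etc/modules-load.d/*.conf'
    - '/usr/lib/modules-load.d/*.conf'
    - '/etc/modprobe.d/*'
supported_os: [Linux]
---
name: LinuxAtJobs
doc: Linux at jobs.
sources:
- type: FILE
  attributes:
    paths:
    - '/var/spool/at/*'
    # Debian-derived systems keep the at spool under the cron spool.
    - '/var/spool/cron/atjobs/*'
labels: [Configuration Files]
supported_os: [Linux]
---
name: LinuxAuditLogs
doc: Linux audit log files.
sources:
- type: FILE
  attributes: {paths: ['/var/log/audit/*']}
labels: [Logs]
supported_os: [Linux]
---
name: LinuxAuthLogs
doc: Linux authentication log files.
sources:
- type: FILE
  attributes:
    paths:
    - '/var/log/auth.log*'
    # RHEL-family systems write /var/log/secure (rotated as secure-YYYYMMDD);
    # the previous pattern 'secure.log*' matched neither.
    - '/var/log/secure*'
labels: [Logs, Authentication]
supported_os: [Linux]
---
name: LinuxCronLogs
doc: Linux cron log files.
sources:
- type: FILE
  # Matches Debian-style cron.log* as well as the RHEL-style /var/log/cron
  # file and its dated rotations.
  attributes: {paths: ['/var/log/cron*']}
labels: [Logs]
supported_os: [Linux]
---
name: LinuxCronTabs
doc: Crontab files.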
sources: - type: FILE attributes: paths: - '/etc/crontab' - '/etc/cron.d/*' - '/var/spool/cron/**' labels: [Configuration Files] supported_os: [Linux] --- name: LinuxDaemonLogFiles doc: Linux daemon log files. sources: - type: FILE attributes: {paths: ['/var/log/daemon.log*']} labels: [Logs] supported_os: [Linux] --- name: LinuxDistributionRelease doc: Linux distribution release information of non-LSB compliant systems. sources: - type: FILE attributes: paths: - '/etc/centos-release' - '/etc/enterprise-release' - '/etc/oracle-release' - '/etc/redhat-release' - '/etc/SuSE-release' - '/etc/system-release' provides: [os_release, os_major_version, os_minor_version] labels: [Software] supported_os: [Linux] --- name: LinuxDSDTTable doc: Linux file containing DSDT table. sources: - type: FILE attributes: {paths: ['/sys/firmware/acpi/tables/DSDT']} labels: [System] urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt'] supported_os: [Linux] --- name: LinuxFstab doc: Linux fstab file. sources: - type: FILE attributes: {paths: ['/etc/fstab']} labels: [System, Configuration Files] supported_os: [Linux] urls: ['http://en.wikipedia.org/wiki/Fstab'] --- name: LinuxGrubConfiguration doc: Linux grub configuration file. sources: - type: FILE attributes: paths: - '/boot/grub/grub.cfg' - '/boot/grub2/grub.cfg' labels: [System, Configuration Files] supported_os: [Linux] urls: ['https://en.wikipedia.org/wiki/GNU_GRUB'] --- name: LinuxHostnameFile doc: Linux hostname file. sources: - type: FILE attributes: {paths: ['/etc/hostname']} labels: [Configuration Files, System] supported_os: [Linux] --- name: LinuxInitrdFiles doc: Initrd (initramfs) files in /boot/ executed on startup. 
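sources:
- type: FILE
  attributes:
    paths:
    - '/boot/initramfs*'
    - '/boot/initrd*'
labels: [Configuration Files, System]
supported_os: [Linux]
urls:
- 'http://en.wikipedia.org/wiki/Initrd'
- 'https://www.kernel.org/doc/Documentation/initrd.txt'
---
name: LinuxIssueFile
doc: Linux prelogin message and identification (issue) file.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/issue'
    - '/etc/issue.net'
labels: [Configuration Files, System]
supported_os: [Linux]
urls: ['https://linux.die.net/man/5/issue']
---
name: LinuxKernelLogFiles
doc: Linux kernel log files.
sources:
- type: FILE
  attributes: {paths: ['/var/log/kern.log*']}
labels: [Logs]
supported_os: [Linux]
---
name: LinuxLastlogFile
doc: Linux lastlog file.
sources:
- type: FILE
  attributes: {paths: ['/var/log/lastlog']}
labels: [Logs, Authentication]
supported_os: [Linux]
---
name: LinuxLoaderSystemPreloadFile
doc: |
  Linux dynamic linker/loader system-wide preload file (ld.so.preload).

  Any shared object listed here is loaded into every dynamically linked
  process before its own dependencies, so on a healthy system this file is
  normally absent or empty; a non-empty file is a common userland rootkit
  persistence mechanism.
sources:
- type: FILE
  attributes: {paths: ['/etc/ld.so.preload']}
labels: [Configuration Files]
supported_os: [Linux]
urls: ['http://man7.org/linux/man-pages/man8/ld.so.8.html']
---
name: LinuxLSBInit
doc: Linux LSB-style init scripts.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/init.d/*'
    - '/etc/insserv.conf'
    - '/etc/insserv.conf.d/**'
labels: [Configuration Files, System]
supported_os: [Linux]
urls: ['https://wiki.debian.org/LSBInitScripts']
---
name: LinuxLocalTime
doc: Local time zone configuration
sources:
- type: FILE
  attributes: {paths: ['/etc/localtime']}
labels: [System]
supported_os: [Linux]
---
name: LinuxLSBRelease
doc: Linux Standard Base (LSB) release information
sources:
- type: FILE
  attributes: {paths: ['/etc/lsb-release']}
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
urls: ['https://linux.die.net/man/1/lsb_release']
---
name: LinuxMessagesLogFiles
doc: Linux messages log files.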
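sources:
- type: FILE
  attributes: {paths: ['/var/log/messages*']}
labels: [Logs]
supported_os: [Linux]
---
name: LinuxMountCmd
doc: Linux output of mount
sources:
- type: COMMAND
  attributes:
    args: []
    cmd: /bin/mount
labels: [System]
supported_os: [Linux]
---
name: LinuxMountInfo
doc: Linux mount options.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - LinuxFstab
    - LinuxProcMounts
labels: [System, Configuration Files]
supported_os: [Linux]
---
name: LinuxPamConfigs
doc: |
  Configuration files for PAM.

  PAM stacks control authentication, account and session policy for every
  login path; an unexpected module or a "sufficient" line inserted at the
  top of a stack is a classic credential-theft or backdoor technique.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/pam.conf'
    - '/etc/pam.d'
    - '/etc/pam.d/*'
labels: [Authentication, Configuration Files]
supported_os: [Linux]
urls: ['http://www.linux-pam.org/']
---
name: LinuxPasswdFile
doc: |
  Linux passwd file.

  A passwd file consists of colon-separated values in the format:
  username:password:uid:gid:full name:home directory:shell
sources:
- type: FILE
  attributes: {paths: ['/etc/passwd']}
labels: [Configuration Files, System]
supported_os: [Linux]
---
name: LinuxReleaseInfo
doc: Release information for Linux platforms.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - LinuxDistributionRelease
    - LinuxLSBRelease
    - LinuxSystemdOSRelease
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
---
name: LinuxRsyslogConfigs
doc: Linux rsyslog configurations.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/rsyslog.conf'
    - '/etc/rsyslog.d'
    - '/etc/rsyslog.d/*'
labels: [Configuration Files, Logs]
supported_os: [Linux]
urls: ['http://www.rsyslog.com/doc/rsyslog_conf.html']
---
name: LinuxScheduleFiles
doc: All Linux job scheduling files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - AnacronFiles
    - LinuxCronTabs
    - LinuxAtJobs
labels: [Configuration Files]
supported_os: [Linux]
---
name: LinuxServices
doc: Services running on a Linux system.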
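sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - LinuxXinetd
    - LinuxLSBInit
    - LinuxSysVInit
    - LinuxSystemdServices
labels: [Configuration Files, System]
supported_os: [Linux]
---
name: LinuxSSDTTables
doc: Linux files containing SSDT table.
sources:
- type: FILE
  attributes: {paths: ['/sys/firmware/acpi/tables/SSDT*']}
labels: [System]
urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt']
supported_os: [Linux]
---
name: LinuxSudoReplayLogs
doc: Linux sudoreplay log files.
sources:
- type: FILE
  attributes: {paths: ['/var/log/sudo-io/**']}
labels: [Logs, Authentication]
supported_os: [Linux]
---
name: LinuxSysLogFiles
doc: Linux syslog log files.
sources:
- type: FILE
  # Debian/Ubuntu write /var/log/syslog, rotated as syslog.1, syslog.2.gz, ...;
  # the previous pattern 'syslog.log*' matched none of these. The broader
  # glob still covers any syslog.log* file.
  attributes: {paths: ['/var/log/syslog*']}
labels: [Logs]
supported_os: [Linux]
---
name: LinuxSyslogNgConfigs
doc: Linux syslog-ng configurations.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/syslog-ng/syslog-ng.conf'
    - '/etc/syslog-ng/conf-d/*.conf'
    # Debian-derived packages include /etc/syslog-ng/conf.d/*.conf.
    - '/etc/syslog-ng/conf.d/*.conf'
labels: [Configuration Files, Logs]
supported_os: [Linux]
urls: ['http://linux.die.net/man/5/syslog-ng.conf']
---
name: LinuxSystemdOSRelease
doc: Linux systemd /etc/os-release file
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/os-release'
    - '/usr/lib/os-release'
provides: [os_release, os_major_version, os_minor_version]
labels: [Software]
supported_os: [Linux]
urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html']
---
name: LinuxSystemdServices
doc: |
  Linux systemd service unit files

  Only *.service units are collected. Other unit types that can start code
  (*.timer, *.socket, *.path) and override drop-ins (*.service.d/*.conf),
  which are equally usable for persistence, are not covered by this
  artifact.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/systemd/system.control/*.service'
    - '/etc/systemd/systemd.attached/*.service'
    - '/etc/systemd/system/*.service'
    - '/etc/systemd/user/*.service'
    - '/lib/systemd/system/*.service'
    - '/lib/systemd/user/*.service'
    - '/run/systemd/generator.early/*.service'
    - '/run/systemd/generator.late/*.service'
    - '/run/systemd/generator/*.service'
    - '/run/systemd/system.control/*.service'
    - '/run/systemd/systemd.attached/*.service'
    - '/run/systemd/system/*.service'
    - '/run/systemd/transient/*.service'
    - '/run/systemd/user/*.service'
    - '/run/user/*/systemd/generator.early/*.service'
    - '/run/user/*/systemd/generator.late/*.service'
    - '/run/user/*/systemd/generator/*.service'
    - '/run/user/*/systemd/transient/*.service'
    - '/run/user/*/systemd/user.control/*.service'
    - '/run/user/*/systemd/user/*.service'
    - '/usr/lib/systemd/system/*.service'
    - '/usr/lib/systemd/user/*.service'
    - '%%users.homedir%%/.config/systemd/user.control/*.service'
    - '%%users.homedir%%/.config/systemd/user/*.service'
    - '%%users.homedir%%/.local/share/systemd/user/*.service'
labels: [Configuration Files, System]
supported_os: [Linux]
# Fixed: the URL previously had a doubled scheme ('https://https://').
urls: ['https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path']
---
name: LinuxSysVInit
doc: Services started by sysv-style init scripts.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/rc*.d'
    - '/etc/rc*.d/*'
    - '/etc/rc.d/rc*.d/*'
    - '/etc/rc.d/init.d/*'
labels: [Configuration Files, System]
supported_os: [Linux]
urls:
- 'http://savannah.nongnu.org/projects/sysvinit'
- 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html'
---
name: LinuxTimezoneFile
doc: Linux timezone file.
sources:
- type: FILE
  attributes: {paths: ['/etc/timezone']}
labels: [Configuration Files, System]
supported_os: [Linux]
---
name: LinuxUtmpFiles
doc: Linux btmp, utmp and wtmp login record files.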
sources: - type: FILE attributes: paths: - '/var/log/btmp' - '/var/log/wtmp' - '/var/run/utmp' labels: [Logs, Authentication] supported_os: [Linux] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] --- name: LinuxWtmp doc: Linux wtmp login record file sources: - type: FILE attributes: {paths: ['/var/log/wtmp']} labels: [Logs, Authentication] provides: [users.username, users.last_logon] supported_os: [Linux] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] --- name: LinuxXinetd doc: Linux xinetd configurations. sources: - type: FILE attributes: paths: - '/etc/xinetd.conf' - '/etc/xinetd.d/**' labels: [Configuration Files, System] supported_os: [Linux] urls: ['http://en.wikipedia.org/wiki/Xinetd'] --- name: ListProcessesPsCommand doc: Full process listing via the 'ps' command. sources: - type: COMMAND attributes: args: ['-ef'] cmd: /bin/ps supported_os: [Linux] urls: ['https://gitlab.com/procps-ng/procps'] --- name: LoadedKernelModules doc: Linux output of lsmod. sources: - type: COMMAND attributes: args: [] cmd: /sbin/lsmod supported_os: [Linux] --- name: LoginPolicyConfiguration doc: Linux files related to login policy configuration. sources: - type: FILE attributes: paths: - '/etc/netgroup' - '/etc/nsswitch.conf' - '/etc/passwd' - '/etc/shadow' - '/etc/security/access.conf' - '/root/.k5login' labels: [Authentication, Configuration Files] supported_os: [Linux] --- name: NetgroupConfiguration doc: Linux netgroup configuration. sources: - type: FILE attributes: {paths: ['/etc/netgroup']} labels: [Authentication, Configuration Files] provides: [users.username] supported_os: [Linux] --- name: NtpConfFile doc: The configuration file for ntpd. e.g. ntp.conf. 
sources: - type: FILE attributes: {paths: ['/etc/ntp.conf']} labels: [Configuration Files] supported_os: [Linux] urls: ['https://www.freebsd.org/cgi/man.cgi?query=ntp.conf&sektion=5'] --- name: PCIDevicesInfoFiles doc: Info and config files for PCI devices located on the system. sources: - type: FILE attributes: paths: - '/sys/bus/pci/devices/*/vendor' - '/sys/bus/pci/devices/*/device' - '/sys/bus/pci/devices/*/class' - '/sys/bus/pci/devices/*/config' labels: [Configuration Files, System] urls: - 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci' - 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt' - 'https://wiki.debian.org/HowToIdentifyADevice/PCI' supported_os: [Linux] --- name: SecretsServiceDatabaseFile doc: The System Security Services Daemon (SSSD) database file. sources: - type: FILE attributes: paths: - '/var/lib/sss/secrets/secrets.ldb' - '/var/lib/sss/secrets/.secrets.mkey' labels: [System, Configuration Files] supported_os: [Linux] urls: - 'https://docs.pagure.org/SSSD.sssd/design_pages/secrets_service.html' - 'https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html' --- name: SSHHostPubKeys doc: SSH host public keys sources: - type: FILE attributes: paths: - '/etc/ssh/ssh_host_*_key.pub' labels: [Authentication, Configuration Files] supported_os: [Linux] --- name: ThumbnailCacheFolder doc: Thumbnail cache folder. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.thumbnails/**3']} labels: [Users] supported_os: [Linux] --- name: YumSources doc: Yum package sources list sources: - type: FILE attributes: paths: - '/etc/yum.conf' - '/etc/yum.repos.d/*.repo' labels: [Configuration Files, System] supported_os: [Linux] urls: ['https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Configuring_Yum_and_Yum_Repositories.html'] --- name: ZeitgeistDatabase doc: Zeitgeist user activity database. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite' - '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite-wal' labels: [Users, Logs] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Zeitgeist'] supported_os: [Linux] artifacts-20211012/data/linux_proc.yaml000066400000000000000000000124701413144520200177030ustar00rootroot00000000000000# Linux specific /proc artifacts. name: LinuxASLREnabled doc: Kernel ASLR state. sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/randomize_va_space']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxIgnoreICMPBroadcasts doc: Whether the system ignores ICMP pings. sources: - type: FILE attributes: {paths: ['/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts']} labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxKernelBootloader doc: Bootloader state acquired from the kernel. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/bootloader_type' - '/proc/sys/kernel/bootloader_version' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxKernelModuleRestrictions doc: Module loading controls. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/kexec_load_disabled' - '/proc/sys/kernel/modules_disabled' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxKernelModuleTaintStatus doc: Taint state of loaded modules (binary blobs, unsigned modules etc). sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/tainted']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxNetworkIpForwardingState doc: IP forwarding states. 
sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/forwarding' - '/proc/sys/net/ipv4/conf/*/mc_forwarding' - '/proc/sys/net/ipv4/ip_forward' labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxNetworkPathFilteringSettings doc: States that determine how the system responds to route manipulation. sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/accept_source_route' - '/proc/sys/net/ipv4/conf/*/rp_filter' - '/proc/sys/net/ipv4/conf/*/log_martians' labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxNetworkRedirectState doc: Redirect send/receive states. sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/accept_redirects' - '/proc/sys/net/ipv4/conf/*/secure_redirects' - '/proc/sys/net/ipv4/conf/*/send_redirects' labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxProcArp doc: ARP table via /proc/net/arp. sources: - type: FILE attributes: paths: - '/proc/net/arp' labels: [Network] supported_os: [Linux] --- name: LinuxProcMounts doc: Current mounted filesystems. sources: - type: FILE attributes: paths: - '/proc/mounts' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/filesystems/proc.txt'] --- name: LinuxProcSysHardeningSettings doc: Linux sysctl settings obtained from /proc/sys. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'LinuxASLREnabled' - 'LinuxIgnoreICMPBroadcasts' - 'LinuxKernelBootloader' - 'LinuxKernelModuleTaintStatus' - 'LinuxKernelModuleRestrictions' - 'LinuxNetworkIpForwardingState' - 'LinuxNetworkPathFilteringSettings' - 'LinuxNetworkRedirectState' - 'LinuxRestrictedDmesgReadPrivileges' - 'LinuxRestrictedKernelPointerReadPrivileges' - 'LinuxSecureSuidCoreDumps' - 'LinuxSecureFsLinks' - 'LinuxSyncookieState' labels: [System] supported_os: [Linux] --- name: LinuxRestrictedDmesgReadPrivileges doc: Restrict whether non-privileged users can read dmesg. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/dmesg_restrict' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxRestrictedKernelPointerReadPrivileges doc: Memory address obfuscation settings. sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/kptr_restrict']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxSecureFsLinks doc: Security controls to restrict operations on links in world writable directories. sources: - type: FILE attributes: paths: - '/proc/sys/fs/protected_hardlinks' - '/proc/sys/fs/protected_symlinks' labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] --- name: LinuxSecureSuidCoreDumps doc: Security controls for suid core dumps. sources: - type: FILE attributes: {paths: ['/proc/sys/fs/suid_dumpable']} labels: [System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] --- name: LinuxSyncookieState doc: Whether the system uses syncookies. sources: - type: FILE attributes: {paths: ['/proc/sys/net/ipv4/tcp_syncookies']} labels: [Network, System] supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxSysctlCmd doc: Linux output of sysctl -a. 
sources: - type: COMMAND attributes: args: ["-a"] cmd: /sbin/sysctl supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl'] artifacts-20211012/data/macos.yaml000066400000000000000000001046121413144520200166230ustar00rootroot00000000000000# MacOS (Darwin) specific artifacts. name: MacOSAppleSystemLogFiles doc: Apple system log (ASL) files sources: - type: FILE attributes: paths: - '/private/var/log/asl/*' - '/var/log/asl/*' labels: [System, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSApplications doc: Applications sources: - type: DIRECTORY attributes: {paths: ['/Applications/*']} labels: [Users, Software] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSApplicationsRecentItems doc: Recent Items application specific sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/*LSSharedFileList.plist']} labels: [Users, Software] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' --- name: MacOSApplicationSupport doc: Application Support Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Library/Application Support/*']} labels: [Users, Software] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.' 
--- name: MacOSAtJobs doc: MacOS at jobs sources: - type: FILE attributes: {paths: ['/usr/lib/cron/jobs/*']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' - 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at' --- name: MacOSAuditLogFiles doc: Audit log files sources: - type: FILE attributes: paths: - '/private/var/audit/*' - '/var/audit/*' labels: [System, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSBashHistory doc: Terminal Commands History sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.bash_history']} labels: [Users, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- name: MacOSBashSessions doc: Terminal Commands Sessions sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.bash_sessions/*']} labels: [Users, Logs] supported_os: [Darwin] urls: ['https://www.swiftforensics.com/2018/05/bash-sessions-in-macos.html'] --- name: MacOSBluetoothPlistFile doc: Bluetooth preferences and paired device information plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.Bluetooth.plist']} labels: [System, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSCoreAnalyticsFiles doc: macOS 10.13 (High Sierra) CoreAnalytics log files. 
sources: - type: FILE attributes: paths: - '/Library/Logs/DiagnosticReports/*.core_analytics' - '/private/var/db/analyticsd/aggregates/*' - '/var/db/analyticsd/aggregates/*' labels: [Logs, System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X#Diagnostic_Reports' - 'https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/' --- name: MacOSCronTabs doc: Cron tabs sources: - type: FILE attributes: paths: - '/etc/crontab' - '/private/etc/crontab' - '/usr/lib/cron/tabs/*' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' --- name: MacOSDock doc: Dock database sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSGlobalPreferencesPlistFile doc: Global Preferences plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/.GlobalPreferences.plist']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSHostsFile doc: Hosts file sources: - type: FILE attributes: paths: - '/etc/hosts' - '/private/etc/hosts' labels: [System, Network] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking' --- name: MacOSiCloudAccounts doc: iCloud Accounts sources: - type: FILE attributes: {paths: 
['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*']} labels: [Users, Software, Cloud, ExternalAccount] supported_os: [Darwin] --- name: MacOSiCloudPreferences doc: iCloud user preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist']} labels: [Users, Cloud, ExternalAccount] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSiDevices doc: Attached iDevices sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist']} labels: [Users, External Media] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSInstallationHistory doc: Software Installation History sources: - type: FILE attributes: {paths: ['/Library/Receipts/InstallHistory.plist']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' --- name: MacOSInstallationLogFile doc: Installation log file sources: - type: FILE attributes: paths: - '/private/var/log/install.log' - '/var/log/install.log' labels: [System, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSiOSBackupInfo doc: iOS device backup information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 
'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupManifest doc: iOS device backup apps information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupMbdb doc: iOS device backup files information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupsMainDirectory doc: iOS device backups directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSiOSBackupStatus doc: iOS device backup status information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist']} labels: [Users, iOS] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#iDevice_Backup' --- name: MacOSKeychains doc: Keychain Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Keychains/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 
'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.' --- name: MacOSKeyboardLayoutPlistFile doc: Keyboard layout plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.HIToolbox.plist']} labels: [System] supported_os: [Darwin] --- name: MacOSKextFiles doc: Kernel extension (.kext) files sources: - type: FILE attributes: paths: - '/System/Library/Extensions/*' - '/Library/Extensions/*' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Kernel_Extension' --- name: MacOSDuetKnowledgeBase doc: KnowledgeC User and Application usage database sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db' - '/private/var/db/CoreDuet/Knowledge/knowledgeC.db' - '/var/db/CoreDuet/Knowledge/knowledgeC.db' labels: [Users, Logs] supported_os: [Darwin] urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage'] --- name: MacOSLaunchAgentsPlistFiles doc: Launch Agents plist files sources: - type: FILE attributes: paths: - '/Library/LaunchAgents/*' - '/System/Library/LaunchAgents/*' - '%%users.homedir%%/Library/LaunchAgents/*' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- name: MacOSLaunchDaemonsPlistFiles doc: Launch Daemons plist files sources: - type: FILE attributes: paths: - '/Library/LaunchDaemons/*' - '/System/Library/LaunchDaemons/*' - '%%users.homedir%%/Library/LaunchDaemons/*' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 
'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- name: MacOSLastlogFile doc: Mac OS X lastlog file. sources: - type: FILE attributes: paths: - '/private/var/log/lastlog' - '/var/log/lastlog' labels: [Logs, Authentication] supported_os: [Darwin] --- name: MacOSLoadedKexts doc: MacOS Loaded Kernel Extensions. sources: - type: COMMAND attributes: args: [] cmd: /usr/sbin/kextstat labels: [System] supported_os: [Darwin] --- name: MacOSLocalTime doc: Local time zone configuration sources: - type: FILE attributes: paths: - '/etc/localtime' - '/private/etc/localtime' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' --- name: MacOSLoginWindowPlistFile doc: Log-in Window information plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.loginwindow.plist']} labels: [System, Authentication] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSMailAccounts doc: Mail Accounts. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Accounts.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailBackupTOC doc: Mail Backup Table of Content. Until now only V2, V3 and V5 have been observed. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/BackupTOC.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailboxes doc: Mail Mailbox Directory. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/Mailboxes/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailDownloadAttachments doc: Mail Downloads Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailEnvelopIndex doc: Mail Envelope Index. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Envelope Index']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailIMAP doc: Mail IMAP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/IMAP-*/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailMainDirectory doc: Mail Main Folder. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailOpenedAttachments doc: Mail Opened Attachments sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/OpenedAttachmentsV2.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailPOP doc: Mail POP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/POP-*/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailPreferences doc: Mail Preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailRecentContacts doc: Mail Recent Contacts sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMailSignatures doc: Mail Signatures by Account. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Signatures/*']} labels: [Users, Software, Mail] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Mail' --- name: MacOSMiscLogs doc: Misc. Logs sources: - type: FILE attributes: {paths: ['/Library/Logs/*']} labels: [Users, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- name: MacOSMountedDMGs doc: MacOS Mounted DMG files. 
sources: - type: COMMAND attributes: args: ['info'] cmd: /usr/bin/hdiutil labels: [System] supported_os: [Darwin] --- name: MacOSNotificationCenter doc: MacOS NotificationCenter database sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db' - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db' - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db' - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db' - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db' labels: [Users, Logs] supported_os: [Darwin] --- name: MacOSPeriodicSystemFunctions doc: Periodic system functions scripts and configuration sources: - type: FILE attributes: paths: - '/etc/daily.local/*' - '/etc/defaults/periodic.conf' - '/etc/monthly.local/*' - '/etc/periodic/**2' - '/etc/periodic.conf' - '/etc/periodic.conf.local' - '/etc/periodic/daily/*' - '/etc/periodic/monthly/*' - '/etc/periodic/weekly/*' - '/etc/weekly.local/*' - '/private/etc/daily.local/*' - '/private/etc/defaults/periodic.conf' - '/private/etc/monthly.local/*' - '/private/etc/periodic/**2' - '/private/etc/periodic.conf' - '/private/etc/periodic.conf.local' - '/private/etc/periodic/daily/*' - '/private/etc/periodic/monthly/*' - '/private/etc/periodic/weekly/*' - '/private/etc/weekly.local/*' - '/usr/local/etc/periodic/**2' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Info_Misc.' 
- 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic' --- name: MacOSQuarantineEvents doc: Quarantine Event Database sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents' - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2' labels: [Users, Software] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSRecentItems doc: Recent Items sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Recent_Items' --- name: MacOSRemoteDesktopAdministratorSystem doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance. sources: - type: FILE attributes: paths: - '/private/var/db/RemoteManagement/ClientCaches/*' - '/var/db/RemoteManagement/ClientCaches/*' - '/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3' - '/var/db/RemoteManagement/RMDB/rmdb.sqlite3' labels: [System, Network] supported_os: [Darwin] urls: - 'https://help.apple.com/remotedesktop/mac/3.9/' - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html' - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse' --- name: MacOSRemoteDesktopClientSystem doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance. 
sources: - type: FILE attributes: paths: - '/private/var/db/RemoteManagement/caches/AppUsage.plist' - '/var/db/RemoteManagement/caches/AppUsage.plist' - '/private/var/db/RemoteManagement/caches/UserAcct.tmp' - '/var/db/RemoteManagement/caches/UserAcct.tmp' labels: [System, Network] supported_os: [Darwin] urls: - 'https://help.apple.com/remotedesktop/mac/3.9/' - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html' - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse' --- name: MacOSSidebarLists doc: | Sidebar Lists Preferences This plist contains the names of volumes mounted on the desktop that have appeared in the sidebar list. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist' - '%%users.homedir%%/Preferences/com.apple.sidebarlists.plist' labels: [Users, External Media] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSSleepimageFile doc: Sleepimage file which contains the content of memory before going to sleep sources: - type: FILE attributes: paths: - '/private/var/vm/sleepimage' - '/var/vm/sleepimage' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' --- name: MacOSStartupItemsPlistFiles doc: Startup Items plist files sources: - type: FILE attributes: paths: - '/Library/StartupItems/*' - '/System/Library/StartupItems/*' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations' --- name: MacOSSwapFiles doc: Swap files sources: - type: FILE attributes: paths: - 
'/private/var/vm/swapfile[0-9]' - '/var/vm/swapfile[0-9]' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Sleep.2FHibernate_and_Swap_Image_File' --- name: MacOSSystemConfigurationPreferencesPlistFile doc: System configuration preferences plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/SystemConfiguration/preferences.plist']} labels: [System] supported_os: [Darwin] --- name: MacOSSystemInstallationTime doc: System installation time sources: - type: FILE attributes: paths: - '/private/var/db/.AppleSetupDone' - '/var/db/.AppleSetupDone' labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' --- name: MacOSSystemLogFiles doc: System log files sources: - type: FILE attributes: paths: - '/private/var/log/*' - '/var/log/*' labels: [System, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Logs' --- name: MacOSSystemPreferencesPlistFiles doc: System Preferences plist files sources: - type: FILE attributes: {paths: ['/Library/Preferences/**']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSSystemVersionPlistFile doc: Operating system name and version plist file sources: - type: FILE attributes: {paths: ['/System/Library/CoreServices/SystemVersion.plist']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 
'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' --- name: MacOSTimeMachinePlistFile doc: Time Machine information plist file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.TimeMachine.plist']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Preferences' --- name: MacOSUnifiedLogging doc: Apple Unified Logging and Activity Tracing sources: - type: FILE attributes: paths: - '/private/var/db/diagnostics/*.tracev3' - '/private/var/db/diagnostics/*/*.tracev3' - '/private/var/db/uuidtext/*/*' - '/var/db/diagnostics/*.tracev3' - '/var/db/diagnostics/*/*.tracev3' - '/var/db/uuidtext/*/*' labels: [System, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf' --- name: MacOSUpdate doc: Software Update sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist']} labels: [System] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Software_Installation' --- name: MacOSUserApplicationLogs doc: User and Applications Logs Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Logs/*']} labels: [Users, Logs] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Logs' --- name: MacOSUserDesktopDirectory doc: Desktop Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Desktop/*']} labels: [Users] supported_os: [Darwin] urls: - 
'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserDocumentsDirectory doc: Documents Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Documents/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserDownloadsDirectory doc: User downloads directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Downloads/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserGlobalPreferences doc: User Global Preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSUserLibraryDirectory doc: Library Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Library/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserLoginItems doc: Login Items sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Autorun_Locations_2' --- name: 
MacOSUserMoviesDirectory doc: Movies Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Movies/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserMusicDirectory doc: Music Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Music/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserPasswordHashesPlistFiles doc: User password hashes plist files sources: - type: FILE attributes: paths: - '/private/var/db/dslocal/nodes/Default/users/*.plist' - '/var/db/dslocal/nodes/Default/users/*.plist' labels: [System, Users, Authentication] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#System_Settings_and_Informations' --- name: MacOSUserPicturesDirectory doc: Pictures Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Pictures/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUserPreferences doc: User preferences directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Preferences' --- name: MacOSUserPublicDirectory doc: Public Directory sources: - type: DIRECTORY attributes: {paths: ['%%users.homedir%%/Public/*']} labels: 
[Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User_Directories' --- name: MacOSUsers doc: Users directories in /Users sources: - type: DIRECTORY attributes: {paths: ['/Users/*']} labels: [Users] supported_os: [Darwin] provides: [users.username] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Users' --- name: MacOSUserSocialAccounts doc: User's Social Accounts sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Accounts/Accounts3.sqlite' - '%%users.homedir%%/Library/Accounts/Accounts3.sqlite-wal' - '%%users.homedir%%/Library/Accounts/Accounts4.sqlite' - '%%users.homedir%%/Library/Accounts/Accounts4.sqlite-wal' labels: [Users, ExternalAccount] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#User.27s_Accounts' - 'https://lab.wallarm.com/hunting-the-files-34caa0c1496' --- name: MacOSUserTrash doc: User Trash Folder sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.Trash/*']} labels: [Users] supported_os: [Darwin] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Misc.' --- name: MacOSUtmpFile doc: Mac OS X utmp and wtmp login record file. sources: - type: FILE attributes: paths: - '/private/var/run/utmp' - '/private/var/log/wtmp' - '/var/run/utmp' - '/var/log/wtmp' labels: [Logs, Authentication] supported_os: [Darwin] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] --- name: MacOSUtmpxFile doc: Mac OS X 10.5 utmpx login record file.
sources:
- type: FILE
  attributes:
    paths:
    - '/private/var/run/utmpx'
    - '/var/run/utmpx'
labels: [Logs, Authentication]
supported_os: [Darwin]
urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
---
name: MacOSWirelessNetworks
doc: Remembered Wireless Networks
sources:
- type: FILE
  attributes: {paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist']}
labels: [System, Network]
supported_os: [Darwin]
urls:
- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X'
- 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Networking'
---
name: MacOSFSEvents
doc: Mac OS X file system event log
sources:
- type: FILE
  attributes: {paths: ['/.fseventsd/*']}
labels: [Logs, System, Users]
supported_os: [Darwin]
urls:
- 'http://nicoleibrahim.com/apple-fsevents-forensics/'
- 'https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf'
---
name: MacOSTCC
doc: Apple's Transparency, Consent, Control (TCC) framework database
sources:
- type: FILE
  attributes:
    # TCC.db records which applications have been granted privacy-sensitive
    # access. Grants that neither the user nor fleet policy can account for
    # are worth reviewing during triage; the system-wide and per-user
    # databases are both collected.
    paths:
    - '/Library/Application Support/com.apple.TCC/TCC.db'
    - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db'
labels: [System]
supported_os: [Darwin]
urls:
- 'https://blog.fleetsmith.com/tcc-a-quick-primer/'
- 'https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/'
# ---- artifacts-20211012/data/ntfs.yaml ----
# NTFS specific artifacts.
name: NTFSMFTFiles
doc: |
  The NTFS $MFT and $MFTMirr file system metadata files.
  GRR collection note: you currently need to specify 'use tsk' and
  'ignore download size limits' for this artifact to work.
  This will go away in the future.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemdrive%%\$MFT'
    - '%%environ_systemdrive%%\$MFTMirr'
    separator: '\'
labels: [System]
supported_os: [Windows]
---
name: NTFSLogFile
doc: |
  The NTFS $LogFile file system metadata file.
  GRR collection note: you currently need to specify 'use tsk' and
  'ignore download size limits' for this artifact to work.
  This will go away in the future.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemdrive%%\$LogFile']
    separator: '\'
urls: ['https://sourceforge.net/projects/linux-ntfs/']
labels: [System]
supported_os: [Windows]
# ---- artifacts-20211012/data/tomcat.yaml ----
# Apache Tomcat artifacts.
name: TomcatFiles
doc: Tomcat files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'TomcatLogFiles'
    - 'TomcatPasswordFile'
labels: [Software]
supported_os: [Darwin,Linux,Windows]
---
name: TomcatLogFiles
doc: Tomcat log files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\access_log*'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
    separator: '\'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    - '/opt/tomcat*/logs/**/access_log*'
    - '/opt/tomcat*/logs/access_log*'
    - '/opt/tomcat*/logs/**/catalina.out'
    - '/opt/tomcat*/logs/catalina.out'
    - '/usr/local/tomcat*/logs/**/access_log*'
    - '/usr/local/tomcat*/logs/access_log*'
    - '/usr/local/tomcat*/logs/**/catalina.out'
    - '/usr/local/tomcat*/logs/catalina.out'
    - '/usr/share/tomcat*/logs/**/access_log*'
    - '/usr/share/tomcat*/logs/access_log*'
    - '/usr/share/tomcat*/logs/**/catalina.out'
    - '/usr/share/tomcat*/logs/catalina.out'
    - '/var/lib/tomcat*/logs/**/access_log*'
    - '/var/lib/tomcat*/logs/access_log*'
    - '/var/lib/tomcat*/logs/**/catalina.out'
    - '/var/lib/tomcat*/logs/catalina.out'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '/Library/Tomcat/logs/**/access_log*'
    - '/Library/Tomcat/logs/access_log*'
    - '/Library/Tomcat/logs/**/catalina.out'
    - '/Library/Tomcat/logs/catalina.out'
    - '/usr/local/apache-tomcat*/logs/**/access_log*'
    - '/usr/local/apache-tomcat*/logs/access_log*'
    - '/usr/local/apache-tomcat*/logs/**/catalina.out'
    - '/usr/local/apache-tomcat*/logs/catalina.out'
    # NOTE(review): the Homebrew glob used here ('Cellar/tomcat*/logs') has a
    # different shape from the one TomcatPasswordFile uses
    # ('Cellar/tomcat/*/conf'); confirm which form matches the Cellar layout.
    - '/usr/local/Cellar/tomcat*/logs/**/access_log*'  # Default location for Homebrew
    - '/usr/local/Cellar/tomcat*/logs/access_log*'  # Default location for Homebrew
    - '/usr/local/Cellar/tomcat*/logs/**/catalina.out'  # Default location for Homebrew
    - '/usr/local/Cellar/tomcat*/logs/catalina.out'  # Default location for Homebrew
  supported_os: [Darwin]
supported_os: [Windows,Linux,Darwin]
urls:
- 'https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Logging'
- 'https://tomcat.apache.org/tomcat-8.0-doc/logging.html'
---
name: TomcatPasswordFile
doc: Tomcat password file.
# tomcat-users.xml holds the user names, passwords and role assignments for
# the Tomcat manager/host-manager applications; collected copies are secret
# material and should be stored and shared with the same care as any
# credential store.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
    separator: '\'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    - '/opt/tomcat*/conf/tomcat-users.xml'
    - '/private/var/lib/tomcat*/conf/tomcat-users.xml'
    - '/usr/local/tomcat*/conf/tomcat-users.xml'
    - '/usr/share/tomcat*/conf/tomcat-users.xml'
    - '/var/lib/tomcat*/conf/tomcat-users.xml'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '/Library/Tomcat/conf/tomcat-users.xml'
    - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
    - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml'  # Default location for Homebrew
  supported_os: [Darwin]
supported_os: [Windows,Linux,Darwin]
urls: ['https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access']
# ---- artifacts-20211012/data/unix_common.yaml ----
# Artifacts common to Unix based OSs
name: AllShellConfigs
doc: Common shell configuration files containing global, users & root settings.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'GlobalShellConfigs'
    - 'RootUserShellConfigs'
    - 'UsersShellConfigs'
labels: [Configuration Files]
supported_os: [Linux, Darwin]
---
name: AllUsersShellHistory
doc: Common shell history files for root and users.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'RootUserShellHistory'
    - 'UsersShellHistory'
labels: [History Files]
supported_os: [Linux, Darwin]
---
name: GlobalShellConfigs
doc: Unix global shell configuration files.
# Shell startup files are a well-known persistence location; compare the
# collected copies against a known-good baseline rather than reading them in
# isolation.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/bash.bashrc'
    - '/etc/bashrc'
    - '/etc/csh.cshrc'
    - '/etc/csh.login'
    - '/etc/csh.logout'
    - '/etc/kshrc'
    - '/etc/profile'
    - '/etc/zshenv'
    - '/etc/zshrc'
    - '/etc/zsh/zlogin'
    - '/etc/zsh/zlogout'
    - '/etc/zsh/zprofile'
    - '/etc/zsh/zshenv'
    - '/etc/zsh/zshrc'
    - '/private/etc/bash.bashrc'
    - '/private/etc/bashrc'
    - '/private/etc/csh.cshrc'
    - '/private/etc/csh.login'
    - '/private/etc/csh.logout'
    - '/private/etc/kshrc'
    - '/private/etc/profile'
    - '/private/etc/zshenv'
    - '/private/etc/zshrc'
    - '/private/etc/zsh/zlogin'
    - '/private/etc/zsh/zlogout'
    - '/private/etc/zsh/zprofile'
    - '/private/etc/zsh/zshenv'
    - '/private/etc/zsh/zshrc'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '/etc/bash.bashrc'
    - '/etc/bashrc'
    - '/etc/csh.cshrc'
    - '/etc/csh.login'
    - '/etc/csh.logout'
    - '/etc/kshrc'
    - '/etc/profile'
    - '/etc/zshenv'
    - '/etc/zshrc'
    - '/etc/zsh/zlogin'
    - '/etc/zsh/zlogout'
    - '/etc/zsh/zprofile'
    - '/etc/zsh/zshenv'
    - '/etc/zsh/zshrc'
  supported_os: [Linux]
labels: [Configuration Files]
supported_os: [Linux, Darwin]
---
name: RootUserShellConfigs
doc: Common unix root shell configuration files.
sources:
- type: FILE
  attributes:
    # NOTE(review): /root/.zshrc and /root/.zshenv are not in this list;
    # confirm whether the omission is intended.
    paths:
    - '/root/.bash_logout'
    - '/root/.bash_profile'
    - '/root/.bashrc'
    - '/root/.cshrc'
    - '/root/.ksh'
    - '/root/.logout'
    - '/root/.profile'
    - '/root/.tcsh'
    - '/root/.zlogin'
    - '/root/.zlogout'
    - '/root/.zprofile'
labels: [Configuration Files]
supported_os: [Linux, Darwin]
---
name: RootUserShellHistory
doc: Common unix root shell history files.
sources:
- type: FILE
  attributes:
    paths:
    - '/root/.bash_history'
    - '/root/.sh_history'
    - '/root/.zhistory'
    - '/root/.zsh_history'
labels: [History Files]
supported_os: [Linux, Darwin]
---
name: UnixGroups
doc: Unix groups file.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/group'
    - '/private/etc/group'
  supported_os: [Darwin]
- type: FILE
  attributes: {paths: ['/etc/group']}
  supported_os: [Linux]
labels: [Authentication]
supported_os: [Linux, Darwin]
---
name: UnixHostsFile
doc: Unix hosts file
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/hosts'
    - '/private/etc/hosts'
  supported_os: [Darwin]
- type: FILE
  attributes: {paths: ['/etc/hosts']}
  supported_os: [Linux]
labels: [Configuration Files]
supported_os: [Linux, Darwin]
---
name: UnixPasswd
doc: Unix /etc/passwd file.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/passwd'
    - '/private/etc/passwd'
  supported_os: [Darwin]
- type: FILE
  attributes: {paths: ['/etc/passwd']}
  supported_os: [Linux]
labels: [Authentication]
supported_os: [Linux, Darwin]
---
name: UnixShadowFile
doc: Unix /etc/shadow file.
# The shadow file holds password hashes. Collected copies are secret
# material: restrict who can read the collection output and avoid leaving it
# in shared or long-lived storage.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/shadow'
    - '/private/etc/shadow'
  supported_os: [Darwin]
- type: FILE
  attributes: {paths: ['/etc/shadow']}
  supported_os: [Linux]
labels: [Authentication]
supported_os: [Linux, Darwin]
---
name: UnixSudoersConfiguration
doc: Unix sudoers configuration.
# NOTE(review): only the main sudoers file is collected; drop-in files under
# /etc/sudoers.d are not covered by this artifact, so a review of sudo
# policy based on this collection alone may be incomplete.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/sudoers'
    - '/private/etc/sudoers'
  supported_os: [Darwin]
- type: FILE
  attributes: {paths: ['/etc/sudoers']}
  supported_os: [Linux]
labels: [Authentication, Configuration Files]
supported_os: [Linux, Darwin]
---
name: UnixUsersGroups
doc: Unix users and groups files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'UnixGroups'
    - 'UnixPasswd'
    - 'UnixShadowFile'
labels: [Authentication]
supported_os: [Linux, Darwin]
---
name: UsersShellConfigs
doc: Common Unix user shell configuration files.
sources:
- type: FILE
  attributes:
    # NOTE(review): ~/.zshrc and ~/.zshenv are not in this list; confirm
    # whether the omission is intended.
    paths:
    - '%%users.homedir%%/.bash_logout'
    - '%%users.homedir%%/.bash_profile'
    - '%%users.homedir%%/.bashrc'
    - '%%users.homedir%%/.cshrc'
    - '%%users.homedir%%/.ksh'
    - '%%users.homedir%%/.logout'
    - '%%users.homedir%%/.profile'
    - '%%users.homedir%%/.tcsh'
    - '%%users.homedir%%/.zlogin'
    - '%%users.homedir%%/.zlogout'
    - '%%users.homedir%%/.zprofile'
  supported_os: [Linux, Darwin]
- type: FILE
  attributes:
    # Windows side: the same dotfiles inside the root filesystem of installed
    # WSL distributions (presumably the Store-packaged layout; verify against
    # the WSL version in use).
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_logout'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_profile'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bashrc'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.cshrc'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.ksh'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.logout'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.profile'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.tcsh'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zlogin'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zlogout'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zprofile'
    separator: '\'
  supported_os: [Windows]
labels: [Configuration Files]
supported_os: [Linux, Darwin, Windows]
---
name: UsersShellHistory
doc: Common Unix user shell history files.
# Shell history frequently contains secrets typed on the command line
# (tokens, passwords passed as arguments); restrict access to the collected
# copies accordingly.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.bash_history'
    - '%%users.homedir%%/.sh_history'
    - '%%users.homedir%%/.zhistory'
    - '%%users.homedir%%/.zsh_history'
  supported_os: [Linux, Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_history'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.sh_history'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zhistory'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zsh_history'
    separator: '\'
  supported_os: [Windows]
labels: [History Files]
supported_os: [Linux, Darwin, Windows]
# ---- artifacts-20211012/data/webbrowser.yaml ----
# Web browser artifacts.
name: BrowserCache
doc: Web browser cache of multiple web browsers.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'ChromeCache'
    - 'FirefoxCache'
    - 'InternetExplorerCache'
    - 'SafariCache'
labels: [Browser]
supported_os: [Darwin,Linux,Windows]
---
name: BrowserHistory
doc: Web browser history of multiple web browsers.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'ChromeHistory'
    - 'FirefoxHistory'
    - 'InternetExplorerHistory'
    - 'OperaHistory'
    - 'SafariDownloads'
    - 'SafariHistory'
labels: [Browser]
supported_os: [Darwin,Linux,Windows]
---
name: ChromeStorage
doc: |
  Google Chrome, Canary and Chromium browser artifacts for Storage APIs.
  Includes Web Storage (sessionStorage for session-only data and localStorage
  for persistent data), IndexedDB (used for structured data), and FileSystem
  (object storage in a virtual file system).
sources: - type: ARTIFACT_GROUP attributes: names: - 'ChromeLocalStorage' - 'ChromeSessionStorage' - 'ChromeFileSystem' - 'ChromeIndexedDB' labels: [Browser] supported_os: [Darwin,Linux,Windows] urls: - 'https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API' - 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API' - 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem' --- name: ChromeCache doc: | Google Chrome, Canary and Chromium browser caches. Canary uses "Chrome SxS" on windows. * Disk cache (or Cache) * Media cache * Application cache * GPU shader cache * PNaCl translation cache sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\GPUCache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\GPUCache\*' - '%%users.localappdata%%\Chromium\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Media Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\GPUCache\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*' - 
'%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*' - '%%users.homedir%%/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.cache/google-chrome/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' - '%%users.homedir%%/.cache/chromium/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chromium/*/Application Cache/*' - '%%users.homedir%%/.config/chromium/*/Cache/*' - '%%users.homedir%%/.config/chromium/*/Media Cache/*' - '%%users.homedir%%/.config/chromium/*/GPUCache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/*' - 
'%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Media Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Application Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Media Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/GPUCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/GPUCache/*' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html'] --- name: ChromeCookies doc: Chrome Cookies database. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Cookies' - '%%users.localappdata%%\Chromium\User Data\*\Cookies-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies-journal' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Cookies' - '%%users.homedir%%/.config/google-chrome/*/Cookies-journal' - '%%users.homedir%%/.config/chromium/*/Cookies' - '%%users.homedir%%/.config/chromium/*/Cookies-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/Cookies' - '%%users.homedir%%/.config/google-chrome-beta/*/Cookies-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies-journal' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies' - '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies-journal' supported_os: [Darwin] supported_os: [Windows,Darwin,Linux] labels: [Browser] --- name: ChromeExtensionActivity doc: Chrome Extension Activity database. 
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity'
    - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity'
    - '%%users.localappdata%%\Chromium\User Data\*\Extension Activity'
    separator: '\'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity'
    - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity'
    - '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity'
  supported_os: [Darwin]
- type: FILE
  attributes:
    # NOTE(review): unlike the sibling Chrome artifacts in this file, the
    # Linux list here does not include the google-chrome-beta or
    # chrome-remote-desktop profile directories; confirm whether that is
    # intended.
    paths:
    - '%%users.homedir%%/.config/google-chrome/*/Extension Activity'
    - '%%users.homedir%%/.config/chromium/*/Extension Activity'
  supported_os: [Linux]
supported_os: [Windows,Darwin,Linux]
labels: [Browser]
urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extension_Activity_database']
---
name: ChromeExtensions
doc: Chrome browser extension files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Google\Chrome\User Data\*\Extensions\**10'
    - '%%users.localappdata%%\Chromium\User Data\*\Extensions\**10'
    - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extensions\**10'
    separator: '\'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10'
    - '%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10'
    - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.config/google-chrome/*/Extensions/**10'
    - '%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10'
    - '%%users.homedir%%/.config/chromium/*/Extensions/**10'
    - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10'
    - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10'
  supported_os: [Linux]
supported_os: [Windows, Darwin, Linux]
labels: [Browser]
urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Extensions']
---
name: ChromeExtensionRegistryKeys
doc: Chrome extensions installed by writing windows registry keys.
# Extensions registered under these keys are installed for the browser
# without going through the in-browser store flow, so extension IDs here
# that the organisation does not recognise are a useful triage signal.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5'
labels: [Browser]
supported_os: [Windows]
urls: ['https://developer.chrome.com/extensions/external_extensions#registry']
---
name: ChromeFileSystem
doc: |
  Google Chrome, Canary and Chromium File System files.
  The File System directory backs Chrome's fileSystem API. Inside this
  directory are a mixture of the data files saved using the fileSystem API
  and LevelDB directories that track the logical structure of the virtual
  file system.
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\File System\**5' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\File System\**5' - '%%users.localappdata%%\Google\Chrome\User Data\*\File System\**5' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/File System/**5' - '%%users.homedir%%/.config/chromium/*/File System/**5' - '%%users.homedir%%/.config/google-chrome-beta/*/File System/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/File System/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/File System/**5' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/File System/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/File System/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/File System/**5' supported_os: [Darwin] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: - 'https://developer.chrome.com/apps/fileSystem' - 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem' - 'https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/' --- name: ChromeHistory doc: Chrome browser history. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Archived History' - '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal' - '%%users.localappdata%%\Chromium\User Data\*\History' - '%%users.localappdata%%\Chromium\User Data\*\History-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History' - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\History' - '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History' - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Chromium/*/History' - '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal' supported_os: [Darwin] - type: FILE attributes: paths: - 
'%%users.homedir%%/.config/chromium/*/Archived History' - '%%users.homedir%%/.config/chromium/*/Archived History-journal' - '%%users.homedir%%/.config/chromium/*/History' - '%%users.homedir%%/.config/chromium/*/History-journal' - '%%users.homedir%%/.config/google-chrome/*/Archived History' - '%%users.homedir%%/.config/google-chrome/*/Archived History-journal' - '%%users.homedir%%/.config/google-chrome/*/History' - '%%users.homedir%%/.config/google-chrome/*/History-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History' - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/History' - '%%users.homedir%%/.config/google-chrome-beta/*/History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome'] --- name: ChromeIndexedDB doc: | Google Chrome, Canary and Chromium IndexedDB files. The IndexedDB directory contains one directory per origin that uses IndexedDB, named like https_www.example.com_0.indexeddb.leveldb, chrome-extension_app-id-xxx_0.indexeddb.leveldb, or https_www.example.com_0.indexeddb.blob. 
Inside each of the *.leveldb directories are the files that comprise a LevelDB database, which in turn holds IndexedDB data for that origin. There may be an accompanying .blob directory, which contains a nested folder structure of blobs. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\IndexedDB\**5' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\IndexedDB\**5' - '%%users.localappdata%%\Google\Chrome\User Data\*\IndexedDB\**5' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/IndexedDB/**5' - '%%users.homedir%%/.config/chromium/*/IndexedDB/**5' - '%%users.homedir%%/.config/google-chrome-beta/*/IndexedDB/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/IndexedDB/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/IndexedDB/**5' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/IndexedDB/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/IndexedDB/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/IndexedDB/**5' supported_os: [Darwin] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: - 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API' --- name: ChromeLocalStorage doc: | Google Chrome, Canary and Chromium Local Storage files. * Chrome v60 and below used individual .sqlite files per origin for Local Storage, stored in the Local Storage directory root. * In Chrome v61, a leveldb directory was added inside the root Local Storage directory, and new origins saved Local Storage data in a single LevelDB there. * Existing .sqlite files are kept (not moved to leveldb), so it is possible for a single Chrome profile to use both SQLite and LevelDB for Local Storage.
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Local Storage\**' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Local Storage\**' - '%%users.localappdata%%\Google\Chrome\User Data\*\Local Storage\**' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Local Storage/**' - '%%users.homedir%%/.config/chromium/*/Local Storage/**' - '%%users.homedir%%/.config/google-chrome-beta/*/Local Storage/**' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Local Storage/**' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Local Storage/**' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Local Storage/**' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Local Storage/**' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/**' supported_os: [Darwin] supported_os: [Windows,Darwin,Linux] labels: [Browser] --- name: ChromePreferences doc: Chrome Preferences file. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences' - '%%users.localappdata%%\Chromium\User Data\*\Preferences' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences' - '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Preferences' - '%%users.homedir%%/.config/chromium/*/Preferences' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Preferences' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome#Configuration'] --- name: ChromeSessionStorage doc: | Google Chrome, Canary and Chromium Session Storage files. The Session Storage directory contains the files that comprise a LevelDB database, which in turn holds the Session Storage data. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Session Storage\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Session Storage\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Session Storage\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Session Storage/*' - '%%users.homedir%%/.config/chromium/*/Session Storage/*' - '%%users.homedir%%/.config/google-chrome-beta/*/Session Storage/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Session Storage/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Session Storage/*' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Session Storage/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Session Storage/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Session Storage/*' supported_os: [Darwin] supported_os: [Windows,Darwin,Linux] labels: [Browser] --- name: FirefoxCache doc: Mozilla Firefox browser caches. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\Cache\*' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\*' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\doomed\*' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\entries\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.mozilla/firefox/*.default/Cache/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/Cache/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/doomed/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/entries/*' supported_os: [Linux] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/FirefoxCache.html'] --- name: FirefoxHistory doc: Firefox browser history (places.sqlite). 
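sources:
  - type: FILE
    attributes:
      paths:
        - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
        - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
        - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
        # Roaming-profile WAL file. The previous entry here repeated the
        # localappdata WAL path, so the appdata WAL was never collected.
        - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
      separator: '\'
    supported_os: [Windows]
  - type: FILE
    attributes:
      paths:
        - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite'
        - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal'
    supported_os: [Darwin]
  - type: FILE
    attributes:
      paths:
        - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite'
        - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal'
    supported_os: [Linux]
supported_os: [Windows, Darwin, Linux]
labels: [Browser]
urls: ['https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox']
---
name: InternetExplorerBrowserHelperObjects
doc: Browser Helper Objects (BHOs) loaded on Internet Explorer startup.
sources:
  - type: REGISTRY_KEY
    attributes:
      keys:
        # Auto-start extensibility point (see the RegRipper ASEPs reference
        # below); both the native and the Wow6432Node view are collected.
        - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
        - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*'
supported_os: [Windows]
urls:
  - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
  - 'http://regenerus.com/malware-common-loadpoints/'
  - 'https://code.google.com/p/regripper/wiki/ASEPs'
---
name: InternetExplorerCache
doc: |
  Microsoft Internet Explorer (MSIE) browser cache.
  * MSIE 4 - 9 Temporary Internet files.
  * MSIE 10 INetCache files.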
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*' - '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\*\*' - '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\*\*' separator: '\' labels: [Browser] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer'] --- name: InternetExplorerCookies doc: | Microsoft Internet Explorer (MSIE) browser cookies. * MSIE 4 - 9 Cache files (index.dat) sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat' - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat' separator: '\' labels: [Browser] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer'] --- name: InternetExplorerHistory doc: | Microsoft Internet Explorer (MSIE) browser history. * MSIE 4 - 9 Cache files (index.dat); * MSIE 10 WebCacheV*.dat files. 
sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat' - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat' - '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat' separator: '\' labels: [Browser] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer'] --- name: InternetExplorerProtectedModeElevationPolicies doc: | Trust levels of apps launched from low rights IE sessions. The ElevationPolicy dictates how IE handles applications that want to execute in other applications that reside outside of the Low Rights IE session. * AppName is the executable * AppPath is the directory * CLSID is used if it launches a COM server through CoCreateInstance * Policy (DWORD) is the trust level, of 0 through 3. * 3 Protected Mode silently launches the broker as a medium integrity process. * 2 Protected Mode prompts the user for permission to launch the process. If permission is granted, the process is launched as a medium integrity process. * 1 Protected Mode silently launches the broker as a low integrity process. * 0 Protected Mode prevents the process from launching. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} labels: [Browser] supported_os: [Windows] urls: - 'http://blogs.technet.com/b/juanand/archive/2010/10/29/internet-explorer-protected-mode-elevation-policy-and-administrative-templates.aspx' - 'https://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx' --- name: InternetExplorerProtectedModeDisable doc: | Microsoft Internet Explorer (MSIE) Protected Mode Banner can be suppressed by setting NoProtectedModeBanner. * Applies to versions 7-11 sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner']} labels: [Browser] supported_os: [Windows] urls: ['http://www.blackforce.co.uk/2014/01/07/disable-protected-mode-is-turned-off-for-the-internet-zone-group-policy'] --- name: InternetExplorer6Settings doc: Registry keys affecting default behavior for Microsoft Internet Explorer 6. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} - {key: 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} labels: [Browser] supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/895339' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: InternetExplorerTypedURLsKeys doc: Microsoft Internet Explorer TypedUrls keys. sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*']} labels: [Browser] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Internet_Explorer#Typed_URLs'] --- name: OperaHistory doc: Opera browser history (global_history.dat). sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Opera/global_history.dat']} supported_os: [Darwin] - type: FILE attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']} supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Opera\Opera\global_history.dat' - '%%users.appdata%%\Opera Software\Opera Stable\History' separator: '\' supported_os: [Windows] supported_os: [Windows,Darwin,Linux] labels: [Browser] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Opera'] --- name: SafariCache doc: Safari browser cache (cache.db). sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Apple Computer\Safari\cache.db'] separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db' - '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db-wal' supported_os: [Darwin] supported_os: [Windows, Darwin] labels: [Browser] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari'] --- name: SafariDownloads doc: Safari downloads history (Downloads.plist). 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Safari/Downloads.plist']} supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist' - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist' separator: '\' supported_os: [Windows] labels: [Users, Browser] supported_os: [Darwin, Windows] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X' - 'https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_10.9_-_Artifacts_Location#Safari' - 'https://www.forensicswiki.org/wiki/Apple_Safari' --- name: SafariHistory doc: Safari browser history (History.plist). sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Apple Computer\Safari\History.plist' - '%%users.appdata%%\Apple Computer\Safari\History.plist' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/History.plist' - '%%users.homedir%%/Library/Safari/History.db' - '%%users.homedir%%/Library/Safari/History.db-wal' supported_os: [Darwin] supported_os: [Windows, Darwin] labels: [Browser] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari'] --- name: SafariExtensions doc: Safari browser Extensions. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Safari/Extensions/**']} supported_os: [Darwin] supported_os: [Darwin] labels: [Browser] urls: ['http://www.forensicswiki.org/wiki/Apple_Safari'] artifacts-20211012/data/webservers.yaml000066400000000000000000000015261413144520200177100ustar00rootroot00000000000000# Webserver related artifacts. 
name: NginxAccessLogs doc: Location where nginx access logs are stored sources: - type: FILE attributes: paths: - '/var/log/nginx/access.log*' labels: [Software, Logs] supported_os: [Linux] --- name: ApacheAccessLogs doc: Location where Apache access logs are stored sources: - type: FILE attributes: paths: - '/var/log/apache/access.log*' - '/var/log/apache2/access.log*' - '/var/log/httpd/access.log' labels: [Software, Logs] supported_os: [Linux] --- name: WordpressConfigFile doc: WordPress configuration file sources: - type: FILE attributes: paths: - '/private/var/www/**/wp-config.php' - '/private/var/www/wp-config.php' - '/var/www/**/wp-config.php' - '/var/www/wp-config.php' - '/wp/wp-config.php' labels: [Configuration Files] supported_os: [Linux, Darwin] artifacts-20211012/data/windows.yaml000066400000000000000000004707121413144520200172220ustar00rootroot00000000000000# Windows specific artifacts. name: WindowsActiveDesktop doc: Windows Active Desktop settings and components. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' conditions: [os_major_version < 6] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html'] --- name: WindowsActivitiesCacheDatabase doc: SQLite database containing the Windows activities cache. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db'] separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActivitiesCacheDatabase.html'] --- name: WindowsAlternateShell doc: Alternate Shell to be run via Userinit. 
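sources:
  - type: REGISTRY_VALUE
    attributes:
      key_value_pairs:
        - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'}
        - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'}
supported_os: [Windows]
urls:
  - 'https://www.microsoftpressstore.com/articles/article.aspx'
  - 'https://technet.microsoft.com/en-us/library/cc976124.aspx'
  - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
---
name: WindowsAMCacheHveFile
doc: The AMCache file, stored in the Windows NT Registry file format.
sources:
  - type: FILE
    attributes:
      paths:
        - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve'
        # Registry transaction logs; they can hold changes not yet written
        # to the hive itself, so collect them alongside it.
        - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1'
        - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2'
      separator: '\'
# NOTE(review): `os_minor_version >= 1` is false on a 10.0 system, so this
# condition appears to exclude Windows 10 — confirm whether that is intended.
conditions: [os_major_version >= 6 AND os_minor_version >= 1]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html']
---
name: WindowsAppCertDLLs
doc: Windows AppCertDLLs persistence.
sources:
  - type: REGISTRY_KEY
    attributes:
      keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs']
supported_os: [Windows]
urls: ['http://blogs.technet.com/b/mmpc/archive/2011/03/19/how-to-defang-the-fake-defragmenter.aspx']
---
name: WindowsAppCompatCache
doc: Windows Application Compatibility Cache
sources:
  - type: REGISTRY_VALUE
    attributes:
      key_value_pairs:
        # Two key spellings exist across Windows versions; see the winreg-kb
        # reference below for which versions use which.
        - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'}
        - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'}
supported_os: [Windows]
urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Application%20Compatibility%20Cache%20key.asciidoc']
---
name: WindowsAppInitDLLs
doc: |
  Windows Application Initial (AppInit) DLLs persistence.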
AppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx' - 'https://support.microsoft.com/en-us/kb/197571' --- name: WindowsApplicationRegistration doc: Windows Application Registration (AppPath) Registry keys. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\*' supported_os: [Windows] urls: - 'https://github.com/keydet89/RegRipper2.8/blob/master/plugins/apppaths.pl' - 'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx' --- name: WindowsApplicationCompatibilityInstalledShimDatabases doc: | Windows Application Compatibility Installed Shim Databases. drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are shim database files (SDB files) that are provided by Windows, and contain many predefined shims that address known application compatibility issues. Note that these database files are not signed. Windows also supports custom shim databases. These are typically installed by the sdbinst.exe utility. Note that shim database files can also exist elsewhere in the file system.
Windows application shims provide a way for the operating system to apply patches to executables before they are run, ultimately providing a lightweight mechanism for applying hot fixes and making modifications to ensure compatibility across the various versions of Windows. This functionality can also be leveraged maliciously to change how certain programs operate, or to provide capabilities to malware, such as the ability to bypass UAC, gain persistence by injecting loading into legitimate processes, or avoid detection by disabling anti-virus software. sources: - type: FILE attributes: paths: - '%%environ_windir%%\AppPatch\drvmain.sdb' - '%%environ_windir%%\AppPatch\frxmain.sdb' - '%%environ_windir%%\AppPatch\msimain.sdb' - '%%environ_windir%%\AppPatch\pcamain.sdb' - '%%environ_windir%%\AppPatch\sysmain.sdb' - '%%environ_windir%%\AppPatch\AppPatch64\Custom\*' - '%%environ_windir%%\AppPatch\Custom\*' - '%%environ_windir%%\AppPatch\Custom\Custom64\*' - '%%environ_windir%%\AppPatch\CustomSDB\*' separator: '\' labels: [Users] supported_os: [Windows] urls: - 'https://attack.mitre.org/techniques/T1138/' - 'https://countercept.com/blog/hunting-for-application-shim-databases/' - 'http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf' - 'https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf' --- name: WindowsApplicationCompatibilityShimDatabaseMappings doc: | Windows Application Compatibility Shim Database Mappings. Mappings between the Windows Application Compatibility shim database files and the programs that they apply to. Windows allows for custom application shims to be installed via the sdbinst.exe application. 
For example a mapping for 'notepad.exe': Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ AppCompatFlags\Custom\notepad.exe Value: {00000000-1111-2222-3333-444444444444}.sdb = 0 Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444} Value: DatabasePath = "C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb" Windows application shims provide a way for the operating system to apply patches to executables before they are run, ultimately providing a lightweight mechanism for applying hot fixes and making modifications to ensure compatibility across the various versions of Windows. This functionality can also be leveraged maliciously to change how certain programs operate, or to provide capabilities to malware, such as the ability to bypass UAC, gain persistence by injecting loading into legitimate processes, or avoid detection by disabling anti-virus software. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*', value: '*'} supported_os: [Windows] urls: - 'https://attack.mitre.org/techniques/T1138/' - 'https://countercept.com/blog/hunting-for-application-shim-databases/' --- name: WindowsApplicationCompatibilityShims doc: Windows Application Compatibility Shim Database Files and Application Mappings sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsApplicationCompatibilityInstalledShimDatabases' - 'WindowsApplicationCompatibilityShimDatabaseMappings' labels: [System] supported_os: [Windows] --- name: WinAppXRT doc: WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set. 
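sources:
  - type: FILE
    attributes:
      paths:
        # Locations from which the referenced "Beyond good ol' Run key"
        # write-up describes WinAppXRT.dll being picked up.
        - '%%environ_systemroot%%\system32\WinAppXRT.dll'
        - '%%environ_systemroot%%\WinAppXRT.dll'
        - '%%environ_systemroot%%\System32\Wbem\WinAppXRT.dll'
        - '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll'
      separator: '\'
supported_os: [Windows]
# NOTE(review): `os_minor_version >= 2` is false on a 10.0 system, so this
# condition appears to exclude Windows 10 — confirm whether that is intended.
conditions: [os_major_version >= 6 AND os_minor_version >= 2]
urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']
---
name: WindowsAutoexecBat
doc: Windows autoexec.bat file
sources:
  - type: FILE
    attributes:
      paths:
        - '%%environ_systemdrive%%\autoexec.bat'
        - '%%environ_windir%%\autoexec.nt'
      separator: '\'
supported_os: [Windows]
---
name: WindowsAutomaticDebugging
doc: Windows automatic debugging (Aedebug)
sources:
  - type: REGISTRY_VALUE
    attributes:
      key_value_pairs:
        - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'}
        # 32-bit view on 64-bit systems, added for consistency with the other
        # artifacts in this file that collect the Wow6432Node variant.
        - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'}
supported_os: [Windows]
urls:
  - 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx'
  - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
---
name: WindowsAutomaticDebuggingExclusionList
doc: Windows automatic debugging (Aedebug) exclusion list
sources:
  - type: REGISTRY_KEY
    attributes:
      keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AutoExclusionList\*']
supported_os: [Windows]
urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx']
---
name: WindowsAutorun
# The previous doc string ("Filebased Tests.") did not describe the artifact.
doc: Windows autorun.inf file in the root of the system drive.
sources:
  - type: FILE
    attributes:
      paths: ['%%environ_systemdrive%%\autorun.inf']
      separator: '\'
supported_os: [Windows]
---
name: WindowsAvailableTimeZones
doc: Timezones available on a Windows system.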
sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc'] --- name: WindowsBITSQueueManagerDatabases doc: Databases that contain the Windows BITS jobs definition and state. sources: - type: FILE attributes: paths: - '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat' - '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr.db' separator: '\' supported_os: [Windows] urls: ['http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf'] --- name: WindowsBootVerificationProgram doc: Path to custom startup verification program. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'}] supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsCIMRepositoryFiles doc: | Windows Common Information Model (CIM) repository. Persistent database that holds the schema, also called the object repository or class store, that models the managed environment and defines every piece of data exposed by WMI. This definition does not specify the copies of the CIM repository that are stored in system restore points. 
sources: - type: FILE attributes: paths: # Windows 95 OSR 2.5, 98, Millennium Edition (Me) - '%%environ_windir%%\System\Wbem\Repository\cim.rep' # Windows NT4 and 2000 - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC' - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP' # Windows Vista and later - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR' - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP' - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER' - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP' - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA' - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP' # Windows XP and Windows 2003 - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR' - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP' - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER' - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP' - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA' - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP' separator: '\' supported_os: [Windows] urls: - 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf' - 'https://github.com/libyal/dtformats/blob/main/documentation/WMI%20repository%20file%20format.asciidoc' --- name: WindowsCodePage doc: The system code page. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'} provides: [code_page] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Codepage.html'] --- name: WindowsComputerName doc: The name of the system. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'} supported_os: [Windows] --- name: WindowsCommandProcessorAutoRun doc: Commands that are run each time the Command Processor (Cmd.exe) is started. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://blogs.msdn.com/b/oldnewthing/archive/2007/11/21/6447771.aspx' - 'https://technet.microsoft.com/en-us/library/cc756720(v=ws.10).aspx' --- name: WindowsCOMInprocHandlers doc: Windows COM in-process handlers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} supported_os: [Windows] urls: - 
'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms691354(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms693485(v=vs.85).aspx' --- name: WindowsCOMInprocServers doc: Windows COM in-process servers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682390(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694328(v=vs.85).aspx' --- name: WindowsCOMLocalServers doc: Windows COM local servers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} - {key: 
'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx' --- name: WindowsCOMProperties doc: | Various properties of Windows COM Objects. These artifacts are meant to highlight properties of COM objects that, although legitimate, are known to be associated with persistence techniques or other capabilities that malware can leverage. ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value 0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique to cause iexplore or explorer to load a malicious DLL by registering a COM object and invoking it through the use of Junction Folders. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'} supported_os: [Windows] urls: - 'https://ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse' - 'https://labs.nettitude.com/blog/com-and-the-powerthief/' --- name: WindowsCOMRegisteredTypeLibraries doc: Windows COM registered type libraries sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\*\*\*\*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''} supported_os: [Windows] urls: 
['https://github.com/libyal/winreg-kb/blob/main/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key'] --- name: WindowsSearchFilterHandlers doc: | Windows Search filter handlers configured for file types and applications. Windows Search loads DLLs that implement the IFilter interface in order to scan files for text and extract certain types of information. Malware can replace the filter handler for a given file type or CLSID with itself to gain execution when a search operation is performed on that file. Search operations can be performed indirectly in a number of cases; for instance, the .txt, .html, and .rtf filter handlers are invoked when indexing email message bodies. The filter handler to use is specified indirectly via a persistent handler. The persistent handler GUID is indicated via the PersistentHandler subkey for a file type or application GUID. The filter handler CLSID is indicated via the PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey under the persistent handler GUID key path. This artifact inspects both of these paths. NOTE: Only the HKEY_LOCAL_MACHINE root key needs to be checked, because these are the only keys used. SearchFilterHost.exe runs under the SYSTEM account, which does not have access to HKEY_CURRENT_USER.
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''} supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-about' - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-implementations' - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-registering-filters' --- name: WindowsConfigSys doc: Windows config.sys file sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\config.sys' - '%%environ_windir%%\config.nt' separator: '\' supported_os: [Windows] --- name: WindowsControlPanelFilePaths doc: DLLs listed here will be run when the user opens the Windows Control Panel. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms683844(v=vs.85).aspx' --- name: WindowsCredentialProviderFilters doc: Windows Credential Provider Filters sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*' supported_os: [Windows] urls: ['http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/'] --- name: WindowsCredentialProviders doc: CLSIDs of applications to use as Credential Providers sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://blogs.technet.com/b/ad/archive/2009/05/26/thoughts-on-single-sign-on-and-credential-providers.aspx' - 'http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/' - 'https://www.sophos.com/en-us/support/knowledgebase/114190.aspx' --- name: 
WindowsCommonFilePlacementAttacks doc: Common files associated with search order hijacking and other file placement attacks. sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Internet Explorer\sxs.dll' - '%%environ_programfilesx86%%\Internet Explorer\sxs.dll' - '%%environ_systemdrive%%\explorer.exe' - '%%environ_systemdrive%%\program.exe' - '%%environ_systemroot%%\linkinfo.dll' - '%%environ_systemroot%%\ntshrui.dll' - '%%environ_systemroot%%\System32\oci.dll' - '%%environ_systemroot%%\System32\sysprep\cryptbase.dll' - '%%environ_systemroot%%\SysWOW64\oci.dll' - '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll' separator: '\' supported_os: [Windows] urls: - 'http://web.cs.ucdavis.edu/~su/publications/issta10-loading.pdf' - 'https://www.mandiant.com/blog/fxsst/' --- name: WindowsCurrentVersion doc: The Windows current version sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- name: WindowsDebugger doc: Windows Debugger persistence or AV disable.
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/a329t4ed%28VS.71%29.aspx'] --- name: WindowsDomainCachedCredentials doc: Windows domain cached credentials sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Security\Cache', value: 'NL$*'}] supported_os: [Windows] urls: ['http://juggernaut.wikidot.com/cached-credentials'] --- name: WindowsDomainName doc: The domain the system is connected to. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'} provides: [domain] supported_os: [Windows] --- name: WindowsEnvironmentUserLoginScripts doc: User login scripts configured via Windows environment variables. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'} - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'} - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitMprLogonScript'} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/' - 'https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon' --- name: WindowsEnvironmentVariableAllUsersProfile doc: The system-wide %AllUsersProfile% environment variable contains the path of the "All Users" or "Common" profile directory. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'} provides: [environ_allusersprofile] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableAppxProcess doc: | The user-specific %APPX_PROCESS% environment variable is used for .NET applications. If set, a .NET application will attempt to load WinAppXRT.dll from %PATH%, which can be used as a persistence mechanism by malware. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'} supported_os: [Windows] conditions: [os_major_version >= 6 AND os_minor_version >= 2] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableCommonProgramFiles doc: The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder.
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'} provides: [environ_commonprogramfiles] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableCommonProgramFilesX86 doc: The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'} provides: [environ_commonprogramfilesx86] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableComSpec doc: The %ComSpec% environment variable contains the path of the command processor, typically "cmd.exe". sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'} provides: [environ_comspec] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableDriverData doc: The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'} provides: [environ_driverdata] supported_os: [Windows] conditions: [os_major_version >= 10] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariablePath doc: The %PATH% environment variable contains an ordered list of paths of directories that will be searched when a program is run without a specific path. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'} provides: [environ_path] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableProfilesDirectory doc: The %ProfilesDirectory% environment variable contains a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users". sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'} provides: [environ_profilesdirectory] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableProgramData doc: The %ProgramData% environment variable contains a path of the "Program Data" directory.
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'} provides: [environ_programdata] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableProgramFiles doc: The %ProgramFiles% environment variable contains a path of the "Program Files" directory. sources: - type: PATH attributes: paths: ['\Program Files'] separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'} provides: [environ_programfiles] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableProgramFilesX86 doc: The %ProgramFiles(x86)% environment variable contains a path of the 32-bit "Program Files" directory on a 64-bit Windows installation. sources: - type: PATH attributes: paths: ['\Program Files (x86)'] separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'} provides: [environ_programfilesx86] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableSystemDrive doc: | The %SystemDrive% environment variable contains the letter of the drive in which the system directory is located, typically "C:". This value is not present in the Windows Registry but can be derived from %SystemRoot%. 
sources: - type: ARTIFACT_GROUP attributes: {names: ['WindowsEnvironmentVariableSystemRoot']} provides: [environ_systemdrive] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableSystemRoot doc: The %SystemRoot% environment variable contains the path of the system directory, typically "C:\Windows". sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'} provides: [environ_systemroot] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableTemp doc: The %TEMP% environment variable. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'} provides: [environ_temp] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEnvironmentVariableWinDir doc: The %WinDir% environment variable contains the path of the Windows directory, typically "C:\Windows". sources: - type: PATH attributes: paths: - '\Windows' - '\WinNT' - '\WINNT35' - '\WTSRV' separator: '\' - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'} provides: [environ_windir] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html'] --- name: WindowsEventLogPublishers doc: Windows EventLog publishers (or providers) Registry keys.
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\*'] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html'] --- name: WindowsEventLogSources doc: Windows EventLog sources Registry keys. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\*\*'] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html'] --- name: WindowsEventLogs doc: Windows Event logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsEventLogApplication' - 'WindowsEventLogSecurity' - 'WindowsEventLogSystem' - 'WindowsXMLEventLogApplication' - 'WindowsXMLEventLogSecurity' - 'WindowsXMLEventLogSysmon' - 'WindowsXMLEventLogSystem' - 'WindowsXMLEventLogTerminalServices' labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsEventLogApplication doc: Application Windows Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\AppEvent.evt'] separator: '\' conditions: [os_major_version < 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsEventLogSecurity doc: Security Windows Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\SecEvent.evt'] separator: '\' conditions: [os_major_version < 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsEventLogSystem doc: System Windows Event Log. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\SysEvent.evt'] separator: '\' conditions: [os_major_version < 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogApplication doc: Application Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Application.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogSecurity doc: Security Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogSysmon doc: Sysmon Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx'] separator: '\' labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogSystem doc: System Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogTerminalServices doc: TerminalServices Windows XML Event Log. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'] separator: '\' conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsExcludeFromKnownDLLs doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'ExcludeFromKnownDLLs'}] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx'] --- name: WindowsExplorerAppKey doc: Handlers for special keys on some keyboards (file path or CLSID). sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'} supported_os: [Windows] urls: - 'http://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/assigning-the-special-keys-at-the-top-of-the/d1ab2e13-5297-457d-a8e8-bc2c883d8b58?db=5' - 'http://h30434.www3.hp.com/t5/Notebook-Hardware/How-do-I-customize-the-Action-Keys/td-p/379207' --- name: WindowsExplorerAutoplayHandlers doc: Handlers for autoplay events in Windows Explorer. 
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa468474.aspx' --- name: WindowsExplorerContextMenuHandlers doc: Handlers for subcommands on context menu sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'} - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'} - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'} - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/cc144171(v=vs.85).aspx' - 'http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commandstore-shell-windows-closewindow' - 'http://www.checkfilename.com/view-details/Windows-7-Ultimate/RespageIndex/4/sTab/2/' --- name: WindowsExplorerNamespaceCommonPlaces doc: CLSIDs listed here are used to populate the Common Places items. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/commonplacesfolder.htm' - 'http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commonplaces' --- name: WindowsExplorerNamespaceControlPanel doc: CLSIDs listed here are used to populate the Control Panel items. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpaceWOW64\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace' - 'HKEY_USERS\%%users.sid%%\Wow6432Node\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm' --- name: WindowsExplorerNamespaceDesktop doc: CLSIDs listed here are used to populate the Desktop items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'https://social.technet.microsoft.com/Forums/windowsserver/en-US/2760309c-89d1-414c-a04c-ce4178e90787/hide-libraries-icon-from-desktop' - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm' - 'http://www.geoffchappell.com/notes/windows/shell/controlpanel/desktopicons.htm' - 'https://support.microsoft.com/en-us/kb/321777' --- name: WindowsExplorerNamespaceMyComputer doc: CLSIDs listed here are used to populate the MyComputer items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Wow6432Node\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/mycomputer.htm' - 'http://www.howtogeek.com/168081/how-to-remove-the-folders-from-my-computer-in-windows-8.1/' - 'http://answers.microsoft.com/en-us/windows/forum/windows8_1-files/how-to-remove-these-folders-from-windows-81/777c4ba3-7853-453e-bfa0-9a0f4245b9e1?db=5' --- name: WindowsExplorerNamespaceNetworkNeighborhood doc: CLSIDs listed here are used to populate the Network Neighborhood items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace' - 
'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm' - 'http://www.lavasoft.com/mylavasoft/rogues/secretservice' - 'http://www.wikihow.com/Manually-Remove-Macatte-Malware' --- name: WindowsExplorerNamespacePrintersAndFaxes doc: CLSIDs listed here are used to populate the Printer and Fax items. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace' - 
'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders' supported_os: [Windows] urls: - 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/printers.htm' --- name: WindowsFileTypeAutorunAssociations doc: | Registry value for what application class identifier (CLSID) to launch for a file extension. Extension subkeys start with a dot. The '(Default)' value will be a ProgID, which points to another entry in HKCR specifying the command to run to open a file of the given type. The WindowsShellOpenCommand artifact is associated with these ProgID command invocations. 
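sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\.*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*', value: ''} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx' - 'https://docs.microsoft.com/en-us/windows/desktop/shell/fa-file-types' --- name: WindowsFirewallLogFile doc: Windows Firewall default log file and its rotated predecessor. Logging of dropped packets and successful connections is off by default and the file is renamed to pfirewall.log.old when it reaches its size limit, so an absent or empty log is not evidence that the firewall saw no traffic. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\logfiles\firewall\pfirewall.log' - '%%environ_systemroot%%\System32\logfiles\firewall\pfirewall.log.old' separator: '\' labels: [System] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/configure-the-windows-firewall-log'] --- name: WindowsFirewallEnabledRules doc: Command to list the enabled Windows Firewall rules. sources: - type: COMMAND attributes: args: ["advfirewall", "monitor", "show", "firewall", "rule", "name=all"] cmd: netsh.exe labels: [System] supported_os: [Windows] --- name: WindowsFirewallRules doc: Command to list the configured Windows Firewall rules.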
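sources: - type: COMMAND attributes: args: ["advfirewall", "firewall", "show", "rule", "name=all"] cmd: netsh.exe labels: [System] supported_os: [Windows] --- name: WindowsGroupPolicyScripts doc: Windows group policy scripts sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\psscripts.ini' - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\scripts.ini' - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logoff\*' - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logon\*' - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\psscripts.ini' - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\scripts.ini' - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Shutdown\*' - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Startup\*' separator: '\' supported_os: [Windows] --- name: WindowsHostsFiles doc: The Windows hosts and lmhosts files. Entries here take precedence over DNS, so malware commonly adds lines to block security vendor and update hosts or to redirect them to attacker-controlled addresses. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts' - '%%environ_systemroot%%\System32\Drivers\etc\hosts' separator: '\' supported_os: [Windows] --- name: WindowsHotkeyReplacement doc: Accessibility executables that can be launched from the logon screen (sticky keys, utility manager, on-screen keyboard, magnifier, narrator, display switch and the accessibility broker). Replacing one of them with cmd.exe, or registering a debugger for it under Image File Execution Options, gives a SYSTEM shell before any logon, so compare these binaries against known-good hashes and Authenticode signatures. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\AtBroker.exe' - '%%environ_systemroot%%\System32\DisplaySwitch.exe' - '%%environ_systemroot%%\System32\Magnify.exe' - '%%environ_systemroot%%\System32\Narrator.exe' - '%%environ_systemroot%%\System32\osk.exe' - '%%environ_systemroot%%\System32\sethc.exe' - '%%environ_systemroot%%\System32\utilman.exe' separator: '\' supported_os: [Windows] --- name: WindowsInstallationDateTime doc: Windows installation date and time sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'} supported_os: [Windows] --- name: WindowsLanguage doc: The system language.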
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language', value: 'Default'} supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Language.html'] --- name: WindowsLogoffScript doc: Windows policy logoff script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsLogonScript doc: Windows policy logon script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsLSAAuthenticationPackages doc: Authentication Packages can be injected into LSASS. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc963218.aspx' --- name: WindowsLSANotificationPackages doc: Notification Packages can be injected into LSASS. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc963221.aspx' --- name: WindowsLSASecurityPackages doc: Security Packages can be injected into LSASS. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa379392(v=vs.85).aspx' - 'https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf' --- name: WindowsMetroApplicationCache doc: Windows Metro application cache. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Packages\*\AC\INetCache'] separator: '\' supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMetroApplicationCookies doc: Windows Metro application cookies. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Packages\*\AC\INetCookies'] separator: '\' supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMetroApplicationHistory doc: Windows Metro application history. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Packages\*\AC\INetHistory'] separator: '\' supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMetroUserPinnedFavoriteTiles doc: Windows Metro user-pinned favorite tiles. 
sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Microsoft\Windows\RoamingTiles'] separator: '\' supported_os: [Windows] urls: - 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look' --- name: WindowsMostRecentApplication doc: Windows Most Recent Application name key sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'} supported_os: [Windows] urls: - 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_ransom.smc7' - 'https://www.symantec.com/security_response/writeup.jsp?docid=2014-092314-3644-99&tabid=2' --- name: WindowsMSDTCDLLs doc: Windows MSDTC attempts to load these DLLs on start sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*' supported_os: [Windows] urls: ['https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/'] --- name: WindowsMultiMediaDrivers doc: Configured drivers for different multimedia filetypes. 
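sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*' - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*' - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://support.microsoft.com/en-us/kb/126054' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsNetworkShellHelpers doc: Windows Network Shell (netsh) helper DLLs. Every DLL registered here is loaded into netsh.exe each time netsh runs, which makes the key a persistence location for any process or scheduled task that invokes netsh. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh' supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/242468'] --- name: WindowsOpenSaveMRU doc: Information about files opened or saved in a Windows shell dialog. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\*'] conditions: [os_major_version < 6] supported_os: [Windows] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=OpenSaveMRU' - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru' --- name: WindowsOpenSavePidlMRU doc: Information about files opened or saved in a Windows shell dialog.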
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\*'] conditions: [os_major_version >= 6] supported_os: [Windows] urls: - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru' - 'https://forensicswiki.xyz/wiki/index.php?title=OpenSavePidlMRU' --- name: WindowsPendingFileRenames doc: Windows Pending file renames on reboot sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc960241.aspx'] --- name: WindowsPendingGPOs doc: | Windows Pending GPOs registry settings. This is a persistence mechanism known to be used by the Gootkit malware family. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'} supported_os: [Windows] urls: ['https://www.certego.net/en/news/malware-tales-gootkit/'] --- name: WindowsPersistenceMechanisms doc: Persistence mechanisms in Windows. sources: - type: ARTIFACT_GROUP attributes: names: - WindowsPersistenceRegistryKeys - WindowsPowerShellDefaultProfiles - WindowsServices labels: [Software] supported_os: [Windows] --- name: WindowsPersistenceRegistryKeys doc: Windows Registry keys used for persistence. 
sources: - type: ARTIFACT_GROUP attributes: names: - InternetExplorerBrowserHelperObjects - WindowsActiveDesktop - WindowsActiveSyncAutoStart - WindowsAlternateShell - WindowsAppCertDLLs - WindowsAppInitDLLs - WindowsBootVerificationProgram - WindowsCommandProcessorAutoRun - WindowsCredentialProviderFilters - WindowsCredentialProviders - WindowsDebugger - WindowsEnvironmentUserLoginScripts - WindowsExplorerAutoplayHandlers - WindowsFileTypeAutorunAssociations - WindowsFontDrivers - WindowsIconServiceLib - WindowsLSAAuthenticationPackages - WindowsLSANotificationPackages - WindowsLSASecurityPackages - WindowsMSDTCDLLs - WindowsMultiMediaDrivers - WindowsNetworkShellHelpers - WindowsPendingGPOs - WindowsPLAPProviders - WindowsPrintMonitors - WindowsRunGrpConv - WindowsRunKeys - WindowsRunServices - WindowsScreenSaverExecutable - WindowsSearchFilterHandlers - WindowsSecurityProviders - WindowsServiceControlManagerExtension - WindowsSessionManagerBootExecute - WindowsSessionManagerExecute - WindowsSessionManagerS0InitialCommand - WindowsSessionManagerSetupExecute - WindowsSessionManagerSubSystems - WindowsSessionManagerWOWCommandLine - WindowsSetupCommandLine - WindowsSharedTaskScheduler - WindowsShellExecuteHooks - WindowsShellExtensions - WindowsShellIconOverlayIdentifiers - WindowsShellLoadAndRun - WindowsShellOpenCommand - WindowsShellRunasCommand - WindowsShellServiceObjects - WindowsStubPaths - WindowsSystemPolicyShell - WindowsTerminalServerInitialProgram - WindowsTerminalServerRunKeys - WindowsTerminalServerStartupPrograms - WindowsToolPaths - WindowsWinlogonAppSetup - WindowsWinlogonAvailableShells - WindowsWinlogonGinaDLL - WindowsWinlogonGPExtensions - WindowsWinlogonNotify - WindowsWinlogonShell - WindowsWinlogonSystem - WindowsWinlogonTaskman - WindowsWinlogonUiHost - WindowsWinlogonUserinit - WindowsWinlogonVMApplet - WinSock2LayeredServiceProviders - WinSock2NamespaceProviders labels: [Software] supported_os: [Windows] --- name: WindowsPLAPProviders doc: 
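Windows Pre-Logon Access Provider (PLAP) Providers sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb530584(v=vs.85).aspx'] --- name: WindowsPolicyDisallowRun doc: Restrict users from running specific applications, typically used by malware to block AV. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*' labels: [System] supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/323525' - 'https://blog.malwarebytes.com/detections/pum-optional-disallowrun/' --- name: WindowsPowerShellDefaultProfiles doc: Default PowerShell profile files for Windows PowerShell, the ISE host and PowerShell 7. These scripts run in every session that is not started with -NoProfile, and the per-user copies are writable by the user, so they are a common persistence location. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1' - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShellISE_profile.ps1' - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1' - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1' - '%%users.userprofile%%\Documents\PowerShell\profile.ps1' - '%%users.userprofile%%\Documents\PowerShell\Microsoft.PowerShell_profile.ps1' separator: '\' supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010' - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' --- name: WindowsPowerShellEnableScripts doc: Registry keys that control whether PowerShell scripts can execute directly.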
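sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/library/hh847748.aspx' - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' --- name: WindowsPowerShellExecutionPolicies doc: PowerShell script execution policy for the current user and the machine, covering both the Group Policy values and the locally set values under ShellIds. Execution policy is a safety feature rather than a security boundary, it is trivially bypassed with -ExecutionPolicy Bypass or -EncodedCommand, so treat an unexpected value as an indicator of tampering and not as a control. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell', value: 'ExecutionPolicy'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell', value: 'ExecutionPolicy'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/library/hh847748.aspx' - 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/' --- name: WindowsPowerShellHistory doc: History of commands executed in interactive PowerShell sessions, written by PSReadLine as one file per host (ConsoleHost, Visual Studio Code Host and others). An attacker can turn it off with Set-PSReadLineOption -HistorySaveStyle SaveNothing, so a missing or truncated file is itself worth noting. sources: - type: FILE attributes: paths: ['%%users.appdata%%\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt'] separator: '\' supported_os: [Windows] urls: - 'https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html' - 'https://docs.microsoft.com/en-us/powershell/module/psreadline/get-psreadlineoption?view=powershell-7.1' --- name: WindowsPrefetchFiles doc: Windows Prefetch files. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\Prefetch\*.pf'] separator: '\' labels: [System] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Prefetch'] --- name: WindowsPrintMonitors doc: Windows Print Monitor DLL config.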
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\*', value: 'Driver'}] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://support.microsoft.com/en-us/kb/102966' --- name: WindowsProductName doc: The Windows product name sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ProductName'}]} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- name: WindowsProgramsCache doc: Windows Programs Cache sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Programs%20Cache%20values.asciidoc'] --- name: WindowsProgramsCacheJumpLists doc: Windows Programs Cache Jump Lists sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheSMP'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheTBP'} supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsProxyPACAutoConfigURL doc: Windows Proxy PAC AutoConfigURL. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'} labels: [System, Network] supported_os: [Windows] urls: ['https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/'] --- name: WindowsProxyServerSettings doc: | Windows Proxy Server Settings. Malware can modify these settings to redirect traffic through a malicious program running on the machine (for instance, by specifying 127.0.0.1 as the IP address of the proxy server to use) or to a malicious host on the local network or internet. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'} - {key: 'HKEY_USERS\%%users.sid%%\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'} labels: [System, Network] supported_os: [Windows] urls: ['https://blog.malwarebytes.com/detections/pum-optional-proxyhijacker/'] --- name: WindowsRecentFileCacheBCF doc: The RecentFileCache.bcf file. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\AppCompat\Programs\RecentFileCache.bcf'] separator: '\' conditions: [os_major_version >= 6 AND os_minor_version >= 1] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html'] --- name: WindowsRecycleBin doc: Windows Recycle Bin (Recycler, $Recycle.Bin) files. sources: - type: FILE attributes: paths: - '\$Recycle.Bin\**' - '\Recycler\**' separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Recycle_Bin'] --- name: WindowsRegistryCurrentControlSet doc: The current control set of the Windows Registry. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]} provides: [current_control_set] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- name: WindowsRegistryFilesAndTransactionLogs doc: Windows user and system Registry files and transaction logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsSystemRegistryFiles' - 'WindowsSystemRegistryTransactionLogFiles' - 'WindowsUserRegistryFiles' - 'WindowsUserRegistryTransactionLogFiles' labels: [System, Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsRegistryProfiles doc: | Get SIDs for all users on the system with profiles present in the Registry. This looks in the Windows Registry where the profiles are stored and retrieves the paths for each profile. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath'}]} labels: [Users] provides: [users.sid, users.userprofile, users.homedir, users.username] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'] --- name: WindowsReleaseIdentifier doc: | The Windows 10 release identifier (or version number). This Windows Registry value contains the semi-annual Windows 10 version number. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ReleaseID'}]} supported_os: [Windows] urls: ['https://www.microsoft.com/en-us/itpro/windows-10/release-information'] --- name: WindowsRoverAutostartDLL doc: | Windows Rover autostart DLL. The DLL loaded via the Windows Rover autostart mechanism. If this file exists, and the Rover autostart Registry key is set, userinit.exe will load this file and call its RunMonitor export. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\rover.dll'] separator: '\' supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/'] --- name: WindowsRoverAutostartKey doc: | Windows Rover autostart Registry key. When set userinit.exe will load the DLL at %SystemRoot%\System32\rover.dll and call its RunMonitor export. sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}']} supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/'] --- name: WindowsRunGrpConv doc: | The Windows RunGrpConv Registry value. When this Registry value is non-zero userinit.exe will launch grpconv.exe at user login. 
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv'}]} supported_os: [Windows] conditions: [os_major_version <= 5] urls: - 'http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/' - 'http://www.exploit-id.com/local-exploits/windows-xp-sp2-grpconv-exe' --- name: WindowsRunKeys doc: | Windows Run and RunOnce keys. Note users.sid will currently only expand to SIDs with profiles on the system, not all SIDs. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' labels: [Software] supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376977%28v=vs.85%29.aspx' - 'https://support.microsoft.com/en-us/kb/137367' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/magazine/ee851671.aspx' --- name: WindowsRunServices doc: Windows Run Services. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/179365' - 'https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html' --- name: WindowsScheduledTasks doc: Windows Scheduled Tasks. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\Tasks\**10' - '%%environ_systemroot%%\System32\Tasks\**10' - '%%environ_systemroot%%\SysWow64\Tasks\**10' separator: '\' supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Scheduled_Tasks'] --- name: WindowsScreenSaverExecutable doc: ScreenSaver Executable sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'} - {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc737855(v=ws.10).aspx' - 'https://technet.microsoft.com/en-us/library/cc957840.aspx' --- name: WindowsSearchDatabase doc: Windows Search database (Windows.edb). sources: - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb'] separator: '\' labels: [Software] supported_os: [Windows] urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows_Desktop_Search'] --- name: WindowsSecurityProviders doc: Security Providers DLLs sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://github.com/wmark/security-configuration/blob/master/Windows/disable-weak-ciphers-and-enable-TLS1.x.reg' --- name: WindowsServiceControlManagerExtension doc: Windows service control manager extension sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control', value: 'ServiceControlManagerExtension'}] labels: [Software] supported_os: [Windows] urls: - 'http://forum.sysinternals.com/autoruns-and-windows-7_topic19770.html' - 
'https://support.microsoft.com/en-us/kb/102985' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.silentrunners.org/Silent%20Runners.vbs' --- name: WindowsServices doc: | Windows services from the Registry. Malware can add new services to gain persistence, or modify existing ones to avoid detection. For example, the ZeroAccess rootkit will make the following changes to the WSCSVC (Windows Security Service Center), WINDEFEND (Windows Defender), and MPSSVC (Windows Firewall) services, among others: * Set 'Start' to 4, indicating that the service should be disabled * Set 'DeleteFlag' to 1, indicating that the service should be removed * Set 'ErrorControl' to 0 and 'Type' to 32, so that the Service Controller fails to start the service without generating any error messages sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*\Parameters\*' labels: [Software] supported_os: [Windows] urls: - 'http://support.microsoft.com/kb/103000' - 'https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc' --- name: WindowsActionCenterSettings doc: | Windows Action Center Settings Malware can modify these keys to disable notifications that occur when various security features are disabled. One malware family known to modify these keys is Kovter, a well-known trojan. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'} labels: [System] supported_os: [Windows] urls: - 'https://winaero.com/blog/registry-tweak-to-disable-action-center-notifications-in-windows-7/' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html' - 'https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/' --- name: WindowsBootConfigurationSettings doc: | Windows Boot Configuration Settings. These Windows Registry values are associated with the Windows Boot Configuration Settings. Malware, like Cerber (ransomware), is known to change the Windows Boot Configuration Settings and disable recovery options like the ability to boot into safe mode. 'bcdedit.exe' can be used to modify the Windows Boot Configuration Settings. The mapping of each Registry key to its associated bcdedit command is as follows: * 16000009: 'bcdedit.exe /set {default} recoveryenabled ' * 00 gets stored for 'no', 01 gets stored for 'yes' * 250000e0: 'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures' * 01 00 00 00 00 00 00 00 gets stored. Otherwise, the key is not present. The wildcard component of the Windows Registry key is the identifier associated with the Windows Boot Loader instance on a given machine. 
This identifier can be determined by running 'bcdedit.exe /v' and looking at the 'identifier' under the Windows Boot Loader section (on Windows 7 and Windows 10, '{default}' [used by Cerber] points to this instance). sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\16000009', value: 'Element'} - {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\250000e0', value: 'Element'} labels: [System] supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi' - 'https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html' --- name: WindowsDisallowedSystemCertificates doc: | Windows Disallowed System Certificates Malware can add code-signing certificates associated with antivirus programs to the disallowed list to prevent the AV programs from running. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' - 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' labels: [System] supported_os: [Windows] urls: - 'https://blog.malwarebytes.com/detections/pum-optional-misplacedcertificate/' --- name: WindowsExplorerSettings doc: | Windows Explorer Settings Malware can modify these keys to make it more difficult for the user to detect and remove malicious software. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 
'HideSCAHealth'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 
'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} labels: [System] supported_os: [Windows] urls: - 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html' - 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_mandrom.e' - 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_deleter.ah' - 'https://blog.malwarebytes.com/detections/pum-optional-disabledrightclick/' - 'https://blog.malwarebytes.com/detections/pum-optional-disableshowcontrolpanel/' --- name: WindowsSystemSettings doc: | Windows System Settings Malware can modify these keys to make it more difficult for the user to detect and remove malicious software. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 
'NoDispCPL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'} labels: [System] supported_os: [Windows] urls: - 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html' - 'https://www.thewindowsclub.com/enable-disable-command-prompt-windows' - 'https://blog.malwarebytes.com/detections/pum-optional-disableregistrytools/' - 'https://blog.malwarebytes.com/detections/pum-optional-disabletaskmgr/' - 'https://www.stigviewer.com/stig/windows_7/2014-04-02/finding/V-1154' - 'https://blog.malwarebytes.com/detections/pum-optional-nodispcpl/' - 'https://blog.malwarebytes.com/detections/pum-optional-disablecmdprompt/' --- name: WindowsFirewallAuthorizedApplications doc: | Windows Firewall Authorized Applications Malware can add paths to this list to more easily communicate over the network on an infected machine. For instance, Emotet modifies some of these settings after gaining execution. 
sources: - type: REGISTRY_KEY attributes: keys: # Windows XP and 2003 - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\*' # Windows Vista and later - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\*' labels: [System] supported_os: [Windows] urls: - 'https://threatvector.cylance.com/en_us/home/threat-spotlight-eyepyramid-malware.html' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html' --- name: WindowsFirewallGloballyOpenPorts doc: | Windows Firewall Globally Open Ports Malware can add to the list of open ports to avoid having to create Windows Firewall exceptions tied to specific applications. 
sources: - type: REGISTRY_KEY attributes: keys: # Windows XP and 2003 - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List\*' # Windows Vista and later - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\*' labels: [System] supported_os: [Windows] urls: - 'https://qaforce.wordpress.com/2009/10/06/windows-firewall-registry-keys/' - 'https://github.com/steeve85/Malwares/wiki/Registry' --- name: WindowsFirewallPolicySettings doc: | Windows Firewall Policy Settings Malware can modify these settings to more easily communicate over the network on an infected machine. For instance, Emotet modifies some of these settings after gaining execution. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'EnableFirewall'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DisableNotifications'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DoNotAllowExceptions'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultInboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultOutboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'EnableFirewall'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DisableNotifications'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DoNotAllowExceptions'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultInboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultOutboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'EnableFirewall'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DisableNotifications'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DoNotAllowExceptions'} - {key: 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultInboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultOutboundAction'} labels: [System] supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-enablefirewall' - 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-disablenotifications' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' --- name: WindowsSecurityCenterSettings doc: | Windows Security Center Settings Malware can modify these settings to avoid detection on an infected machine. For instance, Emotet modifies some of these settings after gaining execution. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 
'FirewallDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'FirewallOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UacDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UacDisableNotify'} labels: [System] supported_os: [Windows] urls: - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' - 'https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking' - 'https://ccm.net/faq/1446-disabling-security-alerts-under-vista' --- name: WindowsSystemRestoreSettings doc: | Windows System Restore Settings Some malware, especially ransomware, will disable system restore to make system recovery more difficult. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'} labels: [System] supported_os: [Windows] urls: - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' - 'https://www.windows-commandline.com/enable-disable-system-restore-service/' - 'https://docs.microsoft.com/en-us/windows/desktop/msi/limitsystemrestorecheckpointing' --- name: WindowsUserAccountControlSettings doc: | Windows User Account Control Settings Malware sometimes disables UAC to make it easier to perform actions on an infected machine. 
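sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'EnableLUA'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'EnableLUA'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'ConsentPromptBehaviorAdmin'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'ConsentPromptBehaviorAdmin'
labels: [System]
supported_os: [Windows]
urls:
- 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
- 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4'
---
name: WindowsUpgradeSettings
doc: |
  Windows Upgrade Settings

  Malware sometimes disables a machine's ability to upgrade from previous
  versions of Windows to Windows 10. One malware family known to modify these
  keys is Kovter, a well-known trojan.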
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate'
      value: 'DisableOSUpgrade'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate'
      value: 'DisableOSUpgrade'
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade'
      value: 'ReservationsAllowed'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade'
      value: 'ReservationsAllowed'
labels: [System]
supported_os: [Windows]
urls:
- 'https://www.ghacks.net/2016/01/08/disableosupgrade-prevents-the-upgrade-to-windows-10/'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html'
---
name: WindowsUpdateSettings
doc: Windows Update Settings
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
      value: 'NoAutoUpdate'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU'
      value: 'NoAutoUpdate'
labels: [System]
supported_os: [Windows]
urls:
- 'https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings'
- 'https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html'
---
name: WindowsFontDrivers
doc: Windows font drivers from the Registry.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers\*'
labels: [Software]
supported_os: [Windows]
urls:
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsSessionManagerBootExecute
doc: Windows Session Manager BootExecute persistence.
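sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
      value: 'BootExecute'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/library/cc963230.aspx'
---
name: WindowsSessionManagerExecute
doc: |
  Windows Session Manager Execute persistence

  This entry shouldn't be populated after Windows has been installed
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
      value: 'Execute'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/library/cc976130.aspx'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsSessionManagerS0InitialCommand
doc: |
  Windows Session Manager S0InitialCommand persistence

  This entry shouldn't be populated after Windows has been installed
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
      value: 'S0InitialCommand'
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsSessionManagerSetupExecute
doc: |
  Windows Session Manager SetupExecute persistence

  This entry shouldn't be populated after Windows has been installed
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
      value: 'SetupExecute'
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsSessionManagerSubSystems
doc: Windows Session Manager SubSystems persistence
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems'
      value: 'Windows'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/library/cc976130.aspx'
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
---
name: WindowsSessionManagerWOWCommandLine
doc: Windows Session Manager Windows-on-Windows (WOW) command line
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW'
      value: 'cmdline'
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW'
      value: 'wowcmdline'
supported_os: [Windows]
urls:
- 'https://support.microsoft.com/en-us/kb/102986'
---
name: WindowsSetupCommandLine
doc: Command line invocation used for custom setup and deployment tasks
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\Setup'
      value: 'CmdLine'
supported_os: [Windows]
urls:
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsSharedTaskScheduler
doc: Runs on Windows boot.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/'
---
name: WindowsShellExecuteHooks
doc: Shell execution hooks are called when ShellExecuteEx() is called.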
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'http://regenerus.com/malware-common-loadpoints/'
- 'https://code.google.com/p/regripper/wiki/ASEPs'
---
name: WindowsShellExtensions
doc: Approved extensions to the Windows Shell (explorer.exe).
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110(v=vs.85).aspx'
---
name: WindowsShellHandlersRegistryKeys
doc: |
  Windows registry values for shell handler artifacts.

  ContextMenuHandlers are added to right-click menus. CopyHookHandlers,
  DragDropHandlers, and ColumnHandlers are similar contextual settings to
  trigger on these actions.
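sources:
# NOTE(review): the doc above describes these as Registry "values", but the
# source type collects keys (the handler subkeys themselves) — confirm which
# is intended.
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ColumnHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\CopyHookHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\DragDropHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ColumnHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\CopyHookHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\DragDropHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'http://www.codeguru.com/cpp/com-tech/shell/article.php/c4515/Logging-the-Shell-Activity.htm'
- 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/troj_qoolaid.r'
---
name: WindowsShellIconOverlayIdentifiers
doc: Called to display custom icons.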
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127455(v=vs.85).aspx'
---
name: WindowsShellLoadAndRun
doc: Windows Shell Load and Run values
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows'
      value: 'Load'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows'
      value: 'Run'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
      value: 'Load'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
      value: 'Run'
supported_os: [Windows]
urls:
- 'https://support.microsoft.com/en-us/kb/103865'
---
name: WindowsIconServiceLib
doc: |
  Windows Icon Service Library Name

  The value should default to 'IconCodecService.dll'
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
      value: 'IconServiceLib'
supported_os: [Windows]
urls:
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsShellOpenCommand
doc: Executed every time this file type is opened. For most file types, the value should be '"%1" %*'.
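sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    # An empty value name presumably selects the key's default (unnamed) value,
    # which holds the command line — confirm against the artifact format spec.
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command'
      value: ''
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command'
      value: 'IsolatedCommand'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command'
      value: ''
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command'
      value: 'IsolatedCommand'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command'
      value: ''
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command'
      value: 'IsolatedCommand'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command'
      value: ''
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command'
      value: 'IsolatedCommand'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
- 'https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/'
---
name: WindowsShellRunasCommand
doc: |
  Executed every time an executable or script file type is run as
  administrator. For most file types, the value should be '"%1" %*' or
  something similar. Example file type subkeys include 'exefile', 'batfile',
  and 'cmdfile'. These keys can be modified by malware as a way to be
  periodically executed or to bypass UAC.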
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command'
      value: ''
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command'
      value: 'IsolatedCommand'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command'
      value: ''
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command'
      value: 'IsolatedCommand'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command'
      value: ''
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command'
      value: 'IsolatedCommand'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command'
      value: ''
    - key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command'
      value: 'IsolatedCommand'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
- 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'
---
name: WindowsShellServiceObjects
doc: Windows Shell (explorer.exe) service objects delayed load.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
supported_os: [Windows]
urls:
- 'http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2'
---
name: WindowsSetupApiLogs
doc: Windows setup API logs.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\setupapi.log'
    separator: '\'
  conditions: [os_major_version < 6]
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\inf\setupapi.app.log'
    - '%%environ_systemroot%%\inf\setupapi.dev.log'
    - '%%environ_systemroot%%\inf\setupapi.offline.log'
    separator: '\'
  conditions: [os_major_version >= 6]
labels: [Logs]
supported_os: [Windows]
urls:
- 'https://forensicswiki.xyz/wiki/index.php?title=Setup_API_Logs'
---
name: WindowsShutdownScript
doc: Windows policy shutdown script
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts'
      value: 'Shutdown'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\*'
      value: 'Script'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\*'
      value: 'Parameters'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\*\*'
      value: 'Script'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\*\*'
      value: 'Parameters'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/library/ff404236.aspx'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsStartupFolderModification
doc: Windows startup folder Registry values.
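sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      value: 'Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Common Startup'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
      value: 'Startup'
supported_os: [Windows]
---
name: WindowsStartupFolders
doc: Windows startup folder persistence.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
    - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
    - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
    - '%%users.userprofile%%\Start Menu\Programs\Startup\*'
    separator: '\'
supported_os: [Windows]
---
name: WindowsStartupScript
doc: Windows policy startup script
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts'
      value: 'Startup'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*'
      value: 'Script'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*'
      value: 'Parameters'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*'
      value: 'Script'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*'
      value: 'Parameters'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/library/ff404236.aspx'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsStubPaths
doc: |
  Windows StubPath persistence.

  Each time a user logs in, the Active Setup Installed Components in HKLM are
  compared to the ones in HKCU, and if any are missing, or if the associated
  version is less, the program is executed.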
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*'
      value: 'StubPath'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*'
      value: 'Version'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*'
      value: 'StubPath'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*'
      value: 'Version'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*'
      value: 'StubPath'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*'
      value: 'Version'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*'
      value: 'StubPath'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*'
      value: 'Version'
supported_os: [Windows]
urls:
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
- 'http://bonemanblog.blogspot.com/2004/12/active-setup-registry-keys-and-their.html'
---
name: WindowsSuperFetchFiles
doc: Windows SuperFetch files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\Prefetch\Ag*.db'
    - '%%environ_systemroot%%\Prefetch\Ag*.db.trx'
    separator: '\'
labels: [System]
supported_os: [Windows]
urls:
- 'https://forensicswiki.xyz/wiki/index.php?title=SuperFetch'
---
name: WindowsSystemIniFiles
doc: Windows system ini files
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemdrive%%\system.ini'
    - '%%environ_windir%%\win.ini'
    - '%%environ_windir%%\wininit.ini'
    separator: '\'
supported_os: [Windows]
---
name: WindowsSystemPolicyShell
doc: Windows System policy replacement shell (custom user interface).
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'Shell'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
      value: 'Shell'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx'
---
name: WindowsSystemRegistryFilesBackup
doc: Backup of Windows system Registry files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\config\RegBack\SAM'
    - '%%environ_systemroot%%\System32\config\RegBack\SECURITY'
    - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE'
    - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM'
    separator: '\'
labels: [System]
supported_os: [Windows]
urls:
- 'https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'
---
name: WindowsSystemRegistryTransactionLogFilesBackup
doc: |
  Backup of Windows system Registry transaction log files.

  These files have been observed to be typically 0 byte in size.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG'
    - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1'
    - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2'
    - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG'
    - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1'
    - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2'
    - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG'
    - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1'
    - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2'
    - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG'
    - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1'
    - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2'
    separator: '\'
labels: [System]
supported_os: [Windows]
urls:
- 'https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'
---
name: WindowsSystemRegistryFiles
doc: Windows system Registry files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\config\SAM'
    - '%%environ_systemroot%%\System32\config\SECURITY'
    - '%%environ_systemroot%%\System32\config\SOFTWARE'
    - '%%environ_systemroot%%\System32\config\SYSTEM'
    - '\System Volume Information\Syscache.hve'
    separator: '\'
labels: [System]
supported_os: [Windows]
urls:
- 'https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'
---
name: WindowsSystemRegistryTransactionLogFiles
doc: Windows system Registry transaction log files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\config\SAM.LOG'
    - '%%environ_systemroot%%\System32\config\SAM.LOG1'
    - '%%environ_systemroot%%\System32\config\SAM.LOG2'
    - '%%environ_systemroot%%\System32\config\SECURITY.LOG'
    - '%%environ_systemroot%%\System32\config\SECURITY.LOG1'
    - '%%environ_systemroot%%\System32\config\SECURITY.LOG2'
    - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG'
    - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1'
    - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2'
    - '%%environ_systemroot%%\System32\config\SYSTEM.LOG'
    - '%%environ_systemroot%%\System32\config\SYSTEM.LOG1'
    - '%%environ_systemroot%%\System32\config\SYSTEM.LOG2'
    separator: '\'
labels: [System]
supported_os: [Windows]
urls:
- 'https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'
---
name: WindowsSystemRegistryFilesAndTransactionLogs
doc: Windows system Registry files and transaction logs.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'WindowsSystemRegistryFiles'
    - 'WindowsSystemRegistryTransactionLogFiles'
labels: [System]
supported_os: [Windows]
urls:
- 'https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'
---
name: WindowsSystemResourceUsageMonitorDatabaseFile
doc: Windows System Resource Usage Monitor (SRUM) database file.
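sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\sru\SRUDB.dat'
    separator: '\'
supported_os: [Windows]
urls:
- 'https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc'
---
name: WindowsTempDirectories
doc: Contents of the Windows temporary directories
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemdrive%%\Temp\*'
    - '%%environ_systemroot%%\Temp\*'
    - '%%users.localappdata%%\Temp\*'
    separator: '\'
supported_os: [Windows]
---
name: WindowsTerminalServerRunKeys
doc: Windows Terminal Server Run keys
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
---
name: WindowsTerminalServerStartupPrograms
doc: Windows Terminal Server Startup Programs
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd'
      value: 'StartupPrograms'
supported_os: [Windows]
urls:
- 'http://forum.sysinternals.com/rdpclip_topic4729.html'
---
name: WindowsTerminalServerInitialProgram
doc: Windows Terminal Server Initial Program
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
      value: 'InitialProgram'
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
      value: 'InitialProgram'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows NT\Terminal Services'
      value: 'InitialProgram'
    - key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services'
      value: 'InitialProgram'
    - key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services'
      value: 'InitialProgram'
supported_os: [Windows]
urls:
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsActiveSyncAutoStart
doc: Windows ActiveSync AutoStart entries
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnConnect\*'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect\*'
supported_os: [Windows]
urls:
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsTimezone
doc: The time zone of the system as a Windows time zone name or in MUI form.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation'
      value: 'StandardName'
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation'
      value: 'TimeZoneKeyName'
provides: [time_zone]
supported_os: [Windows]
urls:
- 'https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Time-zones.html'
---
name: WindowsToolPaths
doc: Paths to Windows tools such as defrag, chkdsk.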
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.liutilities.com/products/registrybooster/tweaklibrary/tweaks/11118/' --- name: WindowsUninstallKeys doc: Uninstall Registry keys sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' - 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx'] --- name: WindowsUpdateBuildRevision doc: | Windows kernel update build revision (UBR). This Windows Registry value contains the monthly rollup patch version. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'UBR'}]} supported_os: [Windows] urls: ['https://social.technet.microsoft.com/Forums/en-US/cadee4de-24d0-403e-9f3e-75868abf8f34'] --- name: WindowsUpdateStatus doc: Windows auto update status. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'} supported_os: [Windows] urls: - 'https://forensicswiki.xyz/wiki/index.php?title=Windows_Update' - 'http://blogs.msdn.com/b/aruns_blog/archive/2011/06/20/active-setup-registry-key-what-it-is-and-how-to-create-in-the-package-using-admin-studio-install-shield.aspx' --- name: WindowsUserAutomaticDestinationsJumpLists doc: Windows user AutomaticDestinations Jump Lists. sources: - type: FILE attributes: paths: ['%%users.appdata%%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms'] separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsUserCustomDestinationsJumpLists doc: Windows user CustomDestinations Jump Lists. 
sources: - type: FILE attributes: paths: ['%%users.appdata%%\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms'] separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsUserDownloadsDirectory doc: User downloads directory sources: - type: DIRECTORY attributes: paths: ['%%users.userprofile%%\Downloads\*'] separator: '\' labels: [Users] supported_os: [Windows] --- name: WindowsUserJumpLists doc: Windows user Jump Lists. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsProgramsCacheJumpLists' - 'WindowsUserAutomaticDestinationsJumpLists' - 'WindowsUserCustomDestinationsJumpLists' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsUserRecentFiles doc: Windows user specific recent files. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Office\Recent\*' - '%%users.appdata%%\Microsoft\Windows\Recent\*' separator: '\' labels: [Users] supported_os: [Windows] --- name: WindowsUserRegistryFiles doc: Windows user specific Registry files. sources: - type: FILE attributes: paths: - '%%users.userprofile%%\NTUSER.DAT' - '%%users.userprofile%%\NTUSER.MAN' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat' separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsUserRegistryTransactionLogFiles doc: Windows user Registry transaction log files. 
sources: - type: FILE attributes: paths: - '%%users.userprofile%%\NTUSER.DAT.LOG' - '%%users.userprofile%%\NTUSER.DAT.LOG1' - '%%users.userprofile%%\NTUSER.DAT.LOG2' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2' separator: '\' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsUserRegistryFilesAndTransactionLogs doc: Windows user Registry files and transaction logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsUserRegistryFiles' - 'WindowsUserRegistryTransactionLogFiles' labels: [Users] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsUserShellFolders doc: The Shell Folders information for Windows users. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*' - 'HKEY_USERS\%%users.sid%%\Environment\*' - 'HKEY_USERS\%%users.sid%%\Volatile Environment\*' provides: - users.cookies - users.appdata - users.personal - users.startup - users.homedir - users.desktop - users.internet_cache - users.localappdata - users.localappdata_low - users.recent - users.userprofile - users.temp supported_os: [Windows] --- name: WindowsWinlogonGinaDLL doc: Windows Gina DLL replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonNotify doc: Windows Winlogon Notify DLL names. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa379402(v=vs.85).aspx'] --- name: WindowsWinlogonShell doc: Windows shell replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx'] --- name: WindowsWinlogonSystem doc: Applications launched by Winlogon in the system context during the system initialisation. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} supported_os: [Windows] urls: - 'https://code.google.com/p/regripper/wiki/ASEPs' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' --- name: WindowsWinlogonTaskman doc: Windows Winlogon Taskman replacement. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonUiHost doc: Windows Winlogon UI screen application sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.bleepingcomputer.com/forums/t/14028/change-the-loginwelcome-screen/' --- name: WindowsWinlogonUserinit doc: Windows Winlogon Userinit replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939862.aspx'] --- name: WindowsWinlogonAvailableShells doc: | Windows Server Winlogon Available Shells Used to specify an alternate shell application to be launched when logging into Windows Server 2012 and later. Legitimate keys under AvailableShells should just cause cmd.exe or explorer.exe to be executed, whereas malicious programs may create keys that cause malware to be run when a user logs in. 
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells\*'] supported_os: [Windows] urls: - https://andymorgan.wordpress.com/2012/03/30/changing-the-default-shell-of-windows-server-8-core/ - https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 --- name: WindowsWinlogonVMApplet doc: Windows VMApplet replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinstart doc: Windows winstart.bat file sources: - type: FILE attributes: paths: - '%%environ_windir%%\winstart.bat' - '%%environ_windir%%\dosstart.bat' separator: '\' supported_os: [Windows] --- name: WindowsWinlogonAppSetup doc: Windows Winlogon Appsetup sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonGPExtensions doc: | Windows Winlogon Group Policy Extensions These keys specify DLLs that should be loaded when the group policy engine loads, and can act as a persistence mechanism for malware.
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'} supported_os: [Windows] urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] --- name: WinSock2LayeredServiceProviders doc: Used to filter TCP/IP traffic through WinSock2. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://en.wikipedia.org/wiki/Layered_Service_Provider' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WinSock2NamespaceProviders doc: Used to provide name-resolution services through WinSock2 sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*', value: 'LibraryPath'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*', value: 'LibraryPath'} supported_os: [Windows] urls: - 'https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99&tabid=2' - 'http://www.nirsoft.net/utils/winsock_service_providers.html' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms739923(v=vs.85).aspx' - 
'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsDNSSettings doc: Windows Registry Keys that contain DNS and DHCP settings. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters', value: 'NameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'} - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'} labels: [System, Network] supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx'] artifacts-20211012/data/windows_dll_hijacking.yaml000066400000000000000000000140331413144520200220520ustar00rootroot00000000000000# DLL Hijack Locations name: DLLHijackLocations doc: DLL search order hijacking locations collected from base Windows 7. 
urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html'] sources: - type: FILE attributes: paths: - '%%environ_windir%%\EXPLORERFRAME.dll' - '%%environ_windir%%\DUser.dll' - '%%environ_windir%%\DUI70.dll' - '%%environ_windir%%\UxTheme.dll' - '%%environ_windir%%\POWRPROF.dll' - '%%environ_windir%%\dwmapi.dll' - '%%environ_windir%%\slc.dll' - '%%environ_windir%%\gdiplus.dll' - '%%environ_windir%%\Secur32.dll' - '%%environ_windir%%\SSPICLI.dll' - '%%environ_windir%%\PROPSYS.dll' - '%%environ_windir%%\WINSTA.dll' - '%%environ_windir%%\CRYPTBASE.dll' - '%%environ_windir%%\WindowsCodecs.dll' - '%%environ_windir%%\profapi.dll' - '%%environ_windir%%\apphelp.dll' - '%%environ_windir%%\EhStorShell.dll' - '%%environ_windir%%\cscui.dll' - '%%environ_windir%%\CSCDLL.dll' - '%%environ_windir%%\CSCAPI.dll' - '%%environ_windir%%\ntshrui.dll' - '%%environ_windir%%\srvcli.dll' - '%%environ_windir%%\IconCodecService.dll' - '%%environ_windir%%\CRYPTSP.dll' - '%%environ_windir%%\rsaenh.dll' - '%%environ_windir%%\RpcRtRemote.dll' - '%%environ_windir%%\SndVolSSO.dll' - '%%environ_windir%%\HID.dll' - '%%environ_windir%%\MMDevApi.dll' - '%%environ_windir%%\timedate.cpl' - '%%environ_windir%%\ATL.dll' - '%%environ_windir%%\actxprxy.dll' - '%%environ_windir%%\ntmarta.dll' - '%%environ_windir%%\shdocvw.dll' - '%%environ_windir%%\LINKINFO.dll' - '%%environ_windir%%\USERENV.dll' - '%%environ_windir%%\shacct.dll' - '%%environ_windir%%\gameux.dll' - '%%environ_windir%%\XmlLite.dll' - '%%environ_windir%%\wer.dll' - '%%environ_windir%%\SAMLIB.dll' - '%%environ_windir%%\msls31.dll' - '%%environ_windir%%\tiptsf.dll' - '%%environ_windir%%\authui.dll' - '%%environ_windir%%\CRYPTUI.dll' - '%%environ_windir%%\msiltcfg.dll' - '%%environ_windir%%\VERSION.dll' - '%%environ_windir%%\msi.dll' - '%%environ_windir%%\NetworkExplorer.dll' - '%%environ_windir%%\WINMM.dll' - '%%environ_windir%%\wdmaud.drv' - '%%environ_windir%%\ksuser.dll' - 
'%%environ_windir%%\AVRT.dll' - '%%environ_windir%%\AUDIOSES.dll' - '%%environ_windir%%\msacm32.drv' - '%%environ_windir%%\MSACM32.dll' - '%%environ_windir%%\midimap.dll' - '%%environ_windir%%\netutils.dll' - '%%environ_windir%%\stobject.dll' - '%%environ_windir%%\BatMeter.dll' - '%%environ_windir%%\WTSAPI32.dll' - '%%environ_windir%%\es.dll' - '%%environ_windir%%\prnfldr.dll' - '%%environ_windir%%\WINSPOOL.DRV' - '%%environ_windir%%\dxp.dll' - '%%environ_windir%%\Syncreg.dll' - '%%environ_windir%%\netshell.dll' - '%%environ_windir%%\IPHLPAPI.dll' - '%%environ_windir%%\WINNSI.dll' - '%%environ_windir%%\nlaapi.dll' - '%%environ_windir%%\AltTab.dll' - '%%environ_windir%%\pnidui.dll' - '%%environ_windir%%\QUtil.dll' - '%%environ_windir%%\wevtapi.dll' - '%%environ_windir%%\dhcpcsvc6.dll' - '%%environ_windir%%\dhcpcsvc.dll' - '%%environ_windir%%\credssp.dll' - '%%environ_windir%%\npmproxy.dll' - '%%environ_windir%%\cscobj.dll' - '%%environ_windir%%\Wlanapi.dll' - '%%environ_windir%%\wlanutil.dll' - '%%environ_windir%%\wwanapi.dll' - '%%environ_windir%%\wwapi.dll' - '%%environ_windir%%\QAgent.dll' - '%%environ_windir%%\srchadmin.dll' - '%%environ_windir%%\mssprxy.dll' - '%%environ_windir%%\bthprops.cpl' - '%%environ_windir%%\ieframe.dll' - '%%environ_windir%%\OLEACC.dll' - '%%environ_windir%%\SyncCenter.dll' - '%%environ_windir%%\Actioncenter.dll' - '%%environ_windir%%\imapi2.dll' - '%%environ_windir%%\SXS.dll' - '%%environ_windir%%\hgcpl.dll' - '%%environ_windir%%\provsvc.dll' - '%%environ_windir%%\wkscli.dll' - '%%environ_windir%%\fxsst.dll' - '%%environ_windir%%\FXSAPI.dll' - '%%environ_windir%%\FXSRESM.dll' - '%%environ_windir%%\ieproxy.dll' - '%%environ_windir%%\thumbcache.dll' - '%%environ_windir%%\rasadhlp.dll' - '%%environ_windir%%\MPR.dll' - '%%environ_windir%%\vmhgfs.dll' - '%%environ_windir%%\drprov.dll' - '%%environ_windir%%\ntlanman.dll' - '%%environ_windir%%\davclnt.dll' - '%%environ_windir%%\DAVHLPR.dll' - '%%environ_windir%%\StructuredQuery.dll' - 
'%%environ_windir%%\UIAnimation.dll' - '%%environ_windir%%\DEVRTL.dll' - '%%environ_windir%%\MLANG.dll' - '%%environ_windir%%\wscinterop.dll' - '%%environ_windir%%\WSCAPI.dll' - '%%environ_windir%%\wscui.cpl' - '%%environ_windir%%\werconcpl.dll' - '%%environ_windir%%\framedynos.dll' - '%%environ_windir%%\wercplsupport.dll' - '%%environ_windir%%\msxml6.dll' - '%%environ_windir%%\hcproviders.dll' - '%%environ_windir%%\zipfldr.dll' - '%%environ_windir%%\rarext.dll' - '%%environ_windir%%\7-zip.dll' - '%%environ_windir%%\twext.dll' - '%%environ_windir%%\WinCDEmuContextMenu.dll' - '%%environ_windir%%\syncui.dll' - '%%environ_windir%%\SYNCENG.dll' - '%%environ_windir%%\shlext010.dll' - '%%environ_windir%%\ATL90.dll' - '%%environ_windir%%\acppage.dll' - '%%environ_windir%%\sfc.dll' - '%%environ_windir%%\sfc_os.dll' - '%%environ_windir%%\dsrole.dll' - '%%environ_windir%%\ACLUI.dll' - '%%environ_windir%%\NTDSAPI.dll' - '%%environ_windir%%\PhotoBase.dll' - '%%environ_windir%%\sbdrop.dll' - '%%environ_windir%%\tquery.dll' - '%%environ_windir%%\EhStorAPI.dll' - '%%environ_windir%%\SearchFolder.dll' - '%%environ_windir%%\NaturalLanguage6.dll' - '%%environ_windir%%\NLSData0009.dll' - '%%environ_windir%%\NLSLexicons0009.dll' - '%%environ_windir%%\MsftEdit.dll' - '%%environ_windir%%\dnsapi.dll' - '%%environ_windir%%\RASAPI32.dll' - '%%environ_windir%%\rasman.dll' - '%%environ_windir%%\rtutils.dll' - '%%environ_windir%%\sensapi.dll' separator: '\' supported_os: [Windows] artifacts-20211012/data/wmi.yaml000066400000000000000000000217771413144520200163270ustar00rootroot00000000000000# WMI specific artifacts. name: WMIAccountUsersDomain doc: | Fill out user AD domain information based on username. We expect this artifact to be collected with WindowsRegistryProfiles to supply the rest of the user information. This artifact optimizes retrieval of user information by limiting the WMI query to users for which we have a username for. 
Specifically, this solves the issue that, in a domain setting, querying for all users via WMI will give you the list of all local and domain accounts, which means a large data transfer from an Active Directory server. This artifact relies on having the users.username field populated in the knowledge base. Unfortunately, even limiting by username this query can be slow, and this artifact runs it for each user present on the system. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'} labels: [Users] provides: [users.userdomain] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- name: WMIAntivirusProduct doc: Enumerate the registered antivirus. sources: - type: WMI attributes: {query: SELECT * FROM AntivirusProduct, base_object: 'winmgmts:\root\SecurityCenter2'} supported_os: [Windows] --- name: WMIComputerSystemProduct doc: Computer System Product including Identifying number queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_ComputerSystemProduct} labels: [System] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx'] --- name: WMIDNSClientCache doc: DNS client cache via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from MSFT_DNSClientCache, base_object: 'winmgmts:\root\StandardCimv2'} conditions: [os_major_version >= 6 AND os_minor_version >= 2] labels: [Network] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache'] --- name: WMIDrivers doc: Installed drivers via Windows Management Instrumentation (WMI).
sources: - type: WMI attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status, State, ServiceType from Win32_SystemDriver'} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIEnumerateASEC doc: Enumerate instances of ActiveScriptEventConsumer. sources: - type: WMI attributes: {query: SELECT * FROM ActiveScriptEventConsumer, base_object: 'winmgmts:\root\subscription'} supported_os: [Windows] --- name: WMIEnumerateCLEC doc: Enumerate instances of CommandLineEventConsumer. sources: - type: WMI attributes: {query: SELECT * FROM CommandLineEventConsumer, base_object: 'winmgmts:\root\subscription'} supported_os: [Windows] --- name: WMIHotFixes doc: Installed hotfixes via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_QuickFixEngineering} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIInstalledSoftware doc: Installed software via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version from Win32_Product'} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMILastBootupTime doc: Last system boot time (UTC) retrieved from WMI. sources: - type: WMI attributes: {query: SELECT LastBootUpTime FROM Win32_OperatingSystem} labels: [System] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa394239(v=vs.85).aspx'] --- name: WMILogicalDisks doc: Disk information via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * FROM Win32_LogicalDisk} labels: [System] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/aa394173(v=vs.85).aspx'] --- name: WMILoggedOnSessions doc: Logon sessions queried from WMI.
sources: - type: WMI attributes: {query: SELECT * FROM Win32_LogonSession} supported_os: [Windows] --- name: WMILoggedOnUsers doc: Logged on users queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_LoggedonUser} supported_os: [Windows] --- name: WMILoginUsers doc: | Login Users via Windows Management Instrumentation (WMI). This WMI query may take a long time to complete when run on a domain and will create load on a domain controller. sources: - type: WMI attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMINetNeighbors doc: TCP/IP neighbors via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from MSFT_NetNeighbor, base_object: 'winmgmts:\root\StandardCimv2'} conditions: [os_major_version >= 6 AND os_minor_version >= 2] labels: [Network] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor'] --- name: WMINetTCPConnections doc: TCP connections via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'} conditions: [os_major_version >= 6 AND os_minor_version >= 2] labels: [Network] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection'] --- name: WMINetUDPEndpoints doc: UDP endpoints via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * from MSFT_NetUDPEndpoint, base_object: 'winmgmts:\root\StandardCimv2'} conditions: [os_major_version >= 6 AND os_minor_version >= 2] labels: [Network] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint'] --- name: WMIOperatingSystem doc: Operating system installed on the computer via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_OperatingSystem} conditions: [os_major_version >= 6] labels: [System] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem'] --- name: WMIPhysicalMemory doc: Physical memory information via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_PhysicalMemory} conditions: [os_major_version >= 6] labels: [System] supported_os: [Windows] urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"] --- name: WMIProcessList doc: Process listing via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_Process} conditions: [os_major_version >= 6] labels: [Software] supported_os: [Windows] --- name: WMIProfileUsersHomeDir doc: | Get user homedir from Win32_UserProfile based on a known user's SID. This artifact relies on having the SID field users.sid populated in the knowledge base. We expect it to be collected with WindowsRegistryProfiles to supply the rest of the user information. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} labels: [Users] provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- name: WMIScheduledTasks doc: Scheduled tasks that are registered on the computer via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * from MSFT_ScheduledTask, base_object: 'winmgmts:\root\Microsoft\Windows\TaskScheduler'} conditions: [os_major_version >= 6 AND os_minor_version >= 2] labels: [System] supported_os: [Windows] urls: ['https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/'] --- name: WMIServices doc: Services queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_Service} supported_os: [Windows] --- name: WMIStartupCommands doc: Commands that run automatically when a user logs onto the computer system via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_StartupCommand} conditions: [os_major_version >= 6] labels: [System] supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand'] --- name: WMIUsers doc: | Users via Windows Management Instrumentation (WMI). Note that in a domain setup, this will probably return all users in the domain which will be expensive and slow. Consider limiting by SID like WMIProfileUsersHomeDir. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount} labels: [Users] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- name: WMIVolumeShadowCopies doc: A List of Volume Shadow Copies from WMI. 
sources: - type: WMI attributes: {query: SELECT * FROM Win32_ShadowCopy} labels: [System] supported_os: [Windows] artifacts-20211012/dependencies.ini000066400000000000000000000002261413144520200170470ustar00rootroot00000000000000[yaml] dpkg_name: python-yaml l2tbinaries_name: PyYAML minimum_version: 3.10 pypi_name: PyYAML rpm_name: python2-pyyaml version_property: __version__ artifacts-20211012/docs/000077500000000000000000000000001413144520200146505ustar00rootroot00000000000000artifacts-20211012/docs/Artifacts definition format and style guide.asciidoc000066400000000000000000000001301413144520200265660ustar00rootroot00000000000000Moved to: https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html artifacts-20211012/docs/conf.py000066400000000000000000000120261413144520200161500ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Sphinx build configuration file.""" import os import sys from sphinx.ext import apidoc from docutils import nodes from docutils import transforms # Change PYTHONPATH to include artifacts module and dependencies. sys.path.insert(0, os.path.abspath('..')) import artifacts # pylint: disable=wrong-import-position import utils.dependencies # pylint: disable=wrong-import-position # -- General configuration ------------------------------------------------ # If your documentation needs a minimal Sphinx version, state it here. needs_sphinx = '2.0.1' # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ 'recommonmark', 'sphinx.ext.autodoc', 'sphinx.ext.coverage', 'sphinx.ext.doctest', 'sphinx.ext.napoleon', 'sphinx.ext.viewcode', 'sphinx_markdown_tables', 'sphinx_rtd_theme', ] # We cannot install architecture dependent Python modules on readthedocs, # therefore we mock most imports. 
pip_installed_modules = set(['six']) dependency_helper = utils.dependencies.DependencyHelper( dependencies_file=os.path.join('..', 'dependencies.ini'), test_dependencies_file=os.path.join('..', 'test_dependencies.ini')) modules_to_mock = set(dependency_helper.dependencies.keys()) modules_to_mock = modules_to_mock.difference(pip_installed_modules) autodoc_mock_imports = sorted(modules_to_mock) # Options for the Sphinx Napoleon extension, which reads Google-style # docstrings. napoleon_google_docstring = True napoleon_numpy_docstring = False napoleon_include_private_with_doc = False napoleon_include_special_with_doc = True # General information about the project. # pylint: disable=redefined-builtin project = 'Digital Forensics Artifacts Repository' copyright = 'The Digital Forensics Artifacts Repository Project Authors' version = artifacts.__version__ release = artifacts.__version__ # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. exclude_patterns = ['_build'] # The master toctree document. master_doc = 'index' # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' # -- Options for HTML output ---------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. html_theme = 'sphinx_rtd_theme' # Output file base name for HTML help builder. 
htmlhelp_basename = 'artifactsdoc' # -- Options linkcheck ---------------------------------------------------- linkcheck_ignore = [ ] # -- Code to rewrite links for readthedocs -------------------------------- # This function is a Sphinx core event callback, the format of which is detailed # here: https://www.sphinx-doc.org/en/master/extdev/appapi.html#events # pylint: disable=unused-argument def RunSphinxAPIDoc(app): """Runs sphinx-apidoc to auto-generate documentation. Args: app (sphinx.application.Sphinx): Sphinx application. Required by the the Sphinx event callback API. """ current_directory = os.path.abspath(os.path.dirname(__file__)) module_path = os.path.join(current_directory, '..', 'artifacts') api_directory = os.path.join(current_directory, 'sources', 'api') apidoc.main(['-o', api_directory, module_path, '--force']) class MarkdownLinkFixer(transforms.Transform): """Transform definition to parse .md references to internal pages.""" default_priority = 1000 _URI_PREFIXES = [] def _FixLinks(self, node): """Corrects links to .md files not part of the documentation. Args: node (docutils.nodes.Node): docutils node. Returns: docutils.nodes.Node: docutils node, with correct URIs outside of Markdown pages outside the documentation. """ if isinstance(node, nodes.reference) and 'refuri' in node: reference_uri = node['refuri'] for uri_prefix in self._URI_PREFIXES: if (reference_uri.startswith(uri_prefix) and not ( reference_uri.endswith('.asciidoc') or reference_uri.endswith('.md'))): node['refuri'] = reference_uri + '.md' break return node def _Traverse(self, node): """Traverses the document tree rooted at node. Args: node (docutils.nodes.Node): docutils node. """ self._FixLinks(node) for child_node in node.children: self._Traverse(child_node) # pylint: disable=arguments-differ def apply(self): """Applies this transform on document tree.""" self._Traverse(self.document) # pylint: invalid-name def setup(app): """Called at Sphinx initialization. 
Args: app (sphinx.application.Sphinx): Sphinx application. """ # Triggers sphinx-apidoc to generate API documentation. app.connect('builder-inited', RunSphinxAPIDoc) app.add_config_value( 'recommonmark_config', {'enable_auto_toc_tree': True}, True) app.add_transform(MarkdownLinkFixer) artifacts-20211012/docs/index.rst000066400000000000000000000012611413144520200165110ustar00rootroot00000000000000Welcome to the Forensics Artifacts documentation ================================================ Digital Forensics Artifacts Repository, is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools. The source code is available from the `project page `__. .. toctree:: :maxdepth: 2 sources/user/index sources/background/index Format specification API documentation Indices and tables ================== * :ref:`genindex` * :ref:`modindex` * :ref:`search` artifacts-20211012/docs/requirements.txt000066400000000000000000000001371413144520200201350ustar00rootroot00000000000000docutils recommonmark sphinx >= 2.0.1,< 4.1.0 sphinx-markdown-tables sphinx-rtd-theme >= 0.5.1 artifacts-20211012/docs/sources/000077500000000000000000000000001413144520200163335ustar00rootroot00000000000000artifacts-20211012/docs/sources/Format-specification.md000066400000000000000000000320511413144520200227240ustar00rootroot00000000000000# Artifact definition format and style guide The best way to show what an artifact definition is, is by example. The following example is the artifact definition for the Windows EVTX System Event Logs. ```yaml name: WindowsSystemEventLogEvtx doc: Windows System Event log for Vista or later systems. 
sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] ``` The artifact definition can have the following values: Value | Description --- | --- name | The name. A unique string that identifies the artifact definition. See section: [Name](#name). doc | The description (or documentation). A human readable string that describes the artifact definition. See section: [Description](#description). sources | A list of source definitions. See section: [Sources](#sources). conditions | Optional list of conditions that describe when the artifact definition should apply. See section: [Conditions](#conditions). labels | Optional list of predefined labels. See section: [Labels](#labels). provides | Optional list of *TODO* supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artifact in more depth for example on [Digital Forensics Artifact Knowledge Base](https://github.com/ForensicArtifacts/artifacts-kb). ## Name **Style note**: The name of an artifact definition should be in CamelCase, without spaces. As of July 2016 we are migrating to the following naming convention: * Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows" * If not platform specific: ** prefix with the application name, for example "ChromeHistory". ** prefix with the name of the subsystem, for example "WMIComputerSystemProduct". **Style note**: If, for example, the sole source of the artifact definition is files, use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity. 
## Description **Style note**: Typically one line description of the artifact, mentioning important caveats. If more than one line is necessary, use the multi-line YAML Literal Style as indicated by the `|` character. ```yaml doc: | The Windows run keys. Note users.sid will currently only expand to SIDs with profiles on the system, not all SIDs. ``` **Style note**: the short description (first line) and the longer portion are separated by an empty line. **Style note**: explicit newlines (\n) should not be used. ## Sources Every source definition starts with a `type` followed by arguments for example: ```yaml sources: - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm ``` ```yaml sources: - type: FILE attributes: paths: - /root/.bashrc - /root/.cshrc - /root/.ksh - /root/.logout - /root/.profile - /root/.tcsh - /root/.zlogin - /root/.zlogout - /root/.zprofile - /root/.zprofile ``` **Style note**: where sources take a single argument with a single value, the one-line {} form should be used to save on line breaks as below: ```yaml - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} ``` Value | Description --- | --- attributes | A dictionary of keyword attributes specific to the type of source definition. type | The source type. conditions | Optional list of conditions to when the artifact definition should apply. See section: [Conditions](#conditions). supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). ### Source types Currently the following different source types are defined: Value | Description --- | --- ARTIFACT_GROUP | A source that consists of a group of other artifacts. COMMAND | A source that consists of the output of a command. FILE | A source that consists of the contents of files. PATH | A source that consists of the contents of paths. 
REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries. The source types are defined in [definitions.py](https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py) as TYPE_INDICATOR constants. ### Artifact group source The artifact group source is a source that consists of a group of other artifacts e.g. ```yaml - type: ARTIFACT_GROUP attributes: names: [WindowsRunKeys, WindowsServices] ``` Where `attributes` can contain the following values: Value | Description --- | --- names | A list of artifact definition names that make up this "composite" artifact. This can also be used to group multiple artifact definitions into one for convenience. ### Command source The command source is a source that consists of the output of a command e.g. ```yaml - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm ``` Where `attributes` can contain the following values: Value | Description --- | --- args | A list of arguments to pass to the command. cmd | The path of the command. ### File source The file source is a source that consists of the contents of files e.g. ```yaml - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] ``` Where `attributes` can contain the following values: Value | Description --- | --- paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). separator | Optional path segment separator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'. ### Path source The path source is a source that consists of the contents of paths e.g. 
```yaml - type: PATH attributes: paths: ['\Program Files'] separator: '\' ``` Where `attributes` can contain the following values: Value | Description --- | --- paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). separator | Optional path segment separator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'. ### Windows Registry key source The Windows Registry key source is a source that consists of the contents of Windows Registry keys e.g. ```yaml sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' ``` Where `attributes` can contain the following values: Value | Description --- | --- keys | A list of Windows Registry key paths that can potentially be collected. The paths can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). ### Windows Registry value source The Windows Registry value source is a source that consists of the contents of Windows Registry values e.g. ```yaml - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} ``` Where `attributes` can contain the following values: Value | Description --- | --- key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. The key path can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). ### Windows Management Instrumentation (WMI) query source The Windows Management Instrumentation (WMI) query source is a source that consists of the output of Windows Management Instrumentation (WMI) queries e.g. 
```yaml - type: WMI attributes: query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' ``` Where `attributes` can contain the following values: Value | Description --- | --- base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). ## Conditions *TODO: work is in progress to move this out of GRR into something more portable.* Artifact conditions are currently implemented using the [objectfilter](https://github.com/google/objectfilter) system that allows you to apply complex conditions to the attributes of an object. Artifacts can apply conditions to any of the Knowledge Base object attributes as defined in the GRR [knowledge_base.proto](https://github.com/google/grr/blob/master/proto/knowledge_base.proto). **Style note**: single quotes should be used for strings when writing conditions. ```yaml conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles'] ``` ## Supported operating system Since operating system (OS) conditions are a very common constraint, this has been provided as a separate option "supported_os" to simplify syntax. For supported_os no quotes are required. The currently supported operating systems are: * Darwin (also used for Mac OS X) * Linux * Windows ```yaml supported_os: [Darwin, Linux, Windows] ``` This can be translated to objectfilter as: ```yaml ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"] ``` ## Labels Currently the following different labels are defined: Value | Description --- | --- Antivirus | Antivirus related artifacts, e.g. quarantine files. Authentication | Authentication artifacts. Browser | Web Browser artifacts. Cloud Storage | Cloud Storage artifacts. Configuration Files | Configuration files artifacts. Execution | Contain execution events. 
External Media | Contain external media data or events e.g. USB drives. KnowledgeBase | Artifacts used in knowledge base generation. Logs | Contain log files. Memory | Artifacts retrieved from memory. Network | Describe networking state. Processes | Describe running processes. Software | Installed software. System | Core system artifacts. Users | Information about users. The labels are defined in [definitions.py](https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py). ## Parameter expansion and globs **TODO: add text** ## Additional style notes ### Artifact definition YAML files Artifact definition YAML filenames should be of the form: ``` $FILENAME.yaml ``` Where $FILENAME is the name of the file e.g. windows.yaml. Each definition file should have a comment at the top of the file with a one-line summary describing the type of artifact definitions contained in the file e.g. ```yaml # Windows specific artifacts. ``` ### Lists Generally use the short `[]` format for single-item lists that fit inside 80 characters to save on unnecessary line breaks: ```yaml labels: [Logs] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] ``` and the bulleted list form for multi-item lists or long lines: ```yaml paths: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' ``` ### Quotes Quotes should not be used for doc strings, artifact names, and simple lists like labels and supported_os. Paths and URLs should use single quotes to avoid the need for manual escaping. 
```yaml paths: ['%%environ_temp%%\*.exe'] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] ``` Double quotes should be used where escaping causes problems, such as regular expressions: ```yaml content_regex_list: ["^%%users.username%%:[^:]*\n"] ``` ### Minimize the number of definitions by using multiple sources To minimize the number of artifacts in the list, combine them using the supported_os and conditions attributes where it makes sense. e.g. rather than having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: ```yaml name: FirefoxHistory doc: Firefox places.sqlite files. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite' supported_os: [Windows] - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite'] supported_os: [Darwin] - type: FILE attributes: paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite'] supported_os: [Linux] labels: [Browser] supported_os: [Windows, Linux, Darwin] ``` artifacts-20211012/docs/sources/api/000077500000000000000000000000001413144520200171045ustar00rootroot00000000000000artifacts-20211012/docs/sources/api/artifacts.rst000066400000000000000000000022301413144520200216130ustar00rootroot00000000000000artifacts package ================= Submodules ---------- artifacts.artifact module ------------------------- .. automodule:: artifacts.artifact :members: :undoc-members: :show-inheritance: artifacts.definitions module ---------------------------- .. automodule:: artifacts.definitions :members: :undoc-members: :show-inheritance: artifacts.errors module ----------------------- .. automodule:: artifacts.errors :members: :undoc-members: :show-inheritance: artifacts.reader module ----------------------- .. 
automodule:: artifacts.reader :members: :undoc-members: :show-inheritance: artifacts.registry module ------------------------- .. automodule:: artifacts.registry :members: :undoc-members: :show-inheritance: artifacts.source\_type module ----------------------------- .. automodule:: artifacts.source_type :members: :undoc-members: :show-inheritance: artifacts.writer module ----------------------- .. automodule:: artifacts.writer :members: :undoc-members: :show-inheritance: Module contents --------------- .. automodule:: artifacts :members: :undoc-members: :show-inheritance: artifacts-20211012/docs/sources/api/modules.rst000066400000000000000000000001001413144520200212750ustar00rootroot00000000000000artifacts ========= .. toctree:: :maxdepth: 4 artifacts artifacts-20211012/docs/sources/background/000077500000000000000000000000001413144520200204525ustar00rootroot00000000000000artifacts-20211012/docs/sources/background/Stats.md000066400000000000000000000020201413144520200220640ustar00rootroot00000000000000## Statistics The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html). 
Status of the repository as of 2021-10-12 Description | Number --- | --- Number of artifact definitions: | 577 Number of file paths: | 1222 Number of Windows Registry key paths: | 679 ### Artifact definition source types Identifier | Number --- | --- ARTIFACT_GROUP | 24 COMMAND | 9 DIRECTORY | 14 FILE | 319 PATH | 8 REGISTRY_KEY | 53 REGISTRY_VALUE | 124 WMI | 26 ### Operating systems Identifier | Number --- | --- Darwin | 42 Linux | 33 Windows | 31 ### Labels Identifier | Number --- | --- Antivirus | 7 Authentication | 19 Browser | 28 Cloud | 2 Cloud Storage | 4 Configuration Files | 47 Docker | 2 External Media | 2 ExternalAccount | 3 Hadoop | 1 History Files | 3 Logs | 49 Mail | 15 Network | 17 Software | 43 System | 113 Users | 73 iOS | 5 artifacts-20211012/docs/sources/background/Terminology.md000066400000000000000000000015511413144520200233060ustar00rootroot00000000000000# Terminology The term artifact (or artefact) is widely used within computer (or digital) forensics, though there is no official definition of this term. The definition closest to the meaning of the word within computer forensics is that of the word artifact within [archaeology](https://en.wikipedia.org/wiki/Artifact_(archaeology)). The term should not be confused with the word artifact used within [software development](https://en.wikipedia.org/wiki/Artifact_(software_development)). If archaeology defines an artifact as: ``` something made or given shape by man, such as a tool or a work of art, esp an object of archaeological interest ``` The definition of artifact within computer forensics could be: ``` An object of digital archaeological interest. ``` Where digital archaeology roughly refers to computer forensics without the forensic (legal) context. 
artifacts-20211012/docs/sources/background/index.rst000066400000000000000000000023741413144520200223170ustar00rootroot00000000000000########## Background ########## The first version of the artifact definitions originated from the `GRR project `__, where it is used to describe and quickly collect data of interest, for example specific files or Windows Registry keys. The goal of the format is to provide a tool independent way to describe the majority of forensic artifacts in a language that is readable by humans and machines. The format is designed to be simple and straightforward, so that a digital forensic analyst is able to quickly write artifact definitions during an investigation without having to rely on complex standards or tooling. The format is intended to describe forensically-relevant data on a machine, while being tool agnostic. In particular we intentionally avoided adding IOC-like logic, or describing how the data should be collected since this varies between tools. For some background on the artifacts system and how we expect it to be used see `this Blackhat presentation `__ and `YouTube video `__ from the GRR team. .. toctree:: :maxdepth: 2 Terminology Statistics artifacts-20211012/docs/sources/user/000077500000000000000000000000001413144520200173115ustar00rootroot00000000000000artifacts-20211012/docs/sources/user/Installation-instructions.md000066400000000000000000000032471413144520200250420ustar00rootroot00000000000000# Installation instructions ## pip **Note that using pip outside virtualenv is not recommended since it ignores your system's package manager. 
If you aren't comfortable debugging package installation issues, this is not the option for you.** Create and activate a virtualenv: ```bash virtualenv artifactsenv cd artifactsenv source ./bin/activate ``` Upgrade pip and install Forensics Artifacts dependencies: ```bash pip install --upgrade pip pip install artifacts ``` To deactivate the virtualenv run: ```bash deactivate ``` ## Ubuntu 18.04 and 20.04 LTS To install Forensics Artifacts from the [GIFT Personal Package Archive (PPA)](https://launchpad.net/~gift): ```bash sudo add-apt-repository ppa:gift/stable ``` Update and install Forensics Artifacts: ```bash sudo apt-get update sudo apt-get install python3-artifacts ``` ## Windows The [l2tbinaries](https://github.com/log2timeline/l2tbinaries) contains the necessary packages for running Forensics Artifacts. l2tbinaries provides the following branches: * main; branch intended for the "packaged release" of Forensics Artifacts and dependencies; * dev; branch intended for the "development release" of Forensics Artifacts; * testing; branch intended for testing newly created packages. The l2tdevtools project provides [an update script](https://github.com/log2timeline/l2tdevtools/wiki/Update-script) to ease the process of keeping the dependencies up to date. The script requires [pywin32](https://github.com/mhammond/pywin32/releases) and [Python WMI](https://pypi.org/project/WMI/). To install the release versions of the dependencies run: ``` set PYTHONPATH=. C:\Python38\python.exe tools\update.py --preset artifacts ``` artifacts-20211012/docs/sources/user/index.rst000066400000000000000000000004671413144520200211610ustar00rootroot00000000000000############### Getting started ############### To be able to use Forensics Artifacts you first need to install it. There are multiple ways to install Forensics Artifacts, check the following instructions for more detail. .. 
toctree:: :maxdepth: 2 Installation instructions artifacts-20211012/requirements.txt000066400000000000000000000000341413144520200172010ustar00rootroot00000000000000pip >= 7.0.0 PyYAML >= 3.10 artifacts-20211012/run_tests.py000077500000000000000000000012701413144520200163230ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Script to run the tests.""" from __future__ import print_function import sys import unittest # Change PYTHONPATH to include dependencies. sys.path.insert(0, '.') import utils.dependencies # pylint: disable=wrong-import-position if __name__ == '__main__': print('Using Python version {0!s}'.format(sys.version)) dependency_helper = utils.dependencies.DependencyHelper() if not dependency_helper.CheckTestDependencies(): sys.exit(1) test_suite = unittest.TestLoader().discover('tests', pattern='*.py') test_results = unittest.TextTestRunner(verbosity=2).run(test_suite) if not test_results.wasSuccessful(): sys.exit(1) artifacts-20211012/setup.cfg000066400000000000000000000004721413144520200155440ustar00rootroot00000000000000[metadata] license_file = LICENSE [bdist_rpm] release = 1 packager = Forensic artifacts doc_files = ACKNOWLEDGEMENTS AUTHORS LICENSE README build_requires = python3-setuptools requires = python3-pyyaml >= 3.10 [bdist_wheel] universal = 1 artifacts-20211012/setup.py000077500000000000000000000160421413144520200154400ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Installation and deployment script.""" import glob import os import pkg_resources import sys try: from setuptools import find_packages, setup except ImportError: from distutils.core import find_packages, setup try: from distutils.command.bdist_msi import bdist_msi except ImportError: bdist_msi = None try: from distutils.command.bdist_rpm import bdist_rpm except ImportError: bdist_rpm = None version_tuple = (sys.version_info[0], sys.version_info[1]) if version_tuple < (3, 6): print(( 'Unsupported Python version: {0:s}, 
version 3.6 or higher ' 'required.').format(sys.version)) sys.exit(1) # Change PYTHONPATH to include artifacts so that we can get the version. sys.path.insert(0, '.') import artifacts # pylint: disable=wrong-import-position if not bdist_msi: BdistMSICommand = None else: class BdistMSICommand(bdist_msi): """Custom handler for the bdist_msi command.""" # pylint: disable=invalid-name def run(self): """Builds an MSI.""" # Command bdist_msi does not support the library version, neither a date # as a version but if we suffix it with .1 everything is fine. self.distribution.metadata.version += '.1' bdist_msi.run(self) if not bdist_rpm: BdistRPMCommand = None else: class BdistRPMCommand(bdist_rpm): """Custom handler for the bdist_rpm command.""" # pylint: disable=invalid-name def _make_spec_file(self): """Generates the text of an RPM spec file. Returns: list[str]: lines of the RPM spec file. """ # Note that bdist_rpm can be an old style class. if issubclass(BdistRPMCommand, object): spec_file = super(BdistRPMCommand, self)._make_spec_file() else: spec_file = bdist_rpm._make_spec_file(self) python_package = 'python3' description = [] requires = '' summary = '' in_description = False python_spec_file = [] for line in iter(spec_file): if line.startswith('Summary: '): summary = line[9:] elif line.startswith('BuildRequires: '): line = 'BuildRequires: {0:s}-setuptools, {0:s}-devel'.format( python_package) elif line.startswith('Requires: '): requires = line[10:] continue elif line.startswith('%description'): in_description = True elif line.startswith('python setup.py build'): if python_package == 'python3': line = '%py3_build' else: line = '%py2_build' elif line.startswith('python setup.py install'): if python_package == 'python3': line = '%py3_install' else: line = '%py2_install' elif line.startswith('%files'): lines = [ '%files -n %{name}-data', '%defattr(644,root,root,755)', '%license LICENSE', '%doc ACKNOWLEDGEMENTS AUTHORS README', '%{_datadir}/%{name}/*', '', '%files -n 
{0:s}-%{{name}}'.format(python_package), '%defattr(644,root,root,755)', '%license LICENSE', '%doc ACKNOWLEDGEMENTS AUTHORS README'] lines.extend([ '%{python3_sitelib}/artifacts/*.py', '%{python3_sitelib}/artifacts*.egg-info/*', '', '%exclude %{_prefix}/share/doc/*', '%exclude %{python3_sitelib}/artifacts/__pycache__/*']) python_spec_file.extend(lines) break elif line.startswith('%prep'): in_description = False python_spec_file.extend([ '%package -n %{name}-data', 'Summary: Data files for {0:s}'.format(summary), '', '%description -n %{name}-data']) python_spec_file.extend(description) python_spec_file.append( '%package -n {0:s}-%{{name}}'.format(python_package)) python_summary = 'Python 3 module of {0:s}'.format(summary) python_spec_file.extend([ 'Requires: artifacts-data >= %{{version}} {0:s}'.format( requires), 'Summary: {0:s}'.format(python_summary), '', '%description -n {0:s}-%{{name}}'.format(python_package)]) python_spec_file.extend(description) python_spec_file.extend([ '%package -n %{name}-tools', 'Requires: {0:s}-artifacts >= %{{version}}'.format( python_package), 'Summary: Tools for {0:s}'.format(summary), '', '%description -n %{name}-tools']) python_spec_file.extend(description) elif in_description: # Ignore leading white lines in the description. if not description and not line: continue description.append(line) python_spec_file.append(line) python_spec_file.extend([ '', '%files -n %{name}-tools', '%{_bindir}/*.py']) return python_spec_file def parse_requirements_from_file(path): """Parses requirements from a requirements file. Args: path (str): path to the requirements file. Yields: str: name and optional version information of the required package. 
""" with open(path, 'r') as file_object: file_contents = file_object.read() for requirement in pkg_resources.parse_requirements(file_contents): try: name = str(requirement.req) except AttributeError: name = str(requirement) if name.startswith('pip '): continue yield name artifacts_description = ( 'ForensicArtifacts.com Artifact Repository.') artifacts_long_description = ( 'A free, community-sourced, machine-readable knowledge base of forensic ' 'artifacts that the world can use both as an information source and within' ' other tools.') setup( name='artifacts', version=artifacts.__version__, description=artifacts_description, long_description=artifacts_long_description, license='Apache License, Version 2.0', url='https://github.com/ForensicArtifacts/artifacts', maintainer='Forensic artifacts', maintainer_email='forensicartifacts@googlegroups.com', cmdclass={ 'bdist_msi': BdistMSICommand, 'bdist_rpm': BdistRPMCommand}, classifiers=[ 'Development Status :: 3 - Alpha', 'Environment :: Console', 'Operating System :: OS Independent', 'Programming Language :: Python', ], packages=find_packages('.', exclude=[ 'docs', 'tests', 'tests.*', 'tools', 'utils']), package_dir={ 'artifacts': 'artifacts' }, scripts=glob.glob(os.path.join('tools', '[a-z]*.py')), data_files=[ ('share/artifacts', glob.glob( os.path.join('data', '*'))), ('share/doc/artifacts', [ 'ACKNOWLEDGEMENTS', 'AUTHORS', 'LICENSE', 'README']), ], install_requires=parse_requirements_from_file('requirements.txt'), tests_require=parse_requirements_from_file('test_requirements.txt'), ) artifacts-20211012/test_data/000077500000000000000000000000001413144520200156705ustar00rootroot00000000000000artifacts-20211012/test_data/definitions.json000066400000000000000000000050111413144520200210730ustar00rootroot00000000000000[{"conditions": ["os_major_version >= 6"], "name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], 
"supported_os": ["Windows"], "labels": ["Logs"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "labels": ["Users"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"labels": ["Logs"], "name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"labels": ["Software"], "name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"labels": ["System"], "name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}]artifacts-20211012/test_data/definitions.yaml000066400000000000000000000045511413144520200210740ustar00rootroot00000000000000# Test artifact definitions. name: SecurityEventLogEvtx doc: Windows Security Event log for Vista or later systems. sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx']} conditions: [os_major_version >= 6] labels: [Logs] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: AllUsersProfileEnvironmentVariable doc: The %AllUsersProfile% environment variable. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- name: CurrentControlSet doc: The control set the system is currently using. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'} provides: [current_control_set] supported_os: [Windows] urls: ['https://code.google.com/p/winreg-kb/wiki/SystemKeys'] --- name: WMIProfileUsersHomeDir doc: | Get user homedir from Win32_UserProfile based on a known user's SID. This artifact relies on having the SID field users.sid populated in the knowledge base. We expect it to be collected with WindowsRegistryProfiles to supply the rest of the user information. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} labels: [Users] provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- name: EventLogs doc: Windows Event logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'ApplicationEventLog' - 'ApplicationEventLogEvtx' - 'SecurityEventLog' - 'SecurityEventLogEvtx' - 'SystemEventLog' - 'SystemEventLogEvtx' labels: [Logs] supported_os: [Windows] --- name: RedhatPackagesList doc: Linux output of rpm -qa. sources: - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm labels: [Software] supported_os: [Linux] --- name: OSXLoadedKexts doc: Mac OS X Loaded Kernel Extensions. 
sources: - type: COMMAND attributes: args: [] cmd: /usr/sbin/kextstat labels: [System] supported_os: [Darwin] artifacts-20211012/test_dependencies.ini000066400000000000000000000004341413144520200201070ustar00rootroot00000000000000[mock] dpkg_name: python-mock minimum_version: 2.0.0 rpm_name: python2-mock version_property: __version__ [pbr] dpkg_name: python-pbr minimum_version: 4.2.0 rpm_name: python2-pbr [six] dpkg_name: python-six minimum_version: 1.1.0 rpm_name: python2-six version_property: __version__ artifacts-20211012/test_requirements.txt000066400000000000000000000000501413144520200202360ustar00rootroot00000000000000mock >= 2.0.0 pbr >= 4.2.0 six >= 1.1.0 artifacts-20211012/tests/000077500000000000000000000000001413144520200150625ustar00rootroot00000000000000artifacts-20211012/tests/__init__.py000066400000000000000000000000301413144520200171640ustar00rootroot00000000000000# -*- coding: utf-8 -*- artifacts-20211012/tests/reader_test.py000066400000000000000000000310601413144520200177350ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions readers.""" from __future__ import unicode_literals import io import unittest import yaml from artifacts import definitions from artifacts import errors from artifacts import reader from tests import test_lib class YamlArtifactsReaderTest(test_lib.BaseTestCase): """YAML artifacts reader tests.""" _DEFINITION_INVALID_LABELS = """\ name: BadLabel doc: badlabel. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' labels: Logs supported_os: [Windows] """ _DEFINITION_INVALID_SUPPORTED_OS_1 = """\ name: BadSupportedOS doc: supported_os should be an array of strings. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' labels: [Logs] supported_os: Windows """ _DEFINITION_INVALID_SUPPORTED_OS_2 = """\ name: BadTopSupportedOS doc: Top supported_os should match supported_os from sources. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' supported_os: [Windows] labels: [Logs] """ _DEFINITION_INVALID_URLS = """\ name: BadUrls doc: badurls. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' supported_os: [Windows] urls: 'http://example.com' """ _DEFINITION_WITH_EXTRA_KEY = """\ name: WithExtraKey doc: definition with extra_key sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' extra_key: 'wrong' labels: [Logs] supported_os: [Windows] """ _DEFINITION_WITH_RETURN_TYPES = """\ name: WithReturnTypes doc: definition with return_types sources: - type: ARTIFACT_GROUP attributes: names: [WindowsRunKeys, WindowsServices] returned_types: [PersistenceFile] """ _DEFINITION_WITHOUT_DOC = """\ name: NoDoc sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' """ _DEFINITION_WITHOUT_NAME = """\ name: NoNames doc: Missing names attr. sources: - type: ARTIFACT_GROUP attributes: - 'SystemEventLogEvtx' """ _DEFINITION_WITHOUT_SOURCES = """\ name: BadSources doc: must have one sources. labels: [Logs] supported_os: [Windows] """ def testReadFileObject(self): """Tests the ReadFileObject function.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.YamlArtifactsReader() with open(test_file, 'rb') as file_object: artifact_definitions = list(artifact_reader.ReadFileObject(file_object)) self.assertEqual(len(artifact_definitions), 7) # Artifact with file source type. 
artifact_definition = artifact_definitions[0] self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtx') expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(artifact_definition.description, expected_description) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_FILE) expected_paths = [ '%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx' ] self.assertEqual(sorted(source_type.paths), sorted(expected_paths)) self.assertEqual(len(artifact_definition.conditions), 1) expected_condition = 'os_major_version >= 6' self.assertEqual(artifact_definition.conditions[0], expected_condition) self.assertEqual(len(artifact_definition.labels), 1) self.assertEqual(artifact_definition.labels[0], 'Logs') self.assertEqual(len(artifact_definition.supported_os), 1) self.assertEqual(artifact_definition.supported_os[0], 'Windows') self.assertEqual(len(artifact_definition.urls), 1) expected_url = ( 'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)') self.assertEqual(artifact_definition.urls[0], expected_url) # Artifact with Windows Registry key source type. 
artifact_definition = artifact_definitions[1] self.assertEqual( artifact_definition.name, 'AllUsersProfileEnvironmentVariable') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY) expected_key1 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\ProfilesDirectory') expected_key2 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\AllUsersProfile') expected_keys = [expected_key1, expected_key2] self.assertEqual(sorted(source_type.keys), sorted(expected_keys)) # Artifact with Windows Registry value source type. artifact_definition = artifact_definitions[2] self.assertEqual(artifact_definition.name, 'CurrentControlSet') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE) self.assertEqual(len(source_type.key_value_pairs), 1) key_value_pair = source_type.key_value_pairs[0] expected_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Select' self.assertEqual(key_value_pair['key'], expected_key) self.assertEqual(key_value_pair['value'], 'Current') # Artifact with WMI query source type. 
artifact_definition = artifact_definitions[3] self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir') expected_provides = sorted(['users.homedir']) self.assertEqual(sorted(artifact_definition.provides), expected_provides) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WMI_QUERY) expected_query = ( 'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'') self.assertEqual(source_type.query, expected_query) # Artifact with artifact definition source type. artifact_definition = artifact_definitions[4] self.assertEqual(artifact_definition.name, 'EventLogs') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT_GROUP) # Artifact with command definition source type. artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_COMMAND) # Artifact with COMMAND definition collector definition. 
artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) collector_definition = artifact_definition.sources[0] self.assertIsNotNone(collector_definition) self.assertEqual( collector_definition.type_indicator, definitions.TYPE_INDICATOR_COMMAND) def testReadFileObjectInvalidLabels(self): """Tests the ReadFileObject function on an invalid labels.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_INVALID_LABELS) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectInvalidSupportedOS(self): """Tests the ReadFileObject function on an invalid supported_os.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=self._DEFINITION_INVALID_SUPPORTED_OS_1) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) file_object = io.StringIO( initial_value=self._DEFINITION_INVALID_SUPPORTED_OS_2) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectInvalidURLs(self): """Tests the ReadFileObject function on an invalid urls.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_INVALID_URLS) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithExtraKey(self): """Tests the ReadFileObject function on a definition with extra key.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITH_EXTRA_KEY) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithReturnTypes(self): """Tests the ReadFileObject function on a definition with return types.""" artifact_reader = 
reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITH_RETURN_TYPES) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithoutDoc(self): """Tests the ReadFileObject function on a definition without doc.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_DOC) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithoutName(self): """Tests the ReadFileObject function on a definition without name.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_NAME) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithoutSources(self): """Tests the ReadFileObject function on a definition without sources.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_SOURCES) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadYamlFile(self): """Tests the ReadFile function.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.YamlArtifactsReader() artifact_definitions = list(artifact_reader.ReadFile(test_file)) self.assertEqual(len(artifact_definitions), 7) def testReadDirectory(self): """Tests the ReadDirectory function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['.']) artifact_definitions = list(artifact_reader.ReadDirectory(test_file)) self.assertEqual(len(artifact_definitions), 7) def testArtifactAsDict(self): """Tests the AsDict function.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.YamlArtifactsReader() with 
open(test_file, 'r') as file_object: for artifact_definition in yaml.safe_load_all(file_object): artifact_object = artifact_reader.ReadArtifactDefinitionValues( artifact_definition) self.assertEqual(artifact_definition, artifact_object.AsDict()) def testDefinitionsAsDict(self): """Tests the AsDict function.""" artifact_reader = reader.YamlArtifactsReader() artifact_definitions = list(artifact_reader.ReadDirectory('data')) last_artifact_definition = None for artifact in artifact_definitions: try: artifact_definition = artifact.AsDict() except errors.FormatError: error_location = 'At start' if last_artifact_definition: error_location = 'After: {0}'.format(last_artifact_definition.name) self.fail('{0} failed to convert to dict'.format(error_location)) last_artifact_definition = artifact_definition class JsonArtifactsReaderTest(test_lib.BaseTestCase): """JSON artifacts reader tests.""" def testReadJsonFile(self): """Tests the ReadFile function.""" test_file = self._GetTestFilePath(['definitions.json']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.JsonArtifactsReader() artifact_definitions = list(artifact_reader.ReadFile(test_file)) self.assertEqual(len(artifact_definitions), 7) if __name__ == '__main__': unittest.main() artifacts-20211012/tests/registry_test.py000066400000000000000000000115071413144520200203470ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions registry.""" from __future__ import unicode_literals import io import unittest from artifacts import errors from artifacts import reader from artifacts import registry from artifacts import source_type from tests import test_lib class TestSourceType(source_type.SourceType): """Class that implements a test source type.""" TYPE_INDICATOR = 'test' def __init__(self, test=None): """Initializes the source type object. Args: test (Optional[str]): test string. Raises: FormatError: when test is not set. 
""" if not test: raise errors.FormatError('Missing test value.') super(TestSourceType, self).__init__() self.test = test def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'test': self.test} class ArtifactDefinitionsRegistryTest(test_lib.BaseTestCase): """Tests for the artifact definitions registry.""" # pylint: disable=protected-access def testArtifactDefinitionsRegistry(self): """Tests the ArtifactDefinitionsRegistry functions.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_registry = registry.ArtifactDefinitionsRegistry() artifact_reader = reader.YamlArtifactsReader() for artifact_definition in artifact_reader.ReadFile(test_file): artifact_registry.RegisterDefinition(artifact_definition) # Make sure the test file got turned into artifacts. self.assertEqual(len(artifact_registry.GetDefinitions()), 7) artifact_definition = artifact_registry.GetDefinitionByName('EventLogs') self.assertIsNotNone(artifact_definition) # Try to register something already registered with self.assertRaises(KeyError): artifact_registry.RegisterDefinition(artifact_definition) # Deregister artifact_registry.DeregisterDefinition(artifact_definition) # Check it is gone with self.assertRaises(KeyError): artifact_registry.DeregisterDefinition(artifact_definition) self.assertEqual(len(artifact_registry.GetDefinitions()), 6) test_artifact_definition = artifact_registry.GetDefinitionByName( 'SecurityEventLogEvtx') self.assertIsNotNone(test_artifact_definition) self.assertEqual(test_artifact_definition.name, 'SecurityEventLogEvtx') expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(test_artifact_definition.description, expected_description) bad_args = io.BytesIO( b'name: SecurityEventLogEvtx\n' b'doc: Windows Security Event log for Vista or later systems.\n' b'sources:\n' b'- type: FILE\n' b' attributes: {broken: 
[\'%%environ_systemroot%%\\System32\\' b'winevt\\Logs\\Security.evtx\']}\n' b'conditions: [os_major_version >= 6]\n' b'labels: [Logs]\n' b'supported_os: [Windows]\n' b'urls: [\'http://www.forensicswiki.org/wiki/\n' b'Windows_XML_Event_Log_(EVTX)\']\n') generator = artifact_reader.ReadFileObject(bad_args) with self.assertRaises(errors.FormatError): next(generator) def testSourceTypeFunctions(self): """Tests the source type functions.""" number_of_source_types = len( registry.ArtifactDefinitionsRegistry._source_type_classes) registry.ArtifactDefinitionsRegistry.RegisterSourceType(TestSourceType) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types + 1) with self.assertRaises(KeyError): registry.ArtifactDefinitionsRegistry.RegisterSourceType(TestSourceType) registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types) registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType]) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types + 1) with self.assertRaises(KeyError): registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType]) source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( 'test', {'test': 'test123'}) self.assertIsNotNone(source_object) self.assertEqual(source_object.test, 'test123') with self.assertRaises(errors.FormatError): source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( 'test', {}) with self.assertRaises(errors.FormatError): source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( 'bogus', {}) registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType) if __name__ == '__main__': unittest.main() artifacts-20211012/tests/source_type_test.py000066400000000000000000000124361413144520200210420ustar00rootroot00000000000000# -*- coding: utf-8 -*- 
"""Tests for the source type objects.""" from __future__ import unicode_literals import unittest from artifacts import errors from artifacts import source_type from tests import test_lib class TestSourceType(source_type.SourceType): """Class that implements a test source type.""" TYPE_INDICATOR = 'test' def __init__(self, test=None): """Initializes the source type object. Args: test (Optional[str]): test string. Raises: FormatError: when test is not set. """ if not test: raise errors.FormatError('Missing test value.') super(TestSourceType, self).__init__() self.test = test def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'test': self.test} class SourceTypeTest(test_lib.BaseTestCase): """Class to test the artifact source type.""" class ArtifactGroupSourceTypeTest(test_lib.BaseTestCase): """Class to test the artifact group source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.ArtifactGroupSourceType(names=['test']) class FileSourceTypeTest(test_lib.BaseTestCase): """Class to test the files source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.FileSourceType(paths=['test']) source_type.FileSourceType(paths=['test'], separator='\\') with self.assertRaises(errors.FormatError): source_type.FileSourceType() with self.assertRaises(errors.FormatError): source_type.FileSourceType(paths='test') class PathSourceTypeTest(test_lib.BaseTestCase): """Class to test the paths source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.PathSourceType(paths=['test']) source_type.PathSourceType(paths=['test'], separator='\\') with self.assertRaises(errors.FormatError): source_type.PathSourceType() with self.assertRaises(errors.FormatError): source_type.PathSourceType(paths='test') class WindowsRegistryKeySourceTypeTest(test_lib.BaseTestCase): """Class to test the Windows Registry keys source type.""" def 
testInitialize(self): """Tests the __init__ function.""" source_type.WindowsRegistryKeySourceType(keys=['HKEY_LOCAL_MACHINE\\test']) with self.assertRaises(errors.FormatError): source_type.WindowsRegistryKeySourceType(keys='HKEY_LOCAL_MACHINE\\test') class WindowsRegistryValueSourceTypeTest(test_lib.BaseTestCase): """Class to test the Windows Registry value source type.""" def testInitialize(self): """Tests the __init__ function.""" key_value_pair = {'key': 'HKEY_LOCAL_MACHINE\\test', 'value': 'test'} source_type.WindowsRegistryValueSourceType(key_value_pairs=[key_value_pair]) key_value_pair = {'bad': 'test', 'value': 'test'} with self.assertRaises(errors.FormatError): source_type.WindowsRegistryValueSourceType( key_value_pairs=[key_value_pair]) with self.assertRaises(errors.FormatError): source_type.WindowsRegistryValueSourceType(key_value_pairs=key_value_pair) class WMIQuerySourceTypeTest(test_lib.BaseTestCase): """Class to test the WMI query source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.WMIQuerySourceType(query='test') class SourceTypeFactoryTest(test_lib.BaseTestCase): """Class to test the source type factory.""" def testCreateSourceType(self): """Tests the source type creation.""" source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType]) with self.assertRaises(KeyError): source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType]) source_object = source_type.SourceTypeFactory.CreateSourceType( 'test', {'test': 'test123'}) self.assertIsNotNone(source_object) self.assertEqual(source_object.test, 'test123') with self.assertRaises(errors.FormatError): source_object = source_type.SourceTypeFactory.CreateSourceType( 'test', {}) with self.assertRaises(errors.FormatError): source_object = source_type.SourceTypeFactory.CreateSourceType( 'bogus', {}) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) def testRegisterSourceType(self): """Tests the source type registration functions.""" 
expected_number_of_source_types = len( source_type.SourceTypeFactory.GetSourceTypes()) source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) number_of_source_types = len(source_type.SourceTypeFactory.GetSourceTypes()) self.assertEqual( number_of_source_types, expected_number_of_source_types + 1) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) number_of_source_types = len(source_type.SourceTypeFactory.GetSourceTypes()) self.assertEqual(number_of_source_types, expected_number_of_source_types) def testRegisterSourceTypeRaisesWhenAlreadyRegistered(self): """Tests the source type registration functions when already registered.""" source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) with self.assertRaises(KeyError): source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) if __name__ == '__main__': unittest.main() artifacts-20211012/tests/test_lib.py000066400000000000000000000033521413144520200172440ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Shared functions and classes for testing.""" from __future__ import unicode_literals import os import shutil import tempfile import unittest class BaseTestCase(unittest.TestCase): """The base test case.""" _DATA_PATH = os.path.join(os.getcwd(), 'data') _TEST_DATA_PATH = os.path.join(os.getcwd(), 'test_data') # Show full diff results, part of TestCase so does not follow our naming # conventions. maxDiff = None def _GetTestFilePath(self, path_segments): """Retrieves the path of a test file in the test data directory. Args: path_segments (list[str]): path segments inside the test data directory. Returns: str: path of the test file. """ # Note that we need to pass the individual path segments to os.path.join # and not a list. return os.path.join(self._TEST_DATA_PATH, *path_segments) def _SkipIfPathNotExists(self, path): """Skips the test if the path does not exist. Args: path (str): path of a test file. 
Raises: SkipTest: if the path path does not exist and the test should be skipped. """ if not os.path.exists(path): filename = os.path.basename(path) raise unittest.SkipTest('missing test file: {0:s}'.format(filename)) class TempDirectory(object): """Class that implements a temporary directory.""" def __init__(self): """Initializes a temporary directory.""" super(TempDirectory, self).__init__() self.name = '' def __enter__(self): """Make this work with the 'with' statement.""" self.name = tempfile.mkdtemp() return self.name def __exit__(self, unused_type, unused_value, unused_traceback): """Make this work with the 'with' statement.""" shutil.rmtree(self.name, True) artifacts-20211012/tests/validator_test.py000066400000000000000000000022451413144520200204630ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Tests for the artifact definitions validator.""" from __future__ import unicode_literals import glob import os import unittest from artifacts import errors from tools import validator from tests import test_lib class ArtifactDefinitionsValidatorTest(test_lib.BaseTestCase): """Class to test the validator.""" def testArtifactDefinitionsValidator(self): """Runs the validator over all the YAML artifact definitions files.""" validator_object = validator.ArtifactDefinitionsValidator() for definitions_file in glob.glob(os.path.join('data', '*.yaml')): result = validator_object.CheckFile(definitions_file) self.assertTrue( result, msg='in definitions file: {0}'.format(definitions_file)) undefined_artifacts = validator_object.GetUndefinedArtifacts() if undefined_artifacts: raise errors.MissingDependencyError( 'Artifacts group referencing undefined artifacts: {0}'.format( undefined_artifacts)) # TODO: add tests that deliberately provide invalid definitions to see # if the validator works correctly. 
if __name__ == '__main__': unittest.main() artifacts-20211012/tests/writer_test.py000066400000000000000000000035261413144520200200150ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions readers.""" from __future__ import unicode_literals import os import unittest from artifacts import reader from artifacts import writer from tests import test_lib class ArtifactsWriterTest(test_lib.BaseTestCase): """Class to test the artifacts writer.""" def _TestArtifactsConversion( self, artifact_reader, artifact_writer, filename): """Tests artifacts conversion. Args: artifact_reader (ArtifactsReader): artifact reader. artifact_writer (ArtifactsWriter): artifact writer. filename (str): name of the file to convert. """ test_file = self._GetTestFilePath([filename]) self._SkipIfPathNotExists(test_file) artifact_definitions = list(artifact_reader.ReadFile(test_file)) with test_lib.TempDirectory() as temporary_directory: output_file = os.path.join(temporary_directory, filename) artifact_writer.WriteArtifactsFile(artifact_definitions, output_file) converted_artifact_definitions = list( artifact_reader.ReadFile(output_file)) self.assertListEqual( [artifact.AsDict() for artifact in artifact_definitions], [artifact.AsDict() for artifact in converted_artifact_definitions]) def testJsonWriter(self): """Tests conversion with the JsonArtifactsWriter.""" artifact_reader = reader.JsonArtifactsReader() artifact_writer = writer.JsonArtifactsWriter() self._TestArtifactsConversion( artifact_reader, artifact_writer, 'definitions.json') def testYamlWriter(self): """Tests conversion with the YamlArtifactsWriter.""" artifact_reader = reader.YamlArtifactsReader() artifact_writer = writer.YamlArtifactsWriter() self._TestArtifactsConversion( artifact_reader, artifact_writer, 'definitions.yaml') if __name__ == '__main__': unittest.main() 
artifacts-20211012/tools/000077500000000000000000000000001413144520200150605ustar00rootroot00000000000000artifacts-20211012/tools/__init__.py000066400000000000000000000000561413144520200171720ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- artifacts-20211012/tools/stats.py000077500000000000000000000101351413144520200165730ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Report statistics about the artifact collection.""" from __future__ import print_function from __future__ import unicode_literals import sys import time from artifacts import definitions from artifacts import reader class ArtifactStatistics(object): """Generate and print statistics about artifact definitions.""" def __init__(self): """Initializes artifact statistics.""" super(ArtifactStatistics, self).__init__() self._label_counts = {} self._os_counts = {} self._path_count = 0 self._reg_key_count = 0 self._source_type_counts = {} self._total_count = 0 def _PrintDictAsTable(self, title, src_dict): """Prints a table of artifact definitions. Args: title (str): title of the table. src_dict (dict[str, ArtifactDefinition]): artifact definitions by name. 
""" print('### {0:s}'.format(title)) print('') print('Identifier | Number') print('--- | ---') for key, value in sorted(src_dict.items()): print('{0:s} | {1!s}'.format(key, value)) print('') def PrintOSTable(self): """Prints a table of artifact definitions by operating system.""" self._PrintDictAsTable('Operating systems', self._os_counts) def PrintLabelTable(self): """Prints a table of artifact definitions by label.""" self._PrintDictAsTable('Labels', self._label_counts) def PrintSourceTypeTable(self): """Prints a table of artifact definitions by source type.""" self._PrintDictAsTable( 'Artifact definition source types', self._source_type_counts) def PrintSummaryTable(self): """Prints a summary table.""" date_time_string = time.strftime('%Y-%m-%d') print("""Status of the repository as of {0:s} Description | Number --- | --- Number of artifact definitions: | {1:d} Number of file paths: | {2:d} Number of Windows Registry key paths: | {3:d} """.format( date_time_string, self._total_count, self._path_count, self._reg_key_count)) def BuildStats(self): """Builds the statistics.""" artifact_reader = reader.YamlArtifactsReader() self._label_counts = {} self._os_counts = {} self._path_count = 0 self._reg_key_count = 0 self._source_type_counts = {} self._total_count = 0 for artifact_definition in artifact_reader.ReadDirectory('data'): if hasattr(artifact_definition, 'labels'): for label in artifact_definition.labels: self._label_counts[label] = self._label_counts.get(label, 0) + 1 for source in artifact_definition.sources: self._total_count += 1 source_type = source.type_indicator self._source_type_counts[source_type] = self._source_type_counts.get( source_type, 0) + 1 if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: self._reg_key_count += len(source.keys) elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: self._reg_key_count += len(source.key_value_pairs) elif source_type in (definitions.TYPE_INDICATOR_FILE, 
definitions.TYPE_INDICATOR_DIRECTORY): self._path_count += len(source.paths) os_list = source.supported_os for os_str in os_list: self._os_counts[os_str] = self._os_counts.get(os_str, 0) + 1 def PrintStats(self): """Build stats and print in MarkDown format.""" print("""## Statistics The artifact definitions can be found in the [data directory]({0:s}) and the format is described in detail in the [Style Guide]({1:s}). """.format('https://github.com/ForensicArtifacts/artifacts/tree/main/data', ('https://artifacts.readthedocs.io/en/latest/sources/' 'Format-specification.html'))) self.BuildStats() self.PrintSummaryTable() self.PrintSourceTypeTable() self.PrintOSTable() self.PrintLabelTable() def Main(): """The main program function. Returns: bool: True if successful or False if not. """ statsbuilder = ArtifactStatistics() statsbuilder.PrintStats() return True if __name__ == '__main__': if not Main(): sys.exit(1) else: sys.exit(0) artifacts-20211012/tools/validator.py000077500000000000000000000514251413144520200174310ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Tool to validate artifact definitions.""" from __future__ import print_function from __future__ import unicode_literals import argparse import glob import logging import os import sys from artifacts import definitions from artifacts import errors from artifacts import reader from artifacts import registry class ArtifactDefinitionsValidator(object): """Artifact definitions validator.""" LEGACY_PATH = os.path.join('data', 'legacy.yaml') _MACOS_PRIVATE_SUB_PATHS = ('etc', 'tftpboot', 'tmp', 'var') _SUPPORTED_POSIX_USERS_VARIABLES = [ '%%users.homedir%%'] _SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES = [ '%%environ_allusersappdata%%', '%%environ_allusersprofile%%', '%%environ_programfiles%%', '%%environ_programfilesx86%%', '%%environ_systemdrive%%', '%%environ_systemroot%%', '%%environ_windir%%'] _SUPPORTED_WINDOWS_USERS_VARIABLES = [ '%%users.appdata%%', '%%users.localappdata%%', 
'%%users.sid%%', '%%users.temp%%', '%%users.username%%', '%%users.userprofile%%'] def __init__(self): """Initializes an artifact definitions validator.""" super(ArtifactDefinitionsValidator, self).__init__() self._artifact_registry = registry.ArtifactDefinitionsRegistry() self._artifact_registry_key_paths = set() def _CheckGlobstarInPathSegment( self, filename, artifact_definition, path, path_segment): """Checks if a globstar in a path segment is valid. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. path (str): path of which the path segment originated. path_segment (str): path segment to validate. Returns: bool: True if the globstar is valid. """ if not path_segment.startswith('**'): logging.warning(( 'Unuspported globstar with prefix: {0:s} for path: {1:s} defined by ' 'artifact definition: {2:s} in file: {3:s}').format( path_segment, path, artifact_definition.name, filename)) return False if len(path_segment) > 2: try: recursion_depth = int(path_segment[2:], 10) except (TypeError, ValueError): logging.warning(( 'Unuspported globstar with suffix: {0:s} for path: {1:s} defined ' 'by artifact definition: {2:s} in file: {3:s}').format( path_segment, path, artifact_definition.name, filename)) return False if recursion_depth <= 0 or recursion_depth > 10: logging.warning(( 'Globstar with unsupported recursion depth: {0:s} for path: {1:s} ' 'defined by artifact definition: {2:s} in file: {3:s}').format( path_segment, path, artifact_definition.name, filename)) return False return True def _CheckMacOSPaths(self, filename, artifact_definition, source, paths): """Checks if the paths are valid MacOS paths. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. source (SourceType): source definition. paths (list[str]): paths to validate. Returns: bool: True if the MacOS paths is valid. 
""" result = True paths_with_private = [] paths_with_symbolic_link_to_private = [] for path in paths: path_lower = path.lower() path_segments = path_lower.split(source.separator) if not path_segments: logging.warning(( 'Empty path defined by artifact definition: {0:s} in file: ' '{1:s}').format(artifact_definition.name, filename)) result = False elif len(path_segments) == 1: continue elif path_segments[1] in self._MACOS_PRIVATE_SUB_PATHS: paths_with_symbolic_link_to_private.append(path) elif path_segments[1] == 'private' and len(path_segments) >= 2: if path_segments[2] in self._MACOS_PRIVATE_SUB_PATHS: paths_with_private.append(path) else: logging.warning(( 'Unsupported private path: {0:s} defined by artifact definition: ' '{1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False has_globstar = False for path_segment in path_segments: if '**' in path_segment: if has_globstar: logging.warning(( 'Unsupported path: {0:s} with multiple globstars defined by ' 'artifact definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False break has_globstar = True if not self._CheckGlobstarInPathSegment( filename, artifact_definition, path, path_segment): result = False if has_globstar and path.endswith(source.separator): logging.warning(( 'Unsupported path: {0:s} with globstar and trailing path ' 'separator defined by artifact definition: {1:s} in file: ' '{2:s}').format(path, artifact_definition.name, filename)) result = False for private_path in paths_with_private: if private_path[8:] not in paths_with_symbolic_link_to_private: logging.warning(( 'Missing symbolic link: {0:s} for path: {1:s} defined by artifact ' 'definition: {2:s} in file: {3:s}').format( private_path[8:], private_path, artifact_definition.name, filename)) result = False for path in paths_with_symbolic_link_to_private: private_path = '/private{0:s}'.format(path) if private_path not in paths_with_private: logging.warning(( 'Missing path: 
{0:s} for symbolic link: {1:s} defined by artifact ' 'definition: {2:s} in file: {3:s}').format( private_path, path, artifact_definition.name, filename)) result = False return result def _CheckPath(self, filename, artifact_definition, source, path): """Checks if a path is valid. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. source (SourceType): source definition. path (str): path to validate. Returns: bool: True if the path is valid. """ result = True path_segments = path.split(source.separator) has_globstar = False for path_segment in path_segments: if '**' in path_segment: if has_globstar: logging.warning(( 'Unsupported path: {0:s} with multiple globstars defined by ' 'artifact definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False break has_globstar = True if not self._CheckGlobstarInPathSegment( filename, artifact_definition, path, path_segment): result = False if has_globstar and path.endswith(source.separator): logging.warning(( 'Unsupported path: {0:s} with globstar and trailing path ' 'separator defined by artifact definition: {1:s} in file: ' '{2:s}').format(path, artifact_definition.name, filename)) result = False return result def _CheckWindowsPath(self, filename, artifact_definition, source, path): """Checks if a path is a valid Windows path. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. source (SourceType): source definition. path (str): path to validate. Returns: bool: True if the Windows path is valid. 
""" result = True number_of_forward_slashes = path.count('/') number_of_backslashes = path.count('\\') if (number_of_forward_slashes < number_of_backslashes and source.separator != '\\'): logging.warning(( 'Incorrect path separator: {0:s} in path: {1:s} defined ' 'by artifact definition: {2:s} in file: {3:s}').format( source.separator, path, artifact_definition.name, filename)) result = False if source.separator != '\\': return result path_lower = path.lower() path_segments = path_lower.split(source.separator) if not path_segments: logging.warning(( 'Empty path defined by artifact definition: {0:s} in file: ' '{1:s}').format(artifact_definition.name, filename)) result = False elif path_segments[0].startswith('%%users.') and path_segments[0] not in ( '%%users.appdata%%', '%%users.homedir%%', '%%users.localappdata%%', '%%users.temp%%', '%%users.username%%', '%%users.userprofile%%'): logging.warning(( 'Unsupported "{0:s}" in path: {1:s} defined by artifact ' 'definition: {2:s} in file: {3:s}').format( path_segments[0], path, artifact_definition.name, filename)) result = False elif path_segments[0] == '%%users.homedir%%': logging.warning(( 'Replace "%%users.homedir%%" by "%%users.userprofile%%" in path: ' '{0:s} defined by artifact definition: {1:s} in file: ' '{2:s}').format(path, artifact_definition.name, filename)) result = False elif path_lower.startswith('%%users.userprofile%%\\appdata\\local\\'): logging.warning(( 'Replace "%%users.userprofile%%\\AppData\\Local" by ' '"%%users.localappdata%%" in path: {0:s} defined by artifact ' 'definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False elif path_lower.startswith('%%users.userprofile%%\\appdata\\roaming\\'): logging.warning(( 'Replace "%%users.userprofile%%\\AppData\\Roaming" by ' '"%%users.appdata%%" in path: {0:s} defined by artifact ' 'definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False elif 
path_lower.startswith('%%users.userprofile%%\\application data\\'): logging.warning(( 'Replace "%%users.userprofile%%\\Application Data" by ' '"%%users.appdata%%" in path: {0:s} defined by artifact ' 'definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False elif path_lower.startswith( '%%users.userprofile%%\\local settings\\application data\\'): logging.warning(( 'Replace "%%users.userprofile%%\\Local Settings\\Application Data" ' 'by "%%users.localappdata%%" in path: {0:s} defined by artifact ' 'definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False has_globstar = False for path_segment in path_segments: if path_segment.startswith('%%') and path_segment.endswith('%%'): if (path_segment.startswith('%%environ_') and path_segment not in self._SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES): result = False logging.warning(( 'Artifact definition: {0:s} in file: {1:s} contains Windows ' 'path that contains an unuspported environment variable: ' '"{2:s}".').format( artifact_definition.name, filename, path_segment)) elif (path_segment.startswith('%%users.') and path_segment not in self._SUPPORTED_WINDOWS_USERS_VARIABLES): result = False logging.warning(( 'Artifact definition: {0:s} in file: {1:s} contains Windows ' 'path that contains an unsupported users variable: ' '"{2:s}". 
').format( artifact_definition.name, filename, path_segment)) elif '**' in path_segment: if has_globstar: logging.warning(( 'Unsupported path: {0:s} with multiple globstars defined by ' 'artifact definition: {1:s} in file: {2:s}').format( path, artifact_definition.name, filename)) result = False break has_globstar = True if not self._CheckGlobstarInPathSegment( filename, artifact_definition, path, path_segment): result = False if has_globstar and path.endswith(source.separator): logging.warning(( 'Unsupported path: {0:s} with globstar and trailing path ' 'separator defined by artifact definition: {1:s} in file: ' '{2:s}').format(path, artifact_definition.name, filename)) result = False return result def _CheckWindowsRegistryKeyPath( self, filename, artifact_definition, key_path): """Checks if a path is a valid Windows Registry key path. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. key_path (str): Windows Registry key path to validate. Returns: bool: True if the Windows Registry key path is valid. """ result = True key_path_segments = key_path.lower().split('\\') if key_path_segments[0] == '%%current_control_set%%': result = False logging.warning(( 'Artifact definition: {0:s} in file: {1:s} contains Windows ' 'Registry key path that starts with ' '%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with ' 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet').format( artifact_definition.name, filename)) for segment_index, key_path_segment in enumerate(key_path_segments): if key_path_segment.startswith('%%') and key_path_segment.endswith('%%'): if (segment_index == 1 and key_path_segment == '%%users.sid%%' and key_path_segments[0] == 'hkey_users'): continue if key_path_segment.startswith('%%environ_'): result = False logging.warning(( 'Artifact definition: {0:s} in file: {1:s} contains Windows ' 'Registry key path that contains an environment variable: ' '"{2:s}". 
Usage of environment variables in key paths is not ' 'encouraged at this time.').format( artifact_definition.name, filename, key_path_segment)) elif key_path_segment.startswith('%%users.'): result = False logging.warning(( 'Artifact definition: {0:s} in file: {1:s} contains Windows ' 'Registry key path that contains a users variable: "{2:s}". ' 'Usage of users variables in key paths, except for ' '"HKEY_USERS\\%%users.sid%%", is not encouraged at this ' 'time.').format( artifact_definition.name, filename, key_path_segment)) return result def _HasDuplicateRegistryKeyPaths( self, filename, artifact_definition, source): """Checks if Registry key paths are not already defined by other artifacts. Note that at the moment this function will only find exact duplicate Registry key paths. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. source (SourceType): source definition. Returns: bool: True if the Registry key paths defined by the source type are used in other artifacts. """ result = False intersection = self._artifact_registry_key_paths.intersection( set(source.keys)) if intersection: duplicate_key_paths = '\n'.join(intersection) logging.warning(( 'Artifact definition: {0:s} in file: {1:s} has duplicate ' 'Registry key paths:\n{2:s}').format( artifact_definition.name, filename, duplicate_key_paths)) result = True self._artifact_registry_key_paths.update(source.keys) return result def CheckDirectory(self, path): """Validates the artifacts definition in a specific directory. Args: path (str): path of the directory containing the artifacts definition files. Returns: bool: True if the file contains valid artifacts definitions. """ for filename in glob.glob(os.path.join(path, '*.yaml')): result = self.CheckFile(filename) if not result: break return result def CheckFile(self, filename): """Validates the artifacts definition in a specific file. 
Args: filename (str): name of the artifacts definition file. Returns: bool: True if the file contains valid artifacts definitions. """ result = True artifact_reader = reader.YamlArtifactsReader() try: for artifact_definition in artifact_reader.ReadFile(filename): try: self._artifact_registry.RegisterDefinition(artifact_definition) except KeyError: logging.warning( 'Duplicate artifact definition: {0:s} in file: {1:s}'.format( artifact_definition.name, filename)) result = False artifact_definition_supports_macos = ( definitions.SUPPORTED_OS_DARWIN in ( artifact_definition.supported_os)) artifact_definition_supports_windows = ( definitions.SUPPORTED_OS_WINDOWS in ( artifact_definition.supported_os)) for source in artifact_definition.sources: if source.type_indicator in ( definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH): if (definitions.SUPPORTED_OS_DARWIN in source.supported_os or ( artifact_definition_supports_macos and not source.supported_os)): if not self._CheckMacOSPaths( filename, artifact_definition, source, source.paths): result = False elif (artifact_definition_supports_windows or definitions.SUPPORTED_OS_WINDOWS in source.supported_os): for path in source.paths: if not self._CheckWindowsPath( filename, artifact_definition, source, path): result = False else: for path in source.paths: if not self._CheckPath( filename, artifact_definition, source, path): result = False elif source.type_indicator == ( definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY): # Exempt the legacy file from duplicate checking because it has # duplicates intentionally. 
if (filename != self.LEGACY_PATH and self._HasDuplicateRegistryKeyPaths( filename, artifact_definition, source)): result = False for key_path in source.keys: if not self._CheckWindowsRegistryKeyPath( filename, artifact_definition, key_path): result = False elif source.type_indicator == ( definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE): for key_value_pair in source.key_value_pairs: if not self._CheckWindowsRegistryKeyPath( filename, artifact_definition, key_value_pair['key']): result = False except errors.FormatError as exception: logging.warning( 'Unable to validate file: {0:s} with error: {1!s}'.format( filename, exception)) result = False return result def GetUndefinedArtifacts(self): """Retrieves the names of undefined artifacts used by artifact groups. Returns: set[str]: undefined artifacts names. """ return self._artifact_registry.GetUndefinedArtifacts() def Main(): """The main program function. Returns: bool: True if successful or False if not. """ args_parser = argparse.ArgumentParser( description='Validates an artifact definitions file.') args_parser.add_argument( 'definitions', nargs='?', action='store', metavar='PATH', default=None, help=('path of the file or directory that contains the artifact ' 'definitions.')) options = args_parser.parse_args() if not options.definitions: print('Source value is missing.') print('') args_parser.print_help() print('') return False if not os.path.exists(options.definitions): print('No such file or directory: {0:s}'.format(options.definitions)) print('') return False validator = ArtifactDefinitionsValidator() if os.path.isdir(options.definitions): print('Validating definitions in: {0:s}/*.yaml'.format(options.definitions)) result = validator.CheckDirectory(options.definitions) elif os.path.isfile(options.definitions): print('Validating definitions in: {0:s}'.format(options.definitions)) result = validator.CheckFile(options.definitions) if not result: print('FAILURE') return False print('SUCCESS') return True if 
__name__ == '__main__': if not Main(): sys.exit(1) else: sys.exit(0) artifacts-20211012/tox.ini000066400000000000000000000023071413144520200152350ustar00rootroot00000000000000[tox] envlist = py3{6,7,8,9,10},coverage,docs,pylint [testenv] pip_pre = True setenv = PYTHONPATH = {toxinidir} deps = -rrequirements.txt -rtest_requirements.txt coverage: coverage commands = py3{6,7,8,9,10}: ./run_tests.py coverage: coverage erase coverage: coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py [testenv:codecov] skip_install = true passenv = GITHUB_ACTION GITHUB_HEAD_REF GITHUB_REF GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_SHA deps = codecov < 2.1.10 commands = codecov [testenv:docs] usedevelop = true deps = -rdocs/requirements.txt commands = sphinx-build -b html -d build/doctrees docs dist/docs sphinx-build -b linkcheck docs dist/docs [testenv:pylint] skipsdist=True pip_pre = True setenv = PYTHONPATH = {toxinidir} deps = -rrequirements.txt -rtest_requirements.txt pylint >= 2.9.0, < 2.10.0 commands = pylint --version # Ignore setup.py for now due to: # setup.py:15:0: E0001: Cannot import 'distutils.command.bdist_msi' due to # syntax error 'expected an indented block (, line 347)' (syntax-error) pylint --rcfile=.pylintrc artifacts tests tools artifacts-20211012/utils/000077500000000000000000000000001413144520200150605ustar00rootroot00000000000000artifacts-20211012/utils/__init__.py000066400000000000000000000000001413144520200171570ustar00rootroot00000000000000artifacts-20211012/utils/check_dependencies.py000077500000000000000000000006461413144520200212260ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Script to check for the availability and version of dependencies.""" import sys # Change PYTHONPATH to include dependencies. 
sys.path.insert(0, '.') import utils.dependencies # pylint: disable=wrong-import-position if __name__ == '__main__': dependency_helper = utils.dependencies.DependencyHelper() if not dependency_helper.CheckDependencies(): sys.exit(1) artifacts-20211012/utils/dependencies.py000066400000000000000000000272301413144520200200640ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Helper to check for availability and version of dependencies.""" import configparser import os import re class DependencyDefinition(object): """Dependency definition. Attributes: dpkg_name (str): name of the dpkg package that provides the dependency. is_optional (bool): True if the dependency is optional. l2tbinaries_name (str): name of the l2tbinaries package that provides the dependency. maximum_version (str): maximum supported version, a greater or equal version is not supported. minimum_version (str): minimum supported version, a lesser version is not supported. name (str): name of (the Python module that provides) the dependency. pypi_name (str): name of the PyPI package that provides the dependency. python2_only (bool): True if the dependency is only supported by Python 2. python3_only (bool): True if the dependency is only supported by Python 3. rpm_name (str): name of the rpm package that provides the dependency. skip_check (bool): True if the dependency should be skipped by the CheckDependencies or CheckTestDependencies methods of DependencyHelper. skip_requires (bool): True if the dependency should be excluded from requirements.txt or setup.py install_requires. version_property (str): name of the version attribute or function. """ def __init__(self, name): """Initializes a dependency configuration. Args: name (str): name of the dependency. 
""" super(DependencyDefinition, self).__init__() self.dpkg_name = None self.is_optional = False self.l2tbinaries_name = None self.maximum_version = None self.minimum_version = None self.name = name self.pypi_name = None self.python2_only = False self.python3_only = False self.rpm_name = None self.skip_check = None self.skip_requires = None self.version_property = None class DependencyDefinitionReader(object): """Dependency definition reader.""" _VALUE_NAMES = frozenset([ 'dpkg_name', 'is_optional', 'l2tbinaries_name', 'maximum_version', 'minimum_version', 'pypi_name', 'python2_only', 'python3_only', 'rpm_name', 'skip_check', 'skip_requires', 'version_property']) def _GetConfigValue(self, config_parser, section_name, value_name): """Retrieves a value from the config parser. Args: config_parser (ConfigParser): configuration parser. section_name (str): name of the section that contains the value. value_name (str): name of the value. Returns: object: configuration value or None if the value does not exists. """ try: return config_parser.get(section_name, value_name) except configparser.NoOptionError: return None def Read(self, file_object): """Reads dependency definitions. Args: file_object (file): file-like object to read from. Yields: DependencyDefinition: dependency definition. """ config_parser = configparser.ConfigParser(interpolation=None) config_parser.read_file(file_object) for section_name in config_parser.sections(): dependency_definition = DependencyDefinition(section_name) for value_name in self._VALUE_NAMES: value = self._GetConfigValue(config_parser, section_name, value_name) setattr(dependency_definition, value_name, value) yield dependency_definition class DependencyHelper(object): """Dependency helper. Attributes: dependencies (dict[str, DependencyDefinition]): dependencies. 
""" _VERSION_NUMBERS_REGEX = re.compile(r'[0-9.]+') _VERSION_SPLIT_REGEX = re.compile(r'\.|\-') def __init__( self, dependencies_file='dependencies.ini', test_dependencies_file='test_dependencies.ini'): """Initializes a dependency helper. Args: dependencies_file (Optional[str]): path to the dependencies configuration file. test_dependencies_file (Optional[str]): path to the test dependencies configuration file. """ super(DependencyHelper, self).__init__() self._test_dependencies = {} self.dependencies = {} dependency_reader = DependencyDefinitionReader() with open(dependencies_file, 'r') as file_object: for dependency in dependency_reader.Read(file_object): self.dependencies[dependency.name] = dependency if os.path.exists(test_dependencies_file): with open(test_dependencies_file, 'r') as file_object: for dependency in dependency_reader.Read(file_object): self._test_dependencies[dependency.name] = dependency def _CheckPythonModule(self, dependency): """Checks the availability of a Python module. Args: dependency (DependencyDefinition): dependency definition. Returns: tuple: containing: bool: True if the Python module is available and conforms to the minimum required version, False otherwise. str: status message. """ module_object = self._ImportPythonModule(dependency.name) if not module_object: status_message = 'missing: {0:s}'.format(dependency.name) return False, status_message if not dependency.version_property: return True, dependency.name return self._CheckPythonModuleVersion( dependency.name, module_object, dependency.version_property, dependency.minimum_version, dependency.maximum_version) def _CheckPythonModuleVersion( self, module_name, module_object, version_property, minimum_version, maximum_version): """Checks the version of a Python module. Args: module_object (module): Python module. module_name (str): name of the Python module. version_property (str): version attribute or function. minimum_version (str): minimum version. 
maximum_version (str): maximum version. Returns: tuple: containing: bool: True if the Python module is available and conforms to the minimum required version, False otherwise. str: status message. """ module_version = None if not version_property.endswith('()'): module_version = getattr(module_object, version_property, None) else: version_method = getattr( module_object, version_property[:-2], None) if version_method: module_version = version_method() if not module_version: status_message = ( 'unable to determine version information for: {0:s}').format( module_name) return False, status_message # Make sure the module version is a string. module_version = '{0!s}'.format(module_version) # Split the version string and convert every digit into an integer. # A string compare of both version strings will yield an incorrect result. # Strip any semantic suffixes such as a1, b1, pre, post, rc, dev. module_version = self._VERSION_NUMBERS_REGEX.findall(module_version)[0] if module_version[-1] == '.': module_version = module_version[:-1] try: module_version_map = list( map(int, self._VERSION_SPLIT_REGEX.split(module_version))) except ValueError: status_message = 'unable to parse module version: {0:s} {1:s}'.format( module_name, module_version) return False, status_message if minimum_version: try: minimum_version_map = list( map(int, self._VERSION_SPLIT_REGEX.split(minimum_version))) except ValueError: status_message = 'unable to parse minimum version: {0:s} {1:s}'.format( module_name, minimum_version) return False, status_message if module_version_map < minimum_version_map: status_message = ( '{0:s} version: {1!s} is too old, {2!s} or later required').format( module_name, module_version, minimum_version) return False, status_message if maximum_version: try: maximum_version_map = list( map(int, self._VERSION_SPLIT_REGEX.split(maximum_version))) except ValueError: status_message = 'unable to parse maximum version: {0:s} {1:s}'.format( module_name, maximum_version) return False, 
status_message if module_version_map > maximum_version_map: status_message = ( '{0:s} version: {1!s} is too recent, {2!s} or earlier ' 'required').format(module_name, module_version, maximum_version) return False, status_message status_message = '{0:s} version: {1!s}'.format(module_name, module_version) return True, status_message def _ImportPythonModule(self, module_name): """Imports a Python module. Args: module_name (str): name of the module. Returns: module: Python module or None if the module cannot be imported. """ try: module_object = list(map(__import__, [module_name]))[0] except ImportError: return None # If the module name contains dots get the upper most module object. if '.' in module_name: for submodule_name in module_name.split('.')[1:]: module_object = getattr(module_object, submodule_name, None) return module_object def _PrintCheckDependencyStatus( self, dependency, result, status_message, verbose_output=True): """Prints the check dependency status. Args: dependency (DependencyDefinition): dependency definition. result (bool): True if the Python module is available and conforms to the minimum required version, False otherwise. status_message (str): status message. verbose_output (Optional[bool]): True if output should be verbose. """ if not result or dependency.is_optional: if dependency.is_optional: status_indicator = '[OPTIONAL]' else: status_indicator = '[FAILURE]' print('{0:s}\t{1:s}'.format(status_indicator, status_message)) elif verbose_output: print('[OK]\t\t{0:s}'.format(status_message)) def CheckDependencies(self, verbose_output=True): """Checks the availability of the dependencies. Args: verbose_output (Optional[bool]): True if output should be verbose. Returns: bool: True if the dependencies are available, False otherwise. 
""" print('Checking availability and versions of dependencies.') check_result = True for _, dependency in sorted(self.dependencies.items()): if dependency.skip_check: continue result, status_message = self._CheckPythonModule(dependency) if not result and not dependency.is_optional: check_result = False self._PrintCheckDependencyStatus( dependency, result, status_message, verbose_output=verbose_output) if check_result and not verbose_output: print('[OK]') print('') return check_result def CheckTestDependencies(self, verbose_output=True): """Checks the availability of the dependencies when running tests. Args: verbose_output (Optional[bool]): True if output should be verbose. Returns: bool: True if the dependencies are available, False otherwise. """ if not self.CheckDependencies(verbose_output=verbose_output): return False print('Checking availability and versions of test dependencies.') check_result = True for dependency in sorted( self._test_dependencies.values(), key=lambda dependency: dependency.name): if dependency.skip_check: continue result, status_message = self._CheckPythonModule(dependency) if not result: check_result = False self._PrintCheckDependencyStatus( dependency, result, status_message, verbose_output=verbose_output) if check_result and not verbose_output: print('[OK]') print('') return check_result artifacts-20211012/utils/pylintrc000066400000000000000000000215611413144520200166540ustar00rootroot00000000000000# File copied from: # http://src.chromium.org/chrome/trunk/tools/depot_tools/pylintrc # Date: 2013-06-29. [MASTER] # Specify a configuration file. #rcfile= # Python code to execute, usually for sys.path manipulation such as # pygtk.require(). #init-hook= # Profiled execution. profile=no # Add files or directories to the blacklist. They should be base names, not # paths. ignore=CVS # Pickle collected data for later comparisons. 
persistent=yes # List of plugins (as comma separated values of python modules names) to load, # usually to register additional checkers. load-plugins= [MESSAGES CONTROL] # Enable the message, report, category or checker with the given id(s). You can # either give multiple identifier separated by comma (,) or put this option # multiple time. #enable= # Disable the message, report, category or checker with the given id(s). You # can either give multiple identifier separated by comma (,) or put this option # multiple time (only on the command line, not in the configuration file where # it should appear only once). # CHANGED: # C0103: Invalid name "" # C0111: Missing docstring # C0302: Too many lines in module (N) # # F0401: Unable to import 'module' # pylint acting strangely: plaso/lib/event.py: F0401: 26,0: Unable to import 'google.protobuf' # # I0010: Unable to consider inline option '' # I0011: Locally disabling WNNNN # # R0201: Method could be a function # R0801: Similar lines in N files # R0901: Too many ancestors (8/7) # R0902: Too many instance attributes (N/7) # R0903: Too few public methods (N/2) # R0904: Too many public methods (N/20) # R0911: Too many return statements (N/6) # R0912: Too many branches (N/12) # R0913: Too many arguments (N/5) # R0914: Too many local variables (N/15) # R0915: Too many statements (N/50) # R0921: Abstract class not referenced # R0922: Abstract class is only referenced 1 times # W0122: Use of the exec statement # W0141: Used builtin function '' # W0142: Used * or ** magic # W0201: Variables defined initially outside the scope of __init__ (reconsider this, added by Kristinn). 
# W0212: Locally enabling protected-access # W0402: Uses of a deprecated module 'string' # W0404: 41: Reimport 'XX' (imported line NN) # W0511: TODO # W0603: Using the global statement # W0703: Catch "Exception" # W1201: Specify string format arguments as logging function parameters # W1202: Use % formatting in logging functions but pass the % parameters as arguments disable=C0103,C0111,C0302,F0401,I0010,I0011,R0201,R0801,R0901,R0902,R0903,R0904,R0911,R0912,R0913,R0914,R0915,R0921,R0922,W0122,W0141,W0142,W0201,W0212,W0402,W0404,W0511,W0603,W0703,W1201,W1202 [REPORTS] # Set the output format. Available formats are text, parseable, colorized, msvs # (visual studio) and html output-format=text # Put messages in a separate file for each module / package specified on the # command line instead of printing them on stdout. Reports (if any) will be # written in a file name "pylint_global.[txt|html]". files-output=no # Tells whether to display a full report or only the messages # CHANGED: reports=no # Python expression which should return a note less than 10 (10 is the highest # note). You have access to the variables errors warning, statement which # respectively contain the number of errors / warnings messages and the total # number of statements analyzed. This is used by the global evaluation report # (RP0004). evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) # Add a comment according to your evaluation note. This is used by the global # evaluation report (RP0004). comment=no [VARIABLES] # Tells whether we should check for unused import in __init__ files. init-import=no # A regular expression matching the beginning of the name of unused variables. # By default this is _ and dummy but we prefer _ and unused. dummy-variables-rgx=_|unused # List of additional names supposed to be defined in builtins. Remember that # you should avoid to define new builtins when possible. 
additional-builtins= [TYPECHECK] # Tells whether missing members accessed in a mixin class should be ignored. A # mixin class is detected if its name ends with "mixin" (case insensitive). ignore-mixin-members=yes # List of class names for which member attributes should not be checked # (useful for classes with attributes dynamically set). ignored-classes=SQLObject,twisted.internet.reactor,hashlib,google.appengine.api.memcache # When zope mode is activated, add a predefined set of Zope acquired attributes # to generated-members. zope=no # List of members which are set dynamically and missed by pylint inference # system, and so shouldn't trigger E0201 when accessed. Python regular # expressions are accepted. generated-members=REQUEST,acl_users,aq_parent,multiprocessing.managers.SyncManager [MISCELLANEOUS] # List of note tags to take into consideration, separated by a comma. notes=FIXME,XXX,TODO [SIMILARITIES] # Minimum number of lines for a similarity. min-similarity-lines=4 # Ignore comments when computing similarities. ignore-comments=yes # Ignore docstrings when computing similarities. ignore-docstrings=yes [FORMAT] # Maximum number of characters on a single line. max-line-length=80 # Maximum number of lines in a module max-module-lines=1000 # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 # tab).
# CHANGED: indent-string=' ' [BASIC] # Required attributes for module, separated by a comma required-attributes= # List of builtins function names that should not be used, separated by a comma bad-functions=map,filter,apply,input # Regular expression which should only match correct module names module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ # Regular expression which should only match correct module level names const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ # Regular expression which should only match correct class names class-rgx=[A-Z_][a-zA-Z0-9]+$ # Regular expression which should only match correct function names function-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct method names method-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct instance attribute names attr-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct argument names argument-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct variable names variable-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct list comprehension / # generator expression variable names inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ # Good variable names which should always be accepted, separated by a comma good-names=i,j,k,ex,Run,_ # Bad variable names which should always be refused, separated by a comma bad-names=foo,bar,baz,toto,tutu,tata # Regular expression which should only match functions or classes name which do # not require a docstring no-docstring-rgx=__.*__ [DESIGN] # Maximum number of arguments for function / method max-args=5 # Argument names that match this expression will be ignored. 
Defaults to names # with a leading underscore ignored-argument-names=_.* # Maximum number of locals for function / method body max-locals=15 # Maximum number of return / yield for function / method body max-returns=6 # Maximum number of branches for function / method body max-branchs=12 # Maximum number of statements in function / method body max-statements=50 # Maximum number of parents for a class (see R0901). max-parents=7 # Maximum number of attributes for a class (see R0902). max-attributes=7 # Minimum number of public methods for a class (see R0903). min-public-methods=2 # Maximum number of public methods for a class (see R0904). max-public-methods=20 [CLASSES] # List of interface methods to ignore, separated by a comma. This is used for # instance to not check methods defined in Zope's Interface base class. ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by # List of method names used to declare (i.e. assign) instance attributes. defining-attr-methods=__init__,__new__,setUp # List of valid names for the first argument in a class method. valid-classmethod-first-arg=cls [IMPORTS] # Deprecated modules which should not be used, separated by a comma deprecated-modules=regsub,string,TERMIOS,Bastion,rexec # Create a graph of all (i.e. internal and external) dependencies in the # given file (report RP0402 must not be disabled) import-graph= # Create a graph of external dependencies in the given file (report RP0402 must # not be disabled) ext-import-graph= # Create a graph of internal dependencies in the given file (report RP0402 must # not be disabled) int-import-graph= [EXCEPTIONS] # Exceptions that will emit a warning when being caught.
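Defaults to
# "Exception"
overgeneral-exceptions=Exception
artifacts-20211012/utils/update_version.sh000077500000000000000000000012431413144520200204460ustar00rootroot00000000000000
#!/bin/bash
# Script to update the version information.
#
# Stamps the current UTC date (YYYYMMDD) into artifacts/__init__.py and the
# dpkg changelog, then regenerates the statistics and API documentation.
# Must be run from the repository root. Any failing step aborts the script
# with a non-zero exit code, so a partially updated tree is never reported
# as success.

# Abort on the first failing command; previously a failed sed, stats.py or
# tox run was ignored and the script still exited 0.
set -e

EXIT_FAILURE=1;
EXIT_SUCCESS=0;

# Refuse to run outside the repository root: every path below is relative,
# and sed -i on a missing file would otherwise be the only diagnostic.
if ! test -f artifacts/__init__.py; then
  echo "Run this script from the repository root." >&2
  exit ${EXIT_FAILURE};
fi

# Version string is the UTC build date; DPKG_DATE is the RFC 2822 form that
# the dpkg changelog trailer requires.
VERSION=$(date -u +"%Y%m%d")
DPKG_DATE=$(date -R)

# Update the Python module version.
sed "s/__version__ = '[0-9]*'/__version__ = '${VERSION}'/" -i artifacts/__init__.py

# Update the version in the dpkg configuration files.
# NOTE(review): the maintainer line carries no <email> field here — confirm
# this matches what the dpkg tooling in this project expects.
cat > config/dpkg/changelog << EOT
artifacts (${VERSION}-1) unstable; urgency=low

  * Auto-generated

 -- Forensic artifacts  ${DPKG_DATE}
EOT

# Regenerate the statistics documentation.
PYTHONPATH=. ./tools/stats.py > docs/sources/background/Stats.md

# Regenerate the API documentation.
tox -edocs

exit ${EXIT_SUCCESS};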