pax_global_header00006660000000000000000000000064145052713040014513gustar00rootroot0000000000000052 comment=7fa98faca9c736bcf7336a94357d31fa6d9c3e26 artifacts-20230928/000077500000000000000000000000001450527130400137465ustar00rootroot00000000000000artifacts-20230928/.github/000077500000000000000000000000001450527130400153065ustar00rootroot00000000000000artifacts-20230928/.github/workflows/000077500000000000000000000000001450527130400173435ustar00rootroot00000000000000artifacts-20230928/.github/workflows/test_docker.yml000066400000000000000000000047231450527130400224020ustar00rootroot00000000000000# Run tests on Fedora and Ubuntu Docker images using GIFT CORP and GIFT PPA on commit name: test_docker on: [push] permissions: read-all jobs: test_fedora: runs-on: ubuntu-latest strategy: matrix: version: ['38'] container: image: registry.fedoraproject.org/fedora:${{ matrix.version }} steps: - uses: actions/checkout@v3 - name: Set up container run: | dnf install -y dnf-plugins-core langpacks-en - name: Install dependencies run: | dnf copr -y enable @gift/dev dnf install -y @development-tools python3 python3-devel python3-pyyaml python3-setuptools - name: Run tests env: LANG: C.utf8 run: | python3 ./run_tests.py - name: Run end-to-end tests run: | if test -f tests/end-to-end.py; then PYTHONPATH=. 
python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi - name: Build source distribution run: | python3 ./setup.py sdist - name: Build binary distribution run: | python3 ./setup.py bdist - name: Run build and install test run: | python3 ./setup.py build python3 ./setup.py install test_ubuntu: runs-on: ubuntu-latest strategy: matrix: version: ['22.04'] container: image: ubuntu:${{ matrix.version }} steps: - uses: actions/checkout@v3 - name: Set up container env: DEBIAN_FRONTEND: noninteractive run: | apt-get update -q apt-get install -y libterm-readline-gnu-perl locales software-properties-common locale-gen en_US.UTF-8 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime - name: Install dependencies run: | add-apt-repository -y ppa:gift/dev apt-get update -q apt-get install -y build-essential python3 python3-dev python3-distutils python3-setuptools python3-yaml - name: Run tests env: LANG: en_US.UTF-8 run: | python3 ./run_tests.py - name: Run end-to-end tests env: LANG: en_US.UTF-8 run: | if test -f tests/end-to-end.py; then PYTHONPATH=. 
python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi - name: Build source distribution run: | python3 ./setup.py sdist - name: Build binary distribution run: | python3 ./setup.py bdist - name: Run build and install test run: | python3 ./setup.py build python3 ./setup.py install artifacts-20230928/.github/workflows/test_docs.yml000066400000000000000000000025261450527130400220620ustar00rootroot00000000000000# Run docs tox tests on Ubuntu Docker images using GIFT PPA name: test_docs on: pull_request: branches: - main push: branches: - main permissions: read-all jobs: build: runs-on: ubuntu-latest strategy: matrix: include: - python-version: '3.11' toxenv: 'docs' container: image: ubuntu:22.04 steps: - uses: actions/checkout@v3 - name: Set up container env: DEBIAN_FRONTEND: noninteractive run: | apt-get update -q apt-get install -y libterm-readline-gnu-perl locales software-properties-common locale-gen en_US.UTF-8 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime - name: Install dependencies env: DEBIAN_FRONTEND: noninteractive run: | add-apt-repository -y universe add-apt-repository -y ppa:deadsnakes/ppa add-apt-repository -y ppa:gift/dev apt-get update -q apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv python3-distutils python3-pip python3-setuptools python3-yaml - name: Install tox run: | python3 -m pip install tox - name: Run tests env: LANG: en_US.UTF-8 run: | tox -e${{ matrix.toxenv }} artifacts-20230928/.github/workflows/test_tox.yml000066400000000000000000000077461450527130400217550ustar00rootroot00000000000000# Run tox tests on Ubuntu Docker images using GIFT PPA name: test_tox on: pull_request: branches: - main push: branches: - main permissions: read-all jobs: build: runs-on: ubuntu-latest strategy: matrix: include: - python-version: '3.7' toxenv: 'py37' - python-version: '3.8' toxenv: 'py38' - python-version: '3.9' toxenv: 'py39' - 
python-version: '3.10' toxenv: 'py310' - python-version: '3.11' toxenv: 'py311' container: image: ubuntu:22.04 steps: - uses: actions/checkout@v3 - name: Set up container env: DEBIAN_FRONTEND: noninteractive run: | apt-get update -q apt-get install -y libterm-readline-gnu-perl locales software-properties-common locale-gen en_US.UTF-8 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime - name: Install dependencies env: DEBIAN_FRONTEND: noninteractive run: | add-apt-repository -y universe add-apt-repository -y ppa:deadsnakes/ppa add-apt-repository -y ppa:gift/dev apt-get update -q apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv python3-distutils python3-pip python3-setuptools python3-yaml - name: Install tox run: | python3 -m pip install tox - name: Run tests env: LANG: en_US.UTF-8 run: | tox -e${{ matrix.toxenv }} coverage: runs-on: ubuntu-latest strategy: matrix: include: - python-version: '3.11' toxenv: 'py311,coverage' container: image: ubuntu:22.04 steps: - uses: actions/checkout@v3 - name: Set up container env: DEBIAN_FRONTEND: noninteractive run: | apt-get update -q apt-get install -y libterm-readline-gnu-perl locales software-properties-common locale-gen en_US.UTF-8 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime - name: Install dependencies env: DEBIAN_FRONTEND: noninteractive run: | add-apt-repository -y universe add-apt-repository -y ppa:deadsnakes/ppa add-apt-repository -y ppa:gift/dev apt-get update -q apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv python3-distutils python3-pip python3-setuptools python3-yaml - name: Install tox run: | python3 -m pip install tox - name: Run tests with coverage env: LANG: en_US.UTF-8 run: | tox -e${{ matrix.toxenv }} - name: Upload coverage report to Codecov uses: codecov/codecov-action@v3 lint: 
runs-on: ubuntu-latest strategy: matrix: include: - python-version: '3.11' toxenv: 'lint' container: image: ubuntu:22.04 steps: - uses: actions/checkout@v3 - name: Set up container env: DEBIAN_FRONTEND: noninteractive run: | apt-get update -q apt-get install -y libterm-readline-gnu-perl locales software-properties-common locale-gen en_US.UTF-8 ln -f -s /usr/share/zoneinfo/UTC /etc/localtime - name: Install dependencies env: DEBIAN_FRONTEND: noninteractive run: | add-apt-repository -y universe add-apt-repository -y ppa:deadsnakes/ppa add-apt-repository -y ppa:gift/dev apt-get update -q apt-get install -y build-essential git libffi-dev python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv python3-distutils python3-pip python3-setuptools python3-yaml - name: Install tox run: | python3 -m pip install tox - name: Run linter env: LANG: en_US.UTF-8 run: | tox -e${{ matrix.toxenv }} artifacts-20230928/.gitignore000066400000000000000000000003161450527130400157360ustar00rootroot00000000000000# Files to ignore by git # Back-up files *~ *.swp # Generic auto-generated build files *.pyc *.pyo # Specific auto-generated build files /__pycache__ /artifacts.egg-info /build /dist # Tests files .tox artifacts-20230928/.pylintrc000066400000000000000000000547221450527130400156250ustar00rootroot00000000000000# Pylint 2.17.x configuration file # # This file is generated by l2tdevtools update-dependencies.py, any dependency # related changes should be made in dependencies.ini. [MAIN] # Analyse import fallback blocks. This can be used to support both Python 2 and # 3 compatible code, which means that the block might have code that exists # only in one or another interpreter, leading to false positives when analysed. analyse-fallback-blocks=no # Clear in-memory caches upon conclusion of linting. Useful if running pylint # in a server-like mode. clear-cache-post-run=no # Load and enable all available extensions. 
Use --list-extensions to see a list # all available extensions. #enable-all-extensions= # In error mode, messages with a category besides ERROR or FATAL are # suppressed, and no reports are done by default. Error mode is compatible with # disabling specific errors. #errors-only= # Always return a 0 (non-error) status code, even if lint errors are found. # This is primarily useful in continuous integration scripts. #exit-zero= # A comma-separated list of package or module names from where C extensions may # be loaded. Extensions are loading into the active Python interpreter and may # run arbitrary code. extension-pkg-allow-list= # A comma-separated list of package or module names from where C extensions may # be loaded. Extensions are loading into the active Python interpreter and may # run arbitrary code. (This is an alternative name to extension-pkg-allow-list # for backward compatibility.) extension-pkg-whitelist= # Return non-zero exit code if any of these messages/categories are detected, # even if score is above --fail-under value. Syntax same as enable. Messages # specified are enabled, while categories only check already-enabled messages. fail-on= # Specify a score threshold under which the program will exit with error. fail-under=10 # Interpret the stdin as a python script, whose filename needs to be passed as # the module_or_package argument. #from-stdin= # Files or directories to be skipped. They should be base names, not paths. ignore=CVS # Add files or directories matching the regular expressions patterns to the # ignore-list. The regex matches against paths and can be in Posix or Windows # format. Because '\\' represents the directory delimiter on Windows systems, # it can't be used as an escape character. ignore-paths= # Files or directories matching the regular expression patterns are skipped. # The regex matches against base names, not paths. 
The default value ignores # Emacs file locks ignore-patterns=^\.# # List of module names for which member attributes should not be checked # (useful for modules/projects where namespaces are manipulated during runtime # and thus existing member attributes cannot be deduced by static analysis). It # supports qualified module names, as well as Unix pattern matching. ignored-modules= # Python code to execute, usually for sys.path manipulation such as # pygtk.require(). #init-hook= # Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the # number of processors available to use, and will cap the count on Windows to # avoid hangs. jobs=1 # Control the amount of potential inferred values when inferring a single # object. This can help the performance when dealing with large functions or # complex, nested conditions. limit-inference-results=100 # List of plugins (as comma separated values of python module names) to load, # usually to register additional checkers. # load-plugins= load-plugins=pylint.extensions.docparams # Pickle collected data for later comparisons. persistent=yes # Minimum Python version to use for version dependent checks. Will default to # the version used to run pylint. py-version=3.11 # Discover python modules and packages in the file system subtree. # recursive=no recursive=yes # Add paths to the list of the source roots. Supports globbing patterns. The # source root is an absolute path or a path relative to the current working # directory used to determine a package namespace for modules located under the # source root. source-roots= # When enabled, pylint would attempt to guess common misconfiguration and emit # user-friendly hints instead of false-positive error messages. suggestion-mode=yes # Allow loading of arbitrary C extensions. Extensions are imported into the # active Python interpreter and may run arbitrary code. unsafe-load-any-extension=no # In verbose mode, extra non-checker-related info will be displayed. 
#verbose= [BASIC] # Naming style matching correct argument names. argument-naming-style=snake_case # Regular expression matching correct argument names. Overrides argument- # naming-style. If left empty, argument names will be checked with the set # naming style. #argument-rgx= argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ # Naming style matching correct attribute names. attr-naming-style=snake_case # Regular expression matching correct attribute names. Overrides attr-naming- # style. If left empty, attribute names will be checked with the set naming # style. #attr-rgx= attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ # Bad variable names which should always be refused, separated by a comma. bad-names=foo, bar, baz, toto, tutu, tata # Bad variable names regexes, separated by a comma. If names match any regex, # they will always be refused bad-names-rgxs= # Naming style matching correct class attribute names. class-attribute-naming-style=any # Regular expression matching correct class attribute names. Overrides class- # attribute-naming-style. If left empty, class attribute names will be checked # with the set naming style. #class-attribute-rgx= class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$ # Naming style matching correct class constant names. class-const-naming-style=UPPER_CASE # Regular expression matching correct class constant names. Overrides class- # const-naming-style. If left empty, class constant names will be checked with # the set naming style. #class-const-rgx= # Naming style matching correct class names. class-naming-style=PascalCase # Regular expression matching correct class names. Overrides class-naming- # style. If left empty, class names will be checked with the set naming style. #class-rgx= class-rgx=[A-Z_][a-zA-Z0-9]+$ # Naming style matching correct constant names. const-naming-style=UPPER_CASE # Regular expression matching correct constant names. Overrides const-naming- # style. 
If left empty, constant names will be checked with the set naming # style. #const-rgx= const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$ # Minimum line length for functions/classes that require docstrings, shorter # ones are exempt. docstring-min-length=-1 # Naming style matching correct function names. function-naming-style=snake_case # Regular expression matching correct function names. Overrides function- # naming-style. If left empty, function names will be checked with the set # naming style. #function-rgx= function-rgx=[A-Z_][a-zA-Z0-9_]*$ # Good variable names which should always be accepted, separated by a comma. good-names=i, j, k, ex, Run, _ # Good variable names regexes, separated by a comma. If names match any regex, # they will always be accepted good-names-rgxs= # Include a hint for the correct naming format with invalid-name. include-naming-hint=no # Naming style matching correct inline iteration names. inlinevar-naming-style=any # Regular expression matching correct inline iteration names. Overrides # inlinevar-naming-style. If left empty, inline iteration names will be checked # with the set naming style. #inlinevar-rgx= inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ # Naming style matching correct method names. method-naming-style=snake_case # Regular expression matching correct method names. Overrides method-naming- # style. If left empty, method names will be checked with the set naming style. #method-rgx= method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$ # Naming style matching correct module names. module-naming-style=snake_case # Regular expression matching correct module names. Overrides module-naming- # style. If left empty, module names will be checked with the set naming style. #module-rgx= module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ # Colon-delimited sets of names that determine each other's naming style when # the name regexes allow several styles. 
name-group= # Regular expression which should only match function or class names that do # not require a docstring. no-docstring-rgx=^_ # List of decorators that produce properties, such as abc.abstractproperty. Add # to this list to register other decorators that produce valid properties. # These decorators are taken in consideration only for invalid-name. property-classes=abc.abstractproperty # Regular expression matching correct type alias names. If left empty, type # alias names will be checked with the set naming style. #typealias-rgx= # Regular expression matching correct type variable names. If left empty, type # variable names will be checked with the set naming style. #typevar-rgx= # Naming style matching correct variable names. variable-naming-style=snake_case # Regular expression matching correct variable names. Overrides variable- # naming-style. If left empty, variable names will be checked with the set # naming style. #variable-rgx= variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$ [CLASSES] # Warn about protected attribute access inside special methods check-protected-access-in-special-methods=no # List of method names used to declare (i.e. assign) instance attributes. defining-attr-methods=__init__, __new__, setUp, asyncSetUp, __post_init__ # List of member names, which should be excluded from the protected access # warning. exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit # List of valid names for the first argument in a class method. valid-classmethod-first-arg=cls # List of valid names for the first argument in a metaclass class method. # valid-metaclass-classmethod-first-arg=mcs valid-metaclass-classmethod-first-arg=cls [DESIGN] # List of regular expressions of class ancestor names to ignore when counting # public methods (see R0903) exclude-too-few-public-methods= # List of qualified class names to ignore when counting class parents (see # R0901) ignored-parents= # Maximum number of arguments for function / method. 
# max-args=5 max-args=10 # Maximum number of attributes for a class (see R0902). max-attributes=7 # Maximum number of boolean expressions in an if statement (see R0916). max-bool-expr=5 # Maximum number of branch for function / method body. max-branches=12 # Maximum number of locals for function / method body. max-locals=15 # Maximum number of parents for a class (see R0901). max-parents=7 # Maximum number of public methods for a class (see R0904). max-public-methods=20 # Maximum number of return / yield for function / method body. max-returns=6 # Maximum number of statements in function / method body. max-statements=50 # Minimum number of public methods for a class (see R0903). min-public-methods=2 [EXCEPTIONS] # Exceptions that will emit a warning when caught. overgeneral-exceptions=builtins.BaseException,builtins.Exception [FORMAT] # Expected format of line ending, e.g. empty (any line ending), LF or CRLF. expected-line-ending-format= # Regexp for a line that is allowed to be longer than the limit. ignore-long-lines=^\s*(# )??$ # Number of spaces of indent required inside a hanging or continued line. indent-after-paren=4 # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 # tab). # indent-string=' ' indent-string=' ' # Maximum number of characters on a single line. # max-line-length=100 max-line-length=80 # Maximum number of lines in a module. max-module-lines=1000 # Allow the body of a class to be on the same line as the declaration if body # contains single statement. single-line-class-stmt=no # Allow the body of an if to be on the same line as the test if there is no # else. single-line-if-stmt=no [IMPORTS] # List of modules that can be imported at any level, not just the top level # one. allow-any-import-level= # Allow explicit reexports by alias from a package __init__. allow-reexport-from-package=no # Allow wildcard imports from modules that define __all__. 
allow-wildcard-with-all=no # Deprecated modules which should not be used, separated by a comma. deprecated-modules= # Output a graph (.gv or any supported image format) of external dependencies # to the given file (report RP0402 must not be disabled). ext-import-graph= # Output a graph (.gv or any supported image format) of all (i.e. internal and # external) dependencies to the given file (report RP0402 must not be # disabled). import-graph= # Output a graph (.gv or any supported image format) of internal dependencies # to the given file (report RP0402 must not be disabled). int-import-graph= # Force import order to recognize a module as part of the standard # compatibility libraries. known-standard-library= # Force import order to recognize a module as part of a third party library. known-third-party=enchant # Couples of modules and preferred modules, separated by a comma. preferred-modules= [LOGGING] # The type of string formatting that logging methods do. `old` means using % # formatting, `new` is for `{}` formatting. logging-format-style=old # Logging modules to check that the string format arguments are in logging # function parameter format. logging-modules=logging [MESSAGES CONTROL] # Only show warnings with the listed confidence levels. Leave empty to show # all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE, # UNDEFINED. confidence=HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE, UNDEFINED # Disable the message, report, category or checker with the given id(s). You # can either give multiple identifiers separated by comma (,) or put this # option multiple times (only on the command line, not in the configuration # file where it should appear only once). You can also use "--disable=all" to # disable everything first and then re-enable specific checks. For example, if # you want to run only the similarities checker, you can use "--disable=all # --enable=similarities". 
If you want to run only the classes checker, but have # no Warning level messages displayed, use "--disable=all --enable=classes # --disable=W". disable=assignment-from-none, bad-inline-option, consider-using-f-string, deprecated-pragma, duplicate-code, file-ignored, fixme, locally-disabled, logging-format-interpolation, logging-fstring-interpolation, missing-param-doc, raise-missing-from, raw-checker-failed, super-with-arguments, suppressed-message, too-few-public-methods, too-many-ancestors, too-many-boolean-expressions, too-many-branches, too-many-instance-attributes, too-many-lines, too-many-locals, too-many-nested-blocks, too-many-public-methods, too-many-return-statements, too-many-statements, unsubscriptable-object, useless-object-inheritance, useless-suppression, use-symbolic-message-instead # Enable the message, report, category or checker with the given id(s). You can # either give multiple identifier separated by comma (,) or put this option # multiple time (only on the command line, not in the configuration file where # it should appear only once). See also the "--disable" option for examples. enable=c-extension-no-member [METHOD_ARGS] # List of qualified names (i.e., library.method) which require a timeout # parameter e.g. 'requests.api.get,requests.api.post' timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request [MISCELLANEOUS] # List of note tags to take in consideration, separated by a comma. notes=FIXME, XXX, TODO # Regular expression of note tags to take in consideration. notes-rgx= [REFACTORING] # Maximum number of nested blocks for function / method body max-nested-blocks=5 # Complete name of functions that never returns. When checking for # inconsistent-return-statements if a never returning function is called then # it will be considered as an explicit return statement and no message will be # printed. 
never-returning-functions=sys.exit,argparse.parse_error [REPORTS] # Python expression which should return a score less than or equal to 10. You # have access to the variables 'fatal', 'error', 'warning', 'refactor', # 'convention', and 'info' which contain the number of messages in each # category, as well as 'statement' which is the total number of statements # analyzed. This score is used by the global evaluation report (RP0004). evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)) # Template used to display messages. This is a python new-style format string # used to format the message information. See doc for all details. msg-template= # Set the output format. Available formats are text, parseable, colorized, json # and msvs (visual studio). You can also give a reporter class, e.g. # mypackage.mymodule.MyReporterClass. #output-format= # Tells whether to display a full report or only the messages. reports=no # Activate the evaluation score. # score=yes score=no [SIMILARITIES] # Comments are removed from the similarity computation ignore-comments=yes # Docstrings are removed from the similarity computation ignore-docstrings=yes # Imports are removed from the similarity computation ignore-imports=yes # Signatures are removed from the similarity computation ignore-signatures=yes # Minimum lines number of a similarity. min-similarity-lines=4 [SPELLING] # Limits count of emitted suggestions for spelling mistakes. max-spelling-suggestions=4 # Spelling dictionary name. 
Available dictionaries: en_AG (hunspell), en_AU # (hunspell), en_BS (hunspell), en_BW (hunspell), en_BZ (hunspell), en_CA # (hunspell), en_DK (hunspell), en_GB (hunspell), en_GH (hunspell), en_HK # (hunspell), en_IE (hunspell), en_IN (hunspell), en_JM (hunspell), en_MW # (hunspell), en_NA (hunspell), en_NG (hunspell), en_NZ (hunspell), en_PH # (hunspell), en_SG (hunspell), en_TT (hunspell), en_US (hunspell), en_ZA # (hunspell), en_ZM (hunspell), en_ZW (hunspell). spelling-dict= # List of comma separated words that should be considered directives if they # appear at the beginning of a comment and should not be checked. spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy: # List of comma separated words that should not be checked. spelling-ignore-words= # A path to a file that contains the private dictionary; one word per line. spelling-private-dict-file= # Tells whether to store unknown words to the private dictionary (see the # --spelling-private-dict-file option) instead of raising a message. spelling-store-unknown-words=no [STRING] # This flag controls whether inconsistent-quotes generates a warning when the # character used as a quote delimiter is used inconsistently within a module. check-quote-consistency=no # This flag controls whether the implicit-str-concat should generate a warning # on implicit string concatenation in sequences defined over several lines. check-str-concat-over-line-jumps=no [TYPECHECK] # List of decorators that produce context managers, such as # contextlib.contextmanager. Add to this list to register other decorators that # produce valid context managers. contextmanager-decorators=contextlib.contextmanager # List of members which are set dynamically and missed by pylint inference # system, and so shouldn't trigger E1101 when accessed. Python regular # expressions are accepted. generated-members= # Tells whether to warn about missing members when the owner of the attribute # is inferred to be None. 
ignore-none=yes # This flag controls whether pylint should warn about no-member and similar # checks whenever an opaque object is returned when inferring. The inference # can return multiple potential results while evaluating a Python object, but # some branches might not be evaluated, which results in partial inference. In # that case, it might be useful to still emit no-member and other checks for # the rest of the inferred objects. ignore-on-opaque-inference=yes # List of symbolic message names to ignore for Mixin members. ignored-checks-for-mixins=no-member, not-async-context-manager, not-context-manager, attribute-defined-outside-init # List of class names for which member attributes should not be checked (useful # for classes with dynamically set attributes). This supports the use of # qualified names. ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace # Show a hint with possible names when a member name was not found. The aspect # of finding the hint is based on edit distance. missing-member-hint=yes # The minimum edit distance a name should have in order to be considered a # similar match for a missing member name. missing-member-hint-distance=1 # The total number of similar names that should be taken in consideration when # showing a hint for a missing member. missing-member-max-choices=1 # Regex pattern to define which classes are considered mixins. mixin-class-rgx=.*[Mm]ixin # List of decorators that change the signature of a decorated function. signature-mutators= [VARIABLES] # List of additional names supposed to be defined in builtins. Remember that # you should avoid defining new builtins when possible. additional-builtins= # Tells whether unused global variables should be treated as a violation. allow-global-unused-variables=yes # List of names allowed to shadow builtins allowed-redefined-builtins= # List of strings which can identify a callback function by name. 
A callback # name must start or end with one of those strings. callbacks=cb_, _cb # A regular expression matching the name of dummy variables (i.e. expected to # not be used). dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ # Argument names that match this expression will be ignored. ignored-argument-names=_.*|^ignored_|^unused_ # Tells whether we should check for unused import in __init__ files. init-import=no # List of qualified module names which can have objects that can redefine # builtins. redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io artifacts-20230928/.yamllint.yaml000066400000000000000000000002251450527130400165400ustar00rootroot00000000000000extends: default rules: line-length: disable indentation: spaces: consistent indent-sequences: false check-multi-line-strings: true artifacts-20230928/ACKNOWLEDGEMENTS000066400000000000000000000002271450527130400162240ustar00rootroot00000000000000Acknowledgements: artifacts Thanks to contributors (alphabetically based on last name): Sean Gillespie Andreas Moser Sebastian Welsh Andrew Williams artifacts-20230928/AUTHORS000066400000000000000000000007501450527130400150200ustar00rootroot00000000000000Copyright 2014 The ForensicArtifacts.com Artifact Repository project. # Names should be added to this file with this pattern: # # For individuals: # Name (email address) # Name (email address), organization # # For organizations: # Organization (fnmatch pattern) # # See python fnmatch module documentation for more information. Greg Castle (github@mailgreg.com), Google Inc. Matt Churchill (matt@mattchurchill.net), CrowdStrike Joachim Metz (joachim.metz@gmail.com), Google Inc. artifacts-20230928/LICENSE000066400000000000000000000260751450527130400147650ustar00rootroot00000000000000Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. 
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. 
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. artifacts-20230928/MANIFEST.in000066400000000000000000000011411450527130400155010ustar00rootroot00000000000000include ACKNOWLEDGEMENTS AUTHORS LICENSE README include dependencies.ini run_tests.py utils/__init__.py utils/dependencies.py include utils/check_dependencies.py include requirements.txt test_requirements.txt recursive-include config * recursive-include data * recursive-include test_data * exclude .gitignore exclude *.pyc recursive-include tools *.py recursive-exclude tools *.pyc recursive-exclude artifacts *.pyc # The test scripts are not required in a binary distribution package they # are considered source distribution files and excluded in find_package() # in setup.py. 
recursive-include tests *.py artifacts-20230928/README000066400000000000000000000004571450527130400146340ustar00rootroot00000000000000Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools. For more information see: * Project documentation: https://artifacts.readthedocs.io/en/latest artifacts-20230928/README.md000066400000000000000000000016441450527130400152320ustar00rootroot00000000000000## Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools. If you'd like to use the artifacts in your own tools, **all you need to be able to do is read YAML**. That is it, no other dependencies. The Python code in this project is just used to validate all the artifacts to make sure they follow the specification. For more information see: * Project documentation: https://artifacts.readthedocs.io/en/latest ## Contributing Please send us your contribution! See [the developers guide](https://github.com/ForensicArtifacts/artifacts/wiki/Developers-guide) for instructions. 
## Contact * [forensicartifacts@googlegroups.com](https://groups.google.com/forum/#!forum/forensicartifacts) * Artifacts channel of [Open Source DFIR Slack](https://github.com/open-source-dfir/slack) artifacts-20230928/appveyor.yml000066400000000000000000000021041450527130400163330ustar00rootroot00000000000000environment: matrix: - DESCRIPTION: "Windows with 32-bit Python 3.11" MACHINE_TYPE: "x86" APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 PYTHON: "C:\\Python311" PYTHON_VERSION: "3.11" L2TBINARIES_TRACK: "dev" - DESCRIPTION: "Windows with 64-bit Python 3.11" MACHINE_TYPE: "amd64" APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022 PYTHON: "C:\\Python311-x64" PYTHON_VERSION: "3.11" L2TBINARIES_TRACK: "dev" - DESCRIPTION: "Mac OS with Python 3.11" APPVEYOR_BUILD_WORKER_IMAGE: macos-monterey HOMEBREW_NO_INSTALL_CLEANUP: 1 install: - cmd: "%PYTHON%\\python.exe -m pip install -U pip setuptools twine wheel" - ps: If ($isWindows) { .\config\appveyor\install.ps1 } - sh: config/appveyor/install.sh build_script: - cmd: "%PYTHON%\\python.exe setup.py bdist_wheel" test_script: - cmd: "%PYTHON%\\python.exe run_tests.py" - cmd: IF EXIST "tests\\end-to-end.py" ( set PYTHONPATH=. && "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) - sh: config/appveyor/runtests.sh artifacts: - path: dist\*.whl artifacts-20230928/artifacts.ini000066400000000000000000000010211450527130400164210ustar00rootroot00000000000000[project] name: artifacts status: alpha name_description: Digital Forensics Artifacts Repository maintainer: Forensic artifacts homepage_url: https://github.com/ForensicArtifacts/artifacts git_url: https://github.com/ForensicArtifacts/artifacts.git description_short: ForensicArtifacts.com Artifact Repository. description_long: A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. 
artifacts-20230928/artifacts/000077500000000000000000000000001450527130400157265ustar00rootroot00000000000000artifacts-20230928/artifacts/__init__.py000066400000000000000000000001431450527130400200350ustar00rootroot00000000000000# -*- coding: utf-8 -*- """ForensicArtifacts.com Artifact Repository.""" __version__ = '20230928' artifacts-20230928/artifacts/artifact.py000066400000000000000000000063121450527130400200770ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact definition.""" from artifacts import errors from artifacts import registry class ArtifactDefinition(object): """Artifact definition interface. Attributes: aliases (list[str]): aliases that identify the artifact definition. description (str): description. name (str): name that uniquely identifiers the artifact definition. provides (list[str]): hints to what information the artifact definition provides. sources (list[str]): sources. supported_os (list[str]): supported operating systems. urls (list[str]): URLs with more information about the artifact definition. """ def __init__(self, name, aliases=None, description=None): """Initializes an artifact definition. Args: name (str): name that uniquely identifiers the artifact definition. aliases (Optional[str]): aliases that identify the artifact definition. description (Optional[str]): description of the artifact definition. """ super(ArtifactDefinition, self).__init__() self.aliases = aliases or [] self.description = description self.name = name self.provides = [] self.sources = [] self.supported_os = [] self.urls = [] def AppendSource(self, type_indicator, attributes): """Appends a source. If you want to implement your own source type you should create a subclass in source_type.py and change the AppendSource method to handle the new subclass. This function raises FormatError if an unsupported source type indicator is encountered. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source attributes. 
Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if not type_indicator: raise errors.FormatError('Missing type indicator.') try: source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( type_indicator, attributes) except (AttributeError, TypeError) as exception: raise errors.FormatError(( f'Unable to create source type: {type_indicator:s} for artifact ' f'definition: {self.name:s} with error: {exception!s}')) self.sources.append(source_object) return source_object def AsDict(self): """Represents an artifact as a dictionary. Returns: dict[str, object]: artifact attributes. """ sources = [] for source in self.sources: source_definition = { 'type': source.type_indicator, 'attributes': source.AsDict() } if source.supported_os: source_definition['supported_os'] = source.supported_os sources.append(source_definition) artifact_definition = { 'name': self.name, 'doc': self.description, 'sources': sources, } if self.aliases: artifact_definition['aliases'] = self.aliases if self.supported_os: artifact_definition['supported_os'] = self.supported_os if self.provides: artifact_definition['provides'] = self.provides if self.urls: artifact_definition['urls'] = self.urls return artifact_definition artifacts-20230928/artifacts/definitions.py000066400000000000000000000016621450527130400206200ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Constants and definitions.""" TYPE_INDICATOR_ARTIFACT_GROUP = 'ARTIFACT_GROUP' TYPE_INDICATOR_COMMAND = 'COMMAND' TYPE_INDICATOR_DIRECTORY = 'DIRECTORY' # deprecated use PATH instead. 
TYPE_INDICATOR_FILE = 'FILE' TYPE_INDICATOR_PATH = 'PATH' TYPE_INDICATOR_WINDOWS_REGISTRY_KEY = 'REGISTRY_KEY' TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE = 'REGISTRY_VALUE' TYPE_INDICATOR_WMI_QUERY = 'WMI' SUPPORTED_OS_DARWIN = 'Darwin' SUPPORTED_OS_ESXI = 'ESXi' SUPPORTED_OS_LINUX = 'Linux' SUPPORTED_OS_WINDOWS = 'Windows' SUPPORTED_OS = frozenset([ SUPPORTED_OS_DARWIN, SUPPORTED_OS_ESXI, SUPPORTED_OS_LINUX, SUPPORTED_OS_WINDOWS]) TOP_LEVEL_KEYS = frozenset([ 'aliases', # conditions have been deprecated as of version 20220710. 'conditions', 'doc', # labels have been deprecated as of version 20220311. 'labels', 'name', 'provides', 'sources', 'supported_os', 'urls']) artifacts-20230928/artifacts/errors.py000066400000000000000000000006031450527130400176130ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The error objects.""" class Error(Exception): """The error interface.""" class CodeStyleError(Error): """Error that is raised when code formatting fails style checks.""" class FormatError(Error): """Error that is raised when the format is incorrect.""" class MissingDependencyError(Error): """Artifact references artifact that is undefined.""" artifacts-20230928/artifacts/reader.py000066400000000000000000000252501450527130400175460ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact reader objects.""" import abc import glob import io import os import json import yaml from artifacts import artifact from artifacts import definitions from artifacts import errors class BaseArtifactsReader(object): """Artifacts reader interface. Attributes: supported_os (set[str]): supported operating systems. """ # Note that redundant-returns-doc and redundant-yields-doc are broken for # pylint 1.7.x for abstract methods. 
# pylint: disable=redundant-returns-doc,redundant-yields-doc def __init__(self): """Initializes an artifacts reader.""" super(BaseArtifactsReader, self).__init__() self.supported_os = set() @abc.abstractmethod def ReadArtifactDefinitionValues(self, artifact_definition_values): """Reads an artifact definition from a dictionary. Args: artifact_definition_values (dict[str, object]): artifact definition values. Returns: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ @abc.abstractmethod def ReadDirectory(self, path, extension=None): """Reads artifact definitions from a directory. This function does not recurse sub directories. Args: path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Yields: ArtifactDefinition: an artifact definition. """ @abc.abstractmethod def ReadFile(self, filename): """Reads artifact definitions from a file. Args: filename (str): name of the file to read from. Yields: ArtifactDefinition: an artifact definition. """ @abc.abstractmethod def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ class ArtifactsReader(BaseArtifactsReader): """Artifacts reader common functionality.""" # Note that redundant-yields-doc is broken for pylint 1.7.x for # abstract methods. # pylint: disable=redundant-yields-doc def __init__(self): """Initializes an artifacts reader.""" super(ArtifactsReader, self).__init__() self.supported_os = set(definitions.SUPPORTED_OS) # Pylint fails on detecting the type of definition_object based on # the docstring. 
# pylint: disable=missing-type-doc def _ReadSupportedOS(self, definition_values, definition_object, name): """Reads the optional artifact or source type supported OS. Args: definition_values (dict[str, object]): artifact definition values. definition_object (ArtifactDefinition|SourceType): the definition object. name (str): name of the artifact definition. Raises: FormatError: if there are undefined supported operating systems. """ supported_os = definition_values.get('supported_os', []) if not isinstance(supported_os, list): supported_os_type = type(supported_os) raise errors.FormatError( f'Invalid supported_os type: {supported_os_type!s}') undefined_supported_os = set(supported_os).difference(self.supported_os) if undefined_supported_os: undefined_supported_os = ', '.join(undefined_supported_os) raise errors.FormatError(( f'Artifact definition: {name:s} undefined supported operating ' f'system: {undefined_supported_os:s}.')) definition_object.supported_os = supported_os def _ReadSources(self, artifact_definition_values, artifact_definition, name): """Reads the artifact definition sources. Args: artifact_definition_values (dict[str, object]): artifact definition values. artifact_definition (ArtifactDefinition): an artifact definition. name (str): name of the artifact definition. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. 
""" sources = artifact_definition_values.get('sources') if not sources: raise errors.FormatError( f'Invalid artifact definition: {name:s} missing sources.') for source in sources: type_indicator = source.get('type', None) if not type_indicator: raise errors.FormatError( f'Invalid artifact definition: {name:s} source type.') attributes = source.get('attributes', None) try: source_type = artifact_definition.AppendSource( type_indicator, attributes) except errors.FormatError as exception: raise errors.FormatError( f'Invalid artifact definition: {name:s}, with error: {exception!s}') # TODO: deprecate these left overs from the collector definition. if source_type: if source.get('returned_types', None): raise errors.FormatError(( f'Invalid artifact definition: {name:s} returned_types no longer ' f'supported.')) self._ReadSupportedOS(source, source_type, name) if set(source_type.supported_os) - set( artifact_definition.supported_os): raise errors.FormatError(( f'Invalid artifact definition: {name:s} missing ' f'supported_os.')) def ReadArtifactDefinitionValues(self, artifact_definition_values): """Reads an artifact definition from a dictionary. Args: artifact_definition_values (dict[str, object]): artifact definition values. Returns: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ if not artifact_definition_values: raise errors.FormatError('Missing artifact definition values.') different_keys = ( set(artifact_definition_values) - definitions.TOP_LEVEL_KEYS) if different_keys: different_keys = ', '.join(different_keys) raise errors.FormatError(f'Undefined keys: {different_keys:s}') name = artifact_definition_values.get('name', None) if not name: raise errors.FormatError('Invalid artifact definition missing name.') # The description is assumed to be mandatory. 
description = artifact_definition_values.get('doc', None) if not description: raise errors.FormatError( f'Invalid artifact definition: {name:s} missing description.') aliases = artifact_definition_values.get('aliases', None) artifact_definition = artifact.ArtifactDefinition( name, aliases=aliases, description=description) if artifact_definition_values.get('collectors', []): raise errors.FormatError( f'Invalid artifact definition: {name:s} still uses collectors.') urls = artifact_definition_values.get('urls', []) if not isinstance(urls, list): raise errors.FormatError( f'Invalid artifact definition: {name:s} urls is not a list.') artifact_definition.provides = artifact_definition_values.get( 'provides', []) self._ReadSupportedOS(artifact_definition_values, artifact_definition, name) artifact_definition.urls = urls self._ReadSources(artifact_definition_values, artifact_definition, name) return artifact_definition def ReadDirectory(self, path, extension='yaml'): """Reads artifact definitions from a directory. This function does not recurse sub directories. Args: path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Yields: ArtifactDefinition: an artifact definition. """ if extension: glob_spec = os.path.join(path, f'*.{extension:s}') else: glob_spec = os.path.join(path, '*') for artifact_file in glob.glob(glob_spec): for artifact_definition in self.ReadFile(artifact_file): yield artifact_definition def ReadFile(self, filename): """Reads artifact definitions from a file. Args: filename (str): name of the file to read from. Yields: ArtifactDefinition: an artifact definition. """ with io.open(filename, 'r', encoding='utf-8') as file_object: for artifact_definition in self.ReadFileObject(file_object): yield artifact_definition @abc.abstractmethod def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. 
Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the artifact definition is not set or incorrect. """ class JsonArtifactsReader(ArtifactsReader): """JSON artifacts reader.""" def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the JSON artifact definition is not set or incorrect. """ # TODO: add try, except? json_definitions = json.loads(file_object.read()) last_artifact_definition = None for json_definition in json_definitions: try: artifact_definition = self.ReadArtifactDefinitionValues(json_definition) except errors.FormatError as exception: error_location = 'At start' if last_artifact_definition: error_location = f'After: {last_artifact_definition.name:s}' raise errors.FormatError(f'{error_location:s} {exception!s}') yield artifact_definition last_artifact_definition = artifact_definition class YamlArtifactsReader(ArtifactsReader): """YAML artifacts reader.""" def ReadFileObject(self, file_object): """Reads artifact definitions from a file-like object. Args: file_object (file): file-like object to read from. Yields: ArtifactDefinition: an artifact definition. Raises: FormatError: if the format of the YAML artifact definition is not set or incorrect. """ # TODO: add try, except? 
yaml_generator = yaml.safe_load_all(file_object) last_artifact_definition = None for yaml_definition in yaml_generator: try: artifact_definition = self.ReadArtifactDefinitionValues(yaml_definition) except errors.FormatError as exception: error_location = 'At start' if last_artifact_definition: error_location = f'After: {last_artifact_definition.name:s}' raise errors.FormatError(f'{error_location:s} {exception!s}') yield artifact_definition last_artifact_definition = artifact_definition artifacts-20230928/artifacts/registry.py000066400000000000000000000205041450527130400201510ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact definitions registry.""" from artifacts import definitions from artifacts import errors from artifacts import source_type class ArtifactDefinitionsRegistry(object): """Artifact definitions registry.""" _source_type_classes = { definitions.TYPE_INDICATOR_ARTIFACT_GROUP: source_type.ArtifactGroupSourceType, definitions.TYPE_INDICATOR_COMMAND: source_type.CommandSourceType, definitions.TYPE_INDICATOR_DIRECTORY: source_type.DirectorySourceType, definitions.TYPE_INDICATOR_FILE: source_type.FileSourceType, definitions.TYPE_INDICATOR_PATH: source_type.PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: source_type.WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: source_type.WindowsRegistryValueSourceType, definitions.TYPE_INDICATOR_WMI_QUERY: source_type.WMIQuerySourceType} def __init__(self): """Initializes an artifact definitions registry.""" super(ArtifactDefinitionsRegistry, self).__init__() self._artifact_definitions_by_alias = {} self._artifact_definitions_by_name = {} self._artifact_name_references = set() self._defined_artifact_names = set() @classmethod def CreateSourceType(cls, type_indicator, attributes): """Creates a source type object. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source attributes. Returns: SourceType: a source type. 
Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if type_indicator not in cls._source_type_classes: raise errors.FormatError( f'Unsupported type indicator: {type_indicator:s}.') return cls._source_type_classes[type_indicator](**attributes) def DeregisterDefinition(self, artifact_definition): """Deregisters an artifact definition. Artifact definitions are identified based on their lower case name. Args: artifact_definition (ArtifactDefinition): an artifact definition. Raises: KeyError: if an artifact definition is not set for the corresponding name. """ artifact_definition_name = artifact_definition.name.lower() if artifact_definition_name not in self._artifact_definitions_by_name: raise KeyError(( f'Artifact definition not set for name: ' f'{artifact_definition.name:s}.')) for alias in artifact_definition.aliases: if alias.lower() not in self._artifact_definitions_by_alias: raise KeyError(f'Artifact definition not set for alias: {alias:s}.') del self._artifact_definitions_by_name[artifact_definition_name] for alias in artifact_definition.aliases: del self._artifact_definitions_by_alias[alias.lower()] @classmethod def DeregisterSourceType(cls, source_type_class): """Deregisters a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if a source type is not set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR not in cls._source_type_classes: raise KeyError(( f'Source type not set for type: ' f'{source_type_class.TYPE_INDICATOR:s}.')) del cls._source_type_classes[source_type_class.TYPE_INDICATOR] def GetDefinitionByAlias(self, alias): """Retrieves a specific artifact definition by alias. Args: alias (str): alias of the artifact definition. Returns: ArtifactDefinition: an artifact definition or None if not available. 
""" if not alias: return None return self._artifact_definitions_by_alias.get(alias.lower(), None) def GetDefinitionByName(self, name): """Retrieves a specific artifact definition by name. Args: name (str): name of the artifact definition. Returns: ArtifactDefinition: an artifact definition or None if not available. """ if not name: return None return self._artifact_definitions_by_name.get(name.lower(), None) def GetDefinitions(self): """Retrieves the artifact definitions. Returns: list[ArtifactDefinition]: artifact definitions. """ return self._artifact_definitions_by_name.values() def GetUndefinedArtifacts(self): """Retrieves the names of undefined artifacts used by artifact groups. Returns: set[str]: undefined artifacts names. """ return self._artifact_name_references - self._defined_artifact_names def RegisterDefinition(self, artifact_definition): """Registers an artifact definition. Artifact definitions are identified based on their lower case name. Args: artifact_definition (ArtifactDefinition): an artifact definition. Raises: KeyError: if artifact definition is already set for the corresponding name or alias. 
""" artifact_definition_name = artifact_definition.name.lower() if artifact_definition_name in self._artifact_definitions_by_name: raise KeyError(( f'Artifact definition already set for name: ' f'{artifact_definition.name:s}.')) for alias in artifact_definition.aliases: alias_lower = alias.lower() if alias_lower in self._artifact_definitions_by_alias: raise KeyError(f'Artifact definition already set for alias: {alias:s}.') if alias_lower in self._artifact_definitions_by_name: raise KeyError( f'Artifact definition alias: {alias:s} already used as name.') self._artifact_definitions_by_name[artifact_definition_name] = ( artifact_definition) self._defined_artifact_names.add(artifact_definition.name) for alias in artifact_definition.aliases: self._artifact_definitions_by_alias[alias.lower()] = artifact_definition for source in artifact_definition.sources: if source.type_indicator == definitions.TYPE_INDICATOR_ARTIFACT_GROUP: self._artifact_name_references.update(source.names) @classmethod def RegisterSourceType(cls, source_type_class): """Registers a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if source types is already set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: raise KeyError(( f'Source type already set for type: ' f'{source_type_class.TYPE_INDICATOR:s}.')) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) @classmethod def RegisterSourceTypes(cls, source_type_classes): """Registers source types. Source types are identified based on their type indicator. Args: source_type_classes (list[type]): source types. """ for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) def ReadFromDirectory(self, artifacts_reader, path, extension='yaml'): """Reads artifact definitions into the registry from files in a directory. 
This function does not recurse sub directories. Args: artifacts_reader (ArtifactsReader): an artifacts reader. path (str): path of the directory to read from. extension (Optional[str]): extension of the filenames to read. Raises: KeyError: if a duplicate artifact definition is encountered. """ for artifact_definition in artifacts_reader.ReadDirectory( path, extension=extension): self.RegisterDefinition(artifact_definition) def ReadFromFile(self, artifacts_reader, filename): """Reads artifact definitions into the registry from a file. Args: artifacts_reader (ArtifactsReader): an artifacts reader. filename (str): name of the file to read from. """ for artifact_definition in artifacts_reader.ReadFile(filename): self.RegisterDefinition(artifact_definition) def ReadFileObject(self, artifacts_reader, file_object): """Reads artifact definitions into the registry from a file-like object. Args: artifacts_reader (ArtifactsReader): an artifacts reader. file_object (file): file-like object to read from. """ for artifact_definition in artifacts_reader.ReadFileObject(file_object): self.RegisterDefinition(artifact_definition) artifacts-20230928/artifacts/source_type.py000066400000000000000000000326101450527130400206430ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The source type objects. The source type objects define the source of the artifact data. In earlier versions of the artifact definitions collector definitions had a similar purpose as the source type. Currently the following source types are defined: * artifact; the source is one or more artifact definitions; * file; the source is one or more files; * path; the source is one or more paths; * Windows Registry key; the source is one or more Windows Registry keys; * Windows Registry value; the source is one or more Windows Registry values; * WMI query; the source is a Windows Management Instrumentation query. 
The difference between the file and path source types are that file should be used to define file entries that contain data and path, file entries that define a location. E.g. on Windows %SystemRoot% could be considered a path artifact definition, pointing to a location e.g. C:\\Windows. And where C:\\Windows\\System32\\winevt\\Logs\\AppEvent.evt a file artifact definition, pointing to the Application Event Log file. """ import abc from artifacts import definitions from artifacts import errors class SourceType(object): """Artifact definition source type interface.""" # Note that redundant-returns-doc is broken for pylint 1.7.x for # abstract methods. # pylint: disable=redundant-returns-doc TYPE_INDICATOR = None def __init__(self): """Initializes an artifact definition source type. Raises: FormatError: if the indicator is not defined. """ super(SourceType, self).__init__() if not self.TYPE_INDICATOR: raise errors.FormatError('Missing type indicator.') @property def type_indicator(self): """str: type indicator.""" return self.TYPE_INDICATOR @abc.abstractmethod def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ class ArtifactGroupSourceType(SourceType): """Artifact group source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_ARTIFACT_GROUP def __init__(self, names=None): """Initializes a source type. Args: names (Optional[str]): artifact definition names. Raises: FormatError: when artifact names is not set. """ if not names: raise errors.FormatError('Missing names value.') super(ArtifactGroupSourceType, self).__init__() self.names = names def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'names': self.names} class CommandSourceType(SourceType): """Command source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_COMMAND def __init__(self, args=None, cmd=None): """Initializes a source type. 
Args: args (list[str]): arguments to the command to run. cmd (str): command to run. Raises: FormatError: when args or cmd is not set. """ if args is None or cmd is None: raise errors.FormatError('Missing args or cmd value.') super(CommandSourceType, self).__init__() self.args = args self.cmd = cmd def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'cmd': self.cmd, 'args': self.args} class DirectorySourceType(SourceType): """Directory source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_DIRECTORY def __init__(self, paths=None, separator='/'): """Initializes a source type. Args: paths (Optional[str]): paths relative to the root of the file system. separator (Optional[str]): path segment separator. Raises: FormatError: when paths is not set or not a list type. """ if not paths: raise errors.FormatError('Missing paths value.') if not isinstance(paths, list): raise errors.FormatError('Invalid paths value, not a list.') super(DirectorySourceType, self).__init__() self.paths = paths self.separator = separator def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class FileSourceType(SourceType): """File source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_FILE def __init__(self, paths=None, separator='/'): """Initializes a source type. Args: paths (Optional[str]): paths relative to the root of the file system. separator (Optional[str]): path segment separator. Raises: FormatError: when paths is not set or not a list type. 
""" if not paths: raise errors.FormatError('Missing paths value.') if not isinstance(paths, list): raise errors.FormatError('Invalid paths value, not a list.') super(FileSourceType, self).__init__() self.paths = paths self.separator = separator def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class PathSourceType(SourceType): """Path source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_PATH def __init__(self, paths=None, separator='/'): """Initializes a source type. Args: paths (Optional[str]): paths relative to the root of the file system. separator (Optional[str]): path segment separator. Raises: FormatError: when paths is not set or not a list type. """ if not paths: raise errors.FormatError('Missing paths value.') if not isinstance(paths, list): raise errors.FormatError('Invalid paths value, not a list.') super(PathSourceType, self).__init__() self.paths = paths self.separator = separator def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ source_type_attributes = {'paths': self.paths} if self.separator != '/': source_type_attributes['separator'] = self.separator return source_type_attributes class WindowsRegistryKeySourceType(SourceType): """Windows Registry key source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY VALID_PREFIXES = [ r'HKEY_LOCAL_MACHINE', r'HKEY_USERS', r'HKEY_CLASSES_ROOT', r'%%current_control_set%%', ] def __init__(self, keys=None): """Initializes a source type. Args: keys (Optional[list[str]]): key paths relative to the root of the Windows Registry. Raises: FormatError: when keys is not set. 
""" if not keys: raise errors.FormatError('Missing keys value.') if not isinstance(keys, list): raise errors.FormatError('keys must be a list') for key in keys: self.ValidateKey(key) super(WindowsRegistryKeySourceType, self).__init__() self.keys = keys def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'keys': self.keys} @classmethod def ValidateKey(cls, key_path): """Validates this key against supported key names. Args: key_path (str): path of a Windows Registry key. Raises: FormatError: when key is not supported. """ for prefix in cls.VALID_PREFIXES: if key_path.startswith(prefix): return # TODO: move check to validator. if key_path.startswith('HKEY_CURRENT_USER\\'): raise errors.FormatError( 'HKEY_CURRENT_USER\\ is not supported instead use: ' 'HKEY_USERS\\%%users.sid%%\\') raise errors.FormatError(f'Unupported Registry key path: {key_path:s}') class WindowsRegistryValueSourceType(SourceType): """Windows Registry value source type.""" TYPE_INDICATOR = definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE def __init__(self, key_value_pairs=None): """Initializes a source type. Args: key_value_pairs (Optional[list[tuple[str, str]]]): key path and value name pairs, where key paths are relative to the root of the Windows Registry. Raises: FormatError: when key value pairs is not set. 
""" if not key_value_pairs: raise errors.FormatError('Missing key value pairs value.') if not isinstance(key_value_pairs, list): raise errors.FormatError('key_value_pairs must be a list') for pair in key_value_pairs: if not isinstance(pair, dict): raise errors.FormatError('key_value_pair must be a dict') if set(pair.keys()) != set(['key', 'value']): key_value_pairs = ', '.join([ f'{key:s}: {value:s}' for key, value in key_value_pairs]) raise errors.FormatError(( f'key_value_pair missing "key" and "value" keys, got: ' f'{key_value_pairs:s}')) WindowsRegistryKeySourceType.ValidateKey(pair['key']) super(WindowsRegistryValueSourceType, self).__init__() self.key_value_pairs = key_value_pairs def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'key_value_pairs': self.key_value_pairs} class WMIQuerySourceType(SourceType): """WMI query source type. Attributes: base_object (str): WMI base object. query (str): WMI query. """ TYPE_INDICATOR = definitions.TYPE_INDICATOR_WMI_QUERY def __init__(self, base_object=None, query=None): """Initializes a source type. Args: base_object (Optional[str]): WMI base object. query (Optional[str]): WMI query. Raises: FormatError: when query is not set. """ if not query: raise errors.FormatError('Missing query value.') super(WMIQuerySourceType, self).__init__() self.base_object = base_object self.query = query def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. 
""" source_type_attributes = {'query': self.query} if self.base_object: source_type_attributes['base_object'] = self.base_object return source_type_attributes class SourceTypeFactory(object): """Source type factory.""" _source_type_classes = { definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType, definitions.TYPE_INDICATOR_COMMAND: CommandSourceType, definitions.TYPE_INDICATOR_DIRECTORY: DirectorySourceType, definitions.TYPE_INDICATOR_FILE: FileSourceType, definitions.TYPE_INDICATOR_PATH: PathSourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: WindowsRegistryKeySourceType, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: WindowsRegistryValueSourceType, definitions.TYPE_INDICATOR_WMI_QUERY: WMIQuerySourceType, } @classmethod def CreateSourceType(cls, type_indicator, attributes): """Creates a source type. Args: type_indicator (str): source type indicator. attributes (dict[str, object]): source type attributes. Returns: SourceType: a source type. Raises: FormatError: if the type indicator is not set or unsupported, or if required attributes are missing. """ if type_indicator not in cls._source_type_classes: raise errors.FormatError( f'Unsupported type indicator: {type_indicator:s}.') return cls._source_type_classes[type_indicator](**attributes) @classmethod def DeregisterSourceType(cls, source_type_class): """Deregisters a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if a source type is not set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR not in cls._source_type_classes: raise KeyError(( f'Source type not set for type: ' f'{source_type_class.TYPE_INDICATOR:s}.')) del cls._source_type_classes[source_type_class.TYPE_INDICATOR] @classmethod def GetSourceTypes(cls): """Retrieves the source types. Returns: list[type]: source types. 
""" return cls._source_type_classes.values() @classmethod def GetSourceTypeIndicators(cls): """Retrieves the source type indicators. Returns: list[str]: source type indicators. """ return cls._source_type_classes.keys() @classmethod def RegisterSourceType(cls, source_type_class): """Registers a source type. Source types are identified based on their type indicator. Args: source_type_class (type): source type. Raises: KeyError: if source types is already set for the corresponding type indicator. """ if source_type_class.TYPE_INDICATOR in cls._source_type_classes: raise KeyError(( f'Source type already set for type: ' f'{source_type_class.TYPE_INDICATOR:s}.')) cls._source_type_classes[source_type_class.TYPE_INDICATOR] = ( source_type_class) @classmethod def RegisterSourceTypes(cls, source_type_classes): """Registers source types. Source types are identified based on their type indicator. Args: source_type_classes (list[type]): source types. """ for source_type_class in source_type_classes: cls.RegisterSourceType(source_type_class) artifacts-20230928/artifacts/writer.py000066400000000000000000000052551450527130400176230ustar00rootroot00000000000000# -*- coding: utf-8 -*- """The artifact writer objects.""" import abc import json import yaml class BaseArtifactsWriter(object): """Artifacts writer interface.""" # Note that redundant-returns-doc is broken for # pylint 1.7.x for # abstract methods. # pylint: disable=redundant-returns-doc @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ @abc.abstractmethod def WriteArtifactsFile(self, artifacts, filename): """Writes artifact definitions to a file. Args: artifacts (list[ArtifactDefinition]): artifact definitions to be written. filename (str): name of the file to write artifacts to. 
""" class ArtifactWriter(BaseArtifactsWriter): """File artifacts writer.""" # Note that redundant-returns-doc is broken for # pylint 1.7.x for # abstract methods. # pylint: disable=redundant-returns-doc @abc.abstractmethod def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (ArtifactDefinition|list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ def WriteArtifactsFile(self, artifacts, filename): """Writes artifact definitions to a file. Args: artifacts (list[ArtifactDefinition]): artifact definitions to be written. filename (str): name of the file to write artifacts to. """ with open(filename, 'w', encoding='utf-8') as file_object: file_object.write(self.FormatArtifacts(artifacts)) class JsonArtifactsWriter(ArtifactWriter): """JSON artifacts writer interface.""" def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. """ artifact_definitions = [artifact.AsDict() for artifact in artifacts] json_data = json.dumps(artifact_definitions) return json_data class YamlArtifactsWriter(ArtifactWriter): """YAML artifacts writer interface.""" def FormatArtifacts(self, artifacts): """Formats artifacts to desired output format. Args: artifacts (list[ArtifactDefinition]): artifact definitions. Returns: str: formatted string of artifact definition. 
""" # TODO: improve output formatting of yaml artifact_definitions = [artifact.AsDict() for artifact in artifacts] yaml_data = yaml.safe_dump_all(artifact_definitions) return yaml_data artifacts-20230928/config/000077500000000000000000000000001450527130400152135ustar00rootroot00000000000000artifacts-20230928/config/appveyor/000077500000000000000000000000001450527130400170605ustar00rootroot00000000000000artifacts-20230928/config/appveyor/install.ps1000066400000000000000000000014441450527130400211560ustar00rootroot00000000000000# Script to set up tests on AppVeyor Windows. $Dependencies = "PyYAML" If ($Dependencies.Length -gt 0) { $Dependencies = ${Dependencies} -split " " $Output = Invoke-Expression -Command "git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools 2>&1" | %{ "$_" } Write-Host (${Output} | Out-String) If ($env:APPVEYOR_REPO_BRANCH -eq "main") { $Track = "stable" } Else { $Track = $env:APPVEYOR_REPO_BRANCH } New-Item -ItemType "directory" -Name "dependencies" $env:PYTHONPATH = "..\l2tdevtools" $Output = Invoke-Expression -Command "& '${env:PYTHON}\python.exe' ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type ${env:MACHINE_TYPE} --track ${env:L2TBINARIES_TRACK} ${Dependencies} 2>&1" | %{ "$_" } Write-Host (${Output} | Out-String) } artifacts-20230928/config/appveyor/install.sh000077500000000000000000000001751450527130400210700ustar00rootroot00000000000000# Script to set up tests on AppVeyor MacOS. set -e brew update -q brew install -q gettext gnu-sed python@3.11 tox || true artifacts-20230928/config/appveyor/runtests.sh000077500000000000000000000011541450527130400213070ustar00rootroot00000000000000#!/bin/sh # Script to run tests # Set the following environment variables to build libyal with gettext. 
export CPPFLAGS="-I/usr/local/include -I/usr/local/opt/gettext/include ${CPPFLAGS}"; export LDFLAGS="-L/usr/local/lib -L/usr/local/opt/gettext/lib ${LDFLAGS}"; # Set the following environment variables to build pycrypto and yara-python. export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include ${CPPFLAGS}"; export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}"; # Set the following environment variables to ensure tox can find Python 3.11. export PATH="/usr/local/opt/python@3.11/bin:${PATH}"; tox -e py311 artifacts-20230928/config/dpkg/000077500000000000000000000000001450527130400161405ustar00rootroot00000000000000artifacts-20230928/config/dpkg/artifacts-data.dirs000066400000000000000000000000251450527130400217070ustar00rootroot00000000000000/usr/share/artifacts artifacts-20230928/config/dpkg/artifacts-data.install000066400000000000000000000000331450527130400224130ustar00rootroot00000000000000data/* usr/share/artifacts artifacts-20230928/config/dpkg/artifacts-tools.install000066400000000000000000000000101450527130400226350ustar00rootroot00000000000000usr/bin artifacts-20230928/config/dpkg/changelog000066400000000000000000000002371450527130400200140ustar00rootroot00000000000000artifacts (20230928-1) unstable; urgency=low * Auto-generated -- Forensic artifacts Thu, 28 Sep 2023 13:23:32 +0200 artifacts-20230928/config/dpkg/clean000066400000000000000000000000261450527130400171430ustar00rootroot00000000000000artifacts/*.pyc *.pyc artifacts-20230928/config/dpkg/compat000066400000000000000000000000021450527130400173360ustar00rootroot000000000000009 artifacts-20230928/config/dpkg/control000066400000000000000000000024301450527130400175420ustar00rootroot00000000000000Source: artifacts Section: python Priority: extra Maintainer: Forensic artifacts Build-Depends: debhelper (>= 9), dh-python, python3-all (>= 3.6~), python3-setuptools Standards-Version: 4.1.4 X-Python3-Version: >= 3.6 Homepage: https://github.com/ForensicArtifacts/artifacts Package: artifacts-data Architecture: 
all Depends: ${misc:Depends} Description: Data files for Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: python3-artifacts Architecture: all Depends: artifacts-data (>= ${binary:Version}), python3-yaml (>= 3.10), ${misc:Depends} Description: Python 3 module of Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. Package: artifacts-tools Architecture: all Depends: python3-artifacts (>= ${binary:Version}), ${misc:Depends} Description: Tools of Digital Forensics Artifacts Repository A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. artifacts-20230928/config/dpkg/copyright000066400000000000000000000017711450527130400201010ustar00rootroot00000000000000Format: http://dep.debian.net/deps/dep5 Upstream-Name: artifacts Source: https://github.com/ForensicArtifacts/artifacts/ Files: * Copyright: 2014 The ForensicArtifacts.com Artifact Repository project. License: Apache-2.0 Files: debian/* Copyright: 2014 The ForensicArtifacts.com Artifact Repository project. License: Apache-2.0 License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . 
On Debian systems, the complete text of the Apache version 2.0 license can be found in "/usr/share/common-licenses/Apache-2.0". artifacts-20230928/config/dpkg/python3-artifacts.install000066400000000000000000000001431450527130400231100ustar00rootroot00000000000000usr/lib/python3*/dist-packages/artifacts/*.py usr/lib/python3*/dist-packages/artifacts*.egg-info/* artifacts-20230928/config/dpkg/rules000077500000000000000000000001721450527130400172200ustar00rootroot00000000000000#!/usr/bin/make -f %: dh $@ --buildsystem=pybuild --with=python3 .PHONY: override_dh_auto_test override_dh_auto_test: artifacts-20230928/config/dpkg/source/000077500000000000000000000000001450527130400174405ustar00rootroot00000000000000artifacts-20230928/config/dpkg/source/format000066400000000000000000000000141450527130400206460ustar00rootroot000000000000003.0 (quilt) artifacts-20230928/data/000077500000000000000000000000001450527130400146575ustar00rootroot00000000000000artifacts-20230928/data/antivirus.yaml000066400000000000000000000151521450527130400175730ustar00rootroot00000000000000# Anti-Virus artifacts. --- name: Bit9LocalCache doc: Bit9 local cache database. sources: - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Bit9\Parity Agent\cache.*'] separator: '\' supported_os: [Windows] --- name: CrowdstrikeQuarantine doc: Crowdstrike stores quarantined files encoded on disk. sources: - type: FILE attributes: paths: - '/Library/CS/Quarantine/*' - '/Library/Application Support/Crowdstrike/Falcon/Quarantine/*' supported_os: [Darwin] - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\drivers\CrowdStrike\Quarantine\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] --- # TODO: rename to CrowdstrikeAgentIdentifier and make CrowdstrikeAgentID and alias name: CrowdstrikeAgentID doc: Identifier of a CrowdStrike agent. 
sources: - type: FILE supported_os: [Darwin] attributes: paths: ['/Library/CS/registry.base'] - type: COMMAND supported_os: [Linux] attributes: cmd: '/opt/CrowdStrike/falconctl' args: ['-g', '--cid', '--aid'] - type: REGISTRY_VALUE supported_os: [Windows] attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent\Sim', value: 'AG'}] supported_os: [Darwin, Linux, Windows] --- name: EsetAVQuarantine doc: Eset Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: {paths: ['/Library/Application Support/ESET/esets/cache/quarantine/*']} supported_os: [Darwin] - type: FILE attributes: paths: ['%%environ_allusersappdata%%\ESET\ESET NOD32 Antivirus\Logs\**'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] --- name: MicrosoftAVQuarantine doc: Microsoft Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**' separator: '\' supported_os: [Windows] --- name: MicrosoftAVLogs doc: Microsoft Anti-Virus log files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Microsoft\Windows AntiMalware\Support\MPDetection-*.log' - '%%environ_allusersappdata%%\Microsoft\Windows AntiMalware\Support\MPLog-*.log' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\**' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPDetection-*.log' - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPLog-*.log' - '%%environ_systemroot%%\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log' - '%%environ_systemroot%%\Temp\MpCmdRun.log' - '%%users.temp%%\MpCmdRun.log' separator: '\' supported_os: [Windows] --- name: WindowsDefenderScanDetectionHistoryFiles doc: Microsoft Windows Defender scan detection history files. 
sources: - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\*-*-*-*'] separator: '\' supported_os: [Windows] --- name: WindowsDefenderExclusions doc: | Directories, processes and extensions configured not to be scanned by Windows Defender. The can be set locally or through group policy objects (GPO). Certain malware families (for example, Tofsee) are known to add directories to the Paths list in order to avoid being detected by Windows Defender. Other malware (for example, REvil) use the existing exclusions to be ignored by Anti-Virus products. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Paths\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Processes\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Extensions\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Paths\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Processes\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*' supported_os: [Windows] urls: - 'https://blog.malwarebytes.com/detections/pum-optional-msexclusion/' - 'https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' - 'https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/' --- name: SantaLogs doc: Local Santa logs. 
sources: - type: FILE attributes: paths: - '/var/db/santa/*' - '/private/var/db/santa/*' supported_os: [Darwin] --- name: SophosAVLogs doc: Sophos Anti-Virus log files. sources: - type: FILE attributes: {paths: ['/Library/Logs/Sophos*.log']} supported_os: [Darwin] - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] --- name: SophosAVQuarantine doc: Sophos Anti-Virus Quarantine (Infected) files. sources: - type: FILE attributes: {paths: ['/Users/Shared/Infected/*']} supported_os: [Darwin] - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] --- name: SymantecAVLogs doc: Symantec Anti-Virus Log Files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log' - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log' - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\Logs\AV\*.log' - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log' separator: '\' supported_os: [Windows] supported_os: [Windows] --- name: SymantecAVQuarantine doc: Symantec Anti-Virus quarantine (infected) and cloud submission files. sources: - type: FILE attributes: paths: - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5\*.vbn' - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\Quarantine\**' - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**' - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**' separator: '\' supported_os: [Windows] supported_os: [Windows] artifacts-20230928/data/applications.yaml000066400000000000000000000102301450527130400202250ustar00rootroot00000000000000# Application artifacts. 
--- name: MicrosoftOfficeAutosave aliases: [WindowsMsOfficeAutosave] doc: Automatically created Microsoft Office recovery files. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Word\**' - '%%users.appdata%%\Microsoft\Excel\**' - '%%users.appdata%%\Microsoft\Powerpoint\**' - '%%users.appdata%%\Microsoft\Publisher\**' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/windows#microsoft-office-autosave'] --- name: MicrosoftOfficeMRU doc: Microsoft Office Most Recently Used sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.microsoft.office.plist' - '%%users.homedir%%/Library/Containers/com.microsoft.*/Data/Library/Preferences/com.microsoft.*.securebookmarks.plist' separator: '/' supported_os: [Darwin] - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\File MRU', value: 'Item *'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Office\*\*\Place MRU', value: 'Item *'} supported_os: [Windows] supported_os: [Darwin, Windows] urls: ['https://github.com/mac4n6/macMRU-Parser'] --- name: MicrosoftOutlookPABFiles doc: Microsoft Outlook PAB Files sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Outlook\*.pab' - '%%users.userprofile%%\Documents\Outlook Files\*.pab' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/personal_folder_file_(pab,_pst,_ost)'] --- name: MicrosoftOutlookPSTFiles doc: Microsoft Outlook PST Files sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Outlook\*.pst' - '%%users.userprofile%%\Documents\Outlook Files\*.pst' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/personal_folder_file_(pab,_pst,_ost)'] --- name: MicrosoftOutlookOSTFiles doc: Microsoft Outlook OST Files sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Outlook\*.ost' - '%%users.userprofile%%\Documents\Outlook Files\*.ost' 
separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/personal_folder_file_(pab,_pst,_ost)'] --- name: NodeJSPackageManagerCacheFiles doc: Node JS package manager (NPM) cache files sources: - type: FILE attributes: paths: ['%%users.homedir%%/.npm/*'] supported_os: [Darwin, Linux] - type: FILE attributes: paths: ['%%users.appdata%%\npm-cache\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://docs.npmjs.com/cli/cache'] --- name: WinRARExternalViewer doc: Executable run when a file is opened by WinRAR inside an archive. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\WinRAR\Viewer\', value: 'ExternalViewer'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/' - 'http://acritum.com/software/manuals/winrar/html/helpinterfaceviewing.htm' --- name: WinRARAVScan doc: Executable run to scan a file when it is opened by WinRAR. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\WinRAR\VirusScan\', value: 'Name'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/' - 'http://acritum.com/software/manuals/winrar/html/helpcommandsvirusscan.htm' --- name: MicrosoftSqlServerErrorLogs doc: Microsoft SQL Server's error log files. sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG*' - '%%environ_programfilesx86%%\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG*' separator: '\' supported_os: [Windows] --- name: MozillaThunderbird doc: Mozilla Thunderbird files. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.thunderbird/**']} supported_os: [Linux] --- name: GnomeEvolution doc: Gnome Evolution files. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.cache/evolution/**' - '%%users.homedir%%/.config/evolution/**' - '%%users.homedir%%/.local/share/evolution/**' supported_os: [Linux] artifacts-20230928/data/cloud_services.yaml000066400000000000000000000053431450527130400205610ustar00rootroot00000000000000# Cloud service artifacts. --- name: CloudStorageClients doc: Multiple cloud storage client artifacts. sources: - type: ARTIFACT_GROUP attributes: names: - 'DropboxClient' - 'GoogleDriveClient' - 'SkyDriveClient' supported_os: [Darwin, Linux, Windows] --- name: DropboxClient doc: Dropbox cloud storage client artifacts. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Dropbox\*.db*' - '%%users.localappdata%%\Dropbox\*.db*' - '%%users.localappdata%%\Dropbox\instance*\sync_history.db' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.dropbox/*.db*' - '%%users.homedir%%/.dropbox/instance*/sync_history.db' supported_os: [Darwin, Linux] supported_os: [Darwin, Linux, Windows] urls: ['https://forensics.wiki/dropbox'] --- name: GoogleDriveClient doc: Google Drive cloud storage client artifacts. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Drive\snapshot.db' - '%%users.localappdata%%\Google\Drive\sync_config.db' - '%%users.localappdata%%\Google\Drive\sync_config.log*' - '%%users.localappdata%%\Google\Drive\user_default\snapshot.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.db' - '%%users.localappdata%%\Google\Drive\user_default\sync_config.log*' - '%%users.localappdata%%\Google\Drive\user_default\sync_log.log*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Google/Drive/snapshot.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/sync_config.log*' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/snapshot.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.db' - '%%users.homedir%%/Library/Application Support/Google/Drive/user_default/sync_config.log*' supported_os: [Darwin] supported_os: [Darwin, Windows] urls: ['https://forensics.wiki/google_drive'] --- name: SkyDriveClient doc: | Microsoft Sky Drive cloud storage client artifacts. Note that Sky Drive was renamed to One Drive. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\SkyDrive\logs\*.log' - '%%users.localappdata%%\Microsoft\SkyDrive\setup\logs\*.log' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\ApplicationSettings.xml' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.dat' - '%%users.localappdata%%\Microsoft\SkyDrive\settings\*.ini' separator: '\' supported_os: [Windows] supported_os: [Windows] urls: ['https://forensics.wiki/one_drive#sky-drive-client'] artifacts-20230928/data/config_files.yaml000066400000000000000000000032001450527130400201650ustar00rootroot00000000000000# Configuration file artifacts. 
--- name: JupyterConfigFile doc: Jupyter notebook configuration file sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.jupyter/jupyter_notebook_config.py']} supported_os: [Linux] --- name: NfsExportsFile doc: NFS Exports configuration sources: - type: FILE attributes: paths: - '/etc/exports' - '/private/etc/exports' supported_os: [Darwin] - type: FILE attributes: {paths: ['/etc/exports']} supported_os: [Linux] supported_os: [Linux, Darwin] --- name: RedisConfigFile doc: Redis configuration file sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Redis\conf\redis.windows.conf' - '%%environ_programfiles%%\Redis\conf\redis.conf' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '/etc/redis/redis.conf' supported_os: [Linux] - type: FILE attributes: paths: - '/etc/redis/redis.conf' - '/private/etc/redis/redis.conf' supported_os: [Darwin] supported_os: [Darwin, Linux, Windows] --- name: SambaConfigFile doc: Samba configuration file sources: - type: FILE attributes: paths: - '/etc/samba/smb.conf' supported_os: [Linux] --- name: SshdConfigFile doc: Sshd configuration sources: - type: FILE attributes: paths: - '/etc/ssh/sshd_config' - '/private/etc/ssh/sshd_config' supported_os: [Darwin] - type: FILE attributes: {paths: ['/etc/ssh/sshd_config']} supported_os: [Linux] supported_os: [Linux, Darwin] --- name: SshUserConfigFile doc: User ssh configuration file sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.ssh/config']} supported_os: [Linux, Darwin] artifacts-20230928/data/containerd.yaml000066400000000000000000000014541450527130400176750ustar00rootroot00000000000000# containerd artifacts --- name: ContainerdConfig doc: containerd configuration files sources: - type: FILE attributes: paths: - '/etc/containerd/config.toml' - '/var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db' - '/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/metadata.db' - 
'/var/run/containerd/io.containerd.runtime.v2.task/*/*/config.json' - '/var/run/containerd/io.containerd.runtime.v2.task/*/*/options.json' supported_os: [Linux] --- name: ContainerdLogs doc: containerd related events in the log files sources: - type: FILE attributes: paths: - '/var/run/containerd/io.containerd.runtime.v2.task/*/*/log.json' - '/var/log/daemon.log' - '/var/log/daemon.log.*.gz' - '/var/log/syslog*' - '/var/log/message*' supported_os: [Linux] artifacts-20230928/data/database_servers.yaml000066400000000000000000000142641450527130400210670ustar00rootroot00000000000000# Database Server artifacts --- name: ElasticsearchAccessLog doc: Location where Elasticsearch access logs are stored. sources: - type: FILE attributes: {paths: ['/var/log/elasticsearch/*_access.log']} supported_os: [Linux] --- name: ElasticsearchAuditLog doc: Location where Elasticsearch audit logs are stored. sources: - type: FILE attributes: paths: - '/var/log/elasticsearch/*_audit.json' - '/var/log/elasticsearch/*_audit.log' supported_os: [Linux] urls: ['https://www.elastic.co/guide/en/elasticsearch/reference/current/audit-log-output.html'] --- name: ElasticsearchGCLog doc: Location where Elasticsearch GC logs are stored. sources: - type: FILE attributes: paths: - '/var/log/elasticsearch/gc.log' - '/var/log/elasticsearch/gc.log.[0-9]' supported_os: [Linux] urls: ['https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#gc-logging'] --- name: ElasticsearchLogs doc: Location where Elasticsearch logs are stored. sources: - type: FILE attributes: paths: - '/var/log/elasticsearch/*.log' - '/var/log/elasticsearch/*.json' - '/var/log/elasticsearch/*.json.gz' supported_os: [Linux] --- name: ElasticsearchServerLog doc: Location where Elasticsearch server logs are stored. 
sources: - type: FILE attributes: paths: - '/var/log/elasticsearch/*_server.json' - '/var/log/elasticsearch/*-*.json' - '/var/log/elasticsearch/*-*.json.gz' supported_os: [Linux] urls: ['https://www.elastic.co/guide/en/elasticsearch/reference/current/logging.html#loggin-configuration'] --- name: MongoDBConfigurationFile doc: MongoDB configuration file. sources: - type: FILE attributes: paths: - '/usr/local/etc/mongod.conf' - '/opt/homebrew/etc/mongod.conf' supported_os: [Darwin] - type: FILE attributes: paths: ['/etc/mongod.conf'] supported_os: [Linux] supported_os: [Darwin, Linux] urls: ['https://www.mongodb.com/docs/manual/reference/configuration-options/'] --- name: MongoDBDatabasePath doc: MongoDB database Path. sources: - type: FILE attributes: {paths: ['/usr/local/var/mongodb/*']} supported_os: [Darwin] - type: PATH attributes: paths: - '/data/db/*' - '/var/lib/mongo/*' - '/var/lib/mongodb/*' supported_os: [Linux] - type: FILE attributes: paths: ['\data\db\*'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-storage.dbPath'] --- name: MongoDBLogFiles doc: MongoDB log files. sources: - type: FILE attributes: {paths: ['/var/log/mongodb/mongod.log*']} supported_os: [Linux] --- name: MySQLConfigurationFiles doc: MySQL configuration files. sources: - type: FILE attributes: paths: - '/etc/my.cnf' - '/etc/mysql/mysql.conf.d/mysqld.cnf' supported_os: [Linux] --- name: MySQLDataDictionary doc: MySQL data dictionary. sources: - type: FILE attributes: {paths: ['/var/lib/mysql/mysql.ibd']} supported_os: [Linux] urls: ['https://dev.mysql.com/doc/refman/8.0/en/data-dictionary-transactional-storage.html'] --- name: MySQLDataDirectory doc: MySQL data directory. 
sources: - type: FILE attributes: paths: - '/var/lib/mysql/*' - '/var/lib/mysql/*/*' supported_os: [Linux] urls: - 'https://dev.mysql.com/doc/refman/8.0/en/data-directory.html' - 'https://dev.mysql.com/doc/refman/8.0/en/innodb-architecture.html' --- name: MySQLLogFiles doc: MySQL log files. sources: - type: FILE attributes: paths: - '/var/log/mysql/error.log*' - '/var/log/mysql.log*' - '/var/log/*.log*' supported_os: [Linux] --- name: OpenSearchLogFiles doc: OpenSearch log files. sources: - type: FILE attributes: paths: - '/var/log/opensearch/*.log' - '/var/log/opensearch/*.json' supported_os: [Linux] urls: ['https://opensearch.org/docs/latest/opensearch/logs/'] --- name: PostgreSQLConfigurationFiles doc: PostgreSQL configuration files. sources: - type: FILE attributes: paths: - '/etc/postgresql/*/*/postgresql.conf' - '/etc/postgresql/*/*/pg_hba.conf' - '/etc/postgresql/*/*/pg_ident.conf' - '/var/lib/pgsql/postgresql.conf' - '/var/lib/pgsql/pg_hba.conf' - '/var/lib/pgsql/pg_ident.conf' - '/var/lib/pgsql/data/postgresql.conf' - '/var/lib/pgsql/data/pg_hba.conf' - '/var/lib/pgsql/data/pg_ident.conf' supported_os: [Linux] urls: - 'https://www.postgresql.org/docs/current/runtime-config-file-locations.html' - 'https://docs.fedoraproject.org/en-US/quick-docs/postgresql/' - 'https://wiki.debian.org/PostgreSql' --- name: PostgreSQLDataDirectory doc: PostgreSQL data directory. sources: - type: FILE attributes: paths: - '/var/lib/pgsql/data/*' - '/var/lib/pgsql/data-old/*' - '/var/lib/pgsql/*/*' - '/var/lib/postgresql/*/main/*/*' supported_os: [Linux] urls: - 'https://www.postgresql.org/docs/current/storage-file-layout.html' - 'https://docs.fedoraproject.org/en-US/quick-docs/postgresql/' - 'https://wiki.debian.org/PostgreSql' --- name: PostgreSQLLogFiles doc: PostgreSQL log files. 
sources: - type: FILE attributes: paths: - '/var/log/postgresql/postgresql.log*' - '/var/log/postgresql/postgresql.csv*' - '/var/log/postgresql/postgresql-*.log*' - '/var/log/postgresql/postgresql-*.csv*' - '/var/log/postgresql/postgresql-*-*.log*' - '/var/log/postgresql/postgresql-*-*.csv*' - '/var/lib/pgsql/data/log/postgresql.log*' - '/var/lib/pgsql/data/log/postgresql.csv*' - '/var/lib/pgsql/data/log/postgresql-*.log*' - '/var/lib/pgsql/data/log/postgresql-*.csv*' - '/var/lib/pgsql/data/log/postgresql-*-*.log*' - '/var/lib/pgsql/data/log/postgresql-*-*.csv*' supported_os: [Linux] urls: ['https://www.postgresql.org/docs/14/runtime-config-logging.html'] --- name: RedisConfigurationFile doc: Redis configuration files. sources: - type: FILE attributes: paths: - '/etc/redis/*' - '/etc/init.d/redis_*' supported_os: [Linux] --- name: RedisDataDirectory doc: Redis Data Directory. sources: - type: FILE attributes: paths: - '/var/redis/*' - '/var/redis/*/*' supported_os: [Linux] --- name: RedisLogFiles doc: Redis log files. sources: - type: FILE attributes: paths: - '/var/log/redis/redis*.log*' - '/var/log/redis*.log*' supported_os: [Linux] artifacts-20230928/data/docker.yaml000066400000000000000000000010121450527130400170040ustar00rootroot00000000000000# Docker artifacts --- name: DockerContainerConfig doc: Docker container configuration files sources: - type: FILE attributes: paths: - '/var/lib/docker/containers/*/config.v2.json' - '/var/lib/docker/containers/*/config.json' supported_os: [Linux] --- name: GKEDockerContainerLogs doc: Location where stdout and stderr from containers is logged in a Google Kubernetes Engine (GKE) environment. 
sources: - type: FILE attributes: {paths: ['/var/lib/docker/containers/*/*-json.log*']} supported_os: [Linux] artifacts-20230928/data/esxi.yaml000066400000000000000000000070221450527130400165140ustar00rootroot00000000000000# ESXi artifacts --- name: ESXApiForwarder doc: Records activities related to the vSphere Trust Authority API forwarder. sources: - type: FILE attributes: {paths: ['/var/run/log/esxapiadapter.log']} supported_os: [ESXi] --- name: ESXiAttestationService doc: Records activities related to the vSphere Trust Authority Attestation Service. sources: - type: FILE attributes: {paths: ['/var/run/log/attestd.log']} supported_os: [ESXi] --- name: ESXiAuthenticationLog doc: Contains all events related to authentication for the local system. sources: - type: FILE attributes: {paths: ['/var/log/auth.log']} supported_os: [ESXi] --- name: ESXiHostAgentLog doc: Contains information about the agent that manages and configures the ESXi host and its virtual machines. sources: - type: FILE attributes: {paths: ['/var/log/hostd.log']} supported_os: [ESXi] --- name: ESXiKeyProviderService doc: Records activities related to the vSphere Trust Authority Key Provider Service. sources: - type: FILE attributes: {paths: ['/var/run/log/kmxd.log']} supported_os: [ESXi] --- name: ESXiQuickBootLog doc: Contains all events related to restarting an ESXi host through Quick Boot. 
sources: - type: FILE attributes: {paths: ['/var/log/loadESX.log']} supported_os: [ESXi] --- name: ESXiShellLog doc: Contains a record of all commands typed into the ESXi Shell and shell events (for example, when the shell was enabled) sources: - type: FILE attributes: {paths: ['/var/log/shell.log']} supported_os: [ESXi] --- name: ESXiSystemLogsDirectory doc: ESXi System Logs Directory sources: - type: FILE attributes: {paths: ['/var/run/log/*']} supported_os: [ESXi] urls: ['https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-DACC9E0E-E857-4AE1-A469-3FDAE2B391A0.html'] --- name: ESXiSystemMessageslog doc: Contains all general log messages and can be used for troubleshooting. This information was formerly located in the messages log file. sources: - type: FILE attributes: {paths: ['/var/log/syslog.log']} supported_os: [ESXi] --- name: ESXTokenService doc: Records activities related to the vSphere Trust Authority ESX Token Service. sources: - type: FILE attributes: {paths: ['/var/run/log/esxtokend.log']} supported_os: [ESXi] --- name: ESXiTrustedInfrastructureAgentLog doc: Records activities related to the Client Service on the ESXi Trusted Host. sources: - type: FILE attributes: {paths: ['/var/run/log/kmxa.log']} supported_os: [ESXi] --- name: ESXiVMKernelLog doc: Records activities related to virtual machines and ESXi. sources: - type: FILE attributes: {paths: ['/var/log/vmkernel.log']} supported_os: [ESXi] --- name: ESXiVMKernelSummaryLog doc: Used to determine uptime and availability statistics for ESXi (comma separated). sources: - type: FILE attributes: {paths: ['/var/log/vmksummarylog.log']} supported_os: [ESXi] --- name: ESXiVMKernelWarningsLog doc: Records activities related to virtual machines. 
sources: - type: FILE attributes: {paths: ['/var/log/vmkwarning.log']} supported_os: [ESXi] --- name: vCenterServerAgentLog doc: Contains information about the agent that communicates with vCenter Server (if the host is managed by vCenter Server). sources: - type: FILE attributes: {paths: ['/var/log/vxpa.log']} supported_os: [ESXi] --- name: vSphereClientLogsDirectory doc: vSphere Client Logs Directory sources: - type: FILE attributes: {paths: ['/var/log/vmware/vsphere-ui/logs/*']} supported_os: [ESXi] urls: ['https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-7E10C58F-16EA-44AB-8AA0-8D4A66399879.html'] artifacts-20230928/data/file_systems.yaml000066400000000000000000000020061450527130400202470ustar00rootroot00000000000000# File system artifacts. --- name: NTFSMFTFiles doc: The NTFS $MFT and $MFTMirr file system metadata files. sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\$MFT' - '%%environ_systemdrive%%\$MFTMirr' separator: '\' urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html'] supported_os: [Windows] --- name: NTFSLogFile doc: The NTFS $LogFile file system metadata file. sources: - type: FILE attributes: paths: ['%%environ_systemdrive%%\$LogFile'] separator: '\' urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html'] supported_os: [Windows] --- name: NTFSUSNJournal doc: | The NTFS $UsnJnrl file system metadata file. Note that this currently does not include the $J alternate data stream name. 
sources: - type: FILE attributes: paths: ['%%environ_systemdrive%%\$Extend\$UsnJrnl'] separator: '\' urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html'] supported_os: [Windows] artifacts-20230928/data/hadoop.yaml000066400000000000000000000023521450527130400170170ustar00rootroot00000000000000# Hadoop artifacts --- name: HadoopAppRoot doc: Location where Hadoop application files are stored sources: - type: FILE attributes: paths: - '/hadoop/*/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*' - '/hadoop/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*' - '/**2/hadoop/*/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*' - '/**2/hadoop/yarn/system/rmstore/FSRMStateRoot/RMAppRoot/application_*/application_*' supported_os: [Linux] --- name: HadoopYarnLogs doc: Location where Hadoop Yarn LevelDB/Timeline files are stored sources: - type: FILE attributes: paths: - '/hadoop/yarn/timeline/leveldb-timeline-store.ldb/*' - '/hadoop/*/yarn/timeline/leveldb-timeline-store.ldb/*' - '/**2/hadoop/yarn/timeline/leveldb-timeline-store.ldb/*' - '/**2/hadoop/*/yarn/timeline/leveldb-timeline-store.ldb/*' supported_os: [Linux] --- name: HadoopAppLogs doc: Location where Hadoop application logs are stored sources: - type: FILE attributes: paths: - '/hadoop/logs/*' - '/hadoop/logs/userlogs/application_*/container_*/*' - '/**2/hadoop/logs/*' - '/**2/hadoop/logs/userlogs/application_*/container_*/*' supported_os: [Linux] artifacts-20230928/data/ics.yaml000066400000000000000000000015061450527130400163230ustar00rootroot00000000000000# Artifacts related to ICS related software --- name: WindowsSiemensWinCCLogFile doc: Siemens WinCC software logs. 
sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Siemens\WinCC\Diagnose\*' - '%%environ_programfiles%%\Common Files\Siemens\ace\bin\Diagnosis\*' - '%%environ_programfilesx86%%\Siemens\WinCC\Diagnose\*' - '%%environ_programfilesx86%%\Common Files\Siemens\ace\bin\Diagnosis\*' - '%%environ_windir%%\security\SecurityController\*' - '%%environ_allusersappdata%%\Siemens\Automation\Logfiles\*' - '%%environ_allusersappdata%%\Siemens\Automation\Logfiles\Setup\*' - '%%environ_allusersappdata%%\Siemens\Logs\*' separator: '\' supported_os: [Windows] urls: ['https://cache.industry.siemens.com/dl/files/865/109757865/att_963121/v5/109757865_WinCC_Diagnostics_en.pdf'] artifacts-20230928/data/installed_module_paths.yaml000066400000000000000000000036461450527130400222770ustar00rootroot00000000000000# Artifacts of third-party package managers. --- name: FlatpakAppPaths doc: Get paths of installed Flatpak app. sources: - type: PATH attributes: paths: ['/var/lib/flatpak/app/*'] supported_os: [Linux] urls: ['https://docs.flatpak.org/'] supported_os: [Linux] --- name: NpmPackagesPath doc: Get path of NPM packages that are globally installed (currently linux only). sources: - type: PATH attributes: paths: - '/usr/local/lib/node_modules/*' - '/usr/lib/node_modules/*' supported_os: [Linux] supported_os: [Linux] urls: ['https://docs.npmjs.com/'] --- name: PythonDistInfoPath doc: | Get the path of Python module files distributed in the dist-info format of PEP-0376 (currently Linux only). dist-info is always a directory that must contain METADATA, RECORD and INSTALLER. It may also contain REQUESTED. 
sources: - type: PATH attributes: paths: - '%%users.homedir%%/.local/lib/python*/dist-packages/*.dist-info' - '%%users.homedir%%/.local/lib/python*/site-packages/*.dist-info' - '/usr/lib/python*/dist-packages/*.dist-info' - '/usr/lib/python*/site-packages/*.dist-info' - '/usr/lib64/python*/dist-packages/*.dist-info' - '/usr/lib64/python*/site-packages/*.dist-info' - '/usr/local/lib/python*/dist-packages/*.dist-info' - '/usr/local/lib/python*/site-packages/*.dist-info' - '/usr/local/lib64/python*/dist-packages/*.dist-info' - '/usr/local/lib64/python*/site-packages/*.dist-info' supported_os: [Linux] supported_os: [Linux] urls: ['https://www.python.org/dev/peps/pep-0376/'] --- name: VSCodeExtensionsPath doc: Get paths of Visual Studio Code extensions sources: - type: PATH attributes: paths: ['%%users.userprofile%%/.vscode/extensions/*'] supported_os: [Windows] - type: PATH attributes: paths: ['%%users.homedir%%/.vscode/extensions/*'] supported_os: [Darwin, Linux] supported_os: [Darwin, Linux, Windows] urls: ['https://code.visualstudio.com/'] artifacts-20230928/data/installed_modules.yaml000066400000000000000000000121731450527130400212560ustar00rootroot00000000000000# Modules for interpreted languages. --- name: PythonDistInfo doc: | Python module files distributed in the dist-info format of PEP-0376 (currently linux only). dist-info is always a directory that must contain METADATA, RECORD and INSTALLER. It may also contain REQUESTED. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/lib/python*/dist-packages/*.dist-info/*' - '%%users.homedir%%/.local/lib/python*/site-packages/*.dist-info/*' - '/usr/lib/python*/dist-packages/*.dist-info/*' - '/usr/lib/python*/site-packages/*.dist-info/*' - '/usr/lib64/python*/dist-packages/*.dist-info/*' - '/usr/lib64/python*/site-packages/*.dist-info/*' - '/usr/local/lib/python*/dist-packages/*.dist-info/*' - '/usr/local/lib/python*/site-packages/*.dist-info/*' - '/usr/local/lib64/python*/dist-packages/*.dist-info/*' - '/usr/local/lib64/python*/site-packages/*.dist-info/*' supported_os: [Linux] supported_os: [Linux] urls: ['https://www.python.org/dev/peps/pep-0376/'] --- name: PythonEggInfo doc: | Python module files distributed in .egg formats (currently linux only). Python eggs can have multiple formats, as described by setuptools. .egg files can be either a zipfile or a directory that contains an info file. .egg-info files can be either a directory or a file. If they are directories, they should contain a MANIFEST that identifies the installed module. PEP-0370 describes a default install location for per-user modules. sources: - type: FILE attributes: paths: # Files containing the install metadata in either a flat file or zipfile. 
- '%%users.homedir%%/.local/lib/python*/site-packages/*.egg' - '%%users.homedir%%/.local/lib/python*/site-packages/*.egg-info' - '%%users.homedir%%/.cache/pip/*.egg' - '%%users.homedir%%/.cache/pip/*.egg-info' - '/usr/lib/python*/dist-packages/*.egg' - '/usr/lib/python*/dist-packages/*.egg-info' - '/usr/lib/python*/site-packages/*.egg' - '/usr/lib/python*/site-packages/*.egg-info' - '/usr/lib64/python*/dist-packages/*.egg' - '/usr/lib64/python*/dist-packages/*.egg-info' - '/usr/lib64/python*/site-packages/*.egg' - '/usr/lib64/python*/site-packages/*.egg-info' - '/usr/local/lib/python*/dist-packages/*.egg' - '/usr/local/lib/python*/dist-packages/*.egg-info' - '/usr/local/lib/python*/site-packages/*.egg' - '/usr/local/lib/python*/site-packages/*.egg-info' - '/usr/local/lib64/python*/dist-packages/*.egg' - '/usr/local/lib64/python*/dist-packages/*.egg-info' - '/usr/local/lib64/python*/site-packages/*.egg' - '/usr/local/lib64/python*/site-packages/*.egg-info' - '/usr/share/pyshared/*.egg' - '/usr/share/pyshared/*.egg-info' # Directories containing the install metadata as separate files. 
- '%%users.homedir%%/.local/lib/python*/site-packages/*.egg/*' - '%%users.homedir%%/.local/lib/python*/site-packages/*.egg-info/*' - '%%users.homedir%%/.cache/pip/*.egg/*' - '%%users.homedir%%/.cache/pip/*.egg-info/*' - '/usr/lib/python*/dist-packages/*.egg/*' - '/usr/lib/python*/dist-packages/*.egg-info/*' - '/usr/lib/python*/site-packages/*.egg/*' - '/usr/lib/python*/site-packages/*.egg-info/*' - '/usr/lib64/python*/dist-packages/*.egg/*' - '/usr/lib64/python*/dist-packages/*.egg-info/*' - '/usr/lib64/python*/site-packages/*.egg/*' - '/usr/lib64/python*/site-packages/*.egg-info/*' - '/usr/local/lib/python*/dist-packages/*.egg/*' - '/usr/local/lib/python*/dist-packages/*.egg-info/*' - '/usr/local/lib/python*/site-packages/*.egg/*' - '/usr/local/lib/python*/site-packages/*.egg-info/*' - '/usr/local/lib64/python*/dist-packages/*.egg/*' - '/usr/local/lib64/python*/dist-packages/*.egg-info/*' - '/usr/local/lib64/python*/site-packages/*.egg/*' - '/usr/local/lib64/python*/site-packages/*.egg-info/*' - '/usr/share/pyshared/*.egg/*' - '/usr/share/pyshared/*.egg-info/*' supported_os: [Linux] supported_os: [Linux] urls: - 'https://pythonhosted.org/setuptools/formats.html' - 'https://www.python.org/dev/peps/pep-0370/' --- name: PythonModuleInfo doc: Python module installation information. sources: - type: ARTIFACT_GROUP attributes: names: - PythonDistInfo - PythonEggInfo - PythonWheelInfo --- name: PythonWheelInfo doc: | Python module files distributed in the wheel format (currently linux only). Zip archives with the .whl extension. Wheels are installed per the standard installer described in PEP-0376, so should mostly be discoverable as dist-info entries. 
sources: - type: FILE attributes: paths: - '/usr/share/python-wheels/*.whl' - '%%users.homedir%%/.cache/pip/wheels/*.whl' supported_os: [Linux] supported_os: [Linux] urls: - 'https://wheel.readthedocs.org/en/latest/' - 'http://pip.readthedocs.org/en/stable/reference/pip_install/' --- name: RubyGems doc: Ruby Gems (currently linux only). sources: - type: FILE attributes: paths: - '%%users.homedir%%/.gem/ruby/**2/*.gemspec' - '/var/lib/gems/**2/*.gemspec' - '/usr/share/rubygems-integration/**2/*.gemspec' supported_os: [Linux] supported_os: [Linux] urls: ['http://guides.rubygems.org'] artifacts-20230928/data/instant_messaging.yaml000066400000000000000000000044141450527130400212630ustar00rootroot00000000000000# Instant Messaging applications specific artifacts. --- name: SkypeChatSync doc: Chat Sync Directory sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*'] supported_os: [Darwin] supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#skype'] --- name: SkypeDb doc: Main Skype database sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*/Main.db'] supported_os: [Darwin] supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#skype'] --- name: SkypeMainDirectory doc: Skype Directory sources: - type: PATH attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*'] supported_os: [Darwin] supported_os: [Darwin] --- name: SkypePreferences doc: Skype Preferences and Recent Searches sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Preferences/com.skype.skype.plist'] supported_os: [Darwin] supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#skype'] --- name: SkypeUserProfile doc: Skype User profile sources: - type: FILE attributes: paths: ['%%users.homedir%%/Library/Application Support/Skype/*/*'] supported_os: [Darwin] supported_os: [Darwin] 
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#skype'] --- name: SignalApplicationContent doc: Signal Application Content and Configuration sources: - type: FILE attributes: paths: - '%%users.homedir%%/.var/app/org.signal.Signal/*/attachments.noindex/*' - '%%users.homedir%%/.var/app/org.signal.Signal/*/Cache/*' - '%%users.homedir%%/.var/app/org.signal.Signal/*/logs/*' - '%%users.homedir%%/.var/app/org.signal.Signal/config.json' supported_os: [Linux] supported_os: [Linux] --- name: SignalDatabase doc: Signal Database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.var/app/org.signal.Signal/db.sqlite']} supported_os: [Linux] supported_os: [Linux] --- name: XChatLogs doc: XChat Log Files sources: - type: FILE attributes: paths: - '%%users.homedir%%/.xchat2/xchatlogs/*.log' - '%%users.homedir%%/.xchat2/xchatlogs/*/*.log' supported_os: [Linux] supported_os: [Linux] urls: ['http://xchat.org/faq/#q222'] artifacts-20230928/data/java.yaml000066400000000000000000000010561450527130400164660ustar00rootroot00000000000000# Java related artifacts. --- name: JavaCacheFiles doc: Java Plug-in cache. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.java/deployment/cache/**']} supported_os: [Linux] - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Caches/Java/cache/**']} supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.appdata%%\Sun\Java\Deployment\cache\**' - '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**' separator: '\' supported_os: [Windows] supported_os: [Windows, Linux, Darwin] artifacts-20230928/data/kaspersky_careto.yaml000066400000000000000000000120661450527130400211210ustar00rootroot00000000000000# Artifact definitions based on the Kaspersky Careto report. --- name: KasperskyCaretoDarwinFile aliases: [KasperskyCaretoDarwinFiles] doc: Kaspersky Careto Darwin file system indicators of compromise (IOCs). 
sources: - type: FILE attributes: paths: - /Applications/.DS_Store.app/**10 - /Library/LaunchAgents/com.apple.launchport.plist supported_os: [Darwin] urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoIndicators doc: Kaspersky Careto indicators of compromise (IOCs). sources: - type: ARTIFACT_GROUP attributes: names: - KasperskyCaretoDarwinFile - KasperskyCaretoWindowsFile - KasperskyCaretoWindowsRegistryValue supported_os: [Windows, Darwin] urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoWindowsFile aliases: [KasperskyCaretoWindowsFiles] doc: Kaspersky Careto Windows file system indicators of compromise (IOCs). sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\awcodc32.dll' - '%%environ_systemroot%%\System32\awview32.dll' - '%%environ_systemroot%%\System32\c_50225.nls' - '%%environ_systemroot%%\System32\c_50227.nls' - '%%environ_systemroot%%\System32\c_50229.nls' - '%%environ_systemroot%%\System32\c_51932.nls' - '%%environ_systemroot%%\System32\c_51936.nls' - '%%environ_systemroot%%\System32\c_51949.nls' - '%%environ_systemroot%%\System32\c_51950.nls' - '%%environ_systemroot%%\System32\c_57002.nls' - '%%environ_systemroot%%\System32\c_57006.nls' - '%%environ_systemroot%%\System32\c_57008.nls' - '%%environ_systemroot%%\System32\c_57010.nls' - '%%environ_systemroot%%\System32\cdgext32.dll' - '%%environ_systemroot%%\System32\cdllait32.dll' - '%%environ_systemroot%%\System32\cdllait64.dll' - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll' - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll' - '%%environ_systemroot%%\System32\cdlluninstallws32.dll' - '%%environ_systemroot%%\System32\cdlluninstallws64.dll' - '%%environ_systemroot%%\System32\cfgbkmgrs.dll' - '%%environ_systemroot%%\System32\cfgmgr64.dll' - 
'%%environ_systemroot%%\System32\comsvrpcs.dll' - '%%environ_systemroot%%\System32\d3dx8_20.dll' - '%%environ_systemroot%%\System32\dllcomm.dll' - '%%environ_systemroot%%\System32\drivers\wmimgr.sys' - '%%environ_systemroot%%\System32\drvinfo.bin' - '%%environ_systemroot%%\System32\FCache.bin' - '%%environ_systemroot%%\System32\FFExtendedCommand.dll' - '%%environ_systemroot%%\System32\gpktcsp32.dll' - '%%environ_systemroot%%\System32\HPQueue.bin' - '%%environ_systemroot%%\System32\LPQueue.bin' - '%%environ_systemroot%%\System32\mdwmnsp.dll' - '%%environ_systemroot%%\System32\mfcn30.dll' - '%%environ_systemroot%%\System32\nmwcdlog.dll' - '%%environ_systemroot%%\System32\objframe.dll' - '%%environ_systemroot%%\System32\rpcdist.dll' - '%%environ_systemroot%%\System32\scsvrft.dll' - '%%environ_systemroot%%\System32\sdptbw.dll' - '%%environ_systemroot%%\System32\shlink32.dll' - '%%environ_systemroot%%\System32\shlink64.dll' - '%%environ_systemroot%%\System32\siiw9x.dll' - '%%environ_systemroot%%\System32\skypeie6plugin.dll' - '%%environ_systemroot%%\System32\slbkbw.dll' - '%%environ_systemroot%%\System32\WifiScan.dll' - '%%environ_systemroot%%\System32\wmspdmgr.dll' - '%%users.appdata%%\microsoft\c_27803.nls' - '%%users.appdata%%\microsoft\objframe.dll' - '%%users.appdata%%\microsoft\shmgr.dll' - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp' - '%%users.temp%%\~DF23BF45A473C42B56.tmp' - '%%users.temp%%\~DF8471938479DA49221.tmp' - '%%users.temp%%\~DFA0528CD81300F372.tmp' separator: '\' supported_os: [Windows] urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf'] --- name: KasperskyCaretoWindowsRegistryValue aliases: [KasperskyCaretoWindowsRegKeys] doc: Kaspersky Careto Windows Registry indicators of compromise (IOCs). 
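sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF0654'}
    # Fixed: this key previously read 'Classes\\CLSID'. Backslashes are literal
    # inside single-quoted YAML, so the double backslash could never match a
    # real key path; it now mirrors the HKLM entry below.
    # NOTE(review): InprocServer32 is normally a subkey of a CLSID, not a value
    # name. If the intended indicator is the (Default) value of that subkey the
    # key should end in '\InprocServer32' with value '' -- confirm against the
    # report.
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}', value: 'InprocServer32'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}', value: 'InprocServer32'}
supported_os: [Windows]
urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf']
# ==== artifacts-20230928/data/kubernetes.yaml ====
# Kubernetes artifacts
---
name: KubernetesLogs
doc: Log files that contain information about the Kubernetes installation of a node.
# NOTE(review): only syslog-style hosts write /var/log/syslog; journald-only
# distributions (e.g. Fedora/RHEL) will yield nothing here -- pair with
# LinuxSystemdJournalLogs.
sources:
- type: FILE
  attributes: {paths: ['/var/log/syslog*']}
supported_os: [Linux]
---
name: KubernetesCertificates
doc: |
  kubeconfig files of a kubeadm-provisioned control-plane node. Each file
  embeds the client certificate and private key of the component it is named
  after; admin.conf carries cluster-admin credentials.
  The files are typically only present on the control-plane node.
# Treat the collected copies as secrets: anyone holding admin.conf can
# administer the cluster until the embedded certificate is revoked/rotated.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/kubernetes/admin.conf'
    - '/etc/kubernetes/controller-manager.conf'
    - '/etc/kubernetes/kubelet.conf'
    - '/etc/kubernetes/scheduler.conf'
supported_os: [Linux]
urls: ['https://kubernetes.io/docs/setup/best-practices/certificates/']
---
name: KubernetesClusterDatabase
doc: |
  Kubernetes cluster (etcd) database.
  The cluster database is hosted within a Pod and can be configured to be
  deployed as a distributed environment or a single instance.
  The database is mounted from the local file system into the corresponding
  containers scheduled by a pod.
  The database contains information about the cluster's state, deployed
  resources and also deleted components.
  Unless encryption at rest (EncryptionConfiguration) is enabled, Secret
  objects are stored in this file in plaintext -- handle the copy accordingly.
sources:
- type: FILE
  attributes: {paths: ['/var/lib/etcd/member/snap/db']}
supported_os: [Linux]
urls:
- 'https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/'
- 'https://github.com/etcd-io/etcd'
- 'https://github.com/etcd-io/etcd/tree/main/tools/etcd-dump-db'
---
name: KubernetesKubelet
doc: |
  Installation path of the (Kubernetes) Kubelet component.
  This component is installed on all nodes that are members of a Kubernetes
  cluster.
sources:
- type: PATH
  attributes: {paths: ['/var/lib/kubelet']}
supported_os: [Linux]
urls: ['https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/']
---
name: KubernetesKubeletConfiguration
doc: Files that store the configuration of the local (Kubernetes) Kubelet.
sources:
- type: FILE
  attributes:
    paths:
    - '/var/lib/kubelet/config.yaml'
    - '/etc/kubernetes/kubelet.conf'
supported_os: [Linux]
urls:
- 'https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/'
- 'https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/'
---
name: KubernetesKubeletNetworkPKI
doc: Certificates and other key files used for the Kubelet and the general Kubernetes PKI.
# Directories, not individual files: private keys (*.key) live here too.
sources:
- type: PATH
  attributes:
    paths:
    - '/etc/kubernetes/pki'
    - '/var/lib/kubelet/pki'
supported_os: [Linux]
urls: ['https://kubernetes.io/docs/setup/best-practices/certificates']
---
name: KubernetesKubeletPod
doc: Path of (Kubernetes) Kubelet component information about Pods scheduled to run on a particular node.
sources:
- type: PATH
  attributes: {paths: ['/var/lib/kubelet/pods']}
supported_os: [Linux]
---
name: KubernetesKubeletPodManifest
doc: |
  Manifest file that has been used to deploy a (Kubernetes) Pod.
  The manifest contains the Pod's specification.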
sources: - type: FILE attributes: {paths: ['/etc/kubernetes/manifests/*.yaml']} supported_os: [Linux] --- name: KubernetesKubeletPodContainer doc: | Path where the container resources created within a (Kubernetes) Pod are located. The paths naming would explain as the following: '/var/lib/kubelet/pods//containers//*' The Pod itself gets created/scheduled by the Kubelet component. The path 'containers/' does contain a directory for each container scheduled in that Pod. In each of that path there is a file located that gets mounted into the container at '/dev/termination-log'. This is the logfile that stores termination information in case a container terminates. The pod identifier of that file can be correlated to the container runtime installed on the host to find out the mount configuration. sources: - type: PATH attributes: {paths: ['/var/lib/kubelet/pods/*/containers']} supported_os: [Linux] urls: ['https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#container-v1-core'] --- name: KubernetesKubeletPodVolumes doc: | Volumes and other objects that are mounted into a (Kubernetes) Pod and respectively into the scheduled container(s). The type of volumes (or objects) are identified by the name appended to a tilde. Examples: * 'volumes/kubernetes.io~projected' -> describes a projected volume * 'volumes/kubernetes.io~configmap' -> describes a Kubernetes ConfigMap resource sources: - type: PATH attributes: {paths: ['/var/lib/kubelet/pods/*/volumes/*']} supported_os: [Linux] urls: - 'https://kubernetes.io/docs/concepts/storage/volumes' - 'https://kubernetes.io/docs/concepts/storage/projected-volumes/' - 'https://kubernetes.io/docs/concepts/storage/volumes/#configmap' --- name: KubernetesKubeletPodLogs doc: | Location where the log data of (Kubernetes) Pods can be found. The path's name would contain the following elements: '/var/log/pods/__//.log' Includes also redirected stdout, stderr and (if applicable) stdin of container executions. 
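sources:
- type: FILE
  attributes: {paths: ['/var/log/pods/*/*/*.log']}
supported_os: [Linux]
urls:
- 'https://github.com/kubernetes/kubernetes/pull/74441'
- 'https://kubernetes.io/docs/concepts/cluster-administration/logging/'
# ==== artifacts-20230928/data/legacy.yaml ====
# Deprecated definitions kept for backwards compatibility with GRR
# for the time being.
#
# https://github.com/google/grr/blob/master/grr/config/artifacts.py
# https://github.com/google/grr/blob/master/grr/parsers/windows_registry_parser.py
---
name: AllUsersAppDataEnvironmentVariable
doc: The %ProgramData% environment variable.
sources:
- type: REGISTRY_VALUE
  attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}]}
provides: [environ_allusersappdata]
supported_os: [Windows]
urls: ['http://environmentvariables.org/ProgramData']
---
name: AllUsersProfileEnvironmentVariable
doc: The %AllUsersProfile% environment variable.
# NOTE(review): ProfilesDirectory and AllUsersProfile are value names under
# the ProfileList key, yet this legacy definition collects them as
# REGISTRY_KEY; kept unchanged for GRR compatibility (see file header).
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile'
provides: [environ_allusersprofile]
supported_os: [Windows]
# Fixed: URL previously contained a doubled slash ('kb//214653').
urls: ['http://support.microsoft.com/kb/214653']
---
name: LinuxRelease
doc: |
  Linux specific distribution information.
  See: lsb_release(1) man page, or the LSB Specification under the 'Command
  Behaviour' section.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/enterprise-release'
    - '/etc/lsb-release'
    - '/etc/oracle-release'
    - '/etc/redhat-release'
    - '/etc/system-release'
provides: [os_release, os_major_version, os_minor_version]
supported_os: [Linux]
---
name: SystemDriveEnvironmentVariable
doc: |
  The %SystemDrive% environment variable, usually "C:".
  This value isn't actually present in the Registry but with some parsing
  we can figure it out from SystemRoot.
sources:
- type: REGISTRY_VALUE
  attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}]}
provides: [environ_systemdrive]
supported_os: [Windows]
urls:
- 'http://environmentvariables.org/SystemDrive'
- 'https://msdn.microsoft.com/en-us/library/cc231436.aspx'
---
name: WinDomainName
doc: The Windows domain the system is connected to.
sources:
- type: REGISTRY_VALUE
  attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}]}
provides: [domain]
supported_os: [Windows]
---
name: WindowsEnvironmentVariableAllUsersAppData
doc: The %ProgramData% environment variable.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
provides: [environ_allusersappdata]
supported_os: [Windows]
urls: ['http://environmentvariables.org/ProgramData']
# ==== artifacts-20230928/data/linux.yaml ====
# Linux specific artifacts.
---
name: AnacronFiles
doc: Anacron files.
# The cron.* directories are also executed by regular cron on hosts without
# anacron; the /var/spool/anacron timestamps show when each job last ran.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/anacrontab'
    - '/etc/cron.daily/*'
    - '/etc/cron.hourly/*'
    - '/etc/cron.monthly/*'
    - '/etc/cron.weekly/*'
    - '/var/spool/anacron/cron.daily'
    - '/var/spool/anacron/cron.hourly'
    - '/var/spool/anacron/cron.monthly'
    - '/var/spool/anacron/cron.weekly'
supported_os: [Linux]
---
name: AptitudeLogFiles
doc: Linux aptitude package manager log files.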
sources: - type: FILE attributes: {paths: ['/var/log/aptitude*']} supported_os: [Linux] urls: ['https://www.debian.org/doc/manuals/aptitude/rn01re01.en.html'] --- name: APTSources doc: APT package sources list sources: - type: FILE attributes: paths: - '/etc/apt/sources.list' - '/etc/apt/sources.list.d/*.list' supported_os: [Linux] urls: ['http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html'] --- name: APTTrustKeys doc: APT trusted keys sources: - type: FILE attributes: paths: - '/etc/apt/trusted.gpg' - '/etc/apt/trusted.gpg.d/*.gpg' - '/etc/apt/trustdb.gpg' - '/usr/share/keyrings/*.gpg' supported_os: [Linux] urls: ['https://wiki.debian.org/SecureApt'] --- name: CronAtAllowDenyFiles doc: Files containing users authorised to run cron or at jobs. sources: - type: FILE attributes: paths: - '/etc/cron.allow' - '/etc/cron.deny' - '/etc/at.allow' - '/etc/at.deny' supported_os: [Linux] urls: - http://manpages.ubuntu.com/manpages/saucy/man5/at.allow.5.html - http://manpages.ubuntu.com/manpages/precise/en/man1/crontab.1.html --- name: DebianPackagesLogFiles doc: Linux dpkg log files. sources: - type: FILE attributes: paths: - '/var/log/dpkg.log*' - '/var/log/apt/history.log*' - '/var/log/apt/term.log*' supported_os: [Linux] --- name: DebianPackagesStatus doc: Linux dpkg status file. sources: - type: FILE attributes: {paths: ['/var/lib/dpkg/status']} supported_os: [Linux] --- name: DebianVersion doc: Debian version information. sources: - type: FILE attributes: {paths: ['/etc/debian_version']} provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: DNSResolvConfFile doc: DNS Resolver configuration file. sources: - type: FILE attributes: {paths: ['/etc/resolv.conf']} supported_os: [Linux] urls: ['http://man7.org/linux/man-pages/man5/resolv.conf.5.html'] --- name: GnomeApplicationState doc: Gnome application state for frequent application data. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.local/share/gnome-shell/application_state']} supported_os: [Linux] urls: ['https://forensics.wiki/gnome_desktop_environment'] --- name: FreeDesktopTrashInfoFiles doc: FreeDesktop.org Trash Info Files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/share/Trash/info/*.trashinfo' supported_os: [Linux] urls: - 'https://specifications.freedesktop.org/trash-spec/trashspec-latest.html' --- name: FreeDesktopTrashFiles doc: FreeDesktop.org Trash Files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/share/Trash/files/*' supported_os: [Linux] urls: - 'https://specifications.freedesktop.org/trash-spec/trashspec-latest.html' --- name: GnomeTracker doc: Gnome Tracker database and backup files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.cache/tracker/*' - '%%users.homedir%%/.local/share/tracker/data/*' supported_os: [Linux] urls: ['https://wiki.gnome.org/Projects/Tracker/Documentation/GettingStarted'] --- name: GTKRecentlyUsedDatabase doc: GTK Recent Manager database. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/share/recently-used.xbel' supported_os: [Linux] --- name: HostAccessPolicyConfiguration doc: Linux files related to host access policy configuration. sources: - type: FILE attributes: paths: - '/etc/hosts.allow' - '/etc/hosts.deny' supported_os: [Linux] --- name: IPTablesRules doc: List IPTables rules. sources: - type: COMMAND attributes: args: ["-L", "-n", "-v"] cmd: /sbin/iptables supported_os: [Linux] --- name: KernelModules doc: Kernel modules to be loaded on boot. 
sources: - type: FILE attributes: paths: - '/etc/modules.conf' - '/etc/modprobe.d/*' supported_os: [Linux] --- name: LessHistoryFile doc: less history file which remembers search and shell commands sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.lesshst']} supported_os: [Linux] urls: ['https://man7.org/linux/man-pages/man1/less.1.html'] --- name: LinuxAtJobs doc: Linux at jobs. sources: - type: FILE attributes: {paths: ['/var/spool/at/*']} supported_os: [Linux] --- name: LinuxAtJobsTemporaryOutputs doc: Linux at jobs temporary outputs. sources: - type: FILE attributes: paths: - '/var/spool/at/spool/*' - '/var/spool/cron/atspool/*' supported_os: [Linux] --- name: LinuxAuditLogs doc: Linux audit log files. sources: - type: FILE attributes: {paths: ['/var/log/audit/*']} supported_os: [Linux] --- name: LinuxAuthLogs doc: Linux authentication log files. sources: - type: FILE attributes: paths: - '/var/log/auth.log*' - '/var/log/secure*' supported_os: [Linux] --- name: LinuxCACertificatesConfiguration doc: Linux CA Certificates configuration file. sources: - type: FILE attributes: paths: - '/etc/ca-certificates.conf' --- name: LinuxCACertificates doc: Linux CA Certificates. sources: - type: FILE attributes: paths: - '/etc/ssl/certs/ca-certificates.crt' - '/usr/share/ca-certificates/*' - '/usr/local/share/ca-certificates/*' supported_os: [Linux] --- name: LinuxCronLogs doc: Linux cron log files. sources: - type: FILE attributes: {paths: ['/var/log/cron.log*']} supported_os: [Linux] --- name: LinuxCronTabs doc: Crontab files. sources: - type: FILE attributes: paths: - '/etc/crontab' - '/etc/cron.d/*' - '/var/spool/cron/**' supported_os: [Linux] --- name: LinuxDaemonLogFiles doc: Linux daemon log files. 
sources: - type: FILE attributes: {paths: ['/var/log/daemon.log*']} supported_os: [Linux] --- name: LinuxDHCPConfigurationFile doc: Linux DHCP Configuration File sources: - type: FILE attributes: paths: - '/etc/dhcp/dhcp.conf' supported_os: [Linux] --- name: LinuxDistributionRelease doc: Linux distribution release information of non-LSB compliant systems. sources: - type: FILE attributes: paths: - '/etc/centos-release' - '/etc/enterprise-release' - '/etc/oracle-release' - '/etc/redhat-release' - '/etc/rocky-release' - '/etc/SuSE-release' - '/etc/system-release' provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: LinuxDSDTTable doc: Linux file containing DSDT table. sources: - type: FILE attributes: {paths: ['/sys/firmware/acpi/tables/DSDT']} urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt'] supported_os: [Linux] --- name: LinuxFstab doc: Linux fstab file. sources: - type: FILE attributes: {paths: ['/etc/fstab']} supported_os: [Linux] urls: ['http://en.wikipedia.org/wiki/Fstab'] --- name: LinuxGrubConfiguration doc: Linux grub configuration file. sources: - type: FILE attributes: paths: - '/boot/grub/grub.cfg' - '/boot/grub2/grub.cfg' supported_os: [Linux] urls: ['https://en.wikipedia.org/wiki/GNU_GRUB'] --- name: LinuxHostnameFile doc: Linux hostname file. sources: - type: FILE attributes: {paths: ['/etc/hostname']} supported_os: [Linux] --- name: LinuxIfUpDownScripts doc: ifupdown scripts executed whenever a network interface goes up or down respectively. sources: - type: FILE attributes: paths: - '/etc/network/if-up.d/*' - '/etc/network/if-down.d/*' supported_os: [Linux] --- name: LinuxInitrdFiles doc: Initrd (initramfs) files in /boot/ executed on startup. 
sources: - type: FILE attributes: paths: - '/boot/initramfs*' - '/boot/initrd*' supported_os: [Linux] urls: - 'http://en.wikipedia.org/wiki/Initrd' - 'https://www.kernel.org/doc/Documentation/initrd.txt' --- name: LinuxIssueFile doc: Linux prelogin message and identification (issue) file. sources: - type: FILE attributes: paths: - '/etc/issue' - '/etc/issue.net' supported_os: [Linux] urls: ['https://linux.die.net/man/5/issue'] --- name: LinuxKerberosConfiguration doc: Linux Kerberos configuration information. sources: - type: FILE attributes: {paths: ['/etc/krb5.conf']} supported_os: [Linux] urls: ['https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html'] --- name: LinuxKernelLogFiles doc: Linux kernel log files. sources: - type: FILE attributes: {paths: ['/var/log/kern.log*']} supported_os: [Linux] --- name: LinuxLastlogFile doc: Linux lastlog file. sources: - type: FILE attributes: {paths: ['/var/log/lastlog']} supported_os: [Linux] --- name: LinuxLoaderSystemPreloadFile doc: Linux dynamic linker/loader system-wide preload file (ld.so.preload). sources: - type: FILE attributes: {paths: ['/etc/ld.so.preload']} supported_os: [Linux] urls: ['http://man7.org/linux/man-pages/man8/ld.so.8.html'] --- name: LinuxLSBInit doc: Linux LSB-style init scripts. sources: - type: FILE attributes: paths: - '/etc/init.d/*' - '/etc/insserv.conf' - '/etc/insserv.conf.d/**' supported_os: [Linux] urls: ['https://wiki.debian.org/LSBInitScripts'] --- name: LinuxLocalTime doc: Local time zone configuration sources: - type: FILE attributes: {paths: ['/etc/localtime']} supported_os: [Linux] --- name: LinuxLSBRelease doc: Linux Standard Base (LSB) release information sources: - type: FILE attributes: {paths: ['/etc/lsb-release']} provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] urls: ['https://linux.die.net/man/1/lsb_release'] --- name: LinuxMessagesLogFiles doc: Linux messages log files. 
sources: - type: FILE attributes: {paths: ['/var/log/messages*']} supported_os: [Linux] --- name: LinuxMountCmd doc: Linux output of mount sources: - type: COMMAND attributes: args: [] cmd: /bin/mount supported_os: [Linux] --- name: LinuxMountInfo doc: Linux mount options. sources: - type: ARTIFACT_GROUP attributes: names: - LinuxFstab - LinuxProcMounts supported_os: [Linux] --- name: LinuxNetworkManager doc: Linux NetworkManager files. sources: - type: FILE attributes: paths: - '/etc/NetworkManager/conf.d/name.conf' - '/etc/NetworkManager/NetworkManager.conf' - '/etc/NetworkManager/system-connections' - '/run/NetworkManager/conf.d/name.conf' - '/usr/lib/NetworkManager/conf.d/name.conf' - '/var/lib/NetworkManager/NetworkManager-intern.conf' - '/var/lib/NetworkManager/*' supported_os: [Linux] urls: - 'https://linux.die.net/man/5/networkmanager.conf' - 'https://man.archlinux.org/man/NetworkManager.conf.5.en#FILE_FORMAT' --- name: LinuxPamConfigs doc: Configuration files for PAM. sources: - type: FILE attributes: paths: - '/etc/pam.conf' - '/etc/pam.d' - '/etc/pam.d/common-password' - '/etc/pam.d/*' supported_os: [Linux] urls: ['http://www.linux-pam.org/'] --- name: LinuxPasswdFile doc: | Linux passwd file. A passwd file consist of colon separated values in the format: username:password:uid:gid:full name:home directory:shell sources: - type: FILE attributes: {paths: ['/etc/passwd']} supported_os: [Linux] --- name: LinuxReleaseInfo doc: Release information for Linux platforms. sources: - type: ARTIFACT_GROUP attributes: names: - LinuxDistributionRelease - LinuxLSBRelease - LinuxSystemdOSRelease provides: [os_release, os_major_version, os_minor_version] supported_os: [Linux] --- name: LinuxRsyslogConfigs doc: Linux rsyslog configurations. 
sources: - type: FILE attributes: paths: - '/etc/rsyslog.conf' - '/etc/rsyslog.d' - '/etc/rsyslog.d/*' supported_os: [Linux] urls: ['http://www.rsyslog.com/doc/rsyslog_conf.html'] --- name: LinuxScheduleFiles doc: All Linux job scheduling files. sources: - type: ARTIFACT_GROUP attributes: names: - AnacronFiles - LinuxCronTabs - LinuxAtJobs supported_os: [Linux] --- name: LinuxServices doc: Services running on a Linux system. sources: - type: ARTIFACT_GROUP attributes: names: - LinuxXinetd - LinuxLSBInit - LinuxSysVInit - LinuxSystemdServices supported_os: [Linux] --- name: LinuxSSDTTables doc: Linux files containing SSDT table. sources: - type: FILE attributes: {paths: ['/sys/firmware/acpi/tables/SSDT*']} urls: ['https://www.kernel.org/doc/Documentation/acpi/initrd_table_override.txt'] supported_os: [Linux] --- name: LinuxSudoReplayLogs doc: Linux sudoreplay log files. sources: - type: FILE attributes: {paths: ['/var/log/sudo-io/**']} supported_os: [Linux] --- name: LinuxSysctlConfigurationFiles doc: Linux sysctl preload/configuration files. sources: - type: FILE attributes: paths: - /etc/sysctl.d/*.conf - /run/sysctl.d/*.conf - /usr/local/lib/sysctl.d/*.conf - /usr/lib/sysctl.d/*.conf - /lib/sysctl.d/*.conf - /etc/sysctl.con supported_os: [Linux] urls: - 'https://man7.org/linux/man-pages/man5/sysctl.conf.5.html' --- name: LinuxSysLogFiles doc: Linux syslog log files. sources: - type: FILE attributes: {paths: ['/var/log/syslog*']} supported_os: [Linux] --- name: LinuxSyslogNgConfigs doc: Linux syslog-ng configurations. 
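sources:
- type: FILE
  attributes:
    paths:
    - '/etc/syslog-ng/syslog-ng.conf'
    - '/etc/syslog-ng/conf-d/*.conf'
    # The include directory shipped by distributions is 'conf.d'; the
    # 'conf-d' entry above is kept in case a deployment uses it.
    - '/etc/syslog-ng/conf.d/*.conf'
supported_os: [Linux]
urls: ['http://linux.die.net/man/5/syslog-ng.conf']
---
name: LinuxSystemdJournalConfig
doc: Linux systemd journal config file
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/systemd/journald.conf'
    # Drop-ins override the main file (journald.conf(5)); a 'Storage=none' or
    # tiny 'SystemMaxUse=' placed here silently disables/limits logging.
    - '/etc/systemd/journald.conf.d/*.conf'
supported_os: [Linux]
urls: ['https://wiki.archlinux.org/title/Systemd/Journal']
---
name: LinuxSystemdJournalLogs
doc: Linux systemd journal log files
sources:
- type: FILE
  attributes:
    paths:
    - '/var/log/journal/*/*.journal'
    - '/var/log/journal/*/*.journal~'
    # Volatile journal used when persistent storage is disabled or before
    # /var is available; lost on reboot, so collect it while the host is up.
    - '/run/log/journal/*/*.journal'
    - '/run/log/journal/*/*.journal~'
supported_os: [Linux]
urls: ['https://wiki.archlinux.org/title/Systemd/Journal']
---
name: LinuxSystemdOSRelease
doc: Linux systemd /etc/os-release file
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/os-release'
    - '/usr/lib/os-release'
provides: [os_release, os_major_version, os_minor_version]
supported_os: [Linux]
urls: ['https://www.freedesktop.org/software/systemd/man/os-release.html']
---
name: LinuxSystemdServices
doc: Linux systemd service unit files
# Unit search path per systemd.unit(5). Two fixes relative to the earlier
# definition: the attached-unit directory is 'system.attached' (not
# 'systemd.attached'), and /usr/local/lib is part of the search path.
# Drop-in directories ('<unit>.service.d/*.conf') are included because an
# override there can add ExecStartPre=/ExecStart= lines to a legitimate unit
# without touching the unit file itself.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/systemd/system.control/*.service'
    - '/etc/systemd/system.attached/*.service'
    - '/etc/systemd/system/*.service'
    - '/etc/systemd/system/*.service.d/*.conf'
    - '/etc/systemd/user/*.service'
    - '/etc/systemd/user/*.service.d/*.conf'
    - '/lib/systemd/system/*.service'
    - '/lib/systemd/user/*.service'
    - '/run/systemd/generator.early/*.service'
    - '/run/systemd/generator.late/*.service'
    - '/run/systemd/generator/*.service'
    - '/run/systemd/system.control/*.service'
    - '/run/systemd/system.attached/*.service'
    - '/run/systemd/system/*.service'
    - '/run/systemd/system/*.service.d/*.conf'
    - '/run/systemd/transient/*.service'
    - '/run/systemd/user/*.service'
    - '/run/user/*/systemd/generator.early/*.service'
    - '/run/user/*/systemd/generator.late/*.service'
    - '/run/user/*/systemd/generator/*.service'
    - '/run/user/*/systemd/transient/*.service'
    - '/run/user/*/systemd/user.control/*.service'
    - '/run/user/*/systemd/user/*.service'
    - '/usr/local/lib/systemd/system/*.service'
    - '/usr/local/lib/systemd/user/*.service'
    - '/usr/lib/systemd/system/*.service'
    - '/usr/lib/systemd/user/*.service'
    - '%%users.homedir%%/.config/systemd/user.control/*.service'
    - '%%users.homedir%%/.config/systemd/user/*.service'
    - '%%users.homedir%%/.config/systemd/user/*.service.d/*.conf'
    - '%%users.homedir%%/.local/share/systemd/user/*.service'
supported_os: [Linux]
urls: ['https://www.freedesktop.org/software/systemd/man/systemd.unit.html#System%20Unit%20Search%20Path']
---
name: LinuxSystemdTimers
doc: Linux systemd Timer files
# Same search path and fixes as LinuxSystemdServices; timers are the systemd
# equivalent of cron and equally useful for scheduled persistence.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/systemd/system.control/*.timer'
    - '/etc/systemd/system.attached/*.timer'
    - '/etc/systemd/system/*.timer'
    - '/etc/systemd/system/*.timer.d/*.conf'
    - '/etc/systemd/user/*.timer'
    - '/etc/systemd/user/*.timer.d/*.conf'
    - '/lib/systemd/system/*.timer'
    - '/lib/systemd/user/*.timer'
    - '/run/systemd/generator.early/*.timer'
    - '/run/systemd/generator.late/*.timer'
    - '/run/systemd/generator/*.timer'
    - '/run/systemd/system.control/*.timer'
    - '/run/systemd/system.attached/*.timer'
    - '/run/systemd/system/*.timer'
    - '/run/systemd/system/*.timer.d/*.conf'
    - '/run/systemd/transient/*.timer'
    - '/run/systemd/user/*.timer'
    - '/run/user/*/systemd/generator.early/*.timer'
    - '/run/user/*/systemd/generator.late/*.timer'
    - '/run/user/*/systemd/generator/*.timer'
    - '/run/user/*/systemd/transient/*.timer'
    - '/run/user/*/systemd/user.control/*.timer'
    - '/run/user/*/systemd/user/*.timer'
    - '/usr/local/lib/systemd/system/*.timer'
    - '/usr/local/lib/systemd/user/*.timer'
    - '/usr/lib/systemd/system/*.timer'
    - '/usr/lib/systemd/user/*.timer'
    - '%%users.homedir%%/.config/systemd/user.control/*.timer'
    - '%%users.homedir%%/.config/systemd/user/*.timer'
    - '%%users.homedir%%/.config/systemd/user/*.timer.d/*.conf'
    - '%%users.homedir%%/.local/share/systemd/user/*.timer'
supported_os: [Linux]
urls: ['https://www.freedesktop.org/software/systemd/man/systemd.timer.html#']
---
name: LinuxSysVInit
doc: Services started by sysv-style init scripts.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/rc.local'
    - '/etc/rc*.d'
    - '/etc/rc*.d/*'
    - '/etc/rc.d/rc*.d/*'
    - '/etc/rc.d/init.d/*'
supported_os: [Linux]
urls:
- 'http://savannah.nongnu.org/projects/sysvinit'
- 'http://docs.oracle.com/cd/E37670_01/E41138/html/ol_svcscripts.html'
---
name: LinuxTimezoneFile
doc: Linux timezone file.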
sources: - type: FILE attributes: {paths: ['/etc/timezone']} supported_os: [Linux] --- name: LinuxUdevRules doc: Linux udev rules for the events received by the udev's daemon from the Linux kernel. sources: - type: FILE attributes: paths: - '/usr/lib/udev/rules.d/*' - '/etc/udev/rules.d/*' supported_os: [Linux] urls: ['https://wiki.archlinux.org/title/Udev'] --- name: LinuxUtmpFiles doc: Linux btmp, utmp and wtmp login record files. sources: - type: FILE attributes: paths: - '/var/log/btmp' - '/var/log/wtmp' - '/var/run/utmp' supported_os: [Linux] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] --- name: LinuxWtmp doc: Linux wtmp login record file sources: - type: FILE attributes: {paths: ['/var/log/wtmp']} provides: [users.username, users.last_logon] supported_os: [Linux] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc'] --- name: LinuxXinetd doc: Linux xinetd configurations. sources: - type: FILE attributes: paths: - '/etc/xinetd.conf' - '/etc/xinetd.d/**' supported_os: [Linux] urls: ['http://en.wikipedia.org/wiki/Xinetd'] --- name: ListProcessesPsCommand doc: Full process listing via the 'ps' command. sources: - type: COMMAND attributes: args: ['-ef'] cmd: /bin/ps supported_os: [Linux] urls: ['https://gitlab.com/procps-ng/procps'] --- name: LoadedKernelModules doc: Linux output of lsmod. sources: - type: COMMAND attributes: args: [] cmd: /sbin/lsmod supported_os: [Linux] --- name: LocateDatabase doc: locate/mlocate database and updatedb configuration. sources: - type: FILE attributes: paths: - '/var/lib/mlocate/mlocate.db' - '/etc/updatedb.conf' urls: - 'https://linux.die.net/man/1/locate' - 'https://linux.die.net/man/8/updatedb' supported_os: [Linux] --- name: LoginPolicyConfiguration doc: Linux files related to login policy configuration. 
sources: - type: FILE attributes: paths: - '/etc/netgroup' - '/etc/nsswitch.conf' - '/etc/passwd' - '/etc/shadow' - '/etc/security/access.conf' - '/root/.k5login' supported_os: [Linux] --- name: MySQLHistoryFile doc: MySQL History file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.mysql_history' supported_os: [Linux] --- name: NanoHistoryFile doc: nano history file that logs search and replace strings. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.nano_history']} supported_os: [Linux] urls: ['https://www.nano-editor.org/dist/v2.2/nano.html'] --- name: NetgroupConfiguration doc: Linux netgroup configuration. sources: - type: FILE attributes: {paths: ['/etc/netgroup']} provides: [users.username] supported_os: [Linux] --- name: NtpConfFile doc: The configuration file for ntpd. e.g. ntp.conf. sources: - type: FILE attributes: {paths: ['/etc/ntp.conf']} supported_os: [Linux] urls: ['https://www.freebsd.org/cgi/man.cgi?query=ntp.conf&sektion=5'] --- name: PCIDevicesInfoFiles doc: Info and config files for PCI devices located on the system. sources: - type: FILE attributes: paths: - '/sys/bus/pci/devices/*/vendor' - '/sys/bus/pci/devices/*/device' - '/sys/bus/pci/devices/*/class' - '/sys/bus/pci/devices/*/config' urls: - 'https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-pci' - 'https://www.kernel.org/doc/Documentation/filesystems/sysfs-pci.txt' - 'https://wiki.debian.org/HowToIdentifyADevice/PCI' supported_os: [Linux] --- name: PostgreSQLHistoryFile doc: PostgreSQL History file. sources: - type: FILE attributes: paths: - '/var/lib/postgresql/.psql_history' - '/var/lib/pgsql/.psql_history' - '%%users.homedir%%/.psql_history' supported_os: [Linux] --- name: PythonHistoryFile doc: Python REPL history file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.python_history']} supported_os: [Linux] --- name: RHostsFile doc: RHosts file. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.rhosts' supported_os: [Linux] --- name: SambaLogFiles doc: Samba log files. sources: - type: FILE attributes: paths: - '/var/log/samba/*.log' supported_os: [Linux] urls: - 'https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server' --- name: SecretsServiceDatabaseFile doc: The System Security Services Daemon (SSSD) database file. sources: - type: FILE attributes: paths: - '/var/lib/sss/secrets/secrets.ldb' - '/var/lib/sss/secrets/.secrets.mkey' supported_os: [Linux] urls: - 'https://docs.pagure.org/SSSD.sssd/design_pages/secrets_service.html' - 'https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html' --- name: SQLiteHistoryFile doc: SQLite History file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.sqlite_history' supported_os: [Linux] --- name: SSHAuthorizedKeysFiles doc: SSH authorized keys files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.ssh/authorized_keys' - '%%users.homedir%%/.ssh/authorized_keys2' supported_os: [Linux] --- name: SSHHostPubKeys doc: SSH host public keys sources: - type: FILE attributes: paths: - '/etc/ssh/ssh_host_*_key.pub' supported_os: [Linux] --- name: SSHKnownHostsFiles doc: SSH known_hosts files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.ssh/known_hosts' - '/etc/ssh/known_hosts' supported_os: [Linux] --- name: ThumbnailCacheFolder doc: Thumbnail cache folder. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/.thumbnails/**3']} supported_os: [Linux] --- name: UFWConfigFiles doc: UFW Configuration files. sources: - type: FILE attributes: paths: - '/etc/default/ufw' - '/etc/ufw/sysctl.conf' - '/etc/ufw/*.rules' - '/etc/ufw/applications.d/*' supported_os: [Linux] --- name: UFWLogFile doc: UFW Log file. sources: - type: FILE attributes: paths: - '/var/log/ufw.log' supported_os: [Linux] --- name: Viminfo doc: Viminfo file. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/.viminfo' supported_os: [Linux] --- name: WgetHSTSdatabase doc: Default wget HTTP Strict Transport Security (HSTS) database sources: - type: FILE attributes: paths: - '%%users.homedir%%/.wget-hsts' supported_os: [Linux] urls: ['https://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html'] --- name: XDGAutostartEntries doc: XDG Autostart Entries sources: - type: FILE attributes: paths: - '/etc/xdg/autostart/*.desktop' - '%%users.homedir%%/.config/autostart/*.desktop' supported_os: [Linux] urls: ['https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html'] --- name: YumSources doc: Yum package sources list sources: - type: FILE attributes: paths: - '/etc/yum.conf' - '/etc/yum.repos.d/*.repo' supported_os: [Linux] urls: ['https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Configuring_Yum_and_Yum_Repositories.html'] --- name: ZeitgeistDatabase doc: Zeitgeist user activity database. sources: - type: FILE attributes: paths: - '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite' - '%%users.homedir%%/.local/share/zeitgeist/activity.sqlite-wal' urls: ['https://forensics.wiki/zeitgeist'] supported_os: [Linux] artifacts-20230928/data/linux_proc.yaml000066400000000000000000000117751450527130400177400ustar00rootroot00000000000000# Linux specific /proc artifacts. --- name: LinuxASLREnabled doc: Kernel ASLR state. sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/randomize_va_space']} supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxIgnoreICMPBroadcasts doc: Whether the system ignores ICMP pings. 
sources: - type: FILE attributes: {paths: ['/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts']} supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxKernelBootloader doc: Bootloader state acquired from the kernel. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/bootloader_type' - '/proc/sys/kernel/bootloader_version' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxKernelModuleRestrictions doc: Module loading controls. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/kexec_load_disabled' - '/proc/sys/kernel/modules_disabled' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxKernelModuleTaintStatus doc: Taint state of loaded modules (binary blobs, unsigned modules etc). sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/tainted']} supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxNetworkIpForwardingState doc: IP forwarding states. sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/forwarding' - '/proc/sys/net/ipv4/conf/*/mc_forwarding' - '/proc/sys/net/ipv4/ip_forward' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxNetworkPathFilteringSettings doc: States that determine how the system responds to route manipulation. sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/accept_source_route' - '/proc/sys/net/ipv4/conf/*/rp_filter' - '/proc/sys/net/ipv4/conf/*/log_martians' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxNetworkRedirectState doc: Redirect send/receive states. 
sources: - type: FILE attributes: paths: - '/proc/sys/net/ipv*/conf/*/accept_redirects' - '/proc/sys/net/ipv4/conf/*/secure_redirects' - '/proc/sys/net/ipv4/conf/*/send_redirects' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxProcArp doc: ARP table via /proc/net/arp. sources: - type: FILE attributes: paths: - '/proc/net/arp' supported_os: [Linux] --- name: LinuxProcMounts doc: Current mounted filesystems. sources: - type: FILE attributes: paths: - '/proc/mounts' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/filesystems/proc.txt'] --- name: LinuxProcSysHardeningSettings doc: Linux sysctl settings obtained from /proc/sys. sources: - type: ARTIFACT_GROUP attributes: names: - 'LinuxASLREnabled' - 'LinuxIgnoreICMPBroadcasts' - 'LinuxKernelBootloader' - 'LinuxKernelModuleTaintStatus' - 'LinuxKernelModuleRestrictions' - 'LinuxNetworkIpForwardingState' - 'LinuxNetworkPathFilteringSettings' - 'LinuxNetworkRedirectState' - 'LinuxRestrictedDmesgReadPrivileges' - 'LinuxRestrictedKernelPointerReadPrivileges' - 'LinuxSecureSuidCoreDumps' - 'LinuxSecureFsLinks' - 'LinuxSyncookieState' supported_os: [Linux] --- name: LinuxRestrictedDmesgReadPrivileges doc: Restrict whether non-privileged users can read dmesg. sources: - type: FILE attributes: paths: - '/proc/sys/kernel/dmesg_restrict' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxRestrictedKernelPointerReadPrivileges doc: Memory address obfuscation settings. sources: - type: FILE attributes: {paths: ['/proc/sys/kernel/kptr_restrict']} supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt'] --- name: LinuxSecureFsLinks doc: Security controls to restrict operations on links in world writable directories. 
sources: - type: FILE attributes: paths: - '/proc/sys/fs/protected_hardlinks' - '/proc/sys/fs/protected_symlinks' supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] --- name: LinuxSecureSuidCoreDumps doc: Security controls for suid core dumps. sources: - type: FILE attributes: {paths: ['/proc/sys/fs/suid_dumpable']} supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt'] --- name: LinuxSyncookieState doc: Whether the system uses syncookies. sources: - type: FILE attributes: {paths: ['/proc/sys/net/ipv4/tcp_syncookies']} supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt'] --- name: LinuxSysctlCmd doc: Linux output of sysctl -a. sources: - type: COMMAND attributes: args: ["-a"] cmd: /sbin/sysctl supported_os: [Linux] urls: ['https://www.kernel.org/doc/Documentation/sysctl'] artifacts-20230928/data/linux_services.yaml000066400000000000000000000023051450527130400206050ustar00rootroot00000000000000# Linux services artifacts --- name: ApacheKafkaLogFiles doc: Apache Kafka Log files sources: - type: FILE attributes: paths: - '/opt/kafka/logs/*' - '/opt/kafka/logs/controller.log*' - '/opt/kafka/logs/kafka-*.log*' - '/opt/kafka/logs/server.log*' - '/opt/kafka/logs/state-change.log*' supported_os: [Linux] --- name: HAProxyLogFiles doc: HAProxy Log files sources: - type: FILE attributes: paths: - '/var/log/haproxy/*' - '/var/log/haproxy.log' - '/var/log/haproxy-traffic.log' - '/var/log/haproxy-admin.log' supported_os: [Linux] urls: - 'https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8' - 'https://www.haproxy.com/blog/introduction-to-haproxy-logging/' --- name: JenkinsLogFile doc: Jenkins log file sources: - type: FILE attributes: {paths: ['/var/log/jenkins/jenkins.log']} supported_os: [Linux] urls: ['https://wiki.jenkins.io/display/JENKINS/Logging.html'] --- name: OsqueryLogFiles doc: Osquery daemon log files sources: - type: FILE attributes: paths: - 
'/var/log/osquery/osqueryd.results.log' - '/var/log/osquery/osqueryd.snapshots.log' supported_os: [Linux] urls: ['https://osquery.readthedocs.io/en/stable/deployment/logging/'] artifacts-20230928/data/macos.yaml000066400000000000000000001052621450527130400166520ustar00rootroot00000000000000# Mac OS (Darwin) specific artifacts. --- name: MacOSAddressBookImagesSQLiteDatabaseFile doc: Address book images SQLite database file. sources: - type: FILE attributes: paths: - '/Applications/Xcode.app/Contents/Developer/Platforms/*.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/*.simruntime/Contents/Resources/SampleContent/Library/AddressBook/AddressBookImages.sqlitedb' - '%%users.homedir%%/Library/Developer/CoreSimulator/Devices/*/data/Library/AddressBook/AddressBookImages.sqlitedb' supported_os: [Darwin] --- name: MacOSApplePushServiceSQLiteDatabaseFile doc: Apple push service SQLite database file. sources: - type: FILE attributes: {paths: ['/Library/Application Support/ApplePushService/aps.db']} supported_os: [Darwin] --- name: MacOSApplicationBundleCacheSQLiteDatabaseFile doc: Application bundle cache SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Caches/*/Cache.db']} supported_os: [Darwin] --- name: MacOSAssetCacheInfoSQLiteDatabaseFile doc: Asset cache information SQLite database file. sources: - type: FILE attributes: {paths: ['/Library/Caches/com.apple.AssetCache/AssetInfo.db']} supported_os: [Darwin] --- name: MacOSAuthorizationRulesSQLiteDatabaseFile doc: | Authorization rules SQLite database file. Supersedes /etc/authorization seen in Mac OS X 10.8 Mountain Lion and earlier versions. sources: - type: FILE attributes: paths: - '/private/var/db/auth.db' - '/var/db/auth.db' supported_os: [Darwin] --- name: MacOSCalendarCacheSQLiteDatabaseFile doc: Calendar cache SQLite database file. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Calendars/Calendar Cache']} supported_os: [Darwin] --- name: MacOSCallHistoryCacheSQLiteDatabaseFile doc: Call history cache SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/CallHistoryDB/CallHistory.storedata']} supported_os: [Darwin] --- name: MacOSAirportPreferencesPlistFile aliases: [MacOSWirelessNetworks] doc: Airport (wireless networking) preferences property list (plist) file. sources: - type: FILE attributes: {paths: ['/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist']} supported_os: [Darwin] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/macos/NetworkSettings.html'] --- name: MacOSAppleSetupDoneFile aliases: [MacOSSystemInstallationTime] doc: Mac OS .AppleSetupDone file that hints to the system installation date and time. sources: - type: FILE attributes: paths: - '/private/var/db/.AppleSetupDone' - '/var/db/.AppleSetupDone' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-settings-and-informations'] --- name: MacOSAppleSystemLogFile aliases: [MacOSAppleSystemLogFiles] doc: Apple system log (ASL) files. sources: - type: FILE attributes: paths: - '/private/var/log/asl/*.asl' - '/private/var/log/DiagnosticMessages/*.asl' - '/var/log/asl/*.asl' - '/var/log/DiagnosticMessages/*.asl' supported_os: [Darwin] urls: - 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs' - 'https://support.apple.com/guide/console/reports-cnsl664be99a/mac' --- name: MacOSApplicationsDirectory aliases: [MacOSApplications] doc: Contents of the Applications directory. 
sources: - type: PATH attributes: {paths: ['/Applications/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories'] --- name: MacOSApplicationsRecentItems doc: Recent Items application specific sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/*.LSSharedFileList.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#recent-items'] --- name: MacOSAtJobs doc: MacOS at jobs sources: - type: FILE attributes: {paths: ['/usr/lib/cron/jobs/*']} supported_os: [Darwin] urls: - 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-info-misc' - 'https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at' --- name: MacOSAuditLogFile aliases: [MacOSAuditLogFiles] doc: Audit log files. sources: - type: FILE attributes: paths: # Name of the file consists of "startime.stoptime" where each time is formatted as: # "YYYYMMDDhhmmss". For example: "20141130081343.20141130081943". - '/private/var/audit/[0-9]*.[0-9]*' - '/var/audit/[0-9]*.[0-9]*' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs'] --- name: MacOSBluetoothPlistFile doc: Bluetooth preferences and paired device information property list (plist) file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.Bluetooth.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences'] --- name: MacOSCoreAnalyticsFile aliases: [MacOSCoreAnalyticsFiles] doc: CoreAnalytics log files. 
sources: - type: FILE attributes: paths: - '/Library/Logs/DiagnosticReports/*.core_analytics' - '/private/var/db/analyticsd/aggregates/*' - '/var/db/analyticsd/aggregates/*' supported_os: [Darwin] urls: - 'https://forensics.wiki/mac_os_x#diagnostic-reports' - 'https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/' --- name: MacOSCronTabs doc: Cron tabs sources: - type: FILE attributes: paths: - '/etc/crontab' - '/private/etc/crontab' - '/usr/lib/cron/tabs/*' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-info-misc'] --- name: MacOSDockConfigurationPlistFile aliases: [MacOSDock] doc: | Dock configuration property list (plist) file. This property list contains information about the configuration of a user's Dock. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.Dock.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences'] --- name: MacOSDirectoryServicesLocalNodesSQLiteDatabaseFile doc: Directory services local nodes database. sources: - type: FILE attributes: paths: - '/private/var/db/dslocal/nodes/Default/sqlindex' - '/var/db/dslocal/nodes/Default/sqlindex' supported_os: [Darwin] --- name: MacOSDuetActivitySchedulerSQLiteDatabaseFile doc: Duet activity scheduler database. sources: - type: FILE attributes: paths: - '/private/var/db/DuetActivityScheduler/DuetActivitySchedulerClassC.db' - '/var/db/DuetActivityScheduler/DuetActivitySchedulerClassC.db' supported_os: [Darwin] --- name: MacOSDuetinteractionCSQLiteDatabaseFile doc: Duet interactionC database. sources: - type: FILE attributes: paths: - '/private/var/db/CoreDuet/People/interactionC.db' - '/var/db/CoreDuet/People/interactionC.db' supported_os: [Darwin] --- name: MacOSDuetKnowledgeCSQLiteDatabaseFile aliases: [MacOSDuetKnowledgeBase] doc: Duet knowledgeC User and Application usage database. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db' - '/private/var/db/CoreDuet/Knowledge/knowledgeC.db' - '/var/db/CoreDuet/Knowledge/knowledgeC.db' supported_os: [Darwin] urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage'] --- name: MacOSDuetSQLiteDatabaseFile doc: Duet database. sources: - type: FILE attributes: paths: - '/private/var/db/CoreDuet/coreduetd.db' - '/var/db/CoreDuet/coreduetd.db' supported_os: [Darwin] --- name: MacOSDuetSystemEventsSQLiteDatabaseFile doc: Duet system events database. sources: - type: FILE attributes: paths: - '/private/var/db/CoreDuet/coreduetd.db' - '/var/db/CoreDuet/coreduetd.db' supported_os: [Darwin] --- name: MacOSFSEventsFile aliases: [MacOSFSEvents] doc: File system events disk log stream (fsevents) files. sources: - type: FILE attributes: {paths: ['/.fseventsd/*']} supported_os: [Darwin] urls: ['https://github.com/libyal/dtformats/blob/main/documentation/MacOS%20File%20System%20Events%20Disk%20Log%20Stream%20format.asciidoc'] --- name: MacOSGatekeeperOpaqueConfigurationSQLiteDatabaseFile doc: Gatekeeper opaque configuration database. sources: - type: FILE attributes: paths: - '/private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db' - '/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db' supported_os: [Darwin] --- name: MacOSGlobalPreferencesPlistFile doc: | Global preferences property list (plist) file. This property list contains information about the system's locale and time zone. 
sources: - type: FILE attributes: {paths: ['/Library/Preferences/.GlobalPreferences.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences'] --- name: MacOSiCloudAccounts doc: iCloud Accounts sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/iCloud/Accounts/*']} supported_os: [Darwin] --- name: MacOSiCloudPreferences doc: iCloud user preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/MobileMeAccounts.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences'] --- name: MacOSIdentityServicesSQLiteDatabaseFile doc: Identity services SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/IdentityServices/ids.db']} supported_os: [Darwin] --- name: MacOSiDevices doc: Attached iDevices sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.iPod.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences'] --- name: MacOSInstallationHistoryPlistFile aliases: [MacOSInstallationHistory] doc: Software installation history property list (plist) file. 
sources: - type: FILE attributes: {paths: ['/Library/Receipts/InstallHistory.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#software-installation'] --- name: MacOSInstallationLogFile doc: Software installation log file sources: - type: FILE attributes: paths: - '/private/var/log/install.log' - '/var/log/install.log' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs'] --- name: MacOSiOSBackupInfo doc: iOS device backup information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#idevice-backup'] --- name: MacOSiOSBackupManifest doc: iOS device backup apps information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#idevice-backup'] --- name: MacOSiOSBackupMbdb doc: iOS device backup files information sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#idevice-backup'] --- name: MacOSiOSBackupsMainDirectory doc: iOS device backups directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#idevice-backup'] --- name: MacOSiOSBackupStatus doc: iOS device backup status information. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#idevice-backup'] --- name: MacOSKernelExtensionFile aliases: [MacOSKextFiles] doc: Kernel extension (.kext) files. sources: - type: FILE attributes: paths: - '/Library/Extensions/*' - '/System/Library/Extensions/*' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#kernel-extension'] --- name: MacOSKeyboardLayoutPlistFile doc: Keyboard layout property list (plist) file. sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.HIToolbox.plist']} supported_os: [Darwin] --- name: MacOSLastlogFile doc: Lastlog file. sources: - type: FILE attributes: paths: - '/private/var/log/lastlog' - '/var/log/lastlog' supported_os: [Darwin] --- name: MacOSLaunchAgentsPlistFile aliases: [MacOSLaunchAgentsPlistFiles] doc: Launch Agents property list (plist) files. sources: - type: FILE attributes: paths: - '/Library/LaunchAgents/*.plist' - '/System/Library/LaunchAgents/*.plist' - '%%users.homedir%%/Library/LaunchAgents/*.plist' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations'] --- name: MacOSLaunchDaemonsPlistFile aliases: [MacOSLaunchDaemonsPlistFiles] doc: Launch Daemons property list (plist) files. sources: - type: FILE attributes: paths: - '/Library/LaunchDaemons/*.plist' - '/System/Library/LaunchDaemons/*.plist' - '%%users.homedir%%/Library/LaunchDaemons/*.plist' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations'] --- name: MacOSLoadedKexts doc: MacOS Loaded Kernel Extensions. sources: - type: COMMAND attributes: args: [] cmd: /usr/sbin/kextstat supported_os: [Darwin] --- name: MacOSLogFile aliases: [MacOSMiscLogs] doc: Miscellaneous system log files. 
sources: - type: FILE attributes: {paths: ['/Library/Logs/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#logs'] --- name: MacOSLoginWindowPlistFile doc: Log-in window information property list (plist) file sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.loginwindow.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences'] --- name: MacOSMailAccounts doc: Mail Accounts. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Accounts.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailBackupTOC doc: Mail Backup Table of Content. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/BackupTOC.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailboxes doc: Mail Mailbox Directory. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/Mailboxes/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailDownloadAttachments doc: Mail Downloads Directory sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailEnvelopIndex doc: Mail Envelope Index. Until now only V2, V3 and V5 have been observed. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Envelope Index']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailIMAP doc: Mail IMAP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/IMAP-*/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailMainDirectory doc: Mail Main Folder. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailOpenedAttachments doc: Mail Opened Attachments sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/OpenedAttachmentsV2.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailPOP doc: Mail POP Synched Mailboxes. Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/POP-*/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailPreferences doc: Mail Preferences sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.Mail.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailRecentContacts doc: Mail Recent Contacts sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMailSignatures doc: Mail Signatures by Account. 
Until now only V2, V3 and V5 have been observed. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Mail/V[0-9]/MailData/Signatures/*']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#mail'] --- name: MacOSMessageChatSQLiteDatabaseFile doc: iMessage chat SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Messages/chat.db']} supported_os: [Darwin] --- name: MacOSMountedDMGs doc: MacOS Mounted DMG files. sources: - type: COMMAND attributes: args: ['info'] cmd: /usr/bin/hdiutil supported_os: [Darwin] --- name: MacOSNetworkUsageSQLiteDatabaseFile doc: Network usage SQLite database file. sources: - type: FILE attributes: paths: - '/private/var/networkd/netusage.sqlite' - '/var/networkd/netusage.sqlite' supported_os: [Darwin] --- name: MacOSNotesSQLiteDatabaseFile doc: Notes SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV*.storedata']} supported_os: [Darwin] --- name: MacOSNotificationCenterSQLiteDatabaseFile aliases: [MacOSNotificationCenter] doc: MacOS NotificationCenter SQLite database files. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db' - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db' - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db' - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db' - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db' supported_os: [Darwin] --- name: MacOSPeriodicSystemFunctionConfigurationFile aliases: [MacOSPeriodicSystemFunctions] doc: Configuration files of system function scripts that should run periodically. 
sources: - type: FILE attributes: paths: - '/etc/daily.local/*' - '/etc/defaults/periodic.conf' - '/etc/monthly.local/*' - '/etc/periodic/**2' - '/etc/periodic.conf' - '/etc/periodic.conf.local' - '/etc/periodic/daily/*' - '/etc/periodic/monthly/*' - '/etc/periodic/weekly/*' - '/etc/weekly.local/*' - '/private/etc/daily.local/*' - '/private/etc/defaults/periodic.conf' - '/private/etc/monthly.local/*' - '/private/etc/periodic/**2' - '/private/etc/periodic.conf' - '/private/etc/periodic.conf.local' - '/private/etc/periodic/daily/*' - '/private/etc/periodic/monthly/*' - '/private/etc/periodic/weekly/*' - '/private/etc/weekly.local/*' - '/usr/local/etc/periodic/**2' supported_os: [Darwin] urls: - 'https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-info-misc' - 'https://www.freebsd.org/cgi/man.cgi?periodic' - 'https://www.freebsd.org/cgi/man.cgi?periodic.conf' --- name: MacOSQuarantineEventsSQLiteDatabaseFile aliases: [MacOSQuarantineEvents] doc: Quarantine events SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents' - '%%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences'] --- name: MacOSRecentItemsPlistFile aliases: [MacOSRecentItems] doc: Recent items property list (plist) file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.recentitems.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#recent-items'] --- name: MacOSRemoteDesktopAdministratorSystem doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance. 
sources: - type: FILE attributes: paths: - '/private/var/db/RemoteManagement/ClientCaches/*' - '/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3' - '/var/db/RemoteManagement/ClientCaches/*' - '/var/db/RemoteManagement/RMDB/rmdb.sqlite3' supported_os: [Darwin] urls: - 'https://help.apple.com/remotedesktop/mac/3.9/' - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html' - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse' --- name: MacOSRemoteDesktopClientSystem doc: Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s desktop management system for software distribution, asset management, and remote assistance. sources: - type: FILE attributes: paths: - '/private/var/db/RemoteManagement/caches/AppUsage.plist' - '/var/db/RemoteManagement/caches/AppUsage.plist' - '/private/var/db/RemoteManagement/caches/UserAcct.tmp' - '/var/db/RemoteManagement/caches/UserAcct.tmp' supported_os: [Darwin] urls: - 'https://help.apple.com/remotedesktop/mac/3.9/' - 'https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html' - 'https://github.com/fireeye/ARDvark#ard-artifacts-to-parse' --- name: MacOSSidebarListsPlistFile aliases: [MacOSSidebarLists] doc: | Sidebar lists preferences property list (plist) file. This property list contains the names of volumes mounted on the desktop that have appeared in the sidebar list. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist' - '%%users.homedir%%/Preferences/com.apple.sidebarlists.plist' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences'] --- name: MacOSSiriAnalyticsSQLiteDatabaseFile doc: Siri analytics SQLite database file. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Assistant/SiriAnalytics.db']} supported_os: [Darwin] --- name: MacOSSiriSuggestionsEntitiesSQLiteDatabaseFile doc: Siri suggestions entities SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Suggestions/entities.db' - '%%users.homedir%%/Library/Suggestions/entities.db-wal' supported_os: [Darwin] --- name: MacOSSiriSuggestionsPendingQueueSQLiteDatabaseFile doc: Siri suggestions pending queue SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Suggestions/pending/queue.db' - '%%users.homedir%%/Library/Suggestions/pending/queue.db-wal' supported_os: [Darwin] --- name: MacOSSiriSuggestionsSnippetsSQLiteDatabaseFile doc: Siri suggestions snippets SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Suggestions/snippets.db' - '%%users.homedir%%/Library/Suggestions/snippets.db-wal' supported_os: [Darwin] --- name: MacOSSleepimageFile doc: Sleepimage file which contains the content of memory before going to sleep sources: - type: FILE attributes: paths: - '/private/var/vm/sleepimage' - '/var/vm/sleepimage' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#sleep.2fhibernate-and-swap-image-file'] --- name: MacOSSoftwareUpdatePreferencesPlistFile aliases: [MacOSUpdate] doc: Software update preferences property list (plist) files. sources: - type: FILE attributes: {paths: ['/Library/Preferences/com.apple.SoftwareUpdate.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#software-installation'] --- name: MacOSStartupItemsPlistFile aliases: [MacOSStartupItemsPlistFiles] doc: Startup Items property list (plist) files. 
sources: - type: FILE attributes: paths: - '/Library/StartupItems/*.plist' - '/System/Library/StartupItems/*.plist' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations'] --- name: MacOSSwapFile aliases: [MacOSSwapFiles] doc: Swap file sources: - type: FILE attributes: paths: - '/private/var/vm/swapfile[0-9]' - '/var/vm/swapfile[0-9]' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#sleep.2fhibernate-and-swap-image-file'] --- name: MacOSSystemConfigurationPreferencesPlistFile doc: System configuration preferences property list (plist) file. sources: - type: FILE attributes: {paths: ['/Library/Preferences/SystemConfiguration/preferences.plist']} supported_os: [Darwin] --- name: MacOSSystemLogFile aliases: [MacOSSystemLogFiles] doc: System log file. sources: - type: FILE attributes: paths: - '/private/var/log/*' - '/var/log/*' supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-logs'] --- name: MacOSSystemPolicySQLiteDatabaseFile doc: System policy database. 
sources: - type: FILE attributes: paths: - '/private/var/db/SystemPolicy' - '/var/db/SystemPolicy' supported_os: [Darwin] --- name: MacOSSystemPreferencesPlistFile aliases: [MacOSSystemPreferencesPlistFiles] doc: System Preferences property list (plist) files sources: - type: FILE attributes: {paths: ['/Library/Preferences/**/*.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences'] --- name: MacOSSystemVersionPlistFile doc: Operating system name and version property list (plist) file sources: - type: FILE attributes: {paths: ['/System/Library/CoreServices/SystemVersion.plist']} supported_os: [Darwin] urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-settings-and-informations'] --- name: MacOSTCCSQLiteDatabaseFile aliases: [MacOSTCC] doc: Transparency, Consent, Control (TCC) framework SQLite database files. sources: - type: FILE attributes: paths: - '/Library/Application Support/com.apple.TCC/TCC.db' - '%%users.homedir%%/Library/Application Support/com.apple.TCC/TCC.db' supported_os: [Darwin] urls: ['https://forensics.wiki/tcc_database'] --- name: MacOSTextReplacementsSQLiteDatabaseFile doc: Text replacements SQLite database file. 
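sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/KeyboardServices/TextReplacements.db']}
supported_os: [Darwin]
---
name: MacOSTimeMachinePlistFile
doc: Time Machine information property list (plist) file
sources:
- type: FILE
  attributes: {paths: ['/Library/Preferences/com.apple.TimeMachine.plist']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-preferences']
---
name: MacOSUnifiedLogging
doc: Apple Unified Logging and Activity Tracing
sources:
- type: FILE
  attributes:
    paths:
    - '/private/var/db/diagnostics/*.tracev3'
    - '/private/var/db/diagnostics/*/*.tracev3'
    # The timesync records are needed to convert tracev3 timestamps to wall
    # clock time; without them the collected logs cannot be dated reliably.
    - '/private/var/db/diagnostics/timesync/*.timesync'
    - '/private/var/db/uuidtext/*/*'
    - '/var/db/diagnostics/*.tracev3'
    - '/var/db/diagnostics/*/*.tracev3'
    - '/var/db/diagnostics/timesync/*.timesync'
    - '/var/db/uuidtext/*/*'
supported_os: [Darwin]
urls: ['https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf']
---
name: MacOSUserApplicationLogFile
aliases: [MacOSUserApplicationLogs]
doc: User applications log files.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Logs/*.log']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#logs']
---
name: MacOSUserApplicationSupportDirectory
aliases: [MacOSApplicationSupport]
doc: Contents of the user Application Support directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Library/Application Support/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#misc']
---
name: MacOSUserDesktopDirectory
doc: Contents of the user Desktop directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Desktop/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserDockDesktopPictureSQLiteDatabaseFile
doc: Dock user desktop picture SQLite database file.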
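sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Application Support/Dock/desktoppicture.db']}
supported_os: [Darwin]
---
name: MacOSUserDocumentsDirectory
doc: Contents of the user Documents directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Documents/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserGlobalPreferencesPlistFile
aliases: [MacOSUserGlobalPreferences]
doc: User global preferences property list (plist) file.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Preferences/.GlobalPreferences.plist']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
---
name: MacOSUserKeychainFile
aliases: [MacOSKeychains]
doc: User keychain files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Keychains/*.keychain'
    # Since macOS 10.12 the login keychain is stored as login.keychain-db,
    # which the *.keychain pattern does not match.
    - '%%users.homedir%%/Library/Keychains/*.keychain-db'
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#misc']
---
name: MacOSUserKeychainOCSPCacheSQLiteDatabaseFile
doc: User keychain CRL and OCSP cache SQLite database file.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*/ocspcache.sqlite3']}
supported_os: [Darwin]
---
name: MacOSUserLibraryDirectory
doc: Contents of the user Library directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Library/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserLocalItemsKeychainKeybagSQLiteDatabaseFile
doc: User (iCloud) local items keychain keybag SQLite database file.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*/user.db']}
supported_os: [Darwin]
---
name: MacOSUserLocalItemsKeychainRecordsSQLiteDatabaseFile
doc: User (iCloud) local items keychain encrypted records SQLite database file.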
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Keychains/*/keychain-2.db']}
supported_os: [Darwin]
---
name: MacOSUserLoginItemsPlistFile
aliases: [MacOSUserLoginItems]
doc: User login items property list (plist) file.
# NOTE(review): this plist is the legacy login-items store. Newer macOS
# versions keep login items in Background Task Management (.btm) files, which
# are not plists and are not covered by this definition.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#autorun-locations-2']
---
name: MacOSUserMoviesDirectory
doc: Contents of the user Movies directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Movies/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserMusicDirectory
doc: Contents of the user Music directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Music/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserPasswordHashesPlistFile
aliases: [MacOSUserPasswordHashesPlistFiles]
doc: User password hashes property list (plist) files.
# These plists are root-readable only and contain credential material; handle
# the collected copies as secrets.
sources:
- type: FILE
  attributes:
    paths:
    - '/private/var/db/dslocal/nodes/Default/users/*.plist'
    - '/var/db/dslocal/nodes/Default/users/*.plist'
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#system-settings-and-informations']
---
name: MacOSUserPicturesDirectory
doc: Contents of the user Pictures directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Pictures/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserPreferencesDirectory
aliases: [MacOSUserPreferences]
doc: Contents of the user Preferences directories.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Preferences/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#preferences']
---
name: MacOSUserPublicDirectory
doc: Contents of the user Public directories.
sources:
- type: PATH
  attributes: {paths: ['%%users.homedir%%/Public/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
---
name: MacOSUserAccountsSQLiteDatabaseFile
aliases: [MacOSUserSocialAccounts]
doc: |
  User Accounts SQLite database files.
  Seen Accounts3.sqlite and Accounts4.sqlite
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Accounts/Accounts*.sqlite'
    # The write-ahead log can hold rows not yet checkpointed into the main file.
    - '%%users.homedir%%/Library/Accounts/Accounts*.sqlite-wal'
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user.27s-accounts']
---
name: MacOSUserTrashDirectory
aliases: [MacOSUserTrash]
doc: Contents of the user Trash directories.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.Trash/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#misc']
---
name: MacOSUtmpxFile
doc: Utmpx login record file.
sources:
- type: FILE
  attributes:
    paths:
    - '/private/var/run/utmpx'
    - '/var/run/utmpx'
supported_os: [Darwin]
urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
---
name: MacOSWalletSQLiteDatabaseFile
doc: Apple Wallet SQLite database file.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Passes/passes23.sqlite']}
supported_os: [Darwin]
---
name: MacOSWirelessDiagnosticDataPersistentSQLiteDatabaseFile
doc: Apple Wireless Diagnostic Data (AWDD) persistent SQLite database file.
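sources:
- type: FILE
  attributes:
    paths:
    - '/private/var/db/awdd/persistent.db'
    - '/var/db/awdd/persistent.db'
supported_os: [Darwin]
---
name: MacOSXcodeiOSDeviceLogsSQLiteDatabaseFile
doc: Xcode iOS Device Logs SQLite database file.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Developer/Xcode/iOS Device Logs/iOS Device Logs *.db']}
supported_os: [Darwin]
artifacts-20230928/data/shell.yaml000066400000000000000000000202651450527130400166570ustar00rootroot00000000000000
# Shell user-interface artifact definitions.
---
name: BashShellConfigurationFile
doc: Bourne Again shell (bash) configuration files.
sources:
- type: FILE
  attributes:
    paths:
    # A login bash reads the first of ~/.bash_profile, ~/.bash_login and
    # ~/.profile that exists; ~/.bash_login was not collected before.
    - '%%users.homedir%%/.bash_login'
    - '%%users.homedir%%/.bash_logout'
    - '%%users.homedir%%/.bash_profile'
    - '%%users.homedir%%/.bashrc'
    - '/etc/bash.bashrc'
    - '/etc/bashrc'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '/private/etc/bash.bashrc'
    - '/private/etc/bashrc'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_login'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_logout'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_profile'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bashrc'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://forensics.wiki/bash_shell']
---
name: BashShellHistoryFile
aliases: [MacOSBashHistory]
doc: Bourne Again shell (bash) history files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.bash_history'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths: ['%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.bash_history']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://forensics.wiki/bash_shell']
---
name: BashShellSessionFile
aliases: [MacOSBashSessions]
doc: Bourne Again shell (bash) session files.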
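sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.bash_sessions/*']}
supported_os: [Darwin]
urls: ['https://forensics.wiki/bash_shell']
---
name: BourneShellHistoryFile
doc: Bourne shell (sh) history files.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.sh_history']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths: ['%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.sh_history']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://en.wikipedia.org/wiki/Bourne_shell']
---
name: CShellConfigurationFile
doc: C shell (csh) configuration files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.cshrc'
    - '/etc/csh.cshrc'
    - '/etc/csh.login'
    - '/etc/csh.logout'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '/private/etc/csh.cshrc'
    - '/private/etc/csh.login'
    - '/private/etc/csh.logout'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths: ['%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.cshrc']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://en.wikipedia.org/wiki/C_shell']
---
name: FishShellConfigurationFile
doc: FishShell (fish) configuration files.
sources:
- type: FILE
  attributes:
    paths:
    # fish sources every *.fish file in conf.d, not just a config.fish there;
    # match the user directory the same way the system conf.d is matched.
    - '%%users.homedir%%/.config/fish/conf.d/*.fish'
    - '/etc/fish/conf.d/*.fish'
    - '%%users.homedir%%/.config/fish/config.fish'
    - '/etc/fish/config.fish'
  supported_os: [Linux]
supported_os: [Linux]
urls: ['https://fishshell.com/docs/current/language.html#configuration']
---
name: FishShellHistoryFile
doc: Fish shell (fish) history files.
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.local/share/fish/fish_history']}
  supported_os: [Linux]
supported_os: [Linux]
urls: ['https://fishshell.com/docs/current/cmds/history.html']
---
name: KornShellConfigurationFile
doc: KornShell (ksh) configuration files.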
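sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.ksh'
    # ksh reads the file named by $ENV at start-up, conventionally ~/.kshrc;
    # ~/.ksh is kept for compatibility with earlier definitions.
    - '%%users.homedir%%/.kshrc'
    - '/etc/kshrc'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '/private/etc/kshrc'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.ksh'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.kshrc'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://en.wikipedia.org/wiki/KornShell']
---
name: RootUserShellConfigs
doc: Common Unix root shell configuration files.
# NOTE(review): on macOS the root home directory is /var/root, so the
# /root/... paths below only match on Linux.
sources:
- type: FILE
  attributes:
    paths:
    - '/root/.bash_login'
    - '/root/.bash_logout'
    - '/root/.bash_profile'
    - '/root/.bashrc'
    - '/root/.cshrc'
    - '/root/.ksh'
    - '/root/.kshrc'
    - '/root/.config/fish/config.fish'
    - '/root/.logout'
    - '/root/.profile'
    - '/root/.tcsh'
    - '/root/.tcshrc'
    - '/root/.zlogin'
    - '/root/.zlogout'
    - '/root/.zprofile'
    # ~/.zshenv and ~/.zshrc are read by every (interactive) zsh and are the
    # usual root-level persistence point; they were missing.
    - '/root/.zshenv'
    - '/root/.zshrc'
supported_os: [Darwin, Linux]
---
name: RootUserShellHistory
doc: Common Unix root shell history files.
sources:
- type: FILE
  attributes:
    paths:
    - '/root/.bash_history'
    - '/root/.local/share/fish/fish_history'
    - '/root/.sh_history'
    - '/root/.zhistory'
    - '/root/.zsh_history'
supported_os: [Darwin, Linux]
---
name: ShellConfigurationFile
aliases: [AllShellConfigs, GlobalShellConfigs, UsersShellConfigs]
doc: Group of shell configuration files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'BashShellConfigurationFile'
    - 'CShellConfigurationFile'
    - 'FishShellConfigurationFile'
    - 'KornShellConfigurationFile'
    - 'ShellLogoutFile'
    - 'ShellProfileFile'
    - 'TeeShellConfigurationFile'
    - 'ZShellConfigurationFile'
supported_os: [Darwin, Linux, Windows]
---
name: ShellHistoryFile
aliases: [AllUsersShellHistory, UserShellHistory]
doc: Group of shell history files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'BashShellHistoryFile'
    - 'BourneShellHistoryFile'
    - 'FishShellHistoryFile'
    - 'ZShellHistoryFile'
supported_os: [Darwin, Linux, Windows]
---
name: ShellLogoutFile
doc: Shell logout file.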
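sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.logout']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths: ['%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.logout']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
---
name: ShellProfileFile
doc: Shell profile file.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.profile'
    - '/etc/profile'
    # On most Linux distributions /etc/profile sources every script in
    # /etc/profile.d, a common system-wide persistence location that the bare
    # /etc/profile path misses.
    - '/etc/profile.d/*'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/profile']}
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths: ['%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.profile']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
---
name: TeeShellConfigurationFile
doc: Tee shell (tcsh) configuration files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.tcsh'
    # tcsh reads ~/.tcshrc (falling back to ~/.cshrc); ~/.tcsh is kept for
    # compatibility with earlier definitions.
    - '%%users.homedir%%/.tcshrc'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.tcsh'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.tcshrc'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://en.wikipedia.org/wiki/Tcsh']
---
name: ZShellConfigurationFile
doc: Z shell (zsh) configuration files.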
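sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.zlogin'
    - '%%users.homedir%%/.zlogout'
    - '%%users.homedir%%/.zprofile'
    # ~/.zshenv and ~/.zshrc are read by every (interactive) zsh and are the
    # usual user-level persistence point; they were missing.
    - '%%users.homedir%%/.zshenv'
    - '%%users.homedir%%/.zshrc'
    # zsh reads the global files from /etc (default, also macOS) or from
    # /etc/zsh (Debian and derivatives).
    - '/etc/zlogin'
    - '/etc/zlogout'
    - '/etc/zprofile'
    - '/etc/zshenv'
    - '/etc/zshrc'
    - '/etc/zsh/zlogin'
    - '/etc/zsh/zlogout'
    - '/etc/zsh/zprofile'
    - '/etc/zsh/zshenv'
    - '/etc/zsh/zshrc'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '/private/etc/zlogin'
    - '/private/etc/zlogout'
    - '/private/etc/zprofile'
    - '/private/etc/zshenv'
    - '/private/etc/zshrc'
    - '/private/etc/zsh/zlogin'
    - '/private/etc/zsh/zlogout'
    - '/private/etc/zsh/zprofile'
    - '/private/etc/zsh/zshenv'
    - '/private/etc/zsh/zshrc'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zlogin'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zlogout'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zprofile'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zshenv'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zshrc'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://en.wikipedia.org/wiki/Z_shell']
---
name: ZShellHistoryFile
doc: Z shell (zsh) history files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.zhistory'
    - '%%users.homedir%%/.zsh_history'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zhistory'
    - '%%users.localappdata%%\Packages\*\LocalState\rootfs\home\*\.zsh_history'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://en.wikipedia.org/wiki/Z_shell']
artifacts-20230928/data/tomcat.yaml000066400000000000000000000101511450527130400170300ustar00rootroot00000000000000
# Apache Tomcat artifacts.
---
name: TomcatFiles
doc: Tomcat files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'TomcatLogFiles'
    - 'TomcatPasswordFile'
supported_os: [Darwin, Linux, Windows]
---
name: TomcatLogFiles
doc: Tomcat log files.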
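sources:
- type: FILE
  attributes:
    paths:
    # The server.xml shipped with Tomcat names the access log
    # localhost_access_log.<date>.txt, so the pattern must not be anchored at
    # "access_log". catalina.<date>.log is written by the JULI file handler
    # and exists even when the service was not started through catalina.sh
    # (no catalina.out).
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\*access_log*'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\*access_log*'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.*.log'
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.*.log'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\*access_log*'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\*access_log*'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.*.log'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.*.log'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\*access_log*'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\*access_log*'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.*.log'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.*.log'
    separator: '\'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    - '/opt/tomcat*/logs/**/*access_log*'
    - '/opt/tomcat*/logs/*access_log*'
    - '/opt/tomcat*/logs/**/catalina.out'
    - '/opt/tomcat*/logs/catalina.out'
    - '/opt/tomcat*/logs/**/catalina.*.log'
    - '/opt/tomcat*/logs/catalina.*.log'
    - '/usr/local/tomcat*/logs/**/*access_log*'
    - '/usr/local/tomcat*/logs/*access_log*'
    - '/usr/local/tomcat*/logs/**/catalina.out'
    - '/usr/local/tomcat*/logs/catalina.out'
    - '/usr/local/tomcat*/logs/**/catalina.*.log'
    - '/usr/local/tomcat*/logs/catalina.*.log'
    - '/usr/share/tomcat*/logs/**/*access_log*'
    - '/usr/share/tomcat*/logs/*access_log*'
    - '/usr/share/tomcat*/logs/**/catalina.out'
    - '/usr/share/tomcat*/logs/catalina.out'
    - '/usr/share/tomcat*/logs/**/catalina.*.log'
    - '/usr/share/tomcat*/logs/catalina.*.log'
    - '/var/lib/tomcat*/logs/**/*access_log*'
    - '/var/lib/tomcat*/logs/*access_log*'
    - '/var/lib/tomcat*/logs/**/catalina.out'
    - '/var/lib/tomcat*/logs/catalina.out'
    - '/var/lib/tomcat*/logs/**/catalina.*.log'
    - '/var/lib/tomcat*/logs/catalina.*.log'
    # Distribution packages (Debian, RHEL) write logs to /var/log/tomcat*;
    # the <install>/logs directories above are usually only symlinks to it,
    # which not every collector follows.
    - '/var/log/tomcat*/**/*access_log*'
    - '/var/log/tomcat*/*access_log*'
    - '/var/log/tomcat*/**/catalina.out'
    - '/var/log/tomcat*/catalina.out'
    - '/var/log/tomcat*/**/catalina.*.log'
    - '/var/log/tomcat*/catalina.*.log'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '/Library/Tomcat/logs/**/*access_log*'
    - '/Library/Tomcat/logs/*access_log*'
    - '/Library/Tomcat/logs/**/catalina.out'
    - '/Library/Tomcat/logs/catalina.out'
    - '/Library/Tomcat/logs/**/catalina.*.log'
    - '/Library/Tomcat/logs/catalina.*.log'
    - '/usr/local/apache-tomcat*/logs/**/*access_log*'
    - '/usr/local/apache-tomcat*/logs/*access_log*'
    - '/usr/local/apache-tomcat*/logs/**/catalina.out'
    - '/usr/local/apache-tomcat*/logs/catalina.out'
    - '/usr/local/apache-tomcat*/logs/**/catalina.*.log'
    - '/usr/local/apache-tomcat*/logs/catalina.*.log'
    # Default locations for Homebrew
    - '/usr/local/Cellar/tomcat*/logs/**/*access_log*'
    - '/usr/local/Cellar/tomcat*/logs/*access_log*'
    - '/usr/local/Cellar/tomcat*/logs/**/catalina.out'
    - '/usr/local/Cellar/tomcat*/logs/catalina.out'
    - '/usr/local/Cellar/tomcat*/logs/**/catalina.*.log'
    - '/usr/local/Cellar/tomcat*/logs/catalina.*.log'
  supported_os: [Darwin]
supported_os: [Darwin, Linux, Windows]
urls:
- 'https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Logging'
- 'https://tomcat.apache.org/tomcat-8.0-doc/logging.html'
---
name: TomcatPasswordFile
doc: Tomcat password file.
# tomcat-users.xml holds manager/host-manager credentials (clear text or
# digests); treat the collected copies as secrets.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
    separator: '\'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    # Distribution packages install the configuration under /etc/tomcat*;
    # <install>/conf is usually only a symlink to it.
    - '/etc/tomcat*/tomcat-users.xml'
    - '/opt/tomcat*/conf/tomcat-users.xml'
    - '/private/var/lib/tomcat*/conf/tomcat-users.xml'
    - '/usr/local/tomcat*/conf/tomcat-users.xml'
    - '/usr/share/tomcat*/conf/tomcat-users.xml'
    - '/var/lib/tomcat*/conf/tomcat-users.xml'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '/Library/Tomcat/conf/tomcat-users.xml'
    - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
    # Default location for Homebrew
    - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml'
  supported_os: [Darwin]
supported_os: [Darwin, Linux, Windows]
urls: ['https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access']
artifacts-20230928/data/triage.yaml000066400000000000000000000214341450527130400170220ustar00rootroot00000000000000
# Triage specific artifacts.
---
name: TriageApplicationConfigsAndLogs
doc: Group of configuration files and logs of installed applications.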
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - ApacheAccessLogs
    - ApacheConfigurationFolder
    - ApacheDefaultSiteConfigurationFile
    - ApacheErrorLogs
    - ApacheKafkaLogFiles
    - ElasticsearchAccessLog
    - ElasticsearchAuditLog
    - ElasticsearchGCLog
    - ElasticsearchLogs
    - ElasticsearchServerLog
    - HadoopAppLogs
    - HadoopAppRoot
    - HadoopYarnLogs
    - HAProxyLogFiles
    - JenkinsLogFile
    - NginxAccessLogs
    - NginxErrorLogs
    - OsqueryLogFiles
    - TomcatLogFiles
    - TomcatPasswordFile
    - WordpressConfigFile
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - MicrosoftIISLogs
    - MicrosoftSqlServerErrorLogs
    - RedisConfigFile
    # TomcatFiles already groups TomcatLogFiles and TomcatPasswordFile; the
    # explicit TomcatPasswordFile entry below is redundant but harmless.
    - TomcatFiles
    - TomcatPasswordFile
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriageDatabaseConfigsAndLogs
doc: Group of configuration files and logs of installed databases.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - MongoDBConfigurationFile
    - MongoDBLogFiles
    - MySQLConfigurationFiles
    - MySQLLogFiles
    - OpenSearchLogFiles
    - PostgreSQLConfigurationFiles
    - PostgreSQLLogFiles
    # NOTE(review): both Redis configuration names are listed; verify both
    # definitions still exist, otherwise the group fails to resolve.
    - RedisConfigFile
    - RedisConfigurationFile
    - RedisLogFiles
supported_os: [Linux]
---
name: TriageExecution
doc: Group of process/command execution related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - JavaCacheFiles
    - WindowsAMCacheHveFile
    - WindowsCIMRepositoryFiles
    - WindowsCrashDumps
    - WindowsPrefetchFiles
    - WindowsRecentFileCacheBCF
    - WindowsStartupInfo
    - WindowsSuperFetchFiles
    - WindowsSystemResourceUsageMonitorDatabaseFile
    - WMICCMRUA
supported_os: [Windows]
---
name: TriageExternalMedia
doc: Group of external media data or events related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - WindowsSetupApiLogs
supported_os: [Windows]
---
name: TriageFileSystem
doc: Group of file system related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - NTFSLogFile
    - NTFSMFTFiles
supported_os: [Windows]
---
name: TriageHistoryFiles
doc: Group of history files related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - BashShellHistoryFile
    - BourneShellHistoryFile
    - FishShellHistoryFile
    - MySQLHistoryFile
    - PostgreSQLHistoryFile
    - PythonHistoryFile
    - RootUserShellHistory
    - SQLiteHistoryFile
    - ZShellHistoryFile
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - ShellConfigurationFile
    - ShellHistoryFile
    - WindowsPowerShellHistory
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriageInteractiveActivity
doc: Group of interactive user activity related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - DropboxClient
    - FreeDesktopTrashInfoFiles
    - GnomeApplicationState
    - GnomeTracker
    - GTKRecentlyUsedDatabase
    - SignalDatabase
    - ThumbnailCacheFolder
    - Viminfo
    - WgetHSTSdatabase
    - XChatLogs
    - ZeitgeistDatabase
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - MicrosoftOfficeAutosave
    - MicrosoftOfficeMRU
    - WindowsActivitiesCacheDatabase
    - WindowsRDPClientBitmapCache
    - WindowsRecycleBinMetadata
    - WindowsSearchDatabase
    - WindowsUserAutomaticDestinationsJumpLists
    - WindowsUserCustomDestinationsJumpLists
    - WindowsUserRecentFiles
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriageNetwork
doc: Group of network related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - DNSResolvConfFile
    - HostAccessPolicyConfiguration
    - LinuxHostnameFile
    - LinuxIgnoreICMPBroadcasts
    - LinuxNetworkIpForwardingState
    - LinuxNetworkPathFilteringSettings
    - LinuxNetworkRedirectState
    - LinuxProcArp
    - LinuxSyncookieState
    - UFWConfigFiles
    - UnixHostsFile
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - WindowsFirewallLogFile
    - WindowsHostsFiles
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriagePersistence
doc: Group of persistence mechanism related artifacts.
# Shell start-up files (a further Linux persistence location) are grouped under
# TriageUserConfiguration rather than here.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - AnacronFiles
    - LinuxAtJobs
    - LinuxCronTabs
    - LinuxSystemdServices
    - LinuxSystemdTimers
    - LinuxSysVInit
    - XDGAutostartEntries
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - WMIEnumerateASEC
    - WMIEnumerateCLEC
    - WindowsApplicationCompatibilityInstalledShimDatabases
    - WindowsAutoexecBat
    - WindowsAutorun
    - WindowsBITSQueueManagerDatabases
    - WindowsGroupPolicyScripts
    - WindowsPowerShellDefaultProfiles
    - WindowsScheduledTasks
    - WindowsStartupFolders
    - WindowsWinstart
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriageSecurityAgents
doc: Group of endpoint detection and response related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - EsetAVQuarantine
    - MicrosoftAVLogs
    - MicrosoftAVQuarantine
    - SophosAVLogs
    - SophosAVQuarantine
    - SymantecAVLogs
    - SymantecAVQuarantine
supported_os: [Windows]
---
name: TriageSystemConfiguration
doc: Group of configuration files related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - APTSources
    - APTTrustKeys
    - CronAtAllowDenyFiles
    - DebianPackagesStatus
    - DebianVersion
    - KernelModules
    - LinuxASLREnabled
    - LinuxCACertificates
    - LinuxDHCPConfigurationFile
    - LinuxDSDTTable
    - LinuxFstab
    - LinuxGrubConfiguration
    - LinuxInitrdFiles
    - LinuxIssueFile
    - LinuxKernelBootloader
    - LinuxKernelModuleRestrictions
    - LinuxKernelModuleTaintStatus
    - LinuxLoaderSystemPreloadFile
    - LinuxLocalTime
    - LinuxLSBInit
    - LinuxLSBRelease
    - LinuxNetworkManager
    - LinuxPamConfigs
    - LinuxPasswdFile
    - LinuxProcMounts
    - LinuxRelease
    - LinuxRestrictedDmesgReadPrivileges
    - LinuxRestrictedKernelPointerReadPrivileges
    - LinuxRsyslogConfigs
    - LinuxSecureFsLinks
    - LinuxSecureSuidCoreDumps
    - LinuxSSDTTables
    - LinuxSysctlConfigurationFiles
    - LinuxSyslogNgConfigs
    - LinuxSystemdJournalConfig
    - LinuxSystemdOSRelease
    - LinuxTimezoneFile
    - LinuxXinetd
    - LocateDatabase
    - LoginPolicyConfiguration
    - NetgroupConfiguration
    - NfsExportsFile
    - NtpConfFile
    - PCIDevicesInfoFiles
    - SambaConfigFile
    - SecretsServiceDatabaseFile
    - SshdConfigFile
    - SSHHostPubKeys
    - UnixGroupsFile
    - UnixLocalTimeConfigurationFile
    - UnixPasswdFile
    - UnixShadowFile
    - UnixSudoersConfigurationFile
    - YumSources
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - WindowsRegistryFilesAndTransactionLogs
    - WindowsSystemRegistryFilesAndTransactionLogsBackup
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriageSystemLogs
doc: Group of system logs related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - DebianPackagesLogFiles
    - LinuxAuditLogs
    - LinuxAuthLogs
    - LinuxCronLogs
    - LinuxDaemonLogFiles
    - LinuxKernelLogFiles
    - LinuxLastlogFile
    - LinuxMessagesLogFiles
    - LinuxSudoReplayLogs
    - LinuxSysLogFiles
    - LinuxSystemdJournalLogs
    - LinuxUtmpFiles
    - LinuxWtmp
    - SambaLogFiles
    - UFWLogFile
    - UnixUtmpFile
  supported_os: [Linux]
- type: ARTIFACT_GROUP
  attributes:
    names:
    - WindowsUserAccessLogging
    - WindowsEventLogs
  supported_os: [Windows]
supported_os: [Linux, Windows]
---
name: TriageUserConfiguration
doc: Group of user configuration related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - BashShellConfigurationFile
    - ChromePreferences
    - CShellConfigurationFile
    - FishShellConfigurationFile
    - JupyterConfigFile
    - KornShellConfigurationFile
    - RHostsFile
    - RootUserShellConfigs
    - ShellLogoutFile
    - ShellProfileFile
    - SignalApplicationContent
    - SSHAuthorizedKeysFiles
    - SSHKnownHostsFiles
    - SshUserConfigFile
    - TeeShellConfigurationFile
    - ZShellConfigurationFile
supported_os: [Linux]
---
name: TriageWebBrowserExtensions
doc: Group of web browser extensions related artifacts.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - ChromiumBasedBrowsersExtensions
    - ChromiumBasedBrowsersExtensionActivitySQLiteDatabaseFile
    - ChromePreferences
    - FirefoxAddOns
supported_os: [Linux, Windows]
---
name: TriageWebBrowserHistory
doc: Group of web browser history related artifacts.
# BrowserHistory itself supports Darwin and Linux as well; this triage group
# only collects it on Windows.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - BrowserHistory
    - WindowsCryptnetUrlCacheMetadata
supported_os: [Windows]
artifacts-20230928/data/unix_common.yaml000066400000000000000000000054471450527130400201070ustar00rootroot00000000000000
# Artifacts common to Unix-based operating systems.
---
name: UnixGroupsFile
aliases: [UnixGroups]
doc: Unix groups file.
sources:
- type: FILE
  attributes: {paths: ['/etc/group']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/group']}
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
---
name: UnixHostsFile
aliases: [MacOSHostsFile]
doc: Unix hosts file
sources:
- type: FILE
  attributes: {paths: ['/etc/hosts']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/hosts']}
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
---
name: UnixLocalTimeConfigurationFile
aliases: [MacOSLocalTime]
doc: Unix local time zone configuration file.
sources:
- type: FILE
  attributes: {paths: ['/etc/localtime']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/localtime']}
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
---
name: UnixPasswdFile
aliases: [UnixPasswd]
doc: Unix passwd file.
sources:
- type: FILE
  attributes: {paths: ['/etc/passwd']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/passwd']}
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
---
name: UnixShadowFile
doc: Unix shadow file.
# NOTE(review): macOS keeps local account hashes in the dslocal user plists
# (see MacOSUserPasswordHashesPlistFile), not in /etc/shadow, so the Darwin
# entries here are normally empty.
sources:
- type: FILE
  attributes: {paths: ['/etc/shadow']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/shadow']}
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
---
name: UnixShadowBackupFile
doc: Unix shadow backup file.
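sources:
- type: FILE
  attributes: {paths: ['/etc/shadow-']}
  supported_os: [Darwin, Linux]
- type: FILE
  attributes: {paths: ['/private/etc/shadow-']}
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
urls: ['https://man7.org/linux/man-pages/man5/shadow.5.html']
---
name: UnixSudoersConfigurationFile
aliases: [UnixSudoersConfiguration]
doc: Unix sudoers configuration file.
sources:
- type: FILE
  attributes:
    paths:
    - '/etc/sudoers'
    # The stock sudoers ends with an includedir of sudoers.d; privilege grants
    # (including attacker-added NOPASSWD rules) are commonly dropped there and
    # were not collected before.
    - '/etc/sudoers.d/*'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '/private/etc/sudoers'
    - '/private/etc/sudoers.d/*'
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
---
name: UnixUsersGroups
doc: Unix users and groups files.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'UnixGroupsFile'
    - 'UnixPasswdFile'
    - 'UnixShadowFile'
supported_os: [Darwin, Linux]
---
name: UnixUtmpFile
aliases: [MacOSUtmpFile]
doc: Utmp login record files.
# NOTE(review): macOS records logins in utmpx only (see MacOSUtmpxFile), so
# the Darwin paths below are not expected to exist on current systems.
sources:
- type: FILE
  attributes:
    paths:
    - '/var/log/btmp'
    - '/var/log/wtmp'
    - '/var/run/utmp'
  supported_os: [Darwin, Linux]
- type: FILE
  attributes:
    paths:
    - '/private/var/log/btmp'
    - '/private/var/log/wtmp'
    - '/private/var/run/utmp'
  supported_os: [Darwin]
supported_os: [Darwin, Linux]
urls: ['https://github.com/libyal/dtformats/blob/main/documentation/Utmp%20login%20records%20format.asciidoc']
artifacts-20230928/data/user.yaml000066400000000000000000000015741450527130400165300ustar00rootroot00000000000000
# Operating system independent user artifact definitions.
---
name: UsersDirectory
aliases: [MacOSUsers, MacOSUsersDirectory, OSXUsers, UserHomeDirectory]
doc: Contents of the Users directory.
sources:
- type: PATH
  attributes: {paths: ['/Users/*']}
supported_os: [Darwin]
provides: [users.username]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#users']
---
name: UserDownloadsDirectory
aliases: [MacOSUserDownloadsDirectory, UserDownloads, WindowsUserDownloadsDirectory]
doc: Contents of user Downloads directories.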
sources:
- type: PATH
  attributes:
    paths: ['%%users.homedir%%/Downloads/*']
  supported_os: [Darwin, Linux]
- type: PATH
  attributes:
    paths: ['%%users.userprofile%%\Downloads\*']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://forensics.wiki/mac_os_x_10.9_artifacts_location#user-directories']
artifacts-20230928/data/webbrowser.yaml000066400000000000000000002237201450527130400177320ustar00rootroot00000000000000
# Web browser artifacts.
---
name: BrowserCache
doc: Web browser cache of multiple web browsers.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'ChromeCache'
    - 'FirefoxCache'
    - 'InternetExplorerCache'
    - 'SafariCacheSQLiteDatabaseFile'
supported_os: [Darwin, Linux, Windows]
---
name: BrowserHistory
doc: Web browser history of multiple web browsers.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'ChromiumBasedBrowsersHistory'
    - 'FirefoxHistory'
    - 'FirefoxDownloads'
    - 'InternetExplorerHistory'
    - 'OperaHistoryFile'
    - 'SafariDownloadsPlistFile'
    - 'SafariHistorySQLiteDatabaseFile'
    - 'SafariHistoryPlistFile'
supported_os: [Darwin, Linux, Windows]
---
name: ChromeStorage
doc: |
  Google Chrome, Canary and Chromium browser artifacts for Storage APIs.
  Includes Web Storage (sessionStorage for session-only data and localStorage
  for persistent data), IndexedDB (used for structured data), and FileSystem
  (object storage in a virtual file system).
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    - 'ChromeLocalStorage'
    - 'ChromeSessionStorage'
    - 'ChromeFileSystem'
    - 'ChromeIndexedDB'
supported_os: [Darwin, Linux, Windows]
urls:
- 'https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API'
- 'https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API'
- 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem'
---
name: ChromeCache
aliases: [ChromiumCache, EdgeCache]
doc: |
  Google Chrome, Canary and Chromium browser caches.
  Canary uses "Chrome SxS" on windows.
* Disk cache (or Cache) * Media cache * Application cache * GPU shader cache * PNaCl translation cache sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Google\Chrome\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\GPUCache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\GPUCache\*' - '%%users.localappdata%%\Chromium\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Chromium\User Data\*\Media Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\GPUCache\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Cache\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\GPUCache\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*' - '%%users.homedir%%/Caches/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*' - 
'%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*' - '%%users.homedir%%/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.cache/BraveSoftware/Brave-Browser/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/google-chrome/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Cache/Cache_Data/*' - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' - '%%users.homedir%%/.cache/chromium/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chromium/*/Application Cache/*' - '%%users.homedir%%/.config/chromium/*/Cache/*' - '%%users.homedir%%/.config/chromium/*/Cache/Cache_Data/*' - '%%users.homedir%%/.config/chromium/*/Media Cache/*' - 
'%%users.homedir%%/.config/chromium/*/GPUCache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Media Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Application Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/Cache_Data/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Media Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/GPUCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/Cache_Data/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/GPUCache/*' - '%%users.homedir%%/.cache/microsoft-edge/*/Cache/Cache_Data/*' supported_os: [Linux] supported_os: [Darwin, Linux, Windows] urls: 
['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html'] --- name: ChromiumBasedBrowsersCache doc: | Caches of multiple Chromium-based browsers (Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta). * Disk cache (or Cache) * Media cache * Application cache * GPU shader cache * PNaCl translation cache sources: - type: FILE attributes: paths: - '%%users.appdata%%\Brave\*\Application Cache\Cache\*' - '%%users.appdata%%\Brave\*\Cache\*' - '%%users.appdata%%\Brave\*\Cache\Cache_Data\*' - '%%users.appdata%%\Brave\*\GPUCache\*' - '%%users.appdata%%\Brave\*\Media Cache\*' - '%%users.appdata%%\Opera Software\Opera Stable\*\Application Cache\Cache\*' - '%%users.appdata%%\Opera Software\Opera Stable\*\Cache\*' - '%%users.appdata%%\Opera Software\Opera Stable\*\Cache\Cache_Data\*' - '%%users.appdata%%\Opera Software\Opera Stable\*\GPUCache\*' - '%%users.appdata%%\Opera Software\Opera Stable\*\Media Cache\*' - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Cache\*' - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\GPUCache\*' - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Media Cache\*' - '%%users.localappdata%%\Chromium\*\Application Cache\Cache\*' - '%%users.localappdata%%\Chromium\*\Cache\*' - '%%users.localappdata%%\Chromium\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Chromium\*\GPUCache\*' - '%%users.localappdata%%\Chromium\*\Media Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Cache\*' - '%%users.localappdata%%\Chromium\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Chromium\User Data\*\GPUCache\*' - '%%users.localappdata%%\Chromium\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User 
Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\GPUCache\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Media Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\GPUCache\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Media Cache\*' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Cache\*' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\GPUCache\*' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Media Cache\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Cache\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\GPUCache\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Media Cache\*' - '%%users.localappdata%%\Opera Software\Opera Stable\*\Cache_Data\*' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Application Cache\Cache\*' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Cache\*' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Cache\Cache_Data\*' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\GPUCache\*' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Media Cache\*' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Caches/Google/Chrome 
Canary/*/Cache/*' - '%%users.homedir%%/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Cache/*' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/Cache/*' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/Cache/*' - '%%users.homedir%%/Library/Application Support/Chromium/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/Cache/*' - 
'%%users.homedir%%/Library/Application Support/Google/Chrome/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/Cache/*' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Cache/*' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Media Cache/*' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/Cache/*' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Application Cache/*' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Cache/*' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/GPUCache/*' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Media Cache/*' - '%%users.homedir%%/Library/Application 
Support/com.operasoftware.Opera/Cache/*' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Application Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/GPUCache/*' - '%%users.homedir%%/Library/Caches/Chromium/*/Media Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/Cache/*' - '%%users.homedir%%/Library/Caches/Chromium/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/*/Media Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome Canary/PnaclTranslationCache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/*/Media Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/Cache/*' - '%%users.homedir%%/Library/Caches/Google/Chrome/PnaclTranslationCache/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.cache/BraveSoftware/Brave-Browser/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/*/Media Cache/*' - '%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/Cache/*' - 
'%%users.homedir%%/.cache/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/*' - '%%users.homedir%%/.cache/chromium/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/chromium/*/Media Cache/*' - '%%users.homedir%%/.cache/chromium/Cache/*' - '%%users.homedir%%/.cache/chromium/PnaclTranslationCache/*' - '%%users.homedir%%/.cache/google-chrome/*/Cache/*' - '%%users.homedir%%/.cache/google-chrome/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.cache/google-chrome/Cache/*' - '%%users.homedir%%/.cache/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.cache/microsoft-edge/*/Cache/Cache_Data/*' - '%%users.homedir%%/.cache/opera/*/Cache_Data/*' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Application Cache/*' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Cache/*' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/GPUCache/*' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Media Cache/*' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/Cache/*' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/GPUCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Application Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cache/*' - 
'%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/GPUCache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Media Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/Cache/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/PnaclTranslationCache/*' - '%%users.homedir%%/.config/chromium/*/Application Cache/*' - '%%users.homedir%%/.config/chromium/*/Cache/*' - '%%users.homedir%%/.config/chromium/*/GPUCache/*' - '%%users.homedir%%/.config/chromium/*/Media Cache/*' - '%%users.homedir%%/.config/chromium/Cache/*' - '%%users.homedir%%/.config/chromium/PnaclTranslationCache/*' - '%%users.homedir%%/.config/google-chrome-beta/*/Application Cache/*' - '%%users.homedir%%/.config/google-chrome-beta/*/Cache/*' - '%%users.homedir%%/.config/google-chrome-beta/*/GPUCache/*' - '%%users.homedir%%/.config/google-chrome-beta/*/Media Cache/*' - '%%users.homedir%%/.config/google-chrome-beta/Cache/*' - '%%users.homedir%%/.config/google-chrome-beta/PnaclTranslationCache/*' - '%%users.homedir%%/.config/google-chrome/*/Application Cache/*' - '%%users.homedir%%/.config/google-chrome/*/Cache/*' - '%%users.homedir%%/.config/google-chrome/*/GPUCache/*' - '%%users.homedir%%/.config/google-chrome/*/Media Cache/*' - '%%users.homedir%%/.config/google-chrome/Cache/*' - '%%users.homedir%%/.config/google-chrome/PnaclTranslationCache/*' - '%%users.homedir%%/.config/microsoft-edge/*/GPUCache/*' - '%%users.homedir%%/.config/opera/*/Application Cache/*' - '%%users.homedir%%/.config/opera/*/Cache/*' - '%%users.homedir%%/.config/opera/*/GPUCache/*' - '%%users.homedir%%/.config/opera/*/Media Cache/*' - '%%users.homedir%%/.config/opera/Cache/*' - '%%users.homedir%%/.config/opera/GPUCache/*' - '%%users.homedir%%/.config/opera/PnaclTranslationCache/*' - '%%users.homedir%%/.config/yandex-browser-beta/*/Application Cache/*' - '%%users.homedir%%/.config/yandex-browser-beta/*/Cache/*' - 
'%%users.homedir%%/.config/yandex-browser-beta/*/GPUCache/*' - '%%users.homedir%%/.config/yandex-browser-beta/*/Media Cache/*' - '%%users.homedir%%/.config/yandex-browser-beta/Cache/*' - '%%users.homedir%%/.config/yandex-browser-beta/PnaclTranslationCache/*' - '%%users.homedir%%/snap/chromium/common/chromium/*/Application Cache/*' - '%%users.homedir%%/snap/chromium/common/chromium/*/Cache/*' - '%%users.homedir%%/snap/chromium/common/chromium/*/GPUCache/*' - '%%users.homedir%%/snap/chromium/common/chromium/*/Media Cache/*' - '%%users.homedir%%/snap/chromium/common/chromium/Cache/*' - '%%users.homedir%%/snap/chromium/common/chromium/PnaclTranslationCache/*' supported_os: [Linux] supported_os: [Darwin, Linux, Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html'] --- name: ChromeCookies doc: Chrome Cookies database. sources: - type: FILE attributes: paths: - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Cookies' - '%%users.localappdata%%\BraveSoftware\Brave-Browser\User Data\*\Network\Cookies-journal' - '%%users.localappdata%%\Chromium\User Data\*\Cookies' - '%%users.localappdata%%\Chromium\User Data\*\Cookies-journal' - '%%users.localappdata%%\Chromium\User Data\*\Network\Cookies' - '%%users.localappdata%%\Chromium\User Data\*\Network\Cookies-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Cookies-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Cookies' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Network\Cookies-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies' - '%%users.localappdata%%\Google\Chrome\User Data\*\Cookies-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Cookies' - '%%users.localappdata%%\Google\Chrome\User Data\*\Network\Cookies-journal' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Cookies' - 
'%%users.localappdata%%\Microsoft\Edge\User Data\*\Cookies-journal' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Cookies' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Network\Cookies-journal' - '%%users.appdata%%\Opera Software\Opera Stable\Network\Cookies' - '%%users.appdata%%\Opera Software\Opera Stable\Network\Cookies-journal' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Cookies' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Cookies-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Cookies-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Cookies' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Network/Cookies-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Cookies-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Cookies' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Network/Cookies-journal' - '%%users.homedir%%/.config/chromium/*/Cookies' - '%%users.homedir%%/.config/chromium/*/Cookies-journal' - '%%users.homedir%%/.config/chromium/*/Network/Cookies' - '%%users.homedir%%/.config/chromium/*/Network/Cookies-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/Cookies' - '%%users.homedir%%/.config/google-chrome-beta/*/Cookies-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/Network/Cookies' - '%%users.homedir%%/.config/google-chrome-beta/*/Network/Cookies-journal' - '%%users.homedir%%/.config/google-chrome/*/Cookies' - '%%users.homedir%%/.config/google-chrome/*/Cookies-journal' - '%%users.homedir%%/.config/google-chrome/*/Network/Cookies' - 
'%%users.homedir%%/.config/google-chrome/*/Network/Cookies-journal' - '%%users.homedir%%/.config/microsoft-edge/*/Cookies' - '%%users.homedir%%/.config/microsoft-edge/*/Cookies-journal' - '%%users.homedir%%/.config/opera/Cookies' - '%%users.homedir%%/.config/opera/Cookies-journal' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies' - '%%users.homedir%%/Library/Application Support/Chromium/*/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Cookies' - '%%users.homedir%%/Library/Application Support/Chromium/*/Network/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Cookies' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Network/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Cookies' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Network/Cookies-journal' supported_os: [Darwin] supported_os: [Darwin, Linux, Windows] --- name: ChromiumBasedBrowsersExtensions aliases: [ChromeExtensions] doc: | Browser extension files for multiple Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Chromium/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Extensions/**10' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Extensions/**10' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Extensions/**10' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10' - '%%users.homedir%%/.config/chromium/*/Extensions/**10' - '%%users.homedir%%/.config/google-chrome-beta/*/Extensions/**10' - '%%users.homedir%%/.config/google-chrome/*/Extensions/**10' - '%%users.homedir%%/.config/opera/*/Extensions/**10' - '%%users.homedir%%/.config/yandex-browser-beta/*/Extensions/**10' - '%%users.homedir%%/snap/chromium/common/chromium/*/Extensions/**10' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Opera Software\Opera Stable\*\Extensions\**10' - '%%users.appdata%%\Brave\*\Extensions\**10' - '%%users.localappdata%%\Chromium\*\Extensions\**10' - '%%users.localappdata%%\Chromium\User Data\*\Extensions\**10' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extensions\**10' - '%%users.localappdata%%\Google\Chrome\User Data\*\Extensions\**10' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Extensions\**10' - '%%users.localappdata%%\Microsoft\Edge\User 
Data\*\Extensions\**10' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Extensions\**10' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: - 'https://forensics.wiki/google_chrome#chromium-based-browsers' - 'https://forensics.wiki/google_chrome#extensions' --- name: ChromiumBasedBrowsersExtensionActivitySQLiteDatabaseFile aliases: [ChromeExtensionActivity, ChromiumBasedBrowsersExtensionActivity] doc: | Browser Extension Activity SQLite database file for Chromium-based browsers, such as Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Chromium/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Extension Activity' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Extension Activity' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Extension Activity' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extension Activity' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Extension Activity' - '%%users.homedir%%/.config/chromium/*/Extension Activity' - '%%users.homedir%%/.config/google-chrome-beta/*/Extension Activity' - '%%users.homedir%%/.config/google-chrome/*/Extension Activity' - '%%users.homedir%%/.config/opera/*/Extension Activity' - '%%users.homedir%%/.config/yandex-browser-beta/*/Extension 
Activity' - '%%users.homedir%%/snap/chromium/common/chromium/*/Extension Activity' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Brave\*\Extension Activity' - '%%users.appdata%%\Opera Software\Opera Stable\*\Extension Activity' - '%%users.localappdata%%\Chromium\*\Extension Activity' - '%%users.localappdata%%\Chromium\User Data\*\Extension Activity' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Extension Activity' - '%%users.localappdata%%\Google\Chrome\User Data\*\Extension Activity' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Extension Activity' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Extension Activity' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Extension Activity' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: - 'https://forensics.wiki/google_chrome#chromium-based-browsers' - 'https://forensics.wiki/google_chrome#extension-activity-database' --- name: ChromeExtensionRegistryKeys doc: Chrome extensions installed by writing Windows registry keys. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\**5' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\**5' supported_os: [Windows] urls: ['https://developer.chrome.com/extensions/external_extensions#registry'] --- name: ChromeFileSystem doc: | Google Chrome, Canary and Chromium File System files. The File System directory backs Chrome's fileSystem API. Inside this directory is a mixture of the data files saved using the fileSystem API and LevelDB directories that track the logical structure of the virtual file system. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\File System\**5' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\File System\**5' - '%%users.localappdata%%\Google\Chrome\User Data\*\File System\**5' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\File System\**5' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/File System/**5' - '%%users.homedir%%/.config/chromium/*/File System/**5' - '%%users.homedir%%/.config/google-chrome-beta/*/File System/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/File System/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/File System/**5' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/File System/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/File System/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/File System/**5' supported_os: [Darwin] supported_os: [Darwin, Linux, Windows] urls: - 'https://developer.chrome.com/apps/fileSystem' - 'https://developer.mozilla.org/en-US/docs/Web/API/FileSystem' - 'https://dfir.blog/deciphering-browser-hieroglyphics-leveldb-filesystem/' --- name: ChromiumBasedBrowsersHistory aliases: [ChromeHistory] doc: | Browsing history for multiple Chromium-based browsers (Google Chrome, Brave, Chromium, Yandex, Opera, Edge, EdgeBeta). 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived History' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History' - '%%users.homedir%%/Library/Application Support/BraveSoftware/Brave-Browser/*/History-journal' - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History' - '%%users.homedir%%/Library/Application Support/Chromium/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Chromium/*/History' - '%%users.homedir%%/Library/Application Support/Chromium/*/History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/History-journal' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived History' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History' - '%%users.homedir%%/Library/Application Support/Microsoft Edge Beta/*/History-journal' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/Archived History-journal' - '%%users.homedir%%/Library/Application 
Support/Microsoft Edge/*/History' - '%%users.homedir%%/Library/Application Support/Microsoft Edge/*/History-journal' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived History' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History' - '%%users.homedir%%/Library/Application Support/Yandex/YandexBrowser/*/History-journal' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived History' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/Archived History-journal' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History' - '%%users.homedir%%/Library/Application Support/com.operasoftware.Opera/*/History-journal' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/Archived History-journal' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History' - '%%users.homedir%%/.config/BraveSoftware/Brave-Browser/*/History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/History-journal' - '%%users.homedir%%/.config/chromium/*/Archived History' 
- '%%users.homedir%%/.config/chromium/*/Archived History-journal' - '%%users.homedir%%/.config/chromium/*/History' - '%%users.homedir%%/.config/chromium/*/History-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History' - '%%users.homedir%%/.config/google-chrome-beta/*/Archived History-journal' - '%%users.homedir%%/.config/google-chrome-beta/*/History' - '%%users.homedir%%/.config/google-chrome-beta/*/History-journal' - '%%users.homedir%%/.config/google-chrome/*/Archived History' - '%%users.homedir%%/.config/google-chrome/*/Archived History-journal' - '%%users.homedir%%/.config/google-chrome/*/History' - '%%users.homedir%%/.config/google-chrome/*/History-journal' - '%%users.homedir%%/.config/microsoft-edge/*/Archived History' - '%%users.homedir%%/.config/microsoft-edge/*/Archived History-journal' - '%%users.homedir%%/.config/microsoft-edge/*/History' - '%%users.homedir%%/.config/microsoft-edge/*/History-journal' - '%%users.homedir%%/.config/opera/*/Archived History' - '%%users.homedir%%/.config/opera/*/Archived History-journal' - '%%users.homedir%%/.config/opera/*/History' - '%%users.homedir%%/.config/opera/*/History-journal' - '%%users.homedir%%/.config/yandex-browser-beta/*/Archived History' - '%%users.homedir%%/.config/yandex-browser-beta/*/Archived History-journal' - '%%users.homedir%%/.config/yandex-browser-beta/*/History' - '%%users.homedir%%/.config/yandex-browser-beta/*/History-journal' - '%%users.homedir%%/snap/chromium/common/chromium/*/Archived History' - '%%users.homedir%%/snap/chromium/common/chromium/*/Archived History-journal' - '%%users.homedir%%/snap/chromium/common/chromium/*/History' - '%%users.homedir%%/snap/chromium/common/chromium/*/History-journal' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Brave\*\Archived History' - '%%users.appdata%%\Brave\*\Archived History-journal' - '%%users.appdata%%\Brave\*\History' - '%%users.appdata%%\Brave\*\History-journal' - 
'%%users.appdata%%\BraveSoftware\Brave-Browser\User Data\*\History' - '%%users.appdata%%\BraveSoftware\Brave-Browser\User Data\*\History-journal' - '%%users.appdata%%\Opera Software\Opera Stable\*\Archived History' - '%%users.appdata%%\Opera Software\Opera Stable\*\Archived History-journal' - '%%users.appdata%%\Opera Software\Opera Stable\*\History' - '%%users.appdata%%\Opera Software\Opera Stable\*\History-journal' - '%%users.localappdata%%\Chromium\*\Archived History' - '%%users.localappdata%%\Chromium\*\Archived History-journal' - '%%users.localappdata%%\Chromium\*\History' - '%%users.localappdata%%\Chromium\*\History-journal' - '%%users.localappdata%%\Chromium\User Data\*\Archived History' - '%%users.localappdata%%\Chromium\User Data\*\Archived History-journal' - '%%users.localappdata%%\Chromium\User Data\*\History' - '%%users.localappdata%%\Chromium\User Data\*\History-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History-journal' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\History-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History' - '%%users.localappdata%%\Google\Chrome\User Data\*\Archived History-journal' - '%%users.localappdata%%\Google\Chrome\User Data\*\History' - '%%users.localappdata%%\Google\Chrome\User Data\*\History-journal' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Archived History' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\Archived History-journal' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\History' - '%%users.localappdata%%\Microsoft\Edge Beta\User Data\*\History-journal' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Archived History' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Archived History-journal' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\History' - 
'%%users.localappdata%%\Microsoft\Edge\User Data\*\History-journal' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Archived History' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\Archived History-journal' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\History' - '%%users.localappdata%%\Yandex\YandexBrowser\User Data\*\History-journal' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: - 'https://forensics.wiki/google_chrome' - 'https://forensics.wiki/google_chrome#chromium-based-browsers' --- name: ChromeIndexedDB doc: | Google Chrome, Canary and Chromium IndexedDB files. The IndexedDB directory contains one directory per origin that uses IndexedDB, named like https_www.example.com_0.indexeddb.leveldb, chrome-extension_app-id-xxx_0.indexeddb.leveldb, or https_www.example.com_0.indexeddb.blob. Inside each of the *.leveldb directories are the files that comprise a LevelDB database, which in turn holds the IndexedDB data for that origin. There may be an accompanying .blob directory, which contains a nested folder structure of blobs.
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\IndexedDB\**5' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\IndexedDB\**5' - '%%users.localappdata%%\Google\Chrome\User Data\*\IndexedDB\**5' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\IndexedDB\**5' separator: '\' supported_os: [Windows] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/IndexedDB/**5' - '%%users.homedir%%/.config/chromium/*/IndexedDB/**5' - '%%users.homedir%%/.config/google-chrome-beta/*/IndexedDB/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/IndexedDB/**5' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/IndexedDB/**5' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/IndexedDB/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/IndexedDB/**5' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/IndexedDB/**5' supported_os: [Darwin] supported_os: [Darwin, Linux, Windows] urls: ['https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API'] --- name: ChromeLocalStorage doc: | Google Chrome, Canary and Chromium Local Storage files. Chrome 60 and earlier versions used individual .sqlite files per origin for Local Storage, stored in the Local Storage directory root. In Chrome 61, a leveldb directory was added inside the root Local Storage directory, and new origins saved Local Storage data in a single LevelDB there. Existing .sqlite files are kept (not moved to leveldb), so it is possible for a single Chrome profile to use both SQLite and LevelDB for Local Storage. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Local Storage/**' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Local Storage/**' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/**' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Local Storage/**' - '%%users.homedir%%/.config/chromium/*/Local Storage/**' - '%%users.homedir%%/.config/google-chrome-beta/*/Local Storage/**' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Local Storage/**' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Local Storage/**' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Local Storage\**' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Local Storage\**' - '%%users.localappdata%%\Google\Chrome\User Data\*\Local Storage\**' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Local Storage\**' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] --- name: ChromePreferences doc: Chrome Preferences file. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Preferences' - '%%users.homedir%%/Library/Application Support/Chromium/*/Secure Preferences' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Preferences' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Secure Preferences' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Preferences' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Secure Preferences' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Secure Preferences' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Preferences' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Secure Preferences' - '%%users.homedir%%/.config/chromium/*/Preferences' - '%%users.homedir%%/.config/chromium/*/Secure Preferences' - '%%users.homedir%%/.config/google-chrome/*/Preferences' - '%%users.homedir%%/.config/google-chrome/*/Secure Preferences' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Preferences' - '%%users.localappdata%%\Chromium\User Data\*\Secure Preferences' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Preferences' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Secure Preferences' - '%%users.localappdata%%\Google\Chrome\User Data\*\Preferences' - '%%users.localappdata%%\Google\Chrome\User Data\*\Secure Preferences' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Preferences' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://forensics.wiki/google_chrome#configuration'] --- name: ChromeSessionStorage doc: | Google Chrome, Canary and Chromium Sessions and Session Storage files. 
The Sessions directory contains information for restoring tabs and windows from a browsing session. The Session Storage directory contains the files that comprise a LevelDB database, which in turn holds the Session Storage data. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Chromium/*/Session Storage/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Session Storage/*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Session Storage/*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Sessions/Session_*' - '%%users.homedir%%/Library/Application Support/Chromium/*/Sessions/Tabs_*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Sessions/Session_*' - '%%users.homedir%%/Library/Application Support/Google/Chrome/*/Sessions/Tabs_*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Sessions/Session_*' - '%%users.homedir%%/Library/Application Support/Google/Chrome Canary/*/Sessions/Tabs_*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.config/google-chrome/*/Session Storage/*' - '%%users.homedir%%/.config/chromium/*/Session Storage/*' - '%%users.homedir%%/.config/google-chrome-beta/*/Session Storage/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Session Storage/*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Session Storage/*' - '%%users.homedir%%/.config/google-chrome/*/Sessions/Session_*' - '%%users.homedir%%/.config/google-chrome/*/Sessions/Tabs_*' - '%%users.homedir%%/.config/chromium/*/Sessions/Session_*' - '%%users.homedir%%/.config/chromium/*/Sessions/Tabs_*' - '%%users.homedir%%/.config/google-chrome-beta/*/Sessions/Session_*' - '%%users.homedir%%/.config/google-chrome-beta/*/Sessions/Tabs_*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Sessions/Session_*' - 
'%%users.homedir%%/.config/chrome-remote-desktop/chrome-profile/*/Sessions/Tabs_*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Sessions/Session_*' - '%%users.homedir%%/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Sessions/Tabs_*' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.localappdata%%\Chromium\User Data\*\Session Storage\*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Session Storage\*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Session Storage\*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Session Storage\*' - '%%users.localappdata%%\Chromium\User Data\*\Sessions\Session_*' - '%%users.localappdata%%\Chromium\User Data\*\Sessions\Tabs_*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Sessions\Session_*' - '%%users.localappdata%%\Google\Chrome SxS\User Data\*\Sessions\Tabs_*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Sessions\Session_*' - '%%users.localappdata%%\Google\Chrome\User Data\*\Sessions\Tabs_*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Sessions\Session_*' - '%%users.localappdata%%\Microsoft\Edge\User Data\*\Sessions\Tabs_*' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] --- name: FirefoxCache doc: Mozilla Firefox browser caches. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/Cache/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/doomed/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default/cache2/entries/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/Cache/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/cache2/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/cache2/doomed/*' - '%%users.homedir%%/Library/Caches/Firefox/Profiles/*.default-*/cache2/entries/*' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.mozilla/firefox/*.default/Cache/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/Cache/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/doomed/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default/cache2/entries/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default-*/Cache/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default-*/cache2/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default-*/cache2/doomed/*' - '%%users.homedir%%/.cache/mozilla/firefox/*.default-*/cache2/entries/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/Cache/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/cache2/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/cache2/doomed/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default/cache2/entries/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/Cache/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/cache2/*' - '%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/cache2/doomed/*' - 
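'%%users.homedir%%/snap/firefox/common/.cache/mozilla/firefox/*.default-*/cache2/entries/*'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\Cache\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\doomed\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default\cache2\entries\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default-*\Cache\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default-*\cache2\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default-*\cache2\doomed\*'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*.default-*\cache2\entries\*'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/FirefoxCache.html']
---
name: FirefoxCookies
doc: Firefox browser cookies (cookies.sqlite).
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/cookies.sqlite'
    - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/cookies.sqlite-wal'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.mozilla/firefox/*/cookies.sqlite'
    - '%%users.homedir%%/.mozilla/firefox/*/cookies.sqlite-shm'
    - '%%users.homedir%%/.mozilla/firefox/*/cookies.sqlite-wal'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\cookies.sqlite'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\cookies.sqlite-wal'
    - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\cookies.sqlite'
    # Collect the WAL file beside the roaming-profile database as well: rows
    # written since the last SQLite checkpoint exist only in the -wal file, so
    # without it the most recent cookies are missed. (The previous fourth entry
    # repeated the localappdata -wal path instead of naming this one.)
    - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\cookies.sqlite-wal'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://forensics.wiki/mozilla_firefox']
---
name: FirefoxDownloads
doc: Firefox browser downloads (downloads.sqlite).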
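sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/downloads.sqlite'
    - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/downloads.sqlite-wal'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.mozilla/firefox/*/downloads.sqlite'
    - '%%users.homedir%%/.mozilla/firefox/*/downloads.sqlite-wal'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\downloads.sqlite'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\downloads.sqlite-wal'
    - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\downloads.sqlite'
    # Roaming-profile WAL: holds rows not yet checkpointed into downloads.sqlite.
    # The earlier entry here duplicated the localappdata -wal path.
    - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\downloads.sqlite-wal'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://forensics.wiki/mozilla_firefox']
---
name: FirefoxHistory
doc: Firefox browser history (places.sqlite).
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite'
    - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite-wal'
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite'
    - '%%users.homedir%%/.mozilla/firefox/*/places.sqlite-wal'
    - '%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite'
    - '%%users.homedir%%/snap/firefox/common/.mozilla/firefox/*/places.sqlite-wal'
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
    - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
    - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite'
    # Roaming-profile WAL: recent history rows live only here until the next
    # SQLite checkpoint. The earlier entry duplicated the localappdata -wal path.
    - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite-wal'
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Linux, Windows]
urls: ['https://forensics.wiki/mozilla_firefox']
---
name: FirefoxAddOns
doc: Firefox browser add-ons/extensions.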
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json' - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json' - '%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/webapps/webapps.json' supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.homedir%%/.mozilla/firefox/*/addons.json' - '%%users.homedir%%/.mozilla/firefox/*/extensions.json' - '%%users.homedir%%/.mozilla/firefox/*/webapps/webapps.json' supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\addons.json' - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\extensions.json' - '%%users.appdata%%\Mozilla\Firefox\Profiles\*\webapps\webapps.json' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\addons.json' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\extensions.json' - '%%users.localappdata%%\Mozilla\Firefox\Profiles\*\webapps\webapps.json' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://github.com/osquery/osquery/blob/6969e075fd4118e36f6cab54b0956e53dde5ba3f/osquery/tables/applications/browser_firefox.cpp#'] --- name: InternetExplorerBrowserHelperObjects doc: Loaded on Internet Explorer startup sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' - 'https://code.google.com/p/regripper/wiki/ASEPs' --- name: InternetExplorerCache doc: | Microsoft Internet Explorer (MSIE) browser cache. * MSIE 4 - 9 Temporary Internet files. * MSIE 10 INetCache files. 
sources: - type: FILE attributes: paths: - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*' - '%%users.localappdata%%\Microsoft\Windows\INetCache\IE\*\*' - '%%users.localappdata%%\Microsoft\Windows\INetCache\Low\*\*' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/internet_explorer'] --- name: InternetExplorerCookies doc: | Microsoft Internet Explorer (MSIE) browser cookies. * MSIE 4 - 9 Cache files (index.dat) sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Windows\Cookies\index.dat' - '%%users.appdata%%\Microsoft\Windows\Cookies\Low\index.dat' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/internet_explorer'] --- name: InternetExplorerHistory doc: | Microsoft Internet Explorer (MSIE) browser history. * MSIE 4 - 9 Cache files (index.dat); * MSIE 10 WebCacheV*.dat files. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat' - '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat' - '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat' - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat' - '%%users.userprofile%%\Local Settings\History\History.IE5\index.dat' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/internet_explorer'] --- name: InternetExplorerProtectedModeElevationPolicies doc: | Trust levels of apps launched from low rights IE sessions. 
The ElevationPolicy dictates how IE handles applications that want to execute in other applications that reside outside of the Low Rights IE session. AppName is the executable * AppPath is the directory * CLSID is used if it launches a COM server through CoCreateInstance * Policy (DWORD) is the trust level, of 0 through 3. * 3 Protected Mode silently launches the broker as a medium integrity process. * 2 Protected Mode prompts the user for permission to launch the process. If permission is granted, the process is launched as a medium integrity process. * 1 Protected Mode silently launches the broker as a low integrity process. * 0 Protected Mode prevents the process from launching. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'Policy'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppName'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'AppPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\*', value: 'CLSID'} supported_os: [Windows] urls: - 'http://blogs.technet.com/b/juanand/archive/2010/10/29/internet-explorer-protected-mode-elevation-policy-and-administrative-templates.aspx' - 'https://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx' --- name: InternetExplorerProtectedModeDisable doc: | Microsoft Internet 
Explorer (MSIE) Protected Mode Banner can be suppressed by setting NoProtectedModeBanner. * Applies to versions 7-11 sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner']} supported_os: [Windows] urls: ['http://www.blackforce.co.uk/2014/01/07/disable-protected-mode-is-turned-off-for-the-internet-zone-group-policy'] --- name: InternetExplorer6Settings doc: Registry keys affecting default behavior for Microsoft Internet Explorer 6. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'AboutURLs'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Extensions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'Toolbar'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', value: 'SearchURL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search', value: 'CustomizeSearch'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'UrlSearchHooks'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Extensions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'ExplorerBars'} - {key: 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'Toolbar'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer', value: 'SearchURL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Page_URL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Default_Search_URL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Page'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Start Page'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Main', value: 'Search Bar'} supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/895339' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: InternetExplorerTypedURLsKeys doc: Microsoft Internet Explorer TypedUrls keys. sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*']} supported_os: [Windows] urls: ['https://forensics.wiki/internet_explorer#typed-urls'] --- name: OperaHistoryFile aliases: [OperaHistory] doc: Opera browser history (global_history.dat) file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Opera/global_history.dat']} supported_os: [Darwin] - type: FILE attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']} supported_os: [Linux] - type: FILE attributes: paths: - '%%users.appdata%%\Opera\Opera\global_history.dat' - '%%users.appdata%%\Opera Software\Opera Stable\History' - '%%users.appdata%%\Opera Software\Opera Stable\History-journal' separator: '\' supported_os: [Windows] supported_os: [Darwin, Linux, Windows] urls: ['https://forensics.wiki/opera'] --- name: SafariAutoFillCorrectionsSQLiteDatabaseFile doc: Safari browser auto-fill corrections SQLite database file. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/AutoFillCorrections.db' - '%%users.homedir%%/Library/Safari/AutoFillCorrections.db-wal' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariCacheSQLiteDatabaseFile aliases: [SafariCache] doc: Safari browser cache (cache.db) SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db' - '%%users.homedir%%/Library/Caches/com.apple.Safari/Cache.db-wal' - '%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/Cache.db' - '%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/Cache.db-wal' supported_os: [Darwin] - type: FILE attributes: paths: ['%%users.localappdata%%\Apple Computer\Safari\cache.db'] separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariCloudAutoFillCorrectionsSQLiteDatabaseFile doc: Safari browser cloud auto-fill corrections SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/CloudAutoFillCorrections.db' - '%%users.homedir%%/Library/Safari/CloudAutoFillCorrections.db-wal' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariCookies doc: Safari Cookies database. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Cookies/Cookies.binarycookies' - '%%users.homedir%%/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariDownloadsPlistFile aliases: [SafariDownloads] doc: Safari downloads history (Downloads.plist) property list (plist) file. 
sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Safari/Downloads.plist']} supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.localappdata%%\Apple Computer\Safari\Downloads.plist' - '%%users.appdata%%\Apple Computer\Safari\Downloads.plist' separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] urls: ['https://forensics.wiki/apple_safari/'] --- name: SafariExtensions doc: Safari browser extensions. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Safari/Extensions/**']} supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari/'] --- name: SafariFaviconsCacheSQLiteDatabaseFile doc: Safari browser favicons cache SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/Favicon Cache/favicons.db' - '%%users.homedir%%/Library/Safari/Favicon Cache/favicons.db-wal' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariHistory doc: Safari browser history. sources: - type: ARTIFACT_GROUP attributes: names: - 'SafariHistorySQLiteDatabaseFile' - 'SafariHistoryPlistFile' supported_os: [Darwin, Windows] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariHistoryPlistFile doc: Safari browser history (History.plist) property list (plist) file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Safari/History.plist']} supported_os: [Darwin] - type: FILE attributes: paths: - '%%users.localappdata%%\Apple Computer\Safari\History.plist' - '%%users.appdata%%\Apple Computer\Safari\History.plist' separator: '\' supported_os: [Windows] supported_os: [Darwin, Windows] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariHistorySQLiteDatabaseFile doc: Safari browser history SQLite database file. 
sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/History.db' - '%%users.homedir%%/Library/Safari/History.db-wal' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariPerSitePreferencesSQLiteDatabaseFile doc: Safari browser per site preferences SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/PerSitePreferences.db' - '%%users.homedir%%/Library/Safari/PerSitePreferences.db-wal' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariTabSnapshotsMetadataSQLiteDatabaseFile doc: Safari browser tab snapshots metadata SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/Caches/com.apple.Safari/TabSnapshots/Metadata.db']} supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: SafariTouchIconCacheSettingsSQLiteDatabaseFile doc: Safari browser touch icon cache settings SQLite database file. sources: - type: FILE attributes: paths: - '%%users.homedir%%/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db' - '%%users.homedir%%/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db-wal' supported_os: [Darwin] urls: ['https://forensics.wiki/apple_safari'] --- name: WebKitPubSubSQLiteDatabaseFile doc: WebKit RSS feed (PubSub) SQLite database file. sources: - type: FILE attributes: {paths: ['%%users.homedir%%/Library/PubSub/Database/Database.sqlite3']} supported_os: [Darwin] artifacts-20230928/data/webservers.yaml000066400000000000000000000055041450527130400177360ustar00rootroot00000000000000# Webserver related artifacts. 
--- name: ApacheConfigurationFolder doc: Location where Apache keeps configuration files sources: - type: FILE attributes: paths: - '/etc/apache2/*.conf' - '/etc/httpd/*.conf' - '/etc/httpd/conf.d/*.conf' - '/etc/httpd/conf.modules.d/*.conf' supported_os: [Linux] --- name: ApacheDefaultSiteConfigurationFile doc: Location where Apache keeps the default site configuration file. sources: - type: FILE attributes: {paths: ['/etc/apache2/sites-available/000-default.conf']} supported_os: [Linux] --- name: ApacheAccessLogs doc: Location where Apache access logs are stored sources: - type: FILE attributes: paths: - '/var/log/apache/access_log*' - '/var/log/apache/access.log*' - '/var/log/apache2/access_log*' - '/var/log/apache2/access.log*' - '/var/log/apache2/other_vhosts_access_log*' - '/var/log/apache2/other_vhosts_access.log*' - '/var/log/httpd/access_log*' - '/var/log/httpd/access.log*' supported_os: [Linux] - type: FILE attributes: paths: ['%%environ_systemdrive%%\**6\logs\access.log*'] separator: '\' supported_os: [Windows] supported_os: [Linux, Windows] --- name: ApacheErrorLogs doc: Location where Apache error logs are stored sources: - type: FILE attributes: paths: - '/var/log/apache/error*' - '/var/log/apache/error.log*' - '/var/log/apache2/error*' - '/var/log/apache2/error.log*' - '/var/log/httpd/error*' - '/var/log/httpd/error.log*' supported_os: [Linux] - type: FILE attributes: paths: ['%%environ_systemdrive%%\**6\logs\error.log*'] separator: '\' supported_os: [Windows] supported_os: [Linux, Windows] --- name: NginxAccessLogs doc: Location where nginx access logs are stored sources: - type: FILE attributes: {paths: ['/var/log/nginx/access.log*']} supported_os: [Linux] - type: FILE attributes: paths: ['%%environ_systemdrive%%\nginx\logs\*.log*'] separator: '\' supported_os: [Windows] supported_os: [Linux, Windows] --- name: NginxErrorLogs doc: Location where nginx error logs are stored sources: - type: FILE attributes: {paths: ['/var/log/nginx/error.log*']} 
supported_os: [Linux] --- name: WordpressConfigFile doc: WordPress configuration file sources: - type: FILE attributes: paths: - '/private/var/www/**/wp-config.php' - '/private/var/www/wp-config.php' - '/var/www/**/wp-config.php' - '/var/www/wp-config.php' - '/wp/wp-config.php' supported_os: [Linux, Darwin] --- name: MicrosoftIISLogs doc: Internet Information Services (IIS) web server's log files. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\LogFiles\W3SVC*\*.log' - '%%environ_systemdrive%%\inetpub\logs\LogFiles\*.log' - '%%environ_systemdrive%%\Resources\Directory\*\LogFiles\Web\W3SVC*\*.log' separator: '\' supported_os: [Windows] artifacts-20230928/data/windows.yaml000066400000000000000000005102731450527130400172450ustar00rootroot00000000000000# Windows specific artifacts. --- name: WindowsActiveDesktop doc: Windows Active Desktop settings and components. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html'] --- name: WindowsActiveDirectoryDatabase doc: Windows Active Directory data store file. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\ntds\ntds.dit'] separator: '\' supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772829(v=ws.10)'] --- name: WindowsActivitiesCacheDatabase doc: SQLite database containing the Windows activities cache. 
sources: - type: FILE attributes: paths: ['%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActivitiesCacheDatabase.html'] --- name: WindowsAlternateShell doc: Alternate Shell to be run via Userinit. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot', value: 'AlternateShell'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option', value: 'UseAlternateShell'} supported_os: [Windows] urls: - 'https://www.microsoftpressstore.com/articles/article.aspx' - 'https://technet.microsoft.com/en-us/library/cc976124.aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsAMCacheHveFile doc: The AMCache file, stored in the Windows NT Registry file format. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve' - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1' - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html'] --- name: WindowsAppCertDLLs doc: Windows AppCertDLLs persistence. 
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs'] supported_os: [Windows] urls: ['http://blogs.technet.com/b/mmpc/archive/2011/03/19/how-to-defang-the-fake-defragmenter.aspx'] --- name: WindowsAppCompatCache doc: Windows Application Compatibility Cache sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility', value: 'AppCompatCache'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatCache', value: 'AppCompatCache'} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Application%20Compatibility%20Cache%20key.asciidoc'] --- name: WindowsAppInitDLLs doc: | Windows Application Initial (AppInit) DLLs persistence. AppInit DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'AppInit_DLLs'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx' - 'https://support.microsoft.com/en-us/kb/197571' --- name: WindowsApplicationRegistration doc: Windows Application Registration (AppPath) Registry keys. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\*' supported_os: [Windows] urls: - 'https://github.com/keydet89/RegRipper2.8/blob/master/plugins/apppaths.pl' - 'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx' --- name: WindowsApplicationCompatibilityInstalledShimDatabases doc: | Windows Application Compatibility Installed Shim Databases. drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are shim database files (SDB files) that are provided by Windows, and contain many predefined shims that address known application compatibility issues. Note that these database files are not signed. Windows also supports custom shim databases. These are typically installed by the sdbinst.exe utility. Note that shim database files can also exist elsewhere in the file system. Windows application shims provide a way for the operating system to apply patches to executables before they are run, ultimately providing a lightweight mechanism for applying hot fixes and making modifications to ensure compatibility across the various versions of Windows. This functionality can also be leveraged maliciously to change how certain programs operate, or to provide capabilities to malware, such as the ability to bypass UAC, gain persistence by injecting code into legitimate processes, or avoid detection by disabling anti-virus software. 
sources: - type: FILE attributes: paths: - '%%environ_windir%%\AppPatch\drvmain.sdb' - '%%environ_windir%%\AppPatch\frxmain.sdb' - '%%environ_windir%%\AppPatch\msimain.sdb' - '%%environ_windir%%\AppPatch\pcamain.sdb' - '%%environ_windir%%\AppPatch\sysmain.sdb' - '%%environ_windir%%\AppPatch\AppPatch64\Custom\*' - '%%environ_windir%%\AppPatch\Custom\*' - '%%environ_windir%%\AppPatch\Custom\Custom64\*' - '%%environ_windir%%\AppPatch\CustomSDB\*' separator: '\' supported_os: [Windows] urls: - 'https://attack.mitre.org/techniques/T1138/' - 'https://countercept.com/blog/hunting-for-application-shim-databases/' - 'http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf' - 'https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf' --- name: WindowsApplicationCompatibilityShimDatabaseMappings doc: | Windows Application Compatibility Shim Database Mappings. Mappings between the Windows Application Compatibility shim database files and the programs that they apply to. Windows allows for custom application shims to be installed via the sdbinst.exe application. For example a mapping for 'notepad.exe': Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe Value: {00000000-1111-2222-3333-444444444444}.sdb = 0 Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444} Value: DatabasePath = "C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb" Windows application shims provide a way for the operating system to apply patches to executables before they are run, ultimately providing a lightweight mechanism for applying hot fixes and making modifications to ensure compatibility across the various versions of Windows. 
This functionality can also be leveraged maliciously to change how certain programs operate, or to provide capabilities to malware, such as the ability to bypass UAC, gain persistence by injecting code into legitimate processes, or avoid detection by disabling anti-virus software. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*', value: '*'} supported_os: [Windows] urls: - 'https://attack.mitre.org/techniques/T1138/' - 'https://countercept.com/blog/hunting-for-application-shim-databases/' --- name: WindowsApplicationCompatibilityShims doc: Windows Application Compatibility Shim Database Files and Application Mappings sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsApplicationCompatibilityInstalledShimDatabases' - 'WindowsApplicationCompatibilityShimDatabaseMappings' supported_os: [Windows] --- name: WinAppXRT doc: WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\system32\WinAppXRT.dll' - '%%environ_systemroot%%\WinAppXRT.dll' - '%%environ_systemroot%%\System32\Wbem\WinAppXRT.dll' - '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll' separator: '\' supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/'] --- name: WindowsAutoexecBat doc: Windows autoexec.bat file sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\autoexec.bat' - '%%environ_windir%%\autoexec.nt' separator: '\' supported_os: [Windows] --- name: WindowsAutomaticDebugging doc: Windows automatic debugging (Aedebug) sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug', value: 'Debugger'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsAutomaticDebuggingExclusionList doc: Windows automatic debugging (Aedebug) exclusion list sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AutoExclusionList\*'] supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx'] --- name: WindowsAutorun doc: Windows autorun.inf file. sources: - type: FILE attributes: paths: ['%%environ_systemdrive%%\autorun.inf'] separator: '\' supported_os: [Windows] --- name: WindowsAvailableTimeZones doc: Timezones available on a Windows system. 
sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\*']} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Time%20zone%20keys.asciidoc'] --- name: WindowsBackgroundActivityModeratorKeys doc: Windows Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) registry keys. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\UserSettings\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dam\UserSettings\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dam\State\UserSettings\*' supported_os: [Windows] urls: - 'https://dfir.ru/2020/04/08/bam-internals/' - 'https://notes.qazeer.io/dfir/windows/_artefacts_overview' --- name: WindowsBITSQueueManagerDatabases doc: Databases that contain the Windows BITS jobs definition and state. sources: - type: FILE attributes: paths: - '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat' - '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr.db' separator: '\' supported_os: [Windows] urls: ['http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf'] --- name: WindowsBootConfigurationDataRegistryFiles doc: Boot Configuration Data (BCD) Windows Registry files. 
sources: - type: FILE attributes: paths: - '\Boot\BCD' - '\Boot\BCD.LOG' - '\Boot\BCD.LOG1' - '\Boot\BCD.LOG2' - '\EFI\Microsoft\Boot\BCD' - '\EFI\Microsoft\Boot\BCD.LOG' - '\EFI\Microsoft\Boot\BCD.LOG1' - '\EFI\Microsoft\Boot\BCD.LOG2' - '\EFI\Microsoft\Recovery\BCD' - '\EFI\Microsoft\Recovery\BCD.LOG' - '\EFI\Microsoft\Recovery\BCD.LOG1' - '\EFI\Microsoft\Recovery\BCD.LOG2' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsBootVerificationProgram doc: Path to custom startup verification program. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram', value: 'ImagePath'}] supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc786702(WS.10).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsCIMRepositoryFiles doc: | Windows Common Information Model (CIM) repository. Persistent database that holds the schema, also called the object repository or class store, that models the managed environment and defines every piece of data exposed by WMI. This definition does not specify the copies of the CIM repository that are stored in system restore points. 
sources: - type: FILE attributes: paths: # Windows 95 OSR 2.5, 98, Millennium Edition (Me) - '%%environ_windir%%\System\Wbem\Repository\cim.rep' # Windows NT4 and 2000 - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REC' - '%%environ_systemroot%%\System32\wbem\Repository\CIM.REP' # Windows Vista and later - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.BTR' - '%%environ_systemroot%%\System32\wbem\Repository\INDEX.MAP' - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING.VER' - '%%environ_systemroot%%\System32\wbem\Repository\MAPPING[1-3].MAP' - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.DATA' - '%%environ_systemroot%%\System32\wbem\Repository\OBJECTS.MAP' # Windows XP and Windows 2003 - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.BTR' - '%%environ_systemroot%%\System32\wbem\Repository\FS\INDEX.MAP' - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING.VER' - '%%environ_systemroot%%\System32\wbem\Repository\FS\MAPPING[1-2].MAP' - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.DATA' - '%%environ_systemroot%%\System32\wbem\Repository\FS\OBJECTS.MAP' # Copies from the system rebuild process - Windows Vista and later - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\INDEX.BTR' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\INDEX.MAP' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\MAPPING.VER' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\MAPPING[1-3].MAP' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\OBJECTS.DATA' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\OBJECTS.MAP' # Copies from the system rebuild process - Windows XP and Windows 2003 - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\FS\INDEX.BTR' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\FS\INDEX.MAP' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\FS\MAPPING.VER' - 
'%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\FS\MAPPING[1-2].MAP' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\FS\OBJECTS.DATA' - '%%environ_systemroot%%\System32\wbem\Repository.00[1-9]\FS\OBJECTS.MAP' separator: '\' supported_os: [Windows] urls: - 'https://github.com/libyal/dtformats/blob/main/documentation/WMI%20repository%20file%20format.asciidoc' - 'https://forensics.wiki/wmi' --- name: WindowsCodePage aliases: [WinCodePage] doc: The system code page. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage', value: 'ACP'} provides: [code_page] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Codepage.html'] --- name: WindowsComputerName doc: The name of the system. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName', value: 'ComputerName'} supported_os: [Windows] --- name: WindowsCommandProcessorAutoRun doc: Commands that are run each time the Command Processor (Cmd.exe) is started. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Command Processor', value: 'AutoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Command Processor', value: 'AutoRun'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://blogs.msdn.com/b/oldnewthing/archive/2007/11/21/6447771.aspx' - 'https://technet.microsoft.com/en-us/library/cc756720(v=ws.10).aspx' --- name: WindowsCOMInprocHandlers doc: Windows COM in-process handlers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'InprocHandler32'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'InprocHandler32'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms691354(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms693485(v=vs.85).aspx' --- name: WindowsCOMInprocServers doc: Windows COM in-process servers sources: - type: REGISTRY_VALUE attributes: 
key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: ''} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682390(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694328(v=vs.85).aspx' --- name: WindowsCOMLocalServers doc: Windows COM local servers sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\LocalServer32', value: 'ServerExecutable'} - {key: 
'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*', value: 'LocalServer'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\LocalServer32', value: 'ServerExecutable'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx' --- name: WindowsCommonFilePlacementAttacks doc: Common files associated with search order hijacking and other file placement attacks. sources: - type: FILE attributes: paths: - '%%environ_programfiles%%\Internet Explorer\sxs.dll' - '%%environ_programfilesx86%%\Internet Explorer\sxs.dll' - '%%environ_systemdrive%%\explorer.exe' - '%%environ_systemdrive%%\program.exe' - '%%environ_systemroot%%\linkinfo.dll' - '%%environ_systemroot%%\ntshrui.dll' - '%%environ_systemroot%%\System32\oci.dll' - '%%environ_systemroot%%\System32\sysprep\cryptbase.dll' - '%%environ_systemroot%%\SysWOW64\oci.dll' - '%%environ_systemroot%%\SysWOW64\sysprep\cryptbase.dll' separator: '\' supported_os: [Windows] urls: - 'http://web.cs.ucdavis.edu/~su/publications/issta10-loading.pdf' - 'https://www.mandiant.com/blog/fxsst/' --- name: WindowsCOMProperties doc: | Various properties of Windows COM Objects. These artifacts are meant to highlight properties of COM objects that, although legitimate, are known to be associated with persistence techniques or other capabilities that malware can leverage. ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value 0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique to cause iexplore or explorer to load a malicious DLL by registering a COM object and invoking it through the use of Junction Folders. 
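sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    # Each value is collected from the native and the Wow6432Node CLSID hives,
    # for both the machine and every user profile.
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
supported_os: [Windows]
urls:
- 'https://ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse'
- 'https://labs.nettitude.com/blog/com-and-the-powerthief/'
---
name: WindowsCOMRegisteredTypeLibraries
doc: Windows COM registered type libraries
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    # Typelib\{GUID}\{version}\{LCID}\{win32|win64}: the default value holds the library path.
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Typelib\*\*\*\*', value: ''}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Typelib\*\*\*\*', value: ''}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Typelib\*\*\*\*', value: ''}
supported_os: [Windows]
urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Component%20Object%20Model%20keys.asciidoc#type-libraries-key']
---
name: WindowsConfigSys
# doc widened: the paths collect config.nt as well as config.sys.
doc: Windows config.sys and config.nt files
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemdrive%%\config.sys'
    - '%%environ_windir%%\config.nt'
    separator: '\'
supported_os: [Windows]
---
name: WindowsControlPanelFilePaths
doc: DLLs listed here will be run when the user opens the Windows Control Panel.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs'
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx'
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm'
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms683844(v=vs.85).aspx'
---
name: WindowsCortanaDatabase
doc: Windows Cortana database
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Packages\Microsoft.Windows.Cortana_*\AppData\Indexed DB\IndexedDB.edb'
    - '%%users.localappdata%%\Packages\Microsoft.Windows.Cortana_*\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/cortana']
---
name: WindowsCrashDumps
doc: |
  Windows Error Reporting (WER) files and crash dumps.

  The files include information about the crashed processes and potentially
  process dumps, whether auto-generated upon a crash or by a user. It's helpful to
  analyze them to identify unexpected process executions or exploitation attempts.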
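sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersprofile%%\Microsoft\Windows\WER\**'
    - '%%environ_systemroot%%\*.dmp'
    - '%%environ_systemroot%%\Minidump\*.dmp'
    # NOTE(review): these two ServiceProfiles paths have no profile-name component,
    # unlike ServiceProfiles\NetworkService\... used in WindowsEventTracingLogFiles — confirm.
    - '%%environ_systemroot%%\ServiceProfiles\AppData\Local\CrashDumps\**'
    - '%%environ_systemroot%%\ServiceProfiles\AppData\Local\Temp\*.dmp'
    - '%%environ_systemroot%%\System32\config\systemprofile\AppData\Local\CrashDumps\**'
    - '%%environ_systemroot%%\System32\config\systemprofile\AppData\Local\Temp\*.dmp'
    - '%%environ_systemroot%%\Temp\*.dmp'
    - '%%users.localappdata%%\CrashDumps\**'
    - '%%users.localappdata%%\Microsoft\Windows\WER\**'
    - '%%users.localappdata%%\Temp\*.dmp'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/windows#crash-and-minidumps']
---
name: WindowsCredentialProviderFilters
doc: Windows Credential Provider Filters
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*'
supported_os: [Windows]
urls: ['http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/']
---
name: WindowsCredentialProviders
doc: CLSIDs of applications to use as Credential Providers
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'http://blogs.technet.com/b/ad/archive/2009/05/26/thoughts-on-single-sign-on-and-credential-providers.aspx'
- 'http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/'
- 'https://www.sophos.com/en-us/support/knowledgebase/114190.aspx'
---
name: WindowsCryptnetUrlCacheMetadata
doc: |
  Metadata of a Windows cache of files downloaded from the internet.

  Helpful when investigating the use of "Living off the Land" tools that allow
  attackers to download arbitrary files from the internet, such as "certutil.exe".
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
    - '%%environ_systemroot%%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
    - '%%users.userprofile%%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/windows#cryptnet-url-cache']
---
name: WindowsCryptnetUrlCacheContent
doc: |
  Content of a Windows cache of files downloaded from the internet.

  Helpful when investigating the use of "Living off the Land" tools that allow
  attackers to download arbitrary files from the internet, such as "certutil.exe".
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
    - '%%environ_systemroot%%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
    - '%%users.userprofile%%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/windows#cryptnet-url-cache']
---
name: WindowsCurrentVersion
doc: The Windows current version
sources:
- type: REGISTRY_VALUE
  attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'CurrentVersion'}]}
supported_os: [Windows]
urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc']
---
name: WindowsDebugger
doc: Windows Debugger persistence or AV disable.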
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    # 'Debugger' under an Image File Execution Options\<exe> subkey names a program
    # started in place of that executable.
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*', value: 'Debugger'}
supported_os: [Windows]
urls: ['https://msdn.microsoft.com/en-us/library/a329t4ed%28VS.71%29.aspx']
---
name: WindowsDNSSettings
doc: Windows Registry Keys that contain DNS and DHCP settings.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    # The mixed System/SYSTEM/services casing below is cosmetic: Registry key names
    # are matched case-insensitively.
    - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'NameServer'}
    - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*', value: 'NameServer'}
    - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters', value: 'NameServer'}
    - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpNameServer'}
    - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\*', value: 'DhcpServer'}
supported_os: [Windows]
urls: ['https://technet.microsoft.com/en-us/library/dd197418(v=ws.10).aspx']
---
name: WindowsDomainCachedCredentials
doc: Windows domain cached credentials
sources:
- type: REGISTRY_VALUE
  attributes:
    # The '*' is a glob over the NL$1, NL$2, ... cache slot values.
    key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Security\Cache', value: 'NL$*'}]
supported_os: [Windows]
urls: ['http://juggernaut.wikidot.com/cached-credentials']
---
name: WindowsDomainName
doc: The domain the system is connected to.
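sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters', value: 'Domain'}
# provides: the knowledge-base variable other artifacts reference as %%domain%%.
provides: [domain]
supported_os: [Windows]
---
name: WindowsEnvironmentUserLoginScripts
doc: User login scripts configured via Windows environment variables.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonServer'}
    - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitLogonScript'}
    - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'UserInitMprLogonScript'}
supported_os: [Windows]
urls:
- 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/'
- 'https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/cb6f1d6f-60a6-4369-803e-ec03d902e638/gina-how-to-run-domain-scripts-after-logon'
---
name: WindowsEnvironmentVariableAllUsersProfile
doc: The system-wide %AllUsersProfile% environment variable contains the path of the "All Users" or "Common" profile directory.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'AllUsersProfile'}
provides: [environ_allusersprofile]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableAppxProcess
doc: |
  The user-specific %APPX_PROCESS% environment variable is used for .NET applications.

  If set, a .NET application will attempt to load WinAppXRT.dll from %PATH%, which
  can be used as a persistence mechanism by malware.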
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    # Per-user variable, so it lives under the user's hive rather than the system one.
    - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'}
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableCommonProgramFiles
doc: The %COMMONPROGRAMFILES% environment variable contains the path of the common program files folder.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir'}
# provides: the knowledge-base variable other artifacts expand as %%environ_commonprogramfiles%%.
provides: [environ_commonprogramfiles]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableCommonProgramFilesX86
doc: The %COMMONPROGRAMFILES(X86)% environment variable contains the path of the 32-bit common program files folder on a 64-bit Windows installation.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'CommonFilesDir (x86)'}
provides: [environ_commonprogramfilesx86]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableComSpec
doc: The %ComSpec% environment variable contains the path of the command processor, typically "cmd.exe".
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'ComSpec'}
provides: [environ_comspec]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableDriverData
doc: The %DriverData% environment variable contains the path of the directory used for temporary state files of user-mode drivers.
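sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'}
provides: [environ_driverdata]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariablePath
# aliases: older artifact names kept so existing references keep resolving.
aliases: [WinPathEnvironmentVariable]
doc: The %PATH% environment variable contains an ordered list of paths of directories that will be searched on execution request without a specific path.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'Path'}
provides: [environ_path]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableProfilesDirectory
doc: The %ProfilesDirectory% environment variable contains a path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users".
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProfilesDirectory'}
provides: [environ_profilesdirectory]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableProgramData
doc: The %ProgramData% environment variable contains a path of the "Program Data" directory.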
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList', value: 'ProgramData'}
provides: [environ_programdata]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableProgramFiles
aliases: [ProgramFiles]
doc: The %ProgramFiles% environment variable contains a path of the "Program Files" directory.
sources:
# Two sources: a fixed default location and the Registry value; presumably the
# reader uses whichever resolves — confirm against the artifact reader.
- type: PATH
  attributes:
    paths: ['\Program Files']
    separator: '\'
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir'}
provides: [environ_programfiles]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableProgramFilesX86
aliases: [ProgramFilesx86]
doc: The %ProgramFiles(x86)% environment variable contains a path of the 32-bit "Program Files" directory on a 64-bit Windows installation.
sources:
- type: PATH
  attributes:
    paths: ['\Program Files (x86)']
    separator: '\'
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion', value: 'ProgramFilesDir (x86)'}
provides: [environ_programfilesx86]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableSystemDrive
doc: |
  The %SystemDrive% environment variable contains the letter of the drive in which
  the system directory is located, typically "C:".

  This value is not present in the Windows Registry but can be derived from
  %SystemRoot%.
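sources:
# Derived from the SystemRoot artifact rather than read from the Registry (see doc).
- type: ARTIFACT_GROUP
  attributes: {names: ['WindowsEnvironmentVariableSystemRoot']}
provides: [environ_systemdrive]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableSystemRoot
aliases: [SystemRoot]
doc: The %SystemRoot% environment variable contains the path of the system directory, typically "C:\Windows".
sources:
# Default directory names used by the various Windows NT generations, tried before
# falling back to the Registry value.
- type: PATH
  attributes:
    paths:
    - '\Windows'
    - '\WinNT'
    - '\WINNT35'
    - '\WTSRV'
    separator: '\'
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'SystemRoot'}
provides: [environ_systemroot]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableTemp
aliases: [TempEnvironmentVariable]
doc: The %TEMP% environment variable.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'TEMP'}
provides: [environ_temp]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEnvironmentVariableWinDir
aliases: [WinDirEnvironmentVariable]
doc: The %WinDir% environment variable contains the path of the Windows directory, typically "C:\Windows".
sources:
- type: PATH
  attributes:
    paths:
    - '\Windows'
    - '\WinNT'
    - '\WINNT35'
    - '\WTSRV'
    separator: '\'
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment', value: 'windir'}
provides: [environ_windir]
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
---
name: WindowsEventLogApplication
doc: Application Windows Event Log.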
sources:
- type: FILE
  attributes:
    # Legacy EVT-format log only; the EVTX logs are covered by WindowsEventLogs below.
    paths: ['%%environ_systemroot%%\System32\config\AppEvent.evt']
    separator: '\'
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
---
name: WindowsEventLogPublishers
doc: Windows EventLog publishers (or providers) Registry keys.
sources:
- type: REGISTRY_KEY
  attributes:
    keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\*']
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html']
---
name: WindowsEventLogs
doc: Windows Event logs.
sources:
- type: FILE
  attributes:
    # Both the legacy EVT files and the Vista+ EVTX files.
    paths:
    - '%%environ_systemroot%%\System32\config\*.evt'
    - '%%environ_systemroot%%\System32\winevt\Logs\*.evtx'
    separator: '\'
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
---
name: WindowsEventLogSecurity
doc: Security Windows Event Log.
sources:
- type: FILE
  attributes:
    # Legacy EVT-format log only; see WindowsEventLogs for the EVTX equivalent.
    paths: ['%%environ_systemroot%%\System32\config\SecEvent.evt']
    separator: '\'
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
---
name: WindowsEventLogSources
aliases: [WindowsEventLogProviders]
doc: Windows EventLog sources Registry keys.
sources:
- type: REGISTRY_KEY
  attributes:
    # EventLog\<log name>\<source name>
    keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\*\*']
supported_os: [Windows]
urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/EventLog-keys.html']
---
name: WindowsEventLogSystem
doc: System Windows Event Log.
sources:
- type: FILE
  attributes:
    # Legacy EVT-format log only; see WindowsEventLogs for the EVTX equivalent.
    paths: ['%%environ_systemroot%%\System32\config\SysEvent.evt']
    separator: '\'
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
---
name: WindowsEventTracingLogFiles
doc: Event Tracing for Windows (ETW) log files.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_allusersappdata%%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\*.etl'
    - '%%environ_allusersappdata%%\Microsoft\DiagnosticLogCSP\Collectors\*.etl'
    - '%%environ_allusersappdata%%\Microsoft\Windows\wfp\*.etl'
    - '%%environ_allusersappdata%%\Microsoft\Windows Security Health\Logs\*.etl'
    - '%%environ_allusersappdata%%\USOShared\Logs\System\*.etl'
    - '%%users.localappdata%%\Microsoft\OneDrive\logs\Personal\*.etl'
    - '%%users.localappdata%%\Microsoft\Windows\Explorer\*.etl'
    - '%%users.localappdata%%\Packages\Microsoft.Windows.Photos_*\LocalState\*.etl'
    - '%%environ_systemroot%%\Logs\*\*.etl'
    - '%%environ_systemroot%%\Panther\*.etl'
    - '%%environ_systemroot%%\Security\Logs\*.etl'
    - '%%environ_systemroot%%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\*.etl'
    # The *.etl.0* patterns pick up the numbered copies next to the live *.etl files.
    - '%%environ_systemroot%%\System32\LogFiles\WMI\*.etl'
    - '%%environ_systemroot%%\System32\LogFiles\WMI\*.etl.0*'
    - '%%environ_systemroot%%\System32\LogFiles\WMI\RtBackup\*.etl'
    - '%%environ_systemroot%%\System32\SleepStudy\*.etl'
    - '%%environ_systemroot%%\System32\SleepStudy\ScreenOn\*.etl'
    - '%%environ_systemroot%%\System32\WDI\LogFiles\*.etl'
    - '%%environ_systemroot%%\System32\WDI\LogFiles\*.etl.0*'
    - '%%environ_systemroot%%\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\*\*.etl'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/event_tracing_for_windows_(etw)']
---
name: WindowsExcludeFromKnownDLLs
doc: ExcludeFromKnownDLLs can be used to bypass search order hijacking protection.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'ExcludeFromKnownDLLs'}]
supported_os: [Windows]
urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx']
---
name: WindowsExplorerAppKey
doc: Handlers for special keys on some keyboards (file path or CLSID).
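sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*', value: 'ShellExecute'}
supported_os: [Windows]
urls:
- 'http://answers.microsoft.com/en-us/windows/forum/windows_vista-hardware/assigning-the-special-keys-at-the-top-of-the/d1ab2e13-5297-457d-a8e8-bc2c883d8b58?db=5'
- 'http://h30434.www3.hp.com/t5/Notebook-Hardware/How-do-I-customize-the-Action-Keys/td-p/379207'
---
name: WindowsExplorerAutoplayHandlers
doc: Handlers for autoplay events in Windows Explorer.
sources:
- type: REGISTRY_KEY
  attributes:
    keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\*']
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa468474.aspx'
---
name: WindowsExplorerContextMenuHandlers
doc: Handlers for subcommands on context menu
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'CommandStateHandler'}
    - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'ExplorerCommandHandler'}
    - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*', value: 'command'}
    - {key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\*\command', value: 'DelegateExecute'}
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx'
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/cc144171(v=vs.85).aspx'
- 'http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commandstore-shell-windows-closewindow'
- 'http://www.checkfilename.com/view-details/Windows-7-Ultimate/RespageIndex/4/sTab/2/'
---
# The WindowsExplorerNamespace* artifacts below all follow the same layout: the
# native and Wow6432Node keys, under the machine hive, each user hive, and the
# per-session SessionInfo\* copies, with a DelegateFolders subkey for each.
name: WindowsExplorerNamespaceCommonPlaces
doc: CLSIDs listed here are used to populate the Common Places items.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\CommonPlaces\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\CommonPlaces\NameSpace\DelegateFolders'
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx'
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/commonplacesfolder.htm'
- 'http://www.windowrdb.com/w.php?w=hklm-software-microsoft-windows-currentversion-explorer-commonplaces'
---
name: WindowsExplorerNamespaceControlPanel
doc: CLSIDs listed here are used to populate the Control Panel items.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
    # NOTE(review): 'ControlPanel\NameSpaceWOW64' differs from the
    # 'ControlPanelWOW64\NameSpace\DelegateFolders' form used for the HKEY_USERS
    # entry right below — confirm which key actually exists.
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpaceWOW64\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanel\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanelWOW64\NameSpace'
    # NOTE(review): was '...\%%users.sid%%\Wow6432Node\Software\Microsoft\...';
    # reordered to 'Software\Wow6432Node\Microsoft', matching every other WOW64 key
    # in this list.
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\ControlPanelWOW64\NameSpace\DelegateFolders'
supported_os: [Windows]
urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127450(v=vs.85).aspx'
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/controlpanel.htm'
---
name: WindowsExplorerNamespaceDesktop
doc: CLSIDs listed here are used to populate the Desktop items.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
    # NOTE(review): was 'Software\Microsoft\Wow6432Node\Windows\...'; reordered to
    # 'Software\Wow6432Node\Microsoft', matching the HKEY_LOCAL_MACHINE key above.
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\Desktop\NameSpace\DelegateFolders'
supported_os: [Windows]
urls:
- 'https://social.technet.microsoft.com/Forums/windowsserver/en-US/2760309c-89d1-414c-a04c-ce4178e90787/hide-libraries-icon-from-desktop'
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm'
- 'http://www.geoffchappell.com/notes/windows/shell/controlpanel/desktopicons.htm'
- 'https://support.microsoft.com/en-us/kb/321777'
---
name: WindowsExplorerNamespaceMyComputer
doc: CLSIDs listed here are used to populate the MyComputer items.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
    # NOTE(review): was 'Software\Microsoft\Wow6432Node\Windows\...'; reordered to
    # 'Software\Wow6432Node\Microsoft', matching the HKEY_LOCAL_MACHINE key above.
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\MyComputer\NameSpace\DelegateFolders'
supported_os: [Windows]
urls:
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/mycomputer.htm'
- 'http://www.howtogeek.com/168081/how-to-remove-the-folders-from-my-computer-in-windows-8.1/'
- 'http://answers.microsoft.com/en-us/windows/forum/windows8_1-files/how-to-remove-these-folders-from-windows-81/777c4ba3-7853-453e-bfa0-9a0f4245b9e1?db=5'
---
name: WindowsExplorerNamespaceNetworkNeighborhood
doc: CLSIDs listed here are used to populate the Network Neighborhood items.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\NetworkNeighborhood\NameSpace\DelegateFolders'
supported_os: [Windows]
urls:
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm'
- 'http://www.lavasoft.com/mylavasoft/rogues/secretservice'
- 'http://www.wikihow.com/Manually-Remove-Macatte-Malware'
---
name: WindowsExplorerNamespacePrintersAndFaxes
doc: CLSIDs listed here are used to populate the Printer and Fax items.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\PrintersAndFaxes\NameSpace\DelegateFolders'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace'
    - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\*\PrintersAndFaxes\NameSpace\DelegateFolders'
supported_os: [Windows]
urls:
- 'http://www.geoffchappell.com/studies/windows/shell/shell32/classes/printers.htm'
---
name: WindowsFileTypeAutorunAssociations
doc: |
  Registry value for what application class identifier (CLSID) to launch for a
  file extension.

  Extension subkeys start with a dot. The '(Default)' value will be a ProgID,
  which points to another entry in HKCR specifying the command to run to open a
  file of the given type.

  The WindowsShellOpenCommand artifact is associated with these ProgID command
  invocations.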
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\.*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\.*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\.*', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\.*', value: ''} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms678415(v=vs.85).aspx' - 'https://docs.microsoft.com/en-us/windows/desktop/shell/fa-file-types' --- name: WindowsFirewallLogFile doc: Windows Firewall default logfile sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\logfiles\firewall\pfirewall.log'] separator: '\' supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/configure-the-windows-firewall-log'] --- name: WindowsFirewallEnabledRules doc: Command to list the enabled Windows Firewall rules. sources: - type: COMMAND attributes: args: ["advfirewall", "monitor", "show", "firewall", "rule", "name=all"] cmd: netsh.exe supported_os: [Windows] --- name: WindowsFirewallRules doc: Command to list the configured Windows Firewall rules. 
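sources:
- type: COMMAND
  attributes:
    args: ["advfirewall", "firewall", "show", "rule", "name=all"]
    cmd: netsh.exe
supported_os: [Windows]
---
name: WindowsGroupPolicyScripts
doc: |
  Local Group Policy scripts: user logon/logoff scripts and machine
  startup/shutdown scripts, together with the scripts.ini and psscripts.ini
  files that list which scripts run. Machine startup/shutdown scripts run in
  the SYSTEM context, so an entry added here is a privileged persistence
  mechanism; compare the ini contents against the script files actually
  present in the Logon/Logoff/Startup/Shutdown directories.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\psscripts.ini'
    - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\scripts.ini'
    - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logoff\*'
    - '%%environ_systemroot%%\System32\GroupPolicy\User\Scripts\Logon\*'
    - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\psscripts.ini'
    - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\scripts.ini'
    - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Shutdown\*'
    - '%%environ_systemroot%%\System32\GroupPolicy\Machine\Scripts\Startup\*'
    separator: '\'
supported_os: [Windows]
---
name: WindowsHostsFiles
doc: |
  The Windows hosts and lmhosts files. Entries here override DNS (hosts) and
  NetBIOS (lmhosts) name resolution for the whole machine, so they are a
  common way to redirect traffic or to block update and security vendor
  hostnames.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\Drivers\etc\Lmhosts'
    - '%%environ_systemroot%%\System32\Drivers\etc\hosts'
    separator: '\'
supported_os: [Windows]
---
name: WindowsHotkeyReplacement
doc: |
  Accessibility executables (Magnifier, Sticky Keys, Utility Manager) that can
  be launched from the logon screen before any user authenticates. Replacing
  one of these binaries with another program (for example a copy of cmd.exe)
  gives a SYSTEM shell at the logon screen. Collect them so their hashes and
  Authenticode signatures can be checked; the Image File Execution Options
  'Debugger' value is the other common way the same binaries are hijacked
  without modifying the files themselves.
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\magnifier.exe'
    - '%%environ_systemroot%%\System32\sethc.exe'
    - '%%environ_systemroot%%\System32\utilman.exe'
    separator: '\'
supported_os: [Windows]
---
name: WindowsInstallationDateTime
doc: Windows installation date and time
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'InstallDate'}
supported_os: [Windows]
---
name: WindowsLanguage
doc: The system language.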
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language', value: 'Default'} supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Language.html'] --- name: WindowsLogoffScript doc: Windows policy logoff script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logoff'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsLogonScript doc: Windows policy logon script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Logon'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/ff404236.aspx'] --- name: WindowsLSAAuthenticationPackages doc: Authentication Packages can be injected into LSASS. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Authentication Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Authentication Packages'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc963218.aspx' --- name: WindowsLSANotificationPackages doc: Notification Packages can be injected into LSASS. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Notification Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Notification Packages'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc963221.aspx' --- name: WindowsLSASecurityPackages doc: Security Packages can be injected into LSASS. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa', value: 'Security Packages'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig', value: 'Security Packages'} supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa379392(v=vs.85).aspx' - 'https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf' --- name: WindowsMapNetworkDriveMRU doc: Recently mapped network shares. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU'] supported_os: [Windows] --- name: WindowsMetroApplicationCache doc: Windows Metro application cache. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Packages\*\AC\INetCache'] separator: '\' supported_os: [Windows] urls: ['http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'] --- name: WindowsMetroApplicationCookies doc: Windows Metro application cookies. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Packages\*\AC\INetCookies'] separator: '\' supported_os: [Windows] urls: ['http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'] --- name: WindowsMetroApplicationHistory doc: Windows Metro application history. 
sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Packages\*\AC\INetHistory'] separator: '\' supported_os: [Windows] urls: ['http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'] --- name: WindowsMetroUserPinnedFavoriteTiles doc: Windows Metro user-pinned favorite tiles. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Microsoft\Windows\RoamingTiles'] separator: '\' supported_os: [Windows] urls: ['http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'] --- name: WindowsMostRecentApplication doc: Windows Most Recent Application name key sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\*\MostRecentApplication', value: 'Name'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\*\MostRecentApplication', value: 'Name'} supported_os: [Windows] urls: - 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_ransom.smc7' - 'https://www.symantec.com/security_response/writeup.jsp?docid=2014-092314-3644-99&tabid=2' --- name: WindowsMountedDevices doc: Windows mounted devices sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_LOCAL_MACHINE\System\MountedDevices']} supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Mounted-devices.html'] --- name: WindowsMSDTCDLLs doc: Windows MSDTC attempts to load these DLLs on start sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\MTxOCI\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\MSDTC\MTxOCI\*' supported_os: [Windows] urls: ['https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/'] --- name: WindowsMultiMediaDrivers doc: Configured drivers for different multimedia filetypes. 
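sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
    - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
    - 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
    - 'HKEY_USERS\%%users.sid%%\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\*'
supported_os: [Windows]
urls:
- 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610'
- 'https://support.microsoft.com/en-us/kb/126054'
- 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'
---
name: WindowsNetworkShellHelpers
doc: |
  Windows Network Shell (netsh) helper DLLs. Every DLL registered under these
  keys is loaded by netsh.exe each time it runs, so an attacker-registered
  helper executes whenever netsh is invoked (by an administrator, a script or
  a scheduled task); no reboot is needed for a new entry to take effect.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Netsh'
    - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Netsh'
supported_os: [Windows]
urls: ['https://support.microsoft.com/en-us/kb/242468']
---
name: WindowsOpenSaveMRU
doc: |
  Information about files opened or saved in a Windows shell dialog (the
  common dialog, ComDlg32, used by most applications).
sources:
- type: REGISTRY_KEY
  attributes:
    # ComDlg32 with a lower-case L, as in the OpenSavePidlMRU artifact below;
    # a misspelled key name never matches and silently collects nothing.
    keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\*']
supported_os: [Windows]
urls: ['https://forensics.wiki/opensavemru']
---
name: WindowsOpenSavePidlMRU
doc: Information about files opened or saved in a Windows shell dialog.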
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\*'] supported_os: [Windows] urls: ['https://forensics.wiki/opensavepidlmru'] --- name: WindowsPendingFileRenames doc: Windows Pending file renames on reboot sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'PendingFileRenameOperations'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc960241.aspx'] --- name: WindowsPendingGPOs doc: | Windows Pending GPOs registry settings. This is a persistence mechanism known to be used by the Gootkit malware family. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\IEAK\GroupPolicy\PendingGPOs', value: 'Path1'} supported_os: [Windows] urls: ['https://www.certego.net/en/news/malware-tales-gootkit/'] --- name: WindowsPersistenceMechanisms doc: Persistence mechanisms in Windows. sources: - type: ARTIFACT_GROUP attributes: names: - WindowsPersistenceRegistryKeys - WindowsPowerShellDefaultProfiles - WindowsServices supported_os: [Windows] --- name: WindowsPersistenceRegistryKeys doc: Windows Registry keys used for persistence. 
sources: - type: ARTIFACT_GROUP attributes: names: - InternetExplorerBrowserHelperObjects - WindowsActiveDesktop - WindowsActiveSyncAutoStart - WindowsAlternateShell - WindowsAppCertDLLs - WindowsAppInitDLLs - WindowsBootVerificationProgram - WindowsCommandProcessorAutoRun - WindowsCredentialProviderFilters - WindowsCredentialProviders - WindowsDebugger - WindowsEnvironmentUserLoginScripts - WindowsExplorerAutoplayHandlers - WindowsFileTypeAutorunAssociations - WindowsFontDrivers - WindowsIconServiceLib - WindowsLSAAuthenticationPackages - WindowsLSANotificationPackages - WindowsLSASecurityPackages - WindowsMSDTCDLLs - WindowsMultiMediaDrivers - WindowsNetworkShellHelpers - WindowsPendingGPOs - WindowsPLAPProviders - WindowsPrintMonitors - WindowsRunGrpConv - WindowsRunKeys - WindowsRunServices - WindowsScreenSaverExecutable - WindowsSearchFilterHandlers - WindowsSecurityProviders - WindowsServiceControlManagerExtension - WindowsSessionManagerBootExecute - WindowsSessionManagerExecute - WindowsSessionManagerS0InitialCommand - WindowsSessionManagerSetupExecute - WindowsSessionManagerSubSystems - WindowsSessionManagerWOWCommandLine - WindowsSetupCommandLine - WindowsSharedTaskScheduler - WindowsShellExecuteHooks - WindowsShellExtensions - WindowsShellIconOverlayIdentifiers - WindowsShellLoadAndRun - WindowsShellOpenCommand - WindowsShellRunasCommand - WindowsShellServiceObjects - WindowsStubPaths - WindowsSystemPolicyShell - WindowsTerminalServerInitialProgram - WindowsTerminalServerRunKeys - WindowsTerminalServerStartupPrograms - WindowsToolPaths - WindowsWinlogonAppSetup - WindowsWinlogonAvailableShells - WindowsWinlogonGinaDLL - WindowsWinlogonGPExtensions - WindowsWinlogonNotify - WindowsWinlogonShell - WindowsWinlogonSystem - WindowsWinlogonTaskman - WindowsWinlogonUiHost - WindowsWinlogonUserinit - WindowsWinlogonVMApplet - WinSock2LayeredServiceProviders - WinSock2NamespaceProviders supported_os: [Windows] --- name: WindowsPLAPProviders doc: Windows Pre-Logon 
Access Provider (PLAP) Providers sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/bb530584(v=vs.85).aspx'] --- name: WindowsPolicyDisallowRun doc: Restrict users from running specific applications, typically used by malware to block AV. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\*' supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/323525' - 'https://blog.malwarebytes.com/detections/pum-optional-disallowrun/' --- name: WindowsPortProxyConfiguration doc: Windows PortProxy registry keys (set by netsh portproxy command or manually). sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\*\*\*' supported_os: [Windows] urls: - 'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html' - 'https://adepts.of0x.cc/netsh-portproxy-code/' - 'https://www.dfirnotes.net/portproxy_detection/' --- name: WindowsPowerShellDefaultProfiles doc: Default PowerShell Profile files. These files are executed by default when PowerShell starts up. 
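sources:
- type: FILE
  attributes:
    # Windows PowerShell 5.x: AllUsers profiles under $PSHOME, CurrentUser
    # profiles under Documents\WindowsPowerShell. The ISE has its own
    # host-specific profile name. PowerShell 7 keeps CurrentUser profiles under
    # Documents\PowerShell; its AllUsers profile lives under the PowerShell 7
    # install directory and is not covered here.
    paths:
    - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\profile.ps1'
    - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
    - '%%environ_systemroot%%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShellISE_profile.ps1'
    - '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
    - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
    - '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1'
    - '%%users.userprofile%%\Documents\PowerShell\profile.ps1'
    - '%%users.userprofile%%\Documents\PowerShell\Microsoft.PowerShell_profile.ps1'
    separator: '\'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010'
- 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/'
---
name: WindowsPowerShellEnableScripts
doc: |
  Group Policy registry value that controls whether PowerShell scripts may
  execute (the 'Turn on Script Execution' policy). The companion
  ExecutionPolicy value in the same key holds the policy name.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'EnableScripts'}
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/library/hh847748.aspx'
- 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/'
---
name: WindowsPowerShellExecutionPolicies
doc: |
  PowerShell script execution policy for each user and for the machine, as
  set by Group Policy. The execution policy is a safety feature, not a
  security boundary: it can be overridden per process (for example with
  -ExecutionPolicy Bypass), so an unexpected 'Unrestricted' or 'Bypass' value
  is a useful indicator, but a restrictive value does not prevent script
  execution.
sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell', value: 'ExecutionPolicy'}
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/library/hh847748.aspx'
- 'http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/'
---
name: WindowsPowerShellHistory
doc: History of commands executed in an interactive PowerShell session.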
sources: - type: FILE attributes: paths: ['%%users.appdata%%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'] separator: '\' supported_os: [Windows] urls: - 'https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html' - 'https://docs.microsoft.com/en-us/powershell/module/psreadline/get-psreadlineoption?view=powershell-7.1' --- name: WindowsPrefetchFiles doc: Windows Prefetch files. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\Prefetch\*.pf'] separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/prefetch'] --- name: WindowsPrintMonitors doc: Windows Print Monitor DLL config. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\*', value: 'Driver'}] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://support.microsoft.com/en-us/kb/102966' --- name: WindowsProductName doc: The Windows product name sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ProductName'}]} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- name: WindowsProgramsCache doc: Windows Programs Cache sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage', value: 'ProgramsCache'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCache'} supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/Programs%20Cache%20values.asciidoc'] --- name: WindowsProgramsCacheJumpLists doc: Windows Programs Cache Jump Lists sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 
'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheSMP'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2', value: 'ProgramsCacheTBP'} supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsProxyPACAutoConfigURL doc: Windows Proxy PAC AutoConfigURL. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'AutoConfigURL'} supported_os: [Windows] urls: ['https://blogs.msdn.microsoft.com/askie/2015/07/17/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp/'] --- name: WindowsProxyServerSettings doc: | Windows Proxy Server Settings. Malware can modify these settings to redirect traffic through a malicious program running on the machine (for instance, by specifying 127.0.0.1 as the IP address of the proxy server to use) or to a malicious host on the local network or internet. 
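sources:
- type: REGISTRY_VALUE
  attributes:
    key_value_pairs:
    - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
    - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
    - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings', value: 'ProxyServer'}
    - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'}
    - {key: 'HKEY_USERS\%%users.sid%%\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies', value: 'ProxyServer'}
supported_os: [Windows]
urls: ['https://blog.malwarebytes.com/detections/pum-optional-proxyhijacker/']
---
name: WindowsRecentFileCacheBCF
doc: The RecentFileCache.bcf file.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemroot%%\AppCompat\Programs\RecentFileCache.bcf']
    separator: '\'
supported_os: [Windows]
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html']
---
name: WindowsRecycleBin
doc: |
  Windows Recycle Bin (Recycler, $Recycle.Bin) files: both the per-user
  metadata entries and the deleted file contents. Use WindowsRecycleBinMetadata
  when only the deletion records are needed.
sources:
- type: FILE
  attributes:
    paths:
    - '\$Recycle.Bin\**'
    - '\Recycler\**'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/windows#recycle-bin']
---
name: WindowsRecycleBinMetadata
doc: |
  Windows Recycle Bin (Recycler, $Recycle.Bin) metadata files only: the $I
  records (Vista and later) and the INFO2 file (XP-era Recycler), which hold
  the original path and deletion time of each entry without the file content.
sources:
- type: FILE
  attributes:
    paths:
    - '\$Recycle.Bin\*\$I*'
    - '\Recycler\*\INFO2'
    separator: '\'
supported_os: [Windows]
urls: ['https://forensics.wiki/windows#recycle-bin']
---
name: WindowsRegistryCurrentControlSet
aliases: [CurrentControlSet]
doc: The current control set of the Windows Registry.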
sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]} provides: [current_control_set] supported_os: [Windows] urls: ['https://github.com/libyal/winreg-kb/blob/main/documentation/System%20keys.asciidoc'] --- name: WindowsRegistryFilesAndTransactionLogs doc: Windows user and system Registry files and transaction logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsSystemRegistryFiles' - 'WindowsSystemRegistryTransactionLogFiles' - 'WindowsUserRegistryFiles' - 'WindowsUserRegistryTransactionLogFiles' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsRegistryProfiles doc: | Get SIDs for all users on the system with profiles present in the Registry. This looks in the Windows Registry where the profiles are stored and retrieves the paths for each profile. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*', value: 'ProfileImagePath'}]} provides: [users.sid, users.userprofile, users.homedir, users.username] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx'] --- name: WindowsReleaseIdentifier doc: | The Windows 10 release identifier (or version number). This Windows Registry value contains the semi-annual Windows 10 version number. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'ReleaseID'}]} supported_os: [Windows] urls: ['https://www.microsoft.com/en-us/itpro/windows-10/release-information'] --- name: WindowsRoverAutostartDLL doc: | Windows Rover autostart DLL. The DLL loaded via the Windows Rover autostart mechanism. If this file exists, and the Rover autostart Registry key is set, userinit.exe will load this file and call its RunMonitor export. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\rover.dll'] separator: '\' supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/'] --- name: WindowsRoverAutostartKey doc: | Windows Rover autostart Registry key. When set userinit.exe will load the DLL at %SystemRoot%\System32\rover.dll and call its RunMonitor export. sources: - type: REGISTRY_KEY attributes: {keys: ['HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}']} supported_os: [Windows] urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/'] --- name: WindowsRunGrpConv doc: | The Windows RunGrpConv Registry value. When this Registry value is non-zero userinit.exe will launch grpconv.exe at user login. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv'}]} supported_os: [Windows] urls: - 'http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/' - 'http://www.exploit-id.com/local-exploits/windows-xp-sp2-grpconv-exe' --- name: WindowsRunKeys doc: | Windows Run and RunOnce keys. Note users.sid will currently only expand to SIDs with profiles on the system, not all SIDs. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*' supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376977%28v=vs.85%29.aspx' - 'https://support.microsoft.com/en-us/kb/137367' - 
'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/magazine/ee851671.aspx' --- name: WindowsRunServices doc: Windows Run Services. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunServices\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*' supported_os: [Windows] urls: - 'https://support.microsoft.com/en-us/kb/179365' - 'https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html' --- name: WindowsScheduledTasks doc: Windows Scheduled Tasks. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\Tasks\**10' - '%%environ_systemroot%%\System32\Tasks\**10' - '%%environ_systemroot%%\SysWow64\Tasks\**10' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/windows#scheduled-tasks'] --- name: WindowsScreenSaverExecutable doc: ScreenSaver Executable sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\Control Panel\Desktop', value: 'scrnsave.exe'} - {key: 'HKEY_USERS\%%users.sid%%\Control Panel\Desktop', value: 'scrnsave.exe'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://technet.microsoft.com/en-us/library/cc737855(v=ws.10).aspx' - 'https://technet.microsoft.com/en-us/library/cc957840.aspx' --- name: WindowsSearchDatabase doc: Windows Search database (Windows.edb). sources: - type: FILE attributes: paths: ['%%environ_allusersappdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb'] separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/windows_desktop_search'] --- name: WindowsSearchFilterHandlers doc: | Windows Search filter handlers configured for file types and applications. Windows Search loads DLLs that implement the IFilter interface in order to scan files for text and extract certain types of information. Malware can replace the filter handler for a given file type or CLSID with itself to gain execution when a search operation is performed on that file. Search operations can be performed indirectly in a number of cases; for instance, the .txt, .html, and .rtf filter handlers are invoked when indexing email message bodies. The filter handler to use is specified indirectly via a persistent handler. The persistent handler GUID is indicated via the PersistentHandler subkey for a file type or application GUID. 
The filter handler CLSID is indicated via the PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} subkey under the persistent handler GUID key path. This artifact inspects both of these paths. NOTE: Only the HKEY_LOCAL_MACHINE root key needs be checked, because these are the only keys used. SearchFilterHost.exe runs under the SYSTEM account, which does not have access to HKEY_CURRENT_USER. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentHandler', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}', value: ''} supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-about' - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-implementations' - 'https://docs.microsoft.com/en-us/windows/desktop/search/-search-ifilter-registering-filters' --- name: WindowsSecurityProviders doc: Security Providers DLLs sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*'] supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://github.com/wmark/security-configuration/blob/master/Windows/disable-weak-ciphers-and-enable-TLS1.x.reg' --- name: WindowsServiceControlManagerExtension doc: Windows service control manager extension sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control', value: 'ServiceControlManagerExtension'}] supported_os: [Windows] urls: - 'http://forum.sysinternals.com/autoruns-and-windows-7_topic19770.html' - 'https://support.microsoft.com/en-us/kb/102985' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.silentrunners.org/Silent%20Runners.vbs' --- name: WindowsServices doc: Windows service and driver configurations. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*'] supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ServicesAndDrivers.html'] --- name: WindowsActionCenterSettings doc: | Windows Action Center Settings Malware can modify these keys to disable notifications that occur when various security features are disabled. One malware family known to modify these keys is Kovter, a well-known trojan. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Action Center\Checks\{e8433b72-5842-4d43-8645-bc2c35960837}.check.*', value: 'CheckSetting'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance', value: 'Enabled'} supported_os: [Windows] urls: - 'https://winaero.com/blog/registry-tweak-to-disable-action-center-notifications-in-windows-7/' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html' - 
'https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/' --- name: WindowsBootConfigurationSettings doc: Windows Boot Configuration Settings sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\16000009', value: 'Element'} - {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\250000e0', value: 'Element'} supported_os: [Windows] urls: ['https://forensics.wiki/windows_boot_configuration_data'] --- name: WindowsDisallowedSystemCertificates doc: | Windows Disallowed System Certificates Malware can add code-signing certificates associated with antivirus programs to the disallowed list to prevent the AV programs from running. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' - 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\*' supported_os: [Windows] urls: - 'https://blog.malwarebytes.com/detections/pum-optional-misplacedcertificate/' --- name: WindowsExplorerSettings doc: | Windows Explorer Settings Malware can modify these keys to make it more difficult for the user to detect and remove malicious software. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'HideSCAHealth'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 
'HideSCAHealth'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoFolderOptions'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoRun'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'NoViewContextMenu'} - {key: 
'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowControlPanel'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer', value: 'TaskbarNoNotification'} supported_os: [Windows] urls: - 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html' - 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_mandrom.e' - 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_deleter.ah' - 'https://blog.malwarebytes.com/detections/pum-optional-disabledrightclick/' - 'https://blog.malwarebytes.com/detections/pum-optional-disableshowcontrolpanel/' --- name: WindowsSystemSettings doc: | Windows System Settings Malware can modify these keys to make it more difficult for the user to detect and remove malicious software. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableCAD'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableRegistryTools'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'DisableTaskMgr'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'NoDispCPL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 
'NoDispCPL'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows\System', value: 'DisableCMD'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows\System', value: 'DisableCMD'} supported_os: [Windows] urls: - 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html' - 'https://www.thewindowsclub.com/enable-disable-command-prompt-windows' - 'https://blog.malwarebytes.com/detections/pum-optional-disableregistrytools/' - 'https://blog.malwarebytes.com/detections/pum-optional-disabletaskmgr/' - 'https://www.stigviewer.com/stig/windows_7/2014-04-02/finding/V-1154' - 'https://blog.malwarebytes.com/detections/pum-optional-nodispcpl/' - 'https://blog.malwarebytes.com/detections/pum-optional-disablecmdprompt/' --- name: WindowsFirewallAuthorizedApplications doc: | Windows Firewall Authorized Applications Malware can add paths to this list to more easily communicate over the network on an infected machine. For instance, Emotet modifies some of these settings after gaining execution. 
sources: - type: REGISTRY_KEY attributes: keys: # Windows XP and 2003 - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\*' # Windows Vista and later - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\*' supported_os: [Windows] urls: - 'https://threatvector.cylance.com/en_us/home/threat-spotlight-eyepyramid-malware.html' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0524-0531.html' --- name: WindowsFirewallGloballyOpenPorts doc: | Windows Firewall Globally Open Ports Malware can add to the list of open ports to avoid having to create Windows Firewall exceptions tied to specific applications. 
sources: - type: REGISTRY_KEY attributes: keys: # Windows XP and 2003 - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\*' - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List\*' # Windows Vista and later - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts\List\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\*' supported_os: [Windows] urls: - 'https://qaforce.wordpress.com/2009/10/06/windows-firewall-registry-keys/' - 'https://github.com/steeve85/Malwares/wiki/Registry' --- name: WindowsFirewallPolicySettings doc: | Windows Firewall Policy Settings Malware can modify these settings to more easily communicate over the network on an infected machine. For instance, Emotet modifies some of these settings after gaining execution. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'EnableFirewall'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DisableNotifications'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DoNotAllowExceptions'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultInboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile', value: 'DefaultOutboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'EnableFirewall'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DisableNotifications'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DoNotAllowExceptions'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultInboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile', value: 'DefaultOutboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'EnableFirewall'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DisableNotifications'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DoNotAllowExceptions'} - {key: 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultInboundAction'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', value: 'DefaultOutboundAction'} supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-enablefirewall' - 'https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc-privateprofile-disablenotifications' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' --- name: WindowsSecurityCenterSettings doc: | Windows Security Center Settings Malware can modify these settings to avoid detection on an infected machine. For instance, Emotet modifies some of these settings after gaining execution. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiSpyWareDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AntiVirusOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AntiVirusOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'AutoUpdateDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 
'FirewallDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'FirewallOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'FirewallOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UpdatesOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UpdatesOverride'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center', value: 'UacDisableNotify'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Security Center', value: 'UacDisableNotify'} supported_os: [Windows] urls: - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' - 'https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking' - 'https://ccm.net/faq/1446-disabling-security-alerts-under-vista' --- name: WindowsSystemRestoreSettings doc: | Windows System Restore Settings Some malware, especially ransomware, will disable system restore to make system recovery more difficult. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableConfig'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'} supported_os: [Windows] urls: - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' - 'https://www.windows-commandline.com/enable-disable-system-restore-service/' - 'https://docs.microsoft.com/en-us/windows/desktop/msi/limitsystemrestorecheckpointing' --- name: WindowsUserAccountControlSettings doc: | Windows User Account Control Settings Malware sometimes disables UAC to make it easier to perform actions on an infected machine. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'} supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html' - 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4' --- name: WindowsUpgradeSettings doc: | Windows Upgrade Settings Malware sometimes disables a machine's ability to upgrade from previous versions of Windows to Windows 10. One malware family known to modify these keys is Kovter, a well-known trojan. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate', value: 'DisableOSUpgrade'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate', value: 'DisableOSUpgrade'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade', value: 'ReservationsAllowed'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade', value: 'ReservationsAllowed'} supported_os: [Windows] urls: - 'https://www.ghacks.net/2016/01/08/disableosupgrade-prevents-the-upgrade-to-windows-10/' - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html' --- name: WindowsUpdateSettings doc: Windows Update Settings sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'} supported_os: [Windows] urls: - 'https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings' - 'https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html' --- name: WindowsFontDrivers doc: Windows font drivers from the Registry. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers\*' supported_os: [Windows] urls: - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsSessionManagerBootExecute doc: Windows Session Manager BootExecute persistence. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'BootExecute'}] supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc963230.aspx'] --- name: WindowsSessionManagerExecute doc: | Windows Session Manager Execute persistence This entry shouldn't be populated after Windows has been installed sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'Execute'}] supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc976130.aspx' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsSessionManagerS0InitialCommand doc: | Windows Session Manager S0InitialCommand persistence This entry shouldn't be populated after Windows has been installed sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'S0InitialCommand'}] supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsSessionManagerSetupExecute doc: | Windows Session Manager SetupExecute persistence This entry shouldn't be populated after Windows has been installed sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager', value: 'SetupExecute'}] supported_os: [Windows] urls: - 'https://msdn.microsoft.com/en-us/library/windows/desktop/dd392286%28v=vs.85%29.aspx' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsSessionManagerSubSystems doc: Windows Session Manager SubSystems persistence sources: - type: REGISTRY_VALUE attributes: key_value_pairs: [{key: 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems', value: 'Windows'}] supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/cc976130.aspx' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' --- name: WindowsSessionManagerWOWCommandLine doc: Windows Session Manager Windows-on-Windows (WOW) command line sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'cmdline'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW', value: 'wowcmdline'} supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/102986'] --- name: WindowsSetupCommandLine doc: Command line invocation used for custom setup and deployment tasks sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\Setup', value: 'CmdLine'} supported_os: [Windows] urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] --- name: WindowsSharedTaskScheduler doc: Runs on Windows boot. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/' --- name: WindowsShellExecuteHooks doc: Shell execution hooks are called when ShellExecuteEx() is called. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' - 'https://code.google.com/p/regripper/wiki/ASEPs' --- name: WindowsShellExtensions doc: Approved extensions to the Windows Shell (explorer.exe). sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110(v=vs.85).aspx'] --- name: WindowsShellHandlersRegistryKeys doc: | Windows registry values for shell handler artifacts. ContextMenuHandlers are added to right-click menus. CopyHookHandlers, DragDropHandlers, and ColumnHandlers are similar contextual settings to trigger on these actions. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ColumnHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\PropertySheetHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ColumnHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\*\ShellEx\PropertySheetHandlers\*' - 
'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Directory\Background\ShellEx\PropertySheetHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ColumnHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\ShellEx\PropertySheetHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\ContextMenuHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\CopyHookHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\DragDropHandlers\*' - 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\Directory\Background\ShellEx\PropertySheetHandlers\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.codeguru.com/cpp/com-tech/shell/article.php/c4515/Logging-the-Shell-Activity.htm' - 'http://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/troj_qoolaid.r' --- name: WindowsShellIconOverlayIdentifiers doc: Called to display custom icons. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/hh127455(v=vs.85).aspx' --- name: WindowsShellLoadAndRun doc: Windows Shell Load and Run values sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Load'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'} supported_os: [Windows] urls: ['https://support.microsoft.com/en-us/kb/103865'] --- name: WindowsIconServiceLib doc: | Windows Icon Service Library Name The value should default to 'IconCodecService.dll' sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'IconServiceLib'} supported_os: [Windows] urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] --- name: WindowsShellOpenCommand doc: Executed every time this file type is opened. For most file types, the value should be '"%1" %*'. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\open\command', value: 'IsolatedCommand'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\open\command', value: 'IsolatedCommand'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\open\command', value: 'IsolatedCommand'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' - 'https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/' --- name: WindowsShellRunasCommand doc: | Executed every time an executable or script file type is run as administrator. For most file types, the value should be '"%1" %*' or something similar. Example file type subkeys include 'exefile', 'batfile', and 'cmdfile'. These keys can be modified by malware as a way to be periodically executed or to bypass UAC. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand'} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\*\shell\runas\command', value: 'IsolatedCommand'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: ''} - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\*\shell\runas\command', value: 'IsolatedCommand'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' - 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/' --- name: WindowsShellServiceObjects doc: Windows Shell (explorer.exe) service objects delayed load. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' supported_os: [Windows] urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2'] --- name: WindowsSetupApiLogs doc: Windows setup API logs. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\setupapi.log' - '%%environ_systemroot%%\inf\setupapi.app.log' - '%%environ_systemroot%%\inf\setupapi.dev.log' - '%%environ_systemroot%%\inf\setupapi.offline.log' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/setup_api_logs'] --- name: WindowsShutdownScript doc: Windows policy shutdown script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Shutdown'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\*', value: 'Script'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\*', value: 'Parameters'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\*\*', value: 'Script'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\*\*', value: 'Parameters'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/ff404236.aspx' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsStartupFolderModification doc: Windows startup folder Registry values. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Common Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', value: 'Startup'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Common Startup'} - {key: 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', value: 'Startup'} supported_os: [Windows] --- name: WindowsStartupFolders doc: Windows startup folder persistence. sources: - type: FILE attributes: paths: - '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*' - '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*' - '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*' - '%%users.userprofile%%\Start Menu\Programs\Startup\*' separator: '\' supported_os: [Windows] --- name: WindowsStartupScript doc: Windows policy startup script sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts', value: 'Startup'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Script'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\*', value: 'Parameters'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Script'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\*\*', value: 'Parameters'} supported_os: [Windows] urls: - 'https://technet.microsoft.com/en-us/library/ff404236.aspx' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsStubPaths doc: | Windows StubPath persistence. Each time a user logs in, the Active Setup Installed Components in HKLM are compared to the ones in HKCU, and if any are missing, or if the associated version is lower, the program is executed.
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Active Setup\Installed Components\*', value: 'Version'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'StubPath'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*', value: 'Version'} supported_os: [Windows] urls: - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' - 'http://bonemanblog.blogspot.com/2004/12/active-setup-registry-keys-and-their.html' --- name: WindowsSuperFetchFiles doc: Windows SuperFetch files. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\Prefetch\Ag*.db' - '%%environ_systemroot%%\Prefetch\Ag*.db.trx' separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/superfetch'] --- name: WindowsSystemIniFiles doc: Windows system ini files sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\system.ini' - '%%environ_windir%%\win.ini' - '%%environ_windir%%\wininit.ini' separator: '\' supported_os: [Windows] --- name: WindowsSystemPolicyShell doc: Windows System policy replacement shell (custom user interface). 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'Shell'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc728472(v=ws.10).aspx'] --- name: WindowsSystemRegistryFilesBackup doc: Backup of Windows system Registry files. sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\config\RegBack\SAM' - '%%environ_systemroot%%\System32\config\RegBack\SECURITY' - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE' - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsSystemRegistryTransactionLogFilesBackup doc: | Backup of Windows system Registry transaction log files. These files have been observed to typically be 0 bytes in size.
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG' - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG1' - '%%environ_systemroot%%\System32\config\RegBack\SAM.LOG2' - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG' - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG1' - '%%environ_systemroot%%\System32\config\RegBack\SECURITY.LOG2' - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG' - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG1' - '%%environ_systemroot%%\System32\config\RegBack\SOFTWARE.LOG2' - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG' - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG1' - '%%environ_systemroot%%\System32\config\RegBack\SYSTEM.LOG2' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsSystemRegistryFilesAndTransactionLogsBackup doc: Backup of Windows system Registry files and transaction logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsSystemRegistryFilesBackup' - 'WindowsSystemRegistryTransactionLogFilesBackup' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsSystemRegistryFiles doc: Windows system Registry files. sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\System Volume Information\Syscache.hve' - '%%environ_systemroot%%\System32\config\SAM' - '%%environ_systemroot%%\System32\config\SECURITY' - '%%environ_systemroot%%\System32\config\SOFTWARE' - '%%environ_systemroot%%\System32\config\SYSTEM' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsSystemRegistryTransactionLogFiles doc: Windows system Registry transaction log files. 
sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\System32\config\SAM.LOG' - '%%environ_systemroot%%\System32\config\SAM.LOG1' - '%%environ_systemroot%%\System32\config\SAM.LOG2' - '%%environ_systemroot%%\System32\config\SECURITY.LOG' - '%%environ_systemroot%%\System32\config\SECURITY.LOG1' - '%%environ_systemroot%%\System32\config\SECURITY.LOG2' - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG' - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG1' - '%%environ_systemroot%%\System32\config\SOFTWARE.LOG2' - '%%environ_systemroot%%\System32\config\SYSTEM.LOG' - '%%environ_systemroot%%\System32\config\SYSTEM.LOG1' - '%%environ_systemroot%%\System32\config\SYSTEM.LOG2' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsSystemRegistryFilesAndTransactionLogs doc: Windows system Registry files and transaction logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsSystemRegistryFiles' - 'WindowsSystemRegistryTransactionLogFiles' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsSystemResourceUsageMonitorDatabaseFile doc: Windows System Resource Usage Monitor (SRUM) database file. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\sru\SRUDB.dat'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/SystemResourceUsageMonitor.html'] --- name: WindowsTempDirectories doc: Contents of the Windows temporary directories sources: - type: FILE attributes: paths: - '%%environ_systemdrive%%\Temp\*' - '%%environ_systemroot%%\Temp\*' - '%%users.localappdata%%\Temp\*' separator: '\' supported_os: [Windows] --- name: WindowsTerminalServerRunKeys doc: Windows Terminal Server Run keys sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' - 
'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx\*' - 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\*' supported_os: [Windows] urls: ['http://gladiator-antivirus.com/forum/index.php?showtopic=24610'] --- name: WindowsTerminalServerStartupPrograms doc: Windows Terminal Server Startup Programs sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd', value: 'StartupPrograms'} supported_os: [Windows] urls: ['http://forum.sysinternals.com/rdpclip_topic4729.html'] --- name: WindowsTerminalServerInitialProgram doc: Windows Terminal Server Initial Program sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', value: 'InitialProgram'} - {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services', value: 'InitialProgram'} supported_os: [Windows] urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] --- name: WindowsRDPClientBitmapCache doc: Artifacts of RDP connection contents sources: - type: FILE attributes: paths: ['%%users.localappdata%%\Microsoft\Terminal Server Client\Cache\*.*'] 
separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/windows#rdp-bitmap-cache'] --- name: WindowsActiveSyncAutoStart doc: Windows ActiveSync AutoStart entries sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnConnect\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect\*' - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect\*' supported_os: [Windows] urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] --- name: WindowsTimezone aliases: [WinTimeZone] doc: The time zone of the system as a Windows time zone name or in MUI form. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'StandardName'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation', value: 'TimeZoneKeyName'} provides: [time_zone] supported_os: [Windows] urls: ['https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Time-zones.html'] --- name: WindowsToolPaths doc: Paths to Windows tools such as defrag and chkdsk.
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath' - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.liutilities.com/products/registrybooster/tweaklibrary/tweaks/11118/' --- name: WindowsUninstallKeys doc: Uninstall Registry keys sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' - 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\*' supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/aa372105(v=vs.85).aspx'] --- name: WindowsUpdateBuildRevision doc: | Windows kernel update build revision (UBR). This Windows Registry value contains the monthly rollup patch version. sources: - type: REGISTRY_VALUE attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion', value: 'UBR'}]} supported_os: [Windows] urls: ['https://social.technet.microsoft.com/Forums/en-US/cadee4de-24d0-403e-9f3e-75868abf8f34'] --- name: WindowsUpdateStatus doc: Windows auto update status. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect', value: 'LastSuccessTime'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download', value: 'LastSuccessTime'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastError'} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install', value: 'LastSuccessTime'} supported_os: [Windows] urls: - 'https://forensics.wiki/windows_update' - 'http://blogs.msdn.com/b/aruns_blog/archive/2011/06/20/active-setup-registry-key-what-it-is-and-how-to-create-in-the-package-using-admin-studio-install-shield.aspx' --- name: WindowsUserAutomaticDestinationsJumpLists doc: Windows user AutomaticDestinations Jump Lists. sources: - type: FILE attributes: paths: ['%%users.appdata%%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsUserCustomDestinationsJumpLists doc: Windows user CustomDestinations Jump Lists. sources: - type: FILE attributes: paths: ['%%users.appdata%%\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsUserJumpLists doc: Windows user Jump Lists. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsProgramsCacheJumpLists' - 'WindowsUserAutomaticDestinationsJumpLists' - 'WindowsUserCustomDestinationsJumpLists' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/JumpLists.html'] --- name: WindowsUserRecentFiles doc: Windows user specific recent files. sources: - type: FILE attributes: paths: - '%%users.appdata%%\Microsoft\Office\Recent\*' - '%%users.appdata%%\Microsoft\Windows\Recent\*' separator: '\' supported_os: [Windows] --- name: WindowsUserRegistryFiles doc: Windows user specific Registry files. sources: - type: FILE attributes: paths: - '%%users.userprofile%%\NTUSER.DAT' - '%%users.userprofile%%\NTUSER.MAN' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsUserRegistryTransactionLogFiles doc: Windows user Registry transaction log files. sources: - type: FILE attributes: paths: - '%%users.userprofile%%\NTUSER.DAT.LOG' - '%%users.userprofile%%\NTUSER.DAT.LOG1' - '%%users.userprofile%%\NTUSER.DAT.LOG2' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1' - '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2' separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsUserRegistryFilesAndTransactionLogs doc: Windows user Registry files and transaction logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'WindowsUserRegistryFiles' - 'WindowsUserRegistryTransactionLogFiles' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RegistryFiles.html'] --- name: WindowsUserShellFolders doc: The Shell Folders information for Windows users. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*' - 'HKEY_USERS\%%users.sid%%\Environment\*' - 'HKEY_USERS\%%users.sid%%\Volatile Environment\*' provides: - users.cookies - users.appdata - users.personal - users.startup - users.homedir - users.desktop - users.internet_cache - users.localappdata - users.localappdata_low - users.recent - users.userprofile - users.temp supported_os: [Windows] --- name: WindowsWinlogonGinaDLL doc: Windows Gina DLL replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'GinaDLL'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonNotify doc: Windows Winlogon Notify DLL names. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*', value: 'DLLName'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa379402(v=vs.85).aspx'] --- name: WindowsWinlogonShell doc: Windows shell replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Shell'} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx'] --- name: WindowsWinlogonSystem doc: Applications launched by Winlogon in the system context during the system initialisation. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'System'} supported_os: [Windows] urls: - 'https://code.google.com/p/regripper/wiki/ASEPs' - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://regenerus.com/malware-common-loadpoints/' --- name: WindowsWinlogonTaskman doc: Windows Winlogon Taskman replacement. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Taskman'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonUiHost doc: Windows Winlogon UI screen application sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'UiHost'} supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'http://www.bleepingcomputer.com/forums/t/14028/change-the-loginwelcome-screen/' --- name: WindowsWinlogonUserinit doc: Windows Winlogon Userinit replacement. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'Userinit'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939862.aspx'] --- name: WindowsWinlogonAvailableShells doc: | Windows Server Winlogon Available Shells Used to specify an alternate shell application to be launched when logging into Windows Server 2012 and later. Legitimate keys under AvailableShells should just cause cmd.exe or explorer.exe to be executed, whereas malicious programs may create keys that cause malware to be run when a user logs in. sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells\*'] supported_os: [Windows] urls: - https://andymorgan.wordpress.com/2012/03/30/changing-the-default-shell-of-windows-server-8-core/ - https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 --- name: WindowsWinlogonVMApplet doc: Windows VMApplet replacement. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} - {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'VMApplet'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinstart doc: Windows winstart.bat file sources: - type: FILE attributes: paths: - '%%environ_windir%%\winstart.bat' - '%%environ_windir%%\dosstart.bat' separator: '\' supported_os: [Windows] --- name: WindowsWinlogonAppSetup doc: Windows Winlogon Appsetup sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'AppSetup'} supported_os: [Windows] urls: ['https://technet.microsoft.com/en-us/library/cc939701.aspx'] --- name: WindowsWinlogonGPExtensions doc: | Windows Winlogon Group Policy Extensions These keys specify DLLs that should be loaded when the group policy engine loads, and can act as a persistence mechanism for malware. sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: ''} - {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*', value: 'DllName'} supported_os: [Windows] urls: ['https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2'] --- name: WindowsXMLEventLogApplication doc: Application Windows XML Event Log. 
sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Application.evtx'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogSecurity doc: Security Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogSysmon doc: Sysmon Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogSystem doc: System Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WindowsXMLEventLogTerminalServices doc: TerminalServices Windows XML Event Log. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'] separator: '\' supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] --- name: WinSock2LayeredServiceProviders doc: Used to filter TCP/IP traffic through WinSock2. 
sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*' - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*' supported_os: [Windows] urls: - 'http://gladiator-antivirus.com/forum/index.php?showtopic=24610' - 'https://en.wikipedia.org/wiki/Layered_Service_Provider' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WinSock2NamespaceProviders doc: Used to provide name-resolution services through WinSock2 sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*', value: 'LibraryPath'} - {key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*', value: 'LibraryPath'} supported_os: [Windows] urls: - 'https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99&tabid=2' - 'http://www.nirsoft.net/utils/winsock_service_providers.html' - 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms739923(v=vs.85).aspx' - 'https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2' --- name: WindowsSecuritySettingsDatabases doc: Windows security settings databases (secedit.sdb and spsecupd.sdb) sources: - type: FILE attributes: paths: - '%%environ_systemroot%%\security\Database\secedit.sdb' - '%%environ_systemroot%%\security\templates\spsecupd.sdb' separator: '\' supported_os: [Windows] --- name: WindowsStartupInfo doc: | StartupInfo XML files. The files include the user account's Security Identifier (SID) in the name and there could be up to 5 per user account. They contain a list of processes that were executed within the first 90 seconds from the time the user logged in. 
The info includes start time, the full command line and the parent process info, among other things. sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\WDI\LogFiles\StartupInfo\*.xml'] separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/windows#startup-info'] --- name: WindowsTileDataLayerDatabase doc: | Windows tile data layer database (vedatamodel.edb) The tile data layer database is used to store information about Start Tiles. sources: - type: FILE attributes: paths: ['%%users.localappdata%%\TileDataLayer\Database\vedatamodel.edb'] separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/extensible_storage_engine_(ese)_database_file_(edb)_format#tile-data-layer-database'] --- name: WindowsUpdateLogFile doc: Windows Update log files. sources: - type: FILE attributes: paths: - '%%environ_programdata%%\USOShared\Logs\System\*.etl' - '%%environ_systemroot%%\Logs\CBS\CBS*.log' - '%%environ_systemroot%%\Logs\WindowsUpdate\WindowsUpdate*.etl' separator: '\' supported_os: [Windows] urls: ['https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs'] --- name: WindowsUserAccessLogging doc: | User Access Logging (UAL) databases. UAL is a local data aggregation feature (enabled by default) on Windows Server 2012 and later, recording client usage by role and product on each system providing the resource. It typically consists of between 2 and 4 extensible storage engine (ESE) databases ("Current.mdb", "SystemIdentity.mdb" and "<GUID>.mdb"). sources: - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\LogFiles\SUM\*.mdb'] separator: '\' supported_os: [Windows] urls: ['https://forensics.wiki/windows#user-access-logging-ual'] --- name: WindowsWordWheelQueryRegistryKey doc: Keywords searched from the Windows Start menu; the searches may have resulted in file or folder access or program execution. 
sources: - type: REGISTRY_KEY attributes: keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\*'] supported_os: [Windows] artifacts-20230928/data/windows_dll_hijacking.yaml000066400000000000000000000140361450527130400221030ustar00rootroot00000000000000# DLL Hijack Locations --- name: DLLHijackLocations doc: DLL search order hijacking locations collected from base Windows 7. urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html'] sources: - type: FILE attributes: paths: - '%%environ_windir%%\EXPLORERFRAME.dll' - '%%environ_windir%%\DUser.dll' - '%%environ_windir%%\DUI70.dll' - '%%environ_windir%%\UxTheme.dll' - '%%environ_windir%%\POWRPROF.dll' - '%%environ_windir%%\dwmapi.dll' - '%%environ_windir%%\slc.dll' - '%%environ_windir%%\gdiplus.dll' - '%%environ_windir%%\Secur32.dll' - '%%environ_windir%%\SSPICLI.dll' - '%%environ_windir%%\PROPSYS.dll' - '%%environ_windir%%\WINSTA.dll' - '%%environ_windir%%\CRYPTBASE.dll' - '%%environ_windir%%\WindowsCodecs.dll' - '%%environ_windir%%\profapi.dll' - '%%environ_windir%%\apphelp.dll' - '%%environ_windir%%\EhStorShell.dll' - '%%environ_windir%%\cscui.dll' - '%%environ_windir%%\CSCDLL.dll' - '%%environ_windir%%\CSCAPI.dll' - '%%environ_windir%%\ntshrui.dll' - '%%environ_windir%%\srvcli.dll' - '%%environ_windir%%\IconCodecService.dll' - '%%environ_windir%%\CRYPTSP.dll' - '%%environ_windir%%\rsaenh.dll' - '%%environ_windir%%\RpcRtRemote.dll' - '%%environ_windir%%\SndVolSSO.dll' - '%%environ_windir%%\HID.dll' - '%%environ_windir%%\MMDevApi.dll' - '%%environ_windir%%\timedate.cpl' - '%%environ_windir%%\ATL.dll' - '%%environ_windir%%\actxprxy.dll' - '%%environ_windir%%\ntmarta.dll' - '%%environ_windir%%\shdocvw.dll' - '%%environ_windir%%\LINKINFO.dll' - '%%environ_windir%%\USERENV.dll' - '%%environ_windir%%\shacct.dll' - '%%environ_windir%%\gameux.dll' - '%%environ_windir%%\XmlLite.dll' - '%%environ_windir%%\wer.dll' - 
'%%environ_windir%%\SAMLIB.dll' - '%%environ_windir%%\msls31.dll' - '%%environ_windir%%\tiptsf.dll' - '%%environ_windir%%\authui.dll' - '%%environ_windir%%\CRYPTUI.dll' - '%%environ_windir%%\msiltcfg.dll' - '%%environ_windir%%\VERSION.dll' - '%%environ_windir%%\msi.dll' - '%%environ_windir%%\NetworkExplorer.dll' - '%%environ_windir%%\WINMM.dll' - '%%environ_windir%%\wdmaud.drv' - '%%environ_windir%%\ksuser.dll' - '%%environ_windir%%\AVRT.dll' - '%%environ_windir%%\AUDIOSES.dll' - '%%environ_windir%%\msacm32.drv' - '%%environ_windir%%\MSACM32.dll' - '%%environ_windir%%\midimap.dll' - '%%environ_windir%%\netutils.dll' - '%%environ_windir%%\stobject.dll' - '%%environ_windir%%\BatMeter.dll' - '%%environ_windir%%\WTSAPI32.dll' - '%%environ_windir%%\es.dll' - '%%environ_windir%%\prnfldr.dll' - '%%environ_windir%%\WINSPOOL.DRV' - '%%environ_windir%%\dxp.dll' - '%%environ_windir%%\Syncreg.dll' - '%%environ_windir%%\netshell.dll' - '%%environ_windir%%\IPHLPAPI.dll' - '%%environ_windir%%\WINNSI.dll' - '%%environ_windir%%\nlaapi.dll' - '%%environ_windir%%\AltTab.dll' - '%%environ_windir%%\pnidui.dll' - '%%environ_windir%%\QUtil.dll' - '%%environ_windir%%\wevtapi.dll' - '%%environ_windir%%\dhcpcsvc6.dll' - '%%environ_windir%%\dhcpcsvc.dll' - '%%environ_windir%%\credssp.dll' - '%%environ_windir%%\npmproxy.dll' - '%%environ_windir%%\cscobj.dll' - '%%environ_windir%%\Wlanapi.dll' - '%%environ_windir%%\wlanutil.dll' - '%%environ_windir%%\wwanapi.dll' - '%%environ_windir%%\wwapi.dll' - '%%environ_windir%%\QAgent.dll' - '%%environ_windir%%\srchadmin.dll' - '%%environ_windir%%\mssprxy.dll' - '%%environ_windir%%\bthprops.cpl' - '%%environ_windir%%\ieframe.dll' - '%%environ_windir%%\OLEACC.dll' - '%%environ_windir%%\SyncCenter.dll' - '%%environ_windir%%\Actioncenter.dll' - '%%environ_windir%%\imapi2.dll' - '%%environ_windir%%\SXS.dll' - '%%environ_windir%%\hgcpl.dll' - '%%environ_windir%%\provsvc.dll' - '%%environ_windir%%\wkscli.dll' - '%%environ_windir%%\fxsst.dll' - 
'%%environ_windir%%\FXSAPI.dll' - '%%environ_windir%%\FXSRESM.dll' - '%%environ_windir%%\ieproxy.dll' - '%%environ_windir%%\thumbcache.dll' - '%%environ_windir%%\rasadhlp.dll' - '%%environ_windir%%\MPR.dll' - '%%environ_windir%%\vmhgfs.dll' - '%%environ_windir%%\drprov.dll' - '%%environ_windir%%\ntlanman.dll' - '%%environ_windir%%\davclnt.dll' - '%%environ_windir%%\DAVHLPR.dll' - '%%environ_windir%%\StructuredQuery.dll' - '%%environ_windir%%\UIAnimation.dll' - '%%environ_windir%%\DEVRTL.dll' - '%%environ_windir%%\MLANG.dll' - '%%environ_windir%%\wscinterop.dll' - '%%environ_windir%%\WSCAPI.dll' - '%%environ_windir%%\wscui.cpl' - '%%environ_windir%%\werconcpl.dll' - '%%environ_windir%%\framedynos.dll' - '%%environ_windir%%\wercplsupport.dll' - '%%environ_windir%%\msxml6.dll' - '%%environ_windir%%\hcproviders.dll' - '%%environ_windir%%\zipfldr.dll' - '%%environ_windir%%\rarext.dll' - '%%environ_windir%%\7-zip.dll' - '%%environ_windir%%\twext.dll' - '%%environ_windir%%\WinCDEmuContextMenu.dll' - '%%environ_windir%%\syncui.dll' - '%%environ_windir%%\SYNCENG.dll' - '%%environ_windir%%\shlext010.dll' - '%%environ_windir%%\ATL90.dll' - '%%environ_windir%%\acppage.dll' - '%%environ_windir%%\sfc.dll' - '%%environ_windir%%\sfc_os.dll' - '%%environ_windir%%\dsrole.dll' - '%%environ_windir%%\ACLUI.dll' - '%%environ_windir%%\NTDSAPI.dll' - '%%environ_windir%%\PhotoBase.dll' - '%%environ_windir%%\sbdrop.dll' - '%%environ_windir%%\tquery.dll' - '%%environ_windir%%\EhStorAPI.dll' - '%%environ_windir%%\SearchFolder.dll' - '%%environ_windir%%\NaturalLanguage6.dll' - '%%environ_windir%%\NLSData0009.dll' - '%%environ_windir%%\NLSLexicons0009.dll' - '%%environ_windir%%\MsftEdit.dll' - '%%environ_windir%%\dnsapi.dll' - '%%environ_windir%%\RASAPI32.dll' - '%%environ_windir%%\rasman.dll' - '%%environ_windir%%\rtutils.dll' - '%%environ_windir%%\sensapi.dll' separator: '\' supported_os: [Windows] 
artifacts-20230928/data/wmi.yaml000066400000000000000000000205451450527130400163450ustar00rootroot00000000000000# WMI specific artifacts. --- name: WMIAccountUsersDomain doc: | Fill out user AD domain information based on username. We expect this artifact to be collected with WindowsRegistryProfiles to supply the rest of the user information. This artifact optimizes retrieval of user information by limiting the WMI query to users for which a username is already known. Specifically this solves the issue that in a domain setting, querying for all users via WMI will give you the list of all local and domain accounts, which means a large data transfer from an Active Directory server. This artifact relies on having the users.username field populated in the knowledge base. Unfortunately even limiting by username this query can be slow, and this artifact runs it for each user present on the system. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%'} provides: [users.userdomain] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- name: WMIAntivirusProduct doc: Enumerate the antivirus products registered with the Windows Security Center (root\SecurityCenter2 namespace). sources: - type: WMI attributes: {query: SELECT * FROM AntivirusProduct, base_object: 'winmgmts:\root\SecurityCenter2'} supported_os: [Windows] --- name: WMIComputerSystemProduct doc: Computer System Product including Identifying number queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_ComputerSystemProduct} supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/aa394105(v=vs.85).aspx'] --- name: WMIDNSClientCache doc: DNS client cache via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * from MSFT_DNSClientCache, base_object: 'winmgmts:\root\StandardCimv2'} supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache'] --- name: WMIDrivers doc: Installed drivers via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status, State, ServiceType from Win32_SystemDriver'} supported_os: [Windows] --- name: WMIEnumerateASEC doc: Enumerate instances of ActiveScriptEventConsumer. sources: - type: WMI attributes: {query: SELECT * FROM ActiveScriptEventConsumer, base_object: 'winmgmts:\root\subscription'} supported_os: [Windows] --- name: WMIEnumerateCLEC doc: Enumerate instances of CommandLineEventConsumer. sources: - type: WMI attributes: {query: SELECT * FROM CommandLineEventConsumer, base_object: 'winmgmts:\root\subscription'} supported_os: [Windows] --- name: WMIHotFixes doc: Installed hotfixes via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_QuickFixEngineering} supported_os: [Windows] --- name: WMIInstalledSoftware doc: Installed software via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version from Win32_Product'} supported_os: [Windows] --- name: WMILastBootupTime doc: Last system boot time (UTC) retrieved from WMI. sources: - type: WMI attributes: {query: SELECT LastBootUpTime FROM Win32_OperatingSystem} supported_os: [Windows] urls: ['https://msdn.microsoft.com/en-us/library/windows/desktop/aa394239(v=vs.85).aspx'] --- name: WMILogicalDisks doc: Disk information via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * FROM Win32_LogicalDisk} supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/aa394173(v=vs.85).aspx'] --- name: WMILoggedOnSessions doc: Logon sessions (Win32_LogonSession) queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_LogonSession} supported_os: [Windows] --- name: WMILoggedOnUsers doc: Logged on users (Win32_LoggedOnUser) queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_LoggedonUser} supported_os: [Windows] --- name: WMILoginUsers doc: | Login Users via Windows Management Instrumentation (WMI). This WMI query may take a long time to complete when run on a domain and will create load on a domain controller. sources: - type: WMI attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"} supported_os: [Windows] --- name: WMINetNeighbors doc: TCP/IP neighbors via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from MSFT_NetNeighbor, base_object: 'winmgmts:\root\StandardCimv2'} supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor'] --- name: WMINetTCPConnections doc: TCP connections via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'} supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection'] --- name: WMINetUDPEndpoints doc: UDP endpoints via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * from MSFT_NetUDPEndpoint, base_object: 'winmgmts:\root\StandardCimv2'} supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint'] --- name: WMIOperatingSystem doc: Operating system installed on the computer via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_OperatingSystem} supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem'] --- name: WMIPhysicalMemory doc: Physical memory information via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_PhysicalMemory} supported_os: [Windows] urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"] --- name: WMIProcessList doc: Process listing via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_Process} supported_os: [Windows] --- name: WMIProfileUsersHomeDir doc: | Get user homedir from Win32_UserProfile based on a known user's SID. This artifact relies on having the SID field users.sid populated in the knowledge base. We expect it to be collected with WindowsRegistryProfiles to supply the rest of the user information. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- name: WMIScheduledTasks doc: Scheduled tasks that are registered on the computer via Windows Management Instrumentation (WMI). 
sources: - type: WMI attributes: {query: SELECT * from MSFT_ScheduledTask, base_object: 'winmgmts:\root\Microsoft\Windows\TaskScheduler'} supported_os: [Windows] urls: ['https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/'] --- name: WMIServices doc: Services queried from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_Service} supported_os: [Windows] --- name: WMIStartupCommands doc: Commands that run automatically when a user logs onto the computer system via Windows Management Instrumentation (WMI). sources: - type: WMI attributes: {query: SELECT * from Win32_StartupCommand} supported_os: [Windows] urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand'] --- name: WMIUsers doc: | Users via Windows Management Instrumentation (WMI). Note that in a domain setup, this will probably return all users in the domain which will be expensive and slow. Consider limiting by SID like WMIProfileUsersHomeDir. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserAccount} supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507(v=vs.85).aspx'] --- name: WMIVolumeShadowCopies doc: A List of Volume Shadow Copies from WMI. sources: - type: WMI attributes: {query: SELECT * FROM Win32_ShadowCopy} supported_os: [Windows] --- name: WMICCMRUA doc: Enumerate instances of CCM_RecentlyUsedApps. 
sources: - type: WMI attributes: {query: SELECT * FROM CCM_RecentlyUsedApps, base_object: 'winmgmts:\root\ccm\SoftwareMeteringAgent'} supported_os: [Windows] urls: ['https://forensics.wiki/windows#ccm-recentlyusedapps'] artifacts-20230928/dependencies.ini000066400000000000000000000002261450527130400170750ustar00rootroot00000000000000[yaml] dpkg_name: python-yaml l2tbinaries_name: PyYAML minimum_version: 3.10 pypi_name: PyYAML rpm_name: python2-pyyaml version_property: __version__ artifacts-20230928/docs/000077500000000000000000000000001450527130400146765ustar00rootroot00000000000000artifacts-20230928/docs/Artifacts definition format and style guide.asciidoc000066400000000000000000000001301450527130400266140ustar00rootroot00000000000000Moved to: https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html artifacts-20230928/docs/conf.py000066400000000000000000000120071450527130400161750ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Sphinx build configuration file.""" import os import sys from sphinx.ext import apidoc from docutils import nodes from docutils import transforms # Change PYTHONPATH to include artifacts module and dependencies. sys.path.insert(0, os.path.abspath('..')) import artifacts # pylint: disable=wrong-import-position import utils.dependencies # pylint: disable=wrong-import-position # -- General configuration ------------------------------------------------ # If your documentation needs a minimal Sphinx version, state it here. needs_sphinx = '2.0.1' # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ 'recommonmark', 'sphinx.ext.autodoc', 'sphinx.ext.coverage', 'sphinx.ext.doctest', 'sphinx.ext.napoleon', 'sphinx.ext.viewcode', 'sphinx_markdown_tables', 'sphinx_rtd_theme', ] # We cannot install architecture dependent Python modules on readthedocs, # therefore we mock most imports. 
pip_installed_modules = set() dependency_helper = utils.dependencies.DependencyHelper( dependencies_file=os.path.join('..', 'dependencies.ini'), test_dependencies_file=os.path.join('..', 'test_dependencies.ini')) modules_to_mock = set(dependency_helper.dependencies.keys()) modules_to_mock = modules_to_mock.difference(pip_installed_modules) autodoc_mock_imports = sorted(modules_to_mock) # Options for the Sphinx Napoleon extension, which reads Google-style # docstrings. napoleon_google_docstring = True napoleon_numpy_docstring = False napoleon_include_private_with_doc = False napoleon_include_special_with_doc = True # General information about the project. # pylint: disable=redefined-builtin project = 'Digital Forensics Artifacts Repository' copyright = 'The Digital Forensics Artifacts Repository authors' version = artifacts.__version__ release = artifacts.__version__ # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. exclude_patterns = ['_build'] # The master toctree document. master_doc = 'index' # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' # -- Options for HTML output ---------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. html_theme = 'sphinx_rtd_theme' # Output file base name for HTML help builder. 
htmlhelp_basename = 'artifactsdoc' # -- Options linkcheck ---------------------------------------------------- linkcheck_ignore = [ ] # -- Code to rewrite links for readthedocs -------------------------------- # This function is a Sphinx core event callback, the format of which is detailed # here: https://www.sphinx-doc.org/en/master/extdev/appapi.html#events # pylint: disable=unused-argument def RunSphinxAPIDoc(app): """Runs sphinx-apidoc to auto-generate documentation. Args: app (sphinx.application.Sphinx): Sphinx application. Required by the the Sphinx event callback API. """ current_directory = os.path.abspath(os.path.dirname(__file__)) module_path = os.path.join(current_directory, '..', 'artifacts') api_directory = os.path.join(current_directory, 'sources', 'api') apidoc.main(['-o', api_directory, module_path, '--force']) class MarkdownLinkFixer(transforms.Transform): """Transform definition to parse .md references to internal pages.""" default_priority = 1000 _URI_PREFIXES = [] def _FixLinks(self, node): """Corrects links to .md files not part of the documentation. Args: node (docutils.nodes.Node): docutils node. Returns: docutils.nodes.Node: docutils node, with correct URIs outside of Markdown pages outside the documentation. """ if isinstance(node, nodes.reference) and 'refuri' in node: reference_uri = node['refuri'] for uri_prefix in self._URI_PREFIXES: if (reference_uri.startswith(uri_prefix) and not ( reference_uri.endswith('.asciidoc') or reference_uri.endswith('.md'))): node['refuri'] = reference_uri + '.md' break return node def _Traverse(self, node): """Traverses the document tree rooted at node. Args: node (docutils.nodes.Node): docutils node. """ self._FixLinks(node) for child_node in node.children: self._Traverse(child_node) # pylint: disable=arguments-differ def apply(self): """Applies this transform on document tree.""" self._Traverse(self.document) # pylint: invalid-name def setup(app): """Called at Sphinx initialization. 
Args: app (sphinx.application.Sphinx): Sphinx application. """ # Triggers sphinx-apidoc to generate API documentation. app.connect('builder-inited', RunSphinxAPIDoc) app.add_config_value( 'recommonmark_config', {'enable_auto_toc_tree': True}, True) app.add_transform(MarkdownLinkFixer) artifacts-20230928/docs/index.rst000066400000000000000000000012411450527130400165350ustar00rootroot00000000000000Welcome to the Forensics Artifacts documentation ================================================ Digital Forensics Artifacts Repository, is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools. The source code is available from the `project page `__. .. toctree:: :maxdepth: 2 sources/user/index sources/background/index Format specification API documentation Indices and tables ================== * :ref:`genindex` * :ref:`modindex` artifacts-20230928/docs/requirements.txt000066400000000000000000000001401450527130400201550ustar00rootroot00000000000000docutils Markdown recommonmark sphinx >= 4.1.0 sphinx-markdown-tables sphinx-rtd-theme >= 0.5.1 artifacts-20230928/docs/sources/000077500000000000000000000000001450527130400163615ustar00rootroot00000000000000artifacts-20230928/docs/sources/Format-specification.md000066400000000000000000000370241450527130400227570ustar00rootroot00000000000000# Artifact definition format and style guide The best way to show what an artifact definition is, is by example. The following example is the artifact definition for the Windows EVTX System Event Logs. ```yaml name: WindowsSystemEventLogEvtx doc: Windows System Event log for Vista or later systems. 
sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] ``` The artifact definition can have the following values: Value | Description --- | --- aliases | Optional list of alternate names to identify the artifact definition. See section: [Name](#name). doc | The description (or documentation). A human readable string that describes the artifact definition. See section: [Description](#description). name | The name. A unique string that identifies the artifact definition. See section: [Name](#name). provides | Optional list of knowledge base fields (for example `users.homedir`) that the collected data populates, so that other artifact definitions can use them in parameter expansion. sources | A list of source definitions. See section: [Sources](#sources). supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artifact in more depth, for example on the [Digital Forensics Artifact Knowledge Base](https://github.com/ForensicArtifacts/artifacts-kb). ## Deprecated values Value | Description --- | --- conditions | Optional list of conditions that describe when the artifact definition should apply. Note that conditions have been deprecated as of version 20220710. labels | Optional list of predefined labels. Note that labels have been deprecated as of version 20220311. ## Name The name of an artifact definition should be a CamelCase name without spaces. Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows". If not platform specific: * prefix with the application name, for example "ChromeHistory". * prefix with the name of the subsystem, for example "WMIComputerSystemProduct". 
Commonly used prefixes: Prefix | Description --- | --- Darwin | Mac OS (or Darwin) operating system specific artifact definition. Linux | Linux operating system specific artifact definition. Shell | Shell user-interface specific artifact definition. User | User specific artifact definition. Unix | Unix operating system (or POSIX) specific artifact definition. Windows | Windows operating system specific artifact definition. Suffix artifact definitions with the type of artifact; for example, for files use "BrowserHistoryFile" instead of "BrowserHistory" to reduce ambiguity. Suffix | Description --- | --- ConfigurationFile | Contents of one or more configuration files. Directory | Contents of one or more directories. File | Contents of one or more files. LogFile | Contents of one or more log files. PlistFile | Contents of one or more property list (plist) files. SQLiteDatabaseFile | Contents of one or more SQLite database files. ## Description **Style note**: Typically a one-line description of the artifact, mentioning important caveats. If more than one line is necessary, use the multi-line YAML Literal Style as indicated by the `|` character. ```yaml doc: | The Windows run keys. Note users.sid will currently only expand to SIDs with profiles on the system, not all SIDs. ``` **Style note**: the short description (first line) and the longer portion are separated by an empty line. **Style note**: explicit newlines (\n) should not be used. 
## Sources Every source definition starts with a `type` followed by its arguments, for example: ```yaml sources: - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm ``` ```yaml sources: - type: FILE attributes: paths: - /root/.bashrc - /root/.cshrc - /root/.ksh - /root/.logout - /root/.profile - /root/.tcsh - /root/.zlogin - /root/.zlogout - /root/.zprofile ``` **Style note**: where sources take a single argument with a single value, the one-line {} form should be used to save on line breaks as below: ```yaml - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']} ``` Value | Description --- | --- attributes | A dictionary of keyword attributes specific to the type of source definition. type | The source type. supported_os | Optional list that indicates which operating systems the source definition applies to. See section: [Supported operating system](#supported-operating-system). ### Deprecated values Value | Description --- | --- conditions | Optional list of conditions that describe when the source definition should apply. Note that conditions have been deprecated as of version 20220710. ### Source types Currently the following different source types are defined: Value | Description --- | --- ARTIFACT_GROUP | A source that consists of a group of other artifacts. COMMAND | A source that consists of the output of a command. FILE | A source that consists of the contents of files. PATH | A source that consists of the contents of paths. REGISTRY_KEY | A source that consists of the contents of Windows Registry keys. REGISTRY_VALUE | A source that consists of the contents of Windows Registry values. WMI | A source that consists of the output of Windows Management Instrumentation (WMI) queries. The source types are defined as `TYPE_INDICATOR` constants in [definitions.py](https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/definitions.py). 
### Artifact group source The artifact group source is a source that consists of a group of other artifacts e.g. ```yaml - type: ARTIFACT_GROUP attributes: names: - WindowsRunKeys - WindowsServices ``` Where `attributes` can contain the following values: Value | Description --- | --- names | A list of artifact definition names that make up this "composite" artifact. This can also be used to group multiple artifact definitions into one for convenience. ### Command source The command source is a source that consists of the output of a command e.g. ```yaml - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm ``` Where `attributes` can contain the following values: Value | Description --- | --- args | A list of arguments to pass to the command. cmd | The path of the command. ### File source The file source is a source that consists of the contents of files e.g. ```yaml - type: FILE attributes: paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx'] ``` Where `attributes` can contain the following values: Value | Description --- | --- paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). separator | Optional path segment separator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'. ### Path source The path source is a source that consists of the contents of paths e.g. ```yaml - type: PATH attributes: paths: ['\Program Files'] separator: '\' ``` Where `attributes` can contain the following values: Value | Description --- | --- paths | A list of file paths that can potentially be collected. The paths can use parameter expansion e.g. `%%environ_systemroot%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). separator | Optional path segment separator e.g. '\' for Windows systems. When not specified the default path segment separator is '/'.
### Windows Registry key source The Windows Registry key source is a source that consists of the contents of Windows Registry keys e.g. ```yaml sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\TypedURLs\*' ``` Where `attributes` can contain the following values: Value | Description --- | --- keys | A list of Windows Registry key paths that can potentially be collected. The paths can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). ### Windows Registry value source The Windows Registry value source is a source that consists of the contents of Windows Registry values e.g. ```yaml - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate', value: 'CISCNF4654'} ``` Where `attributes` can contain the following values: Value | Description --- | --- key_value_pairs | A list of Windows Registry key paths and value names that can potentially be collected. The key path can use parameter expansion e.g. `%%users.sid%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs). ### Windows Management Instrumentation (WMI) query source The Windows Management Instrumentation (WMI) query source is a source that consists of the output of Windows Management Instrumentation (WMI) queries e.g. ```yaml - type: WMI attributes: query: SELECT * FROM Win32_UserAccount WHERE name='%%users.username%%' ``` Where `attributes` can contain the following values: Value | Description --- | --- base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](#parameter-expansion-and-globs).
## Supported operating system Since the operating system (OS) is a very common constraint, this has been provided as a separate option "supported_os" to simplify syntax. For supported_os no quotes are required. The currently supported operating systems are: * Darwin (also used for Mac OS X) * Linux * Windows ```yaml supported_os: [Darwin, Linux, Windows] ``` This can be translated to objectfilter as: ```yaml ["os =='Darwin'" OR "os=='Linux'" OR "os == 'Windows'"] ``` ## Parameter expansion and globs Artifact definitions can use different types of parameters that need to be expanded at runtime, such as: * POSIX users variables, for example %%users.homedir%% * Windows environment variables, for example %%environ_systemroot%% * Windows users variables, for example %%users.temp%% ### POSIX users variables Supported POSIX users variables are: Variable | Description --- | --- %%users.homedir%% | A user's home directory, for example '/home/username', '/root' or '/Users/username' #### Decomposition rules Note that the following decomposition rules are approximations based on common usage scenarios. %%users.homedir%% can be decomposed into: * '/Users/*' for Mac OS * '/home/*' and '/root' for Linux ### Windows environment variables Supported Windows environment variables are: Variable | Description --- | --- %%environ_allusersappdata%% | The %AllUsersAppData% environment variable, which should fallback to the %ProgramData% environment variable if not available. %%environ_allusersprofile%% | The %AllUsersProfile% environment variable. %%environ_programdata%% | The %ProgramData% environment variable, which should fallback to the %AllUsersAppData% environment variable or '%AllUsersProfile%\\Application Data' if not available. %%environ_programfiles%% | The %ProgramFiles% environment variable. %%environ_programfilesx86%% | The %ProgramFiles(x86)% environment variable.
%%environ_systemdrive%% | The %SystemDrive% environment variable, for example 'C:' %%environ_systemroot%% | The %SystemRoot% environment variable, for example 'C:\\Windows' %%environ_windir%% | The %WinDir% environment variable, for example 'C:\\Windows' ### Windows users variables Supported Windows users variables are: Variable | Description --- | --- %%users.appdata%% | Windows version independent representation of a user specific %AppData% environment variable. %%users.localappdata%% | Windows version independent representation of a user specific %LocalAppData% environment variable. %%users.sid%% | A user's security identifier (SID) %%users.temp%% | A user's temporary files directory, comparable to the %TEMP% or %TMP% environment variables, for example '/Users/username/temp' %%users.username%% | A user's username, comparable to the %USERNAME% environment variable %%users.userprofile%% | A user's (local) profile directory, for example '/Users/username' #### Decomposition rules **TODO: add information about system accounts** Note that the following decomposition rules are approximations based on common usage scenarios. %%users.appdata%% can be decomposed into: * '%%users.userprofile%%\\AppData\\Roaming' for Windows Vista and later * '%%users.userprofile%%\\Application Data' %%users.localappdata%% can be decomposed into: * '%%users.userprofile%%\\AppData\\Local' for Windows Vista and later * '%%users.userprofile%%\\Local Settings\\Application Data' %%users.localappdata_low%% can be decomposed into: * '%%users.userprofile%%\\AppData\\LocalLow' for Windows Vista and later %%users.temp%% can be decomposed into: * '%%users.localappdata%%\\Temp' %%users.userprofile%% can be decomposed into: * 'Documents and Settings\\*' * 'Users\\*' for Windows Vista and later ## Additional style notes ### Artifact definition YAML files Artifact definition YAML filenames should be of the form: ``` $FILENAME.yaml ``` Where $FILENAME is the name of the file e.g. windows.yaml.
Each definition file should have a comment at the top of the file with a one-line summary describing the type of artifact definitions contained in the file e.g. ```yaml # Windows specific artifacts. ``` ### Lists Generally use the short `[]` format for single-item lists that fit inside 80 characters to save on unnecessary line breaks: ```yaml supported_os: [Windows] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] ``` and the bulleted list form for multi-item lists or long lines: ```yaml paths: - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*' ``` ### Quotes Quotes should not be used for doc strings, artifact names, and simple lists like supported_os. Paths and URLs should use single quotes to avoid the need for manual escaping. ```yaml paths: ['%%environ_temp%%\*.exe'] urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html'] ``` Double quotes should be used where escaping causes problems, such as regular expressions: ```yaml content_regex_list: ["^%%users.username%%:[^:]*\n"] ``` ### Minimize the number of definitions by using multiple sources To minimize the number of artifacts in the list, combine them using the supported_os attributes where it makes sense. e.g. rather than having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: ```yaml name: FirefoxHistory doc: Firefox places.sqlite files. 
sources: - type: FILE attributes: paths: - %%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite - %%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite supported_os: [Windows] - type: FILE attributes: paths: [%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/places.sqlite] supported_os: [Darwin] - type: FILE attributes: paths: ['%%users.homedir%%/.mozilla/firefox/*/places.sqlite'] supported_os: [Linux] supported_os: [Windows, Linux, Darwin] ``` artifacts-20230928/docs/sources/api/000077500000000000000000000000001450527130400171325ustar00rootroot00000000000000artifacts-20230928/docs/sources/api/artifacts.rst000066400000000000000000000022301450527130400216410ustar00rootroot00000000000000artifacts package ================= Submodules ---------- artifacts.artifact module ------------------------- .. automodule:: artifacts.artifact :members: :undoc-members: :show-inheritance: artifacts.definitions module ---------------------------- .. automodule:: artifacts.definitions :members: :undoc-members: :show-inheritance: artifacts.errors module ----------------------- .. automodule:: artifacts.errors :members: :undoc-members: :show-inheritance: artifacts.reader module ----------------------- .. automodule:: artifacts.reader :members: :undoc-members: :show-inheritance: artifacts.registry module ------------------------- .. automodule:: artifacts.registry :members: :undoc-members: :show-inheritance: artifacts.source\_type module ----------------------------- .. automodule:: artifacts.source_type :members: :undoc-members: :show-inheritance: artifacts.writer module ----------------------- .. automodule:: artifacts.writer :members: :undoc-members: :show-inheritance: Module contents --------------- .. automodule:: artifacts :members: :undoc-members: :show-inheritance: artifacts-20230928/docs/sources/api/modules.rst000066400000000000000000000001001450527130400213230ustar00rootroot00000000000000artifacts ========= .. 
toctree:: :maxdepth: 4 artifacts artifacts-20230928/docs/sources/background/000077500000000000000000000000001450527130400205005ustar00rootroot00000000000000artifacts-20230928/docs/sources/background/Stats.md000066400000000000000000000013431450527130400221210ustar00rootroot00000000000000## Statistics The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html). Status of the repository as of 2023-09-28 Description | Number --- | --- Number of artifact definitions: | 801 Number of file paths: | 2047 Number of Windows Registry key paths: | 677 ### Artifact definition source types Identifier | Number --- | --- ARTIFACT_GROUP | 47 COMMAND | 10 FILE | 516 PATH | 28 REGISTRY_KEY | 57 REGISTRY_VALUE | 116 WMI | 27 ### Operating systems Identifier | Number --- | --- Darwin | 200 ESXi | 16 Linux | 243 Windows | 367 artifacts-20230928/docs/sources/background/Terminology.md000066400000000000000000000015511450527130400233340ustar00rootroot00000000000000# Terminology The term artifact (or artefact) is widely used within computer (or digital) forensics, though there is no official definition of this term. The definition closest to the meaning of the word within computer forensics is that of the word artifact within [archaeology](https://en.wikipedia.org/wiki/Artifact_(archaeology)). The term should not be confused with the word artifact used within [software development](https://en.wikipedia.org/wiki/Artifact_(software_development)). If archaeology defines an artifact as: ``` something made or given shape by man, such as a tool or a work of art, esp an object of archaeological interest ``` The definition of artifact within computer forensics could be: ``` An object of digital archaeological interest. 
``` Where digital archaeology roughly refers to computer forensics without the forensic (legal) context. artifacts-20230928/docs/sources/background/index.rst000066400000000000000000000023741450527130400223470ustar00rootroot00000000000000########## Background ########## The first version of the artifact definitions originated from the `GRR project `__, where it is used to describe and quickly collect data of interest, for example specific files or Windows Registry keys. The goal of the format is to provide a tool independent way to describe the majority of forensic artifacts in a language that is readable by humans and machines. The format is designed to be simple and straight forward, so that a digital forensic analysist is able to quickly write artifact definitions during an investigation without having to rely on complex standards or tooling. The format is intended to describe forensically-relevant data on a machine, while being tool agnostic. In particular we intentionally avoided adding IOC-like logic, or describing how the data should be collected since this various between tools. For some background on the artifacts system and how we expect it to be used see `this Blackhat presentation `__ and `YouTube video `__ from the GRR team. .. toctree:: :maxdepth: 2 Terminology Statistics artifacts-20230928/docs/sources/user/000077500000000000000000000000001450527130400173375ustar00rootroot00000000000000artifacts-20230928/docs/sources/user/Installation-instructions.md000066400000000000000000000032471450527130400250720ustar00rootroot00000000000000# Installation instructions ## pip **Note that using pip outside virtualenv is not recommended since it ignores your systems package manager. 
If you aren't comfortable debugging package installation issues, this is not the option for you.** Create and activate a virtualenv: ```bash virtualenv artifactsenv cd artifactsenv source ./bin/activate ``` Upgrade pip and install Forensics Artifacts dependencies: ```bash pip install --upgrade pip pip install artifacts ``` To deactivate the virtualenv run: ```bash deactivate ``` ## Ubuntu 18.04 and 20.04 LTS To install Forensics Artifacts from the [GIFT Personal Package Archive (PPA)](https://launchpad.net/~gift): ```bash sudo add-apt-repository ppa:gift/stable ``` Update and install Forensics Artifacts: ```bash sudo apt-get update sudo apt-get install python3-artifacts ``` ## Windows The [l2tbinaries](https://github.com/log2timeline/l2tbinaries) contains the necessary packages for running Forensics Artifacts. l2tbinaries provides the following branches: * main; branch intended for the "packaged release" of Forensics Artifacts and dependencies; * dev; branch intended for the "development release" of Forensics Artifacts; * testing; branch intended for testing newly created packages. The l2tdevtools project provides [an update script](https://github.com/log2timeline/l2tdevtools/wiki/Update-script) to ease the process of keeping the dependencies up to date. The script requires [pywin32](https://github.com/mhammond/pywin32/releases) and [Python WMI](https://pypi.org/project/WMI/). To install the release versions of the dependencies run: ``` set PYTHONPATH=. C:\Python38\python.exe tools\update.py --preset artifacts ``` artifacts-20230928/docs/sources/user/index.rst000066400000000000000000000004671450527130400212070ustar00rootroot00000000000000############### Getting started ############### To be able to use Forensics Artifacts you first need to install it. There are multiple ways to install Forensics Artifacts, check the following instructions for more detail. .. 
toctree:: :maxdepth: 2 Installation instructions artifacts-20230928/requirements.txt000066400000000000000000000000341450527130400172270ustar00rootroot00000000000000pip >= 7.0.0 PyYAML >= 3.10 artifacts-20230928/run_tests.py000077500000000000000000000017721450527130400163600ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Script to run the tests.""" from __future__ import print_function import sys import unittest # Change PYTHONPATH to include dependencies. sys.path.insert(0, '.') import utils.dependencies # pylint: disable=wrong-import-position if __name__ == '__main__': print(f'Using Python version {sys.version!s}') fail_unless_has_test_file = '--fail-unless-has-test-file' in sys.argv setattr(unittest, 'fail_unless_has_test_file', fail_unless_has_test_file) if fail_unless_has_test_file: # Remove --fail-unless-has-test-file otherwise it will conflict with # the argparse tests. sys.argv.remove('--fail-unless-has-test-file') dependency_helper = utils.dependencies.DependencyHelper() if not dependency_helper.CheckTestDependencies(): sys.exit(1) test_suite = unittest.TestLoader().discover('tests', pattern='*.py') test_results = unittest.TextTestRunner(verbosity=2).run(test_suite) if not test_results.wasSuccessful(): sys.exit(1) artifacts-20230928/setup.cfg000066400000000000000000000004731450527130400155730ustar00rootroot00000000000000[metadata] license_files = LICENSE [bdist_rpm] release = 1 packager = Forensic artifacts doc_files = ACKNOWLEDGEMENTS AUTHORS LICENSE README build_requires = python3-setuptools requires = python3-pyyaml >= 3.10 [bdist_wheel] universal = 1 artifacts-20230928/setup.py000077500000000000000000000150561450527130400154720ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Installation and deployment script.""" import glob import os import pkg_resources import sys try: from setuptools import find_packages, setup except ImportError: from distutils.core import find_packages, setup try: from 
distutils.command.bdist_rpm import bdist_rpm except ImportError: bdist_rpm = None version_tuple = (sys.version_info[0], sys.version_info[1]) if version_tuple < (3, 7): print(f'Unsupported Python version: {sys.version:s}, version 3.7 or higher ' f'required.') sys.exit(1) # Change PYTHONPATH to include artifacts so that we can get the version. sys.path.insert(0, '.') import artifacts # pylint: disable=wrong-import-position if not bdist_rpm: BdistRPMCommand = None else: class BdistRPMCommand(bdist_rpm): """Custom handler for the bdist_rpm command.""" # pylint: disable=invalid-name def _make_spec_file(self): """Generates the text of an RPM spec file. Returns: list[str]: lines of the RPM spec file. """ # Note that bdist_rpm can be an old style class. if issubclass(BdistRPMCommand, object): spec_file = super(BdistRPMCommand, self)._make_spec_file() else: spec_file = bdist_rpm._make_spec_file(self) python_package = 'python3' description = [] requires = '' summary = '' in_description = False python_spec_file = [] for line in iter(spec_file): if line.startswith('Summary: '): summary = line[9:] elif line.startswith('BuildRequires: '): line = (f'BuildRequires: {python_package:s}-setuptools, ' f'{python_package:s}-devel') elif line.startswith('Requires: '): requires = line[10:] continue elif line.startswith('%description'): in_description = True elif line.startswith('python setup.py build'): if python_package == 'python3': line = '%py3_build' else: line = '%py2_build' elif line.startswith('python setup.py install'): if python_package == 'python3': line = '%py3_install' else: line = '%py2_install' elif line.startswith('%files'): lines = [ '%files -n %{name}-data', '%defattr(644,root,root,755)', '%license LICENSE', '%doc ACKNOWLEDGEMENTS AUTHORS README', '%{_datadir}/%{name}/*', '', f'%files -n {python_package:s}-%{{name}}', '%defattr(644,root,root,755)', '%license LICENSE', '%doc ACKNOWLEDGEMENTS AUTHORS README'] lines.extend([ '%{python3_sitelib}/artifacts/*.py', 
'%{python3_sitelib}/artifacts*.egg-info/*', '', '%exclude %{_prefix}/share/doc/*', '%exclude %{python3_sitelib}/artifacts/__pycache__/*']) python_spec_file.extend(lines) break elif line.startswith('%prep'): in_description = False python_spec_file.extend([ '%package -n %{name}-data', f'Summary: Data files for {summary:s}', '', '%description -n %{name}-data']) python_spec_file.extend(description) python_spec_file.append(f'%package -n {python_package:s}-%{{name}}') python_summary = f'Python 3 module of {summary:s}' python_spec_file.extend([ f'Requires: artifacts-data >= %{{version}} {requires:s}', f'Summary: {python_summary:s}', '', f'%description -n {python_package:s}-%{{name}}']) python_spec_file.extend(description) python_spec_file.extend([ '%package -n %{name}-tools', f'Requires: {python_package:s}-artifacts >= %{{version}}', f'Summary: Tools for {summary:s}', '', '%description -n %{name}-tools']) python_spec_file.extend(description) elif in_description: # Ignore leading white lines in the description. if not description and not line: continue description.append(line) python_spec_file.append(line) python_spec_file.extend([ '', '%files -n %{name}-tools', '%{_bindir}/*.py']) return python_spec_file def parse_requirements_from_file(path): """Parses requirements from a requirements file. Args: path (str): path to the requirements file. Returns: list[str]: name and optional version information of the required packages. 
""" requirements = [] if os.path.isfile(path): with open(path, 'r') as file_object: file_contents = file_object.read() for requirement in pkg_resources.parse_requirements(file_contents): try: name = str(requirement.req) except AttributeError: name = str(requirement) if not name.startswith('pip '): requirements.append(name) return requirements artifacts_description = ( 'ForensicArtifacts.com Artifact Repository.') artifacts_long_description = ( 'A free, community-sourced, machine-readable knowledge base of forensic ' 'artifacts that the world can use both as an information source and within' ' other tools.') command_classes = {} if BdistRPMCommand: command_classes['bdist_rpm'] = BdistRPMCommand setup( name='artifacts', version=artifacts.__version__, description=artifacts_description, long_description=artifacts_long_description, long_description_content_type='text/plain', license='Apache License, Version 2.0', url='https://github.com/ForensicArtifacts/artifacts', maintainer='Forensic artifacts', maintainer_email='forensicartifacts@googlegroups.com', cmdclass=command_classes, classifiers=[ 'Development Status :: 3 - Alpha', 'Environment :: Console', 'Operating System :: OS Independent', 'Programming Language :: Python', ], packages=find_packages('.', exclude=[ 'docs', 'tests', 'tests.*', 'tools', 'utils']), package_dir={ 'artifacts': 'artifacts' }, scripts=glob.glob(os.path.join('tools', '[a-z]*.py')), data_files=[ ('share/artifacts', glob.glob( os.path.join('data', '*'))), ('share/doc/artifacts', [ 'ACKNOWLEDGEMENTS', 'AUTHORS', 'LICENSE', 'README']), ], install_requires=parse_requirements_from_file('requirements.txt'), tests_require=parse_requirements_from_file('test_requirements.txt'), ) artifacts-20230928/test_data/000077500000000000000000000000001450527130400157165ustar00rootroot00000000000000artifacts-20230928/test_data/definitions.json000066400000000000000000000045661450527130400211370ustar00rootroot00000000000000[{"name": "SecurityEventLogEvtx", "sources": 
[{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}] artifacts-20230928/test_data/definitions.yaml000066400000000000000000000044101450527130400211140ustar00rootroot00000000000000# Test artifact definitions. --- name: SecurityEventLogEvtxFile aliases: [SecurityEventLogEvtx] doc: Windows Security Event log for Vista or later systems. sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx']} supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- name: AllUsersProfileEnvironmentVariable doc: The %AllUsersProfile% environment variable. sources: - type: REGISTRY_KEY attributes: keys: - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory' - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile' provides: [environ_allusersprofile] supported_os: [Windows] urls: ['http://support.microsoft.com/kb//214653'] --- name: CurrentControlSet doc: The control set the system is currently using. 
sources: - type: REGISTRY_VALUE attributes: key_value_pairs: - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'} provides: [current_control_set] supported_os: [Windows] urls: ['https://code.google.com/p/winreg-kb/wiki/SystemKeys'] --- name: WMIProfileUsersHomeDir doc: | Get user homedir from Win32_UserProfile based on a known user's SID. This artifact relies on having the SID field users.sid populated in the knowledge base. We expect it to be collected with WindowsRegistryProfiles to supply the rest of the user information. sources: - type: WMI attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'} provides: [users.homedir] supported_os: [Windows] urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'] --- name: EventLogs doc: Windows Event logs. sources: - type: ARTIFACT_GROUP attributes: names: - 'ApplicationEventLog' - 'ApplicationEventLogEvtx' - 'SecurityEventLog' - 'SecurityEventLogEvtx' - 'SystemEventLog' - 'SystemEventLogEvtx' supported_os: [Windows] --- name: RedhatPackagesList doc: Linux output of rpm -qa. sources: - type: COMMAND attributes: args: [-qa] cmd: /bin/rpm supported_os: [Linux] --- name: OSXLoadedKexts doc: Mac OS X Loaded Kernel Extensions. 
sources: - type: COMMAND attributes: args: [] cmd: /usr/sbin/kextstat supported_os: [Darwin] artifacts-20230928/test_dependencies.ini000066400000000000000000000000001450527130400201220ustar00rootroot00000000000000artifacts-20230928/test_requirements.txt000066400000000000000000000000001450527130400202570ustar00rootroot00000000000000artifacts-20230928/tests/000077500000000000000000000000001450527130400151105ustar00rootroot00000000000000artifacts-20230928/tests/__init__.py000066400000000000000000000000301450527130400172120ustar00rootroot00000000000000# -*- coding: utf-8 -*- artifacts-20230928/tests/reader_test.py000066400000000000000000000272031450527130400177670ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions readers.""" import io import unittest import yaml from artifacts import definitions from artifacts import errors from artifacts import reader from tests import test_lib class YamlArtifactsReaderTest(test_lib.BaseTestCase): """YAML artifacts reader tests.""" _DEFINITION_INVALID_SUPPORTED_OS_1 = """\ name: BadSupportedOS doc: supported_os should be an array of strings. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' supported_os: Windows """ _DEFINITION_INVALID_SUPPORTED_OS_2 = """\ name: BadTopSupportedOS doc: Top supported_os should match supported_os from sources. sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' supported_os: [Windows] """ _DEFINITION_INVALID_URLS = """\ name: BadUrls doc: badurls. 
sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' supported_os: [Windows] urls: 'http://example.com' """ _DEFINITION_WITH_EXTRA_KEY = """\ name: WithExtraKey doc: definition with extra_key sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' extra_key: 'wrong' supported_os: [Windows] """ _DEFINITION_WITH_RETURN_TYPES = """\ name: WithReturnTypes doc: definition with return_types sources: - type: ARTIFACT_GROUP attributes: names: [WindowsRunKeys, WindowsServices] returned_types: [PersistenceFile] """ _DEFINITION_WITHOUT_DOC = """\ name: NoDoc sources: - type: ARTIFACT_GROUP attributes: names: - 'SystemEventLogEvtx' """ _DEFINITION_WITHOUT_NAME = """\ name: NoNames doc: Missing names attr. sources: - type: ARTIFACT_GROUP attributes: - 'SystemEventLogEvtx' """ _DEFINITION_WITHOUT_SOURCES = """\ name: BadSources doc: must have one sources. supported_os: [Windows] """ def testReadFileObject(self): """Tests the ReadFileObject function.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.YamlArtifactsReader() with open(test_file, 'rb') as file_object: artifact_definitions = list(artifact_reader.ReadFileObject(file_object)) self.assertEqual(len(artifact_definitions), 7) # Artifact with file source type. 
artifact_definition = artifact_definitions[0] self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtxFile') expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(artifact_definition.description, expected_description) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_FILE) expected_paths = [ '%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx' ] self.assertEqual(sorted(source_type.paths), sorted(expected_paths)) self.assertEqual(len(artifact_definition.supported_os), 1) self.assertEqual(artifact_definition.supported_os[0], 'Windows') self.assertEqual(len(artifact_definition.urls), 1) expected_url = ( 'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)') self.assertEqual(artifact_definition.urls[0], expected_url) # Artifact with Windows Registry key source type. artifact_definition = artifact_definitions[1] self.assertEqual( artifact_definition.name, 'AllUsersProfileEnvironmentVariable') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY) expected_key1 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\ProfilesDirectory') expected_key2 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\AllUsersProfile') expected_keys = [expected_key1, expected_key2] self.assertEqual(sorted(source_type.keys), sorted(expected_keys)) # Artifact with Windows Registry value source type. 
artifact_definition = artifact_definitions[2] self.assertEqual(artifact_definition.name, 'CurrentControlSet') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE) self.assertEqual(len(source_type.key_value_pairs), 1) key_value_pair = source_type.key_value_pairs[0] expected_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Select' self.assertEqual(key_value_pair['key'], expected_key) self.assertEqual(key_value_pair['value'], 'Current') # Artifact with WMI query source type. artifact_definition = artifact_definitions[3] self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir') expected_provides = sorted(['users.homedir']) self.assertEqual(sorted(artifact_definition.provides), expected_provides) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WMI_QUERY) expected_query = ( 'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'') self.assertEqual(source_type.query, expected_query) # Artifact with artifact definition source type. artifact_definition = artifact_definitions[4] self.assertEqual(artifact_definition.name, 'EventLogs') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT_GROUP) # Artifact with command definition source type. 
artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_COMMAND) # Artifact with COMMAND definition collector definition. artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) collector_definition = artifact_definition.sources[0] self.assertIsNotNone(collector_definition) self.assertEqual( collector_definition.type_indicator, definitions.TYPE_INDICATOR_COMMAND) def testReadFileObjectInvalidSupportedOS(self): """Tests the ReadFileObject function on an invalid supported_os.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO( initial_value=self._DEFINITION_INVALID_SUPPORTED_OS_1) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) file_object = io.StringIO( initial_value=self._DEFINITION_INVALID_SUPPORTED_OS_2) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectInvalidURLs(self): """Tests the ReadFileObject function on an invalid urls.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_INVALID_URLS) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithExtraKey(self): """Tests the ReadFileObject function on a definition with extra key.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITH_EXTRA_KEY) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithReturnTypes(self): """Tests the ReadFileObject function on a 
definition with return types.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITH_RETURN_TYPES) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithoutDoc(self): """Tests the ReadFileObject function on a definition without doc.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_DOC) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithoutName(self): """Tests the ReadFileObject function on a definition without name.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_NAME) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadFileObjectWithoutSources(self): """Tests the ReadFileObject function on a definition without sources.""" artifact_reader = reader.YamlArtifactsReader() file_object = io.StringIO(initial_value=self._DEFINITION_WITHOUT_SOURCES) with self.assertRaises(errors.FormatError): _ = list(artifact_reader.ReadFileObject(file_object)) def testReadYamlFile(self): """Tests the ReadFile function.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.YamlArtifactsReader() artifact_definitions = list(artifact_reader.ReadFile(test_file)) self.assertEqual(len(artifact_definitions), 7) def testReadDirectory(self): """Tests the ReadDirectory function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['.']) artifact_definitions = list(artifact_reader.ReadDirectory(test_file)) self.assertEqual(len(artifact_definitions), 7) def testArtifactAsDict(self): """Tests the AsDict function.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) 
artifact_reader = reader.YamlArtifactsReader() with open(test_file, 'r', encoding='utf-8') as file_object: for artifact_definition in yaml.safe_load_all(file_object): artifact_object = artifact_reader.ReadArtifactDefinitionValues( artifact_definition) self.assertEqual(artifact_definition, artifact_object.AsDict()) def testDefinitionsAsDict(self): """Tests the AsDict function.""" artifact_reader = reader.YamlArtifactsReader() artifact_definitions = list(artifact_reader.ReadDirectory('data')) last_artifact_definition = None for artifact in artifact_definitions: try: artifact_definition = artifact.AsDict() except errors.FormatError: error_location = 'At start' if last_artifact_definition: error_location = f'After: {last_artifact_definition.name:s}' self.fail(f'{error_location:s} failed to convert to dict') last_artifact_definition = artifact_definition class JsonArtifactsReaderTest(test_lib.BaseTestCase): """JSON artifacts reader tests.""" def testReadJsonFile(self): """Tests the ReadFile function.""" test_file = self._GetTestFilePath(['definitions.json']) self._SkipIfPathNotExists(test_file) artifact_reader = reader.JsonArtifactsReader() artifact_definitions = list(artifact_reader.ReadFile(test_file)) self.assertEqual(len(artifact_definitions), 7) if __name__ == '__main__': unittest.main() artifacts-20230928/tests/registry_test.py000066400000000000000000000114521450527130400203740ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions registry.""" import io import unittest from artifacts import errors from artifacts import reader from artifacts import registry from artifacts import source_type from tests import test_lib class TestSourceType(source_type.SourceType): """Class that implements a test source type.""" TYPE_INDICATOR = 'test' def __init__(self, test=None): """Initializes the source type object. Args: test (Optional[str]): test string. Raises: FormatError: when test is not set. 
""" if not test: raise errors.FormatError('Missing test value.') super(TestSourceType, self).__init__() self.test = test def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'test': self.test} class ArtifactDefinitionsRegistryTest(test_lib.BaseTestCase): """Tests for the artifact definitions registry.""" # pylint: disable=protected-access def testArtifactDefinitionsRegistry(self): """Tests the ArtifactDefinitionsRegistry functions.""" test_file = self._GetTestFilePath(['definitions.yaml']) self._SkipIfPathNotExists(test_file) artifact_registry = registry.ArtifactDefinitionsRegistry() artifact_reader = reader.YamlArtifactsReader() for artifact_definition in artifact_reader.ReadFile(test_file): artifact_registry.RegisterDefinition(artifact_definition) # Make sure the test file got turned into artifacts. self.assertEqual(len(artifact_registry.GetDefinitions()), 7) artifact_definition = artifact_registry.GetDefinitionByName('EventLogs') self.assertIsNotNone(artifact_definition) # Try to register something already registered with self.assertRaises(KeyError): artifact_registry.RegisterDefinition(artifact_definition) # Deregister artifact_registry.DeregisterDefinition(artifact_definition) # Check it is gone with self.assertRaises(KeyError): artifact_registry.DeregisterDefinition(artifact_definition) self.assertEqual(len(artifact_registry.GetDefinitions()), 6) test_artifact_definition = artifact_registry.GetDefinitionByName( 'SecurityEventLogEvtxFile') self.assertIsNotNone(test_artifact_definition) self.assertEqual(test_artifact_definition.name, 'SecurityEventLogEvtxFile') self.assertEqual(test_artifact_definition.aliases, ['SecurityEventLogEvtx']) expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(test_artifact_definition.description, expected_description) bad_args = io.BytesIO( b'name: SecurityEventLogEvtx\n' b'doc: Windows Security Event log for Vista 
or later systems.\n' b'sources:\n' b'- type: FILE\n' b' attributes: {broken: [\'%%environ_systemroot%%\\System32\\' b'winevt\\Logs\\Security.evtx\']}\n' b'supported_os: [Windows]\n' b'urls: [\'http://www.forensicswiki.org/wiki/\n' b'Windows_XML_Event_Log_(EVTX)\']\n') generator = artifact_reader.ReadFileObject(bad_args) with self.assertRaises(errors.FormatError): next(generator) def testSourceTypeFunctions(self): """Tests the source type functions.""" number_of_source_types = len( registry.ArtifactDefinitionsRegistry._source_type_classes) registry.ArtifactDefinitionsRegistry.RegisterSourceType(TestSourceType) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types + 1) with self.assertRaises(KeyError): registry.ArtifactDefinitionsRegistry.RegisterSourceType(TestSourceType) registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types) registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType]) self.assertEqual( len(registry.ArtifactDefinitionsRegistry._source_type_classes), number_of_source_types + 1) with self.assertRaises(KeyError): registry.ArtifactDefinitionsRegistry.RegisterSourceTypes([TestSourceType]) source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( 'test', {'test': 'test123'}) self.assertIsNotNone(source_object) self.assertEqual(source_object.test, 'test123') with self.assertRaises(errors.FormatError): source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( 'test', {}) with self.assertRaises(errors.FormatError): source_object = registry.ArtifactDefinitionsRegistry.CreateSourceType( 'bogus', {}) registry.ArtifactDefinitionsRegistry.DeregisterSourceType(TestSourceType) if __name__ == '__main__': unittest.main() artifacts-20230928/tests/source_type_test.py000066400000000000000000000123651450527130400210710ustar00rootroot00000000000000# -*- 
coding: utf-8 -*- """Tests for the source type objects.""" import unittest from artifacts import errors from artifacts import source_type from tests import test_lib class TestSourceType(source_type.SourceType): """Class that implements a test source type.""" TYPE_INDICATOR = 'test' def __init__(self, test=None): """Initializes the source type object. Args: test (Optional[str]): test string. Raises: FormatError: when test is not set. """ if not test: raise errors.FormatError('Missing test value.') super(TestSourceType, self).__init__() self.test = test def AsDict(self): """Represents a source type as a dictionary. Returns: dict[str, str]: source type attributes. """ return {'test': self.test} class SourceTypeTest(test_lib.BaseTestCase): """Class to test the artifact source type.""" class ArtifactGroupSourceTypeTest(test_lib.BaseTestCase): """Class to test the artifact group source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.ArtifactGroupSourceType(names=['test']) class FileSourceTypeTest(test_lib.BaseTestCase): """Class to test the files source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.FileSourceType(paths=['test']) source_type.FileSourceType(paths=['test'], separator='\\') with self.assertRaises(errors.FormatError): source_type.FileSourceType() with self.assertRaises(errors.FormatError): source_type.FileSourceType(paths='test') class PathSourceTypeTest(test_lib.BaseTestCase): """Class to test the paths source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.PathSourceType(paths=['test']) source_type.PathSourceType(paths=['test'], separator='\\') with self.assertRaises(errors.FormatError): source_type.PathSourceType() with self.assertRaises(errors.FormatError): source_type.PathSourceType(paths='test') class WindowsRegistryKeySourceTypeTest(test_lib.BaseTestCase): """Class to test the Windows Registry keys source type.""" def testInitialize(self): """Tests 
the __init__ function.""" source_type.WindowsRegistryKeySourceType(keys=['HKEY_LOCAL_MACHINE\\test']) with self.assertRaises(errors.FormatError): source_type.WindowsRegistryKeySourceType(keys='HKEY_LOCAL_MACHINE\\test') class WindowsRegistryValueSourceTypeTest(test_lib.BaseTestCase): """Class to test the Windows Registry value source type.""" def testInitialize(self): """Tests the __init__ function.""" key_value_pair = {'key': 'HKEY_LOCAL_MACHINE\\test', 'value': 'test'} source_type.WindowsRegistryValueSourceType(key_value_pairs=[key_value_pair]) key_value_pair = {'bad': 'test', 'value': 'test'} with self.assertRaises(errors.FormatError): source_type.WindowsRegistryValueSourceType( key_value_pairs=[key_value_pair]) with self.assertRaises(errors.FormatError): source_type.WindowsRegistryValueSourceType(key_value_pairs=key_value_pair) class WMIQuerySourceTypeTest(test_lib.BaseTestCase): """Class to test the WMI query source type.""" def testInitialize(self): """Tests the __init__ function.""" source_type.WMIQuerySourceType(query='test') class SourceTypeFactoryTest(test_lib.BaseTestCase): """Class to test the source type factory.""" def testCreateSourceType(self): """Tests the source type creation.""" source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType]) with self.assertRaises(KeyError): source_type.SourceTypeFactory.RegisterSourceTypes([TestSourceType]) source_object = source_type.SourceTypeFactory.CreateSourceType( 'test', {'test': 'test123'}) self.assertIsNotNone(source_object) self.assertEqual(source_object.test, 'test123') with self.assertRaises(errors.FormatError): source_object = source_type.SourceTypeFactory.CreateSourceType( 'test', {}) with self.assertRaises(errors.FormatError): source_object = source_type.SourceTypeFactory.CreateSourceType( 'bogus', {}) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) def testRegisterSourceType(self): """Tests the source type registration functions.""" expected_number_of_source_types = len( 
source_type.SourceTypeFactory.GetSourceTypes()) source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) number_of_source_types = len(source_type.SourceTypeFactory.GetSourceTypes()) self.assertEqual( number_of_source_types, expected_number_of_source_types + 1) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) number_of_source_types = len(source_type.SourceTypeFactory.GetSourceTypes()) self.assertEqual(number_of_source_types, expected_number_of_source_types) def testRegisterSourceTypeRaisesWhenAlreadyRegistered(self): """Tests the source type registration functions when already registered.""" source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) with self.assertRaises(KeyError): source_type.SourceTypeFactory.RegisterSourceType(TestSourceType) source_type.SourceTypeFactory.DeregisterSourceType(TestSourceType) if __name__ == '__main__': unittest.main() artifacts-20230928/tests/test_lib.py000066400000000000000000000032701450527130400172710ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Shared functions and classes for testing.""" import os import shutil import tempfile import unittest class BaseTestCase(unittest.TestCase): """The base test case.""" _DATA_PATH = os.path.join(os.getcwd(), 'data') _TEST_DATA_PATH = os.path.join(os.getcwd(), 'test_data') # Show full diff results, part of TestCase so does not follow our naming # conventions. maxDiff = None def _GetTestFilePath(self, path_segments): """Retrieves the path of a test file in the test data directory. Args: path_segments (list[str]): path segments inside the test data directory. Returns: str: path of the test file. """ # Note that we need to pass the individual path segments to os.path.join # and not a list. return os.path.join(self._TEST_DATA_PATH, *path_segments) def _SkipIfPathNotExists(self, path): """Skips the test if the path does not exist. Args: path (str): path of a test file. Raises: SkipTest: if the path path does not exist and the test should be skipped. 
""" if not os.path.exists(path): filename = os.path.basename(path) raise unittest.SkipTest(f'missing test file: {filename:s}') class TempDirectory(object): """Class that implements a temporary directory.""" def __init__(self): """Initializes a temporary directory.""" super(TempDirectory, self).__init__() self.name = '' def __enter__(self): """Make this work with the 'with' statement.""" self.name = tempfile.mkdtemp() return self.name def __exit__(self, unused_type, unused_value, unused_traceback): """Make this work with the 'with' statement.""" shutil.rmtree(self.name, True) artifacts-20230928/tests/validator_test.py000066400000000000000000000021571450527130400205130ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Tests for the artifact definitions validator.""" import glob import os import unittest from artifacts import errors from tools import validator from tests import test_lib class ArtifactDefinitionsValidatorTest(test_lib.BaseTestCase): """Class to test the validator.""" def testArtifactDefinitionsValidator(self): """Runs the validator over all the YAML artifact definitions files.""" validator_object = validator.ArtifactDefinitionsValidator() for definitions_file in glob.glob(os.path.join('data', '*.yaml')): result = validator_object.CheckFile(definitions_file) self.assertTrue( result, msg=f'in definitions file: {definitions_file:s}') undefined_artifacts = validator_object.GetUndefinedArtifacts() if undefined_artifacts: raise errors.MissingDependencyError(( f'Artifacts group referencing undefined artifacts: ' f'{undefined_artifacts:s}')) # TODO: add tests that deliberately provide invalid definitions to see # if the validator works correctly. 
if __name__ == '__main__': unittest.main() artifacts-20230928/tests/writer_test.py000066400000000000000000000034551450527130400200440ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Tests for the artifact definitions readers.""" import os import unittest from artifacts import reader from artifacts import writer from tests import test_lib class ArtifactsWriterTest(test_lib.BaseTestCase): """Class to test the artifacts writer.""" def _TestArtifactsConversion( self, artifact_reader, artifact_writer, filename): """Tests artifacts conversion. Args: artifact_reader (ArtifactsReader): artifact reader. artifact_writer (ArtifactsWriter): artifact writer. filename (str): name of the file to convert. """ test_file = self._GetTestFilePath([filename]) self._SkipIfPathNotExists(test_file) artifact_definitions = list(artifact_reader.ReadFile(test_file)) with test_lib.TempDirectory() as temporary_directory: output_file = os.path.join(temporary_directory, filename) artifact_writer.WriteArtifactsFile(artifact_definitions, output_file) converted_artifact_definitions = list( artifact_reader.ReadFile(output_file)) self.assertListEqual( [artifact.AsDict() for artifact in artifact_definitions], [artifact.AsDict() for artifact in converted_artifact_definitions]) def testJsonWriter(self): """Tests conversion with the JsonArtifactsWriter.""" artifact_reader = reader.JsonArtifactsReader() artifact_writer = writer.JsonArtifactsWriter() self._TestArtifactsConversion( artifact_reader, artifact_writer, 'definitions.json') def testYamlWriter(self): """Tests conversion with the YamlArtifactsWriter.""" artifact_reader = reader.YamlArtifactsReader() artifact_writer = writer.YamlArtifactsWriter() self._TestArtifactsConversion( artifact_reader, artifact_writer, 'definitions.yaml') if __name__ == '__main__': unittest.main() 
artifacts-20230928/tools/000077500000000000000000000000001450527130400151065ustar00rootroot00000000000000artifacts-20230928/tools/__init__.py000066400000000000000000000000561450527130400172200ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- artifacts-20230928/tools/stats.py000077500000000000000000000077521450527130400166340ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Report statistics about the artifact collection.""" import collections import sys import time from artifacts import definitions from artifacts import reader class ArtifactStatistics(object): """Generate and print statistics about artifact definitions.""" def __init__(self): """Initializes artifact statistics.""" super(ArtifactStatistics, self).__init__() self._os_counts = collections.Counter() self._path_count = 0 self._reg_key_count = 0 self._source_type_counts = {} self._total_count = 0 def _PrintDictAsTable(self, title, src_dict): """Prints a table of artifact definitions. Args: title (str): title of the table. src_dict (dict[str, ArtifactDefinition]): artifact definitions by name. 
""" print(f'### {title:s}') print('') print('Identifier | Number') print('--- | ---') for key, value in sorted(src_dict.items()): print(f'{key:s} | {value:d}') print('') def PrintOSTable(self): """Prints a table of artifact definitions by operating system.""" self._PrintDictAsTable('Operating systems', self._os_counts) def PrintSourceTypeTable(self): """Prints a table of artifact definitions by source type.""" self._PrintDictAsTable( 'Artifact definition source types', self._source_type_counts) def PrintSummaryTable(self): """Prints a summary table.""" date_time_string = time.strftime('%Y-%m-%d') print(f"""Status of the repository as of {date_time_string:s} Description | Number --- | --- Number of artifact definitions: | {self._total_count:d} Number of file paths: | {self._path_count:d} Number of Windows Registry key paths: | {self._reg_key_count:d} """) def BuildStats(self): """Builds the statistics.""" artifact_reader = reader.YamlArtifactsReader() self._os_counts = collections.Counter() self._path_count = 0 self._reg_key_count = 0 self._source_type_counts = {} self._total_count = 0 for artifact_definition in artifact_reader.ReadDirectory('data'): sources_supported_os = set() for source in artifact_definition.sources: self._total_count += 1 source_type = source.type_indicator self._source_type_counts[source_type] = self._source_type_counts.get( source_type, 0) + 1 if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: self._reg_key_count += len(source.keys) elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: self._reg_key_count += len(source.key_value_pairs) elif source_type in (definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_DIRECTORY): self._path_count += len(source.paths) sources_supported_os.update(set(source.supported_os)) # Fallback to the supported_os defined at definition level if none # of the sources specified supported operating systems. 
if not sources_supported_os: sources_supported_os = set(artifact_definition.supported_os) for os_str in sources_supported_os: self._os_counts[os_str] += 1 def PrintStats(self): """Build stats and print in MarkDown format.""" data_directory_url = ( 'https://github.com/ForensicArtifacts/artifacts/tree/main/data') style_guide_url = ( 'https://artifacts.readthedocs.io/en/latest/sources/' 'Format-specification.html') print(f"""## Statistics The artifact definitions can be found in the [data directory]({data_directory_url:s}) and the format is described in detail in the [Style Guide]({style_guide_url:s}). """) self.BuildStats() self.PrintSummaryTable() self.PrintSourceTypeTable() self.PrintOSTable() def Main(): """The main program function. Returns: bool: True if successful or False if not. """ statsbuilder = ArtifactStatistics() statsbuilder.PrintStats() return True if __name__ == '__main__': if not Main(): sys.exit(1) else: sys.exit(0) artifacts-20230928/tools/validator.py000077500000000000000000000513621450527130400174570ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Tool to validate artifact definitions.""" import argparse import glob import logging import os import sys from artifacts import definitions from artifacts import errors from artifacts import reader from artifacts import registry class ArtifactDefinitionsValidator(object): """Artifact definitions validator.""" LEGACY_PATH = os.path.join('data', 'legacy.yaml') _MACOS_PRIVATE_SUB_PATHS = ('etc', 'tftpboot', 'tmp', 'var') _SUPPORTED_POSIX_USERS_VARIABLES = [ '%%users.homedir%%'] _SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES = [ '%%environ_allusersappdata%%', '%%environ_allusersprofile%%', '%%environ_programdata%%', '%%environ_programfiles%%', '%%environ_programfilesx86%%', '%%environ_systemdrive%%', '%%environ_systemroot%%', '%%environ_windir%%'] _SUPPORTED_WINDOWS_USERS_VARIABLES = [ '%%users.appdata%%', '%%users.localappdata%%', '%%users.sid%%', '%%users.temp%%', 
'%%users.username%%', '%%users.userprofile%%'] def __init__(self): """Initializes an artifact definitions validator.""" super(ArtifactDefinitionsValidator, self).__init__() self._artifact_registry = registry.ArtifactDefinitionsRegistry() self._artifact_registry_key_paths = set() def _CheckGlobstarInPathSegment( self, filename, artifact_definition, path, path_segment): """Checks if a globstar in a path segment is valid. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. path (str): path of which the path segment originated. path_segment (str): path segment to validate. Returns: bool: True if the globstar is valid. """ if not path_segment.startswith('**'): logging.warning(( f'Unuspported globstar with prefix: {path_segment:s} for path: ' f'{path:s} defined by artifact definition: ' f'{artifact_definition.name:s} in file: {filename:s}')) return False if len(path_segment) > 2: try: recursion_depth = int(path_segment[2:], 10) except (TypeError, ValueError): logging.warning(( f'Unuspported globstar with suffix: {path_segment:s} for path: ' f'{path:s} defined by artifact definition: ' f'{artifact_definition.name:s} in file: {filename:s}')) return False if recursion_depth <= 0 or recursion_depth > 10: logging.warning(( f'Globstar with unsupported recursion depth: {path_segment:s} for ' f'path: {path:s} defined by artifact definition: ' f'{artifact_definition.name:s} in file: {filename:s}')) return False return True def _CheckMacOSPaths(self, filename, artifact_definition, paths): """Checks if the paths are valid MacOS paths. Args: filename (str): name of the artifacts definition file. artifact_definition (ArtifactDefinition): artifact definition. paths (list[str]): paths to validate. Returns: bool: True if the MacOS paths is valid. 
""" result = True paths_with_private = [] paths_with_symbolic_link_to_private = [] for path in paths: path_lower = path.lower() path_segments = path_lower.split('/') if not path_segments: logging.warning(( f'Empty path defined by artifact definition: ' f'{artifact_definition.name:s} in file: {filename:s}')) result = False elif len(path_segments) == 1: continue elif path_segments[1] in self._MACOS_PRIVATE_SUB_PATHS: paths_with_symbolic_link_to_private.append(path) elif path_segments[1] == 'private' and len(path_segments) >= 2: if path_segments[2] in self._MACOS_PRIVATE_SUB_PATHS: paths_with_private.append(path) else: logging.warning(( f'Unsupported private path: {path:s} defined by artifact ' f'definition: {artifact_definition.name:s} in file: ' f'{filename:s}')) result = False has_globstar = False for path_segment in path_segments: if '**' in path_segment: if has_globstar: logging.warning(( f'Unsupported path: {path:s} with multiple globstars defined ' f'by artifact definition: {artifact_definition.name:s} in ' f'file: {filename:s}')) result = False break has_globstar = True if not self._CheckGlobstarInPathSegment( filename, artifact_definition, path, path_segment): result = False if has_globstar and path.endswith('/'): logging.warning(( f'Unsupported path: {path:s} with globstar and trailing path ' f'separator defined by artifact definition: ' f'{artifact_definition.name:s} in file: {filename:s}')) result = False for private_path in paths_with_private: symbolic_link = private_path[8:] if symbolic_link not in paths_with_symbolic_link_to_private: logging.warning(( f'Missing symbolic link: {symbolic_link:s} for path: ' f'{private_path:s} defined by artifact definition: ' f'{artifact_definition.name:s} in file: {filename:s}')) result = False for path in paths_with_symbolic_link_to_private: private_path = f'/private{path:s}' if private_path not in paths_with_private: logging.warning(( f'Missing path: {private_path:s} for symbolic link: {path:s} ' f'defined by artifact 
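# NOTE(review): this span opens mid-method. The three lines below are the
# tail of a preceding check whose logging.warning(...) call begins on a page
# line that is not visible here; they are kept verbatim.
definition: {artifact_definition.name:s} in '
            f'file: {filename:s}'))
        result = False

    return result

  def _CheckPath(self, filename, artifact_definition, source, path):
    """Checks if a path is valid.

    A path may contain at most one globstar ("**") segment, and a path that
    contains a globstar must not end with the path segment separator.

    Args:
      filename (str): name of the artifacts definition file.
      artifact_definition (ArtifactDefinition): artifact definition.
      source (SourceType): source definition.
      path (str): path to validate.

    Returns:
      bool: True if the path is valid.
    """
    result = True

    path_segments = path.split(source.separator)

    has_globstar = False
    for path_segment in path_segments:
      if '**' in path_segment:
        if has_globstar:
          # A second globstar is rejected outright; no further segment checks.
          logging.warning((
              f'Unsupported path: {path:s} with multiple globstars defined by '
              f'artifact definition: {artifact_definition.name:s} in file: '
              f'{filename:s}'))
          result = False
          break

        has_globstar = True

        if not self._CheckGlobstarInPathSegment(
            filename, artifact_definition, path, path_segment):
          result = False

    if has_globstar and path.endswith(source.separator):
      logging.warning((
          f'Unsupported path: {path:s} with globstar and trailing path '
          f'separator defined by artifact definition: '
          f'{artifact_definition.name:s} in file: {filename:s}'))
      result = False

    return result

  def _CheckWindowsPath(self, filename, artifact_definition, source, path):
    """Checks if a path is a valid Windows path.

    Besides the generic globstar rules this rejects an unexpected path
    separator, unsupported %%environ_*%% / %%users.*%% variables and a number
    of %%users.userprofile%% prefixes for which a dedicated users variable
    exists.

    Args:
      filename (str): name of the artifacts definition file.
      artifact_definition (ArtifactDefinition): artifact definition.
      source (SourceType): source definition.
      path (str): path to validate.

    Returns:
      bool: True if the Windows path is valid.
    """
    result = True

    number_of_forward_slashes = path.count('/')
    number_of_backslashes = path.count('\\')
    if (number_of_forward_slashes < number_of_backslashes and
        source.separator != '\\'):
      logging.warning((
          f'Incorrect path separator: {source.separator:s} in path: {path:s} '
          f'defined by artifact definition: {artifact_definition.name:s} in '
          f'file: {filename:s}'))
      result = False

    if source.separator != '\\':
      # The remaining checks only apply to backslash separated paths.
      return result

    path_lower = path.lower()
    path_segments = path_lower.split(source.separator)

    # str.split() always yields at least one element, so the emptiness test
    # has to be done on the path itself rather than on the segment list.
    if not path_lower:
      logging.warning((
          f'Empty path defined by artifact definition: '
          f'{artifact_definition.name:s} in file: {filename:s}'))
      result = False

    elif path_segments[0].startswith('%%users.') and path_segments[0] not in (
        '%%users.appdata%%', '%%users.homedir%%', '%%users.localappdata%%',
        '%%users.temp%%', '%%users.username%%', '%%users.userprofile%%'):
      logging.warning((
          f'Unsupported "{path_segments[0]:s}" in path: {path:s} defined by '
          f'artifact definition: {artifact_definition.name:s} in file: '
          f'{filename:s}'))
      result = False

    elif path_segments[0] == '%%users.homedir%%':
      logging.warning((
          f'Replace "%%users.homedir%%" by "%%users.userprofile%%" in path: '
          f'{path:s} defined by artifact definition: '
          f'{artifact_definition.name:s} in file: {filename:s}'))
      result = False

    elif path_lower.startswith('%%users.userprofile%%\\appdata\\local\\'):
      logging.warning((
          f'Replace "%%users.userprofile%%\\AppData\\Local" by '
          f'"%%users.localappdata%%" in path: {path:s} defined by artifact '
          f'definition: {artifact_definition.name:s} in file: {filename:s}'))
      result = False

    elif path_lower.startswith('%%users.userprofile%%\\appdata\\roaming\\'):
      logging.warning((
          f'Replace "%%users.userprofile%%\\AppData\\Roaming" by '
          f'"%%users.appdata%%" in path: {path:s} defined by artifact '
          f'definition: {artifact_definition.name:s} in file: {filename:s}'))
      result = False

    elif path_lower.startswith('%%users.userprofile%%\\application data\\'):
      logging.warning((
          f'Replace "%%users.userprofile%%\\Application Data" by '
          f'"%%users.appdata%%" in path: {path:s} defined by artifact '
          f'definition: {artifact_definition.name:s} in file: {filename:s}'))
      result = False

    elif path_lower.startswith(
        '%%users.userprofile%%\\local settings\\application data\\'):
      logging.warning((
          f'Replace "%%users.userprofile%%\\Local Settings\\Application Data" '
          f'by "%%users.localappdata%%" in path: {path:s} defined by artifact '
          f'definition: {artifact_definition.name:s} in file: {filename:s}'))
      result = False

    has_globstar = False
    for path_segment in path_segments:
      if path_segment.startswith('%%') and path_segment.endswith('%%'):
        # Only the variables listed in the class-level allow lists are
        # accepted; anything else that looks like a variable is rejected.
        if (path_segment.startswith('%%environ_') and
            path_segment not in self._SUPPORTED_WINDOWS_ENVIRONMENT_VARIABLES):
          result = False
          logging.warning((
              f'Artifact definition: {artifact_definition.name:s} in file: '
              f'{filename:s} contains Windows path that contains an '
              f'unsupported environment variable: "{path_segment:s}".'))

        elif (path_segment.startswith('%%users.') and
              path_segment not in self._SUPPORTED_WINDOWS_USERS_VARIABLES):
          result = False
          logging.warning((
              f'Artifact definition: {artifact_definition.name:s} in file: '
              f'{filename:s} contains Windows path that contains an '
              f'unsupported users variable: "{path_segment:s}".'))

      elif '**' in path_segment:
        if has_globstar:
          logging.warning((
              f'Unsupported path: {path:s} with multiple globstars defined by '
              f'artifact definition: {artifact_definition.name:s} in file: '
              f'{filename:s}'))
          result = False
          break

        has_globstar = True

        if not self._CheckGlobstarInPathSegment(
            filename, artifact_definition, path, path_segment):
          result = False

    if has_globstar and path.endswith(source.separator):
      logging.warning((
          f'Unsupported path: {path:s} with globstar and trailing path '
          f'separator defined by artifact definition: '
          f'{artifact_definition.name:s} in file: {filename:s}'))
      result = False

    return result

  def _CheckWindowsRegistryKeyPath(
      self, filename, artifact_definition, key_path):
    """Checks if a path is a valid Windows Registry key path.

    Key paths must not start with %%CURRENT_CONTROL_SET%% and must not
    contain environment or users variables, with the single exception of
    "HKEY_USERS\\%%users.sid%%".

    Args:
      filename (str): name of the artifacts definition file.
      artifact_definition (ArtifactDefinition): artifact definition.
      key_path (str): Windows Registry key path to validate.

    Returns:
      bool: True if the Windows Registry key path is valid.
    """
    result = True
    key_path_segments = key_path.lower().split('\\')

    if key_path_segments[0] == '%%current_control_set%%':
      result = False
      logging.warning((
          f'Artifact definition: {artifact_definition.name:s} in file: '
          f'{filename:s} contains Windows Registry key path that starts with '
          f'%%CURRENT_CONTROL_SET%%. Replace %%CURRENT_CONTROL_SET%% with '
          f'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet'))

    for segment_index, key_path_segment in enumerate(key_path_segments):
      if key_path_segment.startswith('%%') and key_path_segment.endswith('%%'):
        # The one sanctioned users variable: the SID directly under HKEY_USERS.
        if (segment_index == 1 and key_path_segment == '%%users.sid%%' and
            key_path_segments[0] == 'hkey_users'):
          continue

        if key_path_segment.startswith('%%environ_'):
          result = False
          logging.warning((
              f'Artifact definition: {artifact_definition.name:s} in file: '
              f'{filename:s} contains Windows Registry key path that contains '
              f'an environment variable: "{key_path_segment:s}". Usage of '
              f'environment variables in key paths is not encouraged at this '
              f'time.'))

        elif key_path_segment.startswith('%%users.'):
          result = False
          logging.warning((
              f'Artifact definition: {artifact_definition.name:s} in file: '
              f'{filename:s} contains Windows Registry key path that contains '
              f'a users variable: "{key_path_segment:s}". Usage of users '
              f'variables in key paths, except for '
              f'"HKEY_USERS\\%%users.sid%%", is not encouraged at this time.'))

    return result

  def _HasDuplicateRegistryKeyPaths(
      self, filename, artifact_definition, source):
    """Checks if Registry key paths are not already defined by other artifacts.

    Note that at the moment this function will only find exact duplicate
    Registry key paths. The key paths of the source are recorded so that later
    sources are checked against them as well.

    Args:
      filename (str): name of the artifacts definition file.
      artifact_definition (ArtifactDefinition): artifact definition.
      source (SourceType): source definition.

    Returns:
      bool: True if the Registry key paths defined by the source type
          are used in other artifacts.
    """
    result = False
    intersection = self._artifact_registry_key_paths.intersection(
        set(source.keys))
    if intersection:
      # Sorted so the warning text is deterministic across runs.
      duplicate_key_paths = '\n'.join(sorted(intersection))
      logging.warning((
          f'Artifact definition: {artifact_definition.name:s} in file: '
          f'{filename:s} has duplicate Registry key paths:\n'
          f'{duplicate_key_paths:s}'))
      result = True

    self._artifact_registry_key_paths.update(source.keys)
    return result

  def CheckDirectory(self, path):
    """Validates the artifacts definition in a specific directory.

    Validation stops at the first file that fails.

    Args:
      path (str): path of the directory containing the artifacts definition
          files.

    Returns:
      bool: True if every *.yaml file in the directory contains valid
          artifacts definitions; a directory without *.yaml files counts
          as valid.
    """
    # Initialized up front: without it an empty directory would leave the
    # name unbound at the return below.
    result = True
    for filename in sorted(glob.glob(os.path.join(path, '*.yaml'))):
      result = self.CheckFile(filename)
      if not result:
        break

    return result

  def CheckFile(self, filename):
    """Validates the artifacts definition in a specific file.

    Args:
      filename (str): name of the artifacts definition file.

    Returns:
      bool: True if the file contains valid artifacts definitions.
    """
    result = True
    # NOTE(review): YamlArtifactsReader is outside this span; it should load
    # definition files with a safe YAML loader, since they are parsed as data.
    artifact_reader = reader.YamlArtifactsReader()

    try:
      for artifact_definition in artifact_reader.ReadFile(filename):
        try:
          self._artifact_registry.RegisterDefinition(artifact_definition)
        except KeyError:
          logging.warning((
              f'Duplicate artifact definition: {artifact_definition.name:s} in '
              f'file: {filename:s}'))
          result = False

        artifact_definition_supports_macos = (
            definitions.SUPPORTED_OS_DARWIN in (
                artifact_definition.supported_os))

        artifact_definition_supports_windows = (
            definitions.SUPPORTED_OS_WINDOWS in (
                artifact_definition.supported_os))

        # macOS paths are collected and validated together after the sources
        # loop by _CheckMacOSPaths.
        macos_paths = []

        for source in artifact_definition.sources:
          if source.type_indicator == definitions.TYPE_INDICATOR_DIRECTORY:
            logging.warning((
                f'Use of deprecated source type: DIRECTORY in artifact '
                f'definition: {artifact_definition.name:s} in file: '
                f'{filename:s}'))

          if source.type_indicator in (
              definitions.TYPE_INDICATOR_DIRECTORY,
              definitions.TYPE_INDICATOR_FILE,
              definitions.TYPE_INDICATOR_PATH):

            if (definitions.SUPPORTED_OS_DARWIN in source.supported_os or (
                artifact_definition_supports_macos and
                not source.supported_os)):
              # Warning only: the separator mismatch does not fail the file.
              if source.separator != '/':
                logging.warning((
                    f'Use of unsupported path segment separator in artifact '
                    f'definition: {artifact_definition.name:s} in file: '
                    f'{filename:s}'))

              macos_paths.extend(source.paths)

            elif (artifact_definition_supports_windows or
                  definitions.SUPPORTED_OS_WINDOWS in source.supported_os):
              for path in source.paths:
                if not self._CheckWindowsPath(
                    filename, artifact_definition, source, path):
                  result = False

            else:
              for path in source.paths:
                if not self._CheckPath(
                    filename, artifact_definition, source, path):
                  result = False

          elif source.type_indicator == (
              definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
            # Exempt the legacy file from duplicate checking because it has
            # duplicates intentionally.
            if (filename != self.LEGACY_PATH and
                self._HasDuplicateRegistryKeyPaths(
                    filename, artifact_definition, source)):
              result = False

            for key_path in source.keys:
              if not self._CheckWindowsRegistryKeyPath(
                  filename, artifact_definition, key_path):
                result = False

          elif source.type_indicator == (
              definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):
            for key_value_pair in source.key_value_pairs:
              if not self._CheckWindowsRegistryKeyPath(
                  filename, artifact_definition, key_value_pair['key']):
                result = False

        if macos_paths:
          if not self._CheckMacOSPaths(
              filename, artifact_definition, macos_paths):
            result = False

    except errors.FormatError as exception:
      logging.warning(
          f'Unable to validate file: {filename:s} with error: {exception!s}')
      result = False

    return result

  def GetUndefinedArtifacts(self):
    """Retrieves the names of undefined artifacts used by artifact groups.

    Returns:
      set[str]: undefined artifacts names.
    """
    return self._artifact_registry.GetUndefinedArtifacts()


def Main():
  """The main program function.

  Returns:
    bool: True if successful or False if not.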
""" args_parser = argparse.ArgumentParser( description='Validates an artifact definitions file.') args_parser.add_argument( 'definitions', nargs='?', action='store', metavar='PATH', default=None, help=('path of the file or directory that contains the artifact ' 'definitions.')) options = args_parser.parse_args() if not options.definitions: print('Source value is missing.') print('') args_parser.print_help() print('') return False if not os.path.exists(options.definitions): print(f'No such file or directory: {options.definitions:s}') print('') return False validator = ArtifactDefinitionsValidator() if os.path.isdir(options.definitions): print(f'Validating definitions in: {options.definitions:s}/*.yaml') result = validator.CheckDirectory(options.definitions) elif os.path.isfile(options.definitions): print(f'Validating definitions in: {options.definitions:s}') result = validator.CheckFile(options.definitions) if not result: print('FAILURE') return False print('SUCCESS') return True if __name__ == '__main__': if not Main(): sys.exit(1) else: sys.exit(0) artifacts-20230928/tox.ini000066400000000000000000000020371450527130400152630ustar00rootroot00000000000000[tox] envlist = py3{7,8,9,10,11},coverage,docs,lint [testenv] allowlist_externals = ./run_tests.py pip_pre = True passenv = CFLAGS CPPFLAGS LDFLAGS setenv = PYTHONPATH = {toxinidir} deps = -rrequirements.txt -rtest_requirements.txt coverage: coverage commands = py3{7,8,9,10,11}: ./run_tests.py coverage: coverage erase coverage: coverage run --source=artifacts --omit="*_test*,*__init__*,*test_lib*" run_tests.py coverage: coverage xml [testenv:docs] usedevelop = True deps = -rdocs/requirements.txt commands = sphinx-build -b html -d build/doctrees docs dist/docs sphinx-build -b linkcheck docs dist/docs [testenv:lint] skipsdist = True pip_pre = True passenv = CFLAGS CPPFLAGS LDFLAGS setenv = PYTHONPATH = {toxinidir} deps = -rrequirements.txt -rtest_requirements.txt pylint >= 2.17.0, < 2.18.0 yamllint >= 1.26.0 commands 
= pylint --version yamllint -v pylint --rcfile=.pylintrc artifacts tests tools yamllint -c .yamllint.yaml data test_data artifacts-20230928/utils/000077500000000000000000000000001450527130400151065ustar00rootroot00000000000000artifacts-20230928/utils/__init__.py000066400000000000000000000000001450527130400172050ustar00rootroot00000000000000artifacts-20230928/utils/check_dependencies.py000077500000000000000000000006461450527130400212540ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- """Script to check for the availability and version of dependencies.""" import sys # Change PYTHONPATH to include dependencies. sys.path.insert(0, '.') import utils.dependencies # pylint: disable=wrong-import-position if __name__ == '__main__': dependency_helper = utils.dependencies.DependencyHelper() if not dependency_helper.CheckDependencies(): sys.exit(1) artifacts-20230928/utils/dependencies.py000066400000000000000000000264771450527130400201260ustar00rootroot00000000000000# -*- coding: utf-8 -*- """Helper to check for availability and version of dependencies.""" import configparser import os import re class DependencyDefinition(object): """Dependency definition. Attributes: dpkg_name (str): name of the dpkg package that provides the dependency. is_optional (bool): True if the dependency is optional. l2tbinaries_name (str): name of the l2tbinaries package that provides the dependency. maximum_version (str): maximum supported version, a greater or equal version is not supported. minimum_version (str): minimum supported version, a lesser version is not supported. name (str): name of (the Python module that provides) the dependency. pypi_name (str): name of the PyPI package that provides the dependency. python2_only (bool): True if the dependency is only supported by Python 2. python3_only (bool): True if the dependency is only supported by Python 3. rpm_name (str): name of the rpm package that provides the dependency. 
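skip_check (bool): True if the dependency should be skipped by
        the CheckDependencies or CheckTestDependencies methods of
        DependencyHelper.
    skip_requires (bool): True if the dependency should be excluded
        from requirements.txt or setup.py install_requires.
    version_property (str): name of the version attribute or function.
  """

  def __init__(self, name):
    """Initializes a dependency configuration.

    Args:
      name (str): name of the dependency.
    """
    super(DependencyDefinition, self).__init__()
    self.dpkg_name = None
    self.is_optional = False
    self.l2tbinaries_name = None
    self.maximum_version = None
    self.minimum_version = None
    self.name = name
    self.pypi_name = None
    self.python2_only = False
    self.python3_only = False
    self.rpm_name = None
    self.skip_check = None
    self.skip_requires = None
    self.version_property = None


class DependencyDefinitionReader(object):
  """Dependency definition reader.

  Reads an INI style file in which every section is one dependency and the
  section name is the dependency name.
  """

  # Option names that are copied verbatim from a section onto the
  # DependencyDefinition attribute of the same name.
  _VALUE_NAMES = frozenset([
      'dpkg_name',
      'is_optional',
      'l2tbinaries_name',
      'maximum_version',
      'minimum_version',
      'pypi_name',
      'python2_only',
      'python3_only',
      'rpm_name',
      'skip_check',
      'skip_requires',
      'version_property'])

  def _GetConfigValue(self, config_parser, section_name, value_name):
    """Retrieves a value from the config parser.

    Args:
      config_parser (ConfigParser): configuration parser.
      section_name (str): name of the section that contains the value.
      value_name (str): name of the value.

    Returns:
      object: configuration value or None if the value does not exist.
    """
    try:
      return config_parser.get(section_name, value_name)
    except configparser.NoOptionError:
      return None

  def Read(self, file_object):
    """Reads dependency definitions.

    Args:
      file_object (file): file-like object to read from.

    Yields:
      DependencyDefinition: dependency definition.
    """
    # Interpolation is disabled so "%" in values (for example in version
    # strings) is taken literally.
    config_parser = configparser.ConfigParser(interpolation=None)
    config_parser.read_file(file_object)

    for section_name in config_parser.sections():
      dependency_definition = DependencyDefinition(section_name)
      for value_name in self._VALUE_NAMES:
        value = self._GetConfigValue(config_parser, section_name, value_name)
        # NOTE(review): ConfigParser.get() returns a string (or None when the
        # option is absent), so boolean attributes such as is_optional and
        # skip_check end up holding a non-empty string rather than a bool;
        # callers test them for truthiness. Confirm the ini files only set
        # these options when they are meant to be true.
        setattr(dependency_definition, value_name, value)

      yield dependency_definition


class DependencyHelper(object):
  """Dependency helper.

  Attributes:
    dependencies (dict[str, DependencyDefinition]): dependencies.
  """

  # Leading run of digits and dots of a version string, used to strip
  # pre-/post-release suffixes before comparing.
  _VERSION_NUMBERS_REGEX = re.compile(r'[0-9.]+')
  _VERSION_SPLIT_REGEX = re.compile(r'\.|\-')

  def __init__(
      self, dependencies_file='dependencies.ini',
      test_dependencies_file='test_dependencies.ini'):
    """Initializes a dependency helper.

    Args:
      dependencies_file (Optional[str]): path to the dependencies configuration
          file.
      test_dependencies_file (Optional[str]): path to the test dependencies
          configuration file.
    """
    super(DependencyHelper, self).__init__()
    self._test_dependencies = {}
    self.dependencies = {}

    dependency_reader = DependencyDefinitionReader()

    with open(dependencies_file, 'r', encoding='utf-8') as file_object:
      for dependency in dependency_reader.Read(file_object):
        self.dependencies[dependency.name] = dependency

    # The test dependencies file is optional.
    if os.path.exists(test_dependencies_file):
      with open(test_dependencies_file, 'r', encoding='utf-8') as file_object:
        for dependency in dependency_reader.Read(file_object):
          self._test_dependencies[dependency.name] = dependency

  def _CheckPythonModule(self, dependency):
    """Checks the availability of a Python module.

    Args:
      dependency (DependencyDefinition): dependency definition.

    Returns:
      tuple: containing:

        bool: True if the Python module is available and conforms to
            the minimum required version, False otherwise.
        str: status message.
    """
    module_object = self._ImportPythonModule(dependency.name)
    if not module_object:
      return False, f'missing: {dependency.name:s}'

    # Without a version property the mere presence of the module is enough.
    if not dependency.version_property:
      return True, dependency.name

    return self._CheckPythonModuleVersion(
        dependency.name, module_object, dependency.version_property,
        dependency.minimum_version, dependency.maximum_version)

  def _CheckPythonModuleVersion(
      self, module_name, module_object, version_property, minimum_version,
      maximum_version):
    """Checks the version of a Python module.

    Args:
      module_name (str): name of the Python module.
      module_object (module): Python module.
      version_property (str): version attribute or function; a name ending
          in "()" is called rather than read.
      minimum_version (str): minimum version, or None for no lower bound.
      maximum_version (str): maximum version, or None for no upper bound.

    Returns:
      tuple: containing:

        bool: True if the Python module is available and conforms to
            the minimum required version, False otherwise.
        str: status message.
    """
    module_version = None
    if not version_property.endswith('()'):
      module_version = getattr(module_object, version_property, None)
    else:
      version_method = getattr(
          module_object, version_property[:-2], None)
      if version_method:
        module_version = version_method()

    if not module_version:
      return False, (
          f'unable to determine version information for: {module_name:s}')

    # Make sure the module version is a string.
    module_version = f'{module_version!s}'

    # Split the version string and convert every digit into an integer.
    # A string compare of both version strings will yield an incorrect result.

    # Strip any semantic suffixes such as a1, b1, pre, post, rc, dev.
    version_numbers = self._VERSION_NUMBERS_REGEX.findall(module_version)
    if not version_numbers:
      # A version string without any digit (for example "unknown") used to
      # raise IndexError here; report it as unparsable instead.
      return False, (
          f'unable to parse module version: {module_name:s} {module_version:s}')

    module_version = version_numbers[0]
    if module_version[-1] == '.':
      module_version = module_version[:-1]

    try:
      module_version_map = list(
          map(int, self._VERSION_SPLIT_REGEX.split(module_version)))
    except ValueError:
      return False, (
          f'unable to parse module version: {module_name:s} {module_version:s}')

    # NOTE(review): comparison is element-wise on the split integers, so
    # "1.2" compares lower than "1.2.0"; keep minimum/maximum versions in
    # the ini files at the same number of components as the module reports.
    if minimum_version:
      try:
        minimum_version_map = list(
            map(int, self._VERSION_SPLIT_REGEX.split(minimum_version)))
      except ValueError:
        return False, (
            f'unable to parse minimum version: {module_name:s} '
            f'{minimum_version:s}')

      if module_version_map < minimum_version_map:
        return False, (
            f'{module_name:s} version: {module_version!s} is too old, '
            f'{minimum_version!s} or later required')

    if maximum_version:
      try:
        maximum_version_map = list(
            map(int, self._VERSION_SPLIT_REGEX.split(maximum_version)))
      except ValueError:
        return False, (
            f'unable to parse maximum version: {module_name:s} '
            f'{maximum_version:s}')

      if module_version_map > maximum_version_map:
        return False, (
            f'{module_name:s} version: {module_version!s} is too recent, '
            f'{maximum_version!s} or earlier required')

    return True, f'{module_name:s} version: {module_version!s}'

  def _ImportPythonModule(self, module_name):
    """Imports a Python module.

    Args:
      module_name (str): name of the module, dotted for a submodule.

    Returns:
      module: Python module or None if the module cannot be imported.
    """
    try:
      module_object = list(map(__import__, [module_name]))[0]
    except ImportError:
      return None

    # __import__ of a dotted name returns the top-level package; walk the
    # attribute chain down to the requested submodule. A missing attribute
    # makes the result None.
    if '.' in module_name:
      for submodule_name in module_name.split('.')[1:]:
        module_object = getattr(module_object, submodule_name, None)

    return module_object

  def _PrintCheckDependencyStatus(
      self, dependency, result, status_message, verbose_output=True):
    """Prints the check dependency status.

    Args:
      dependency (DependencyDefinition): dependency definition.
      result (bool): True if the Python module is available and conforms to
          the minimum required version, False otherwise.
      status_message (str): status message.
      verbose_output (Optional[bool]): True if output should be verbose.
    """
    # Optional dependencies are always printed as [OPTIONAL], whether or not
    # they were found; required ones print [FAILURE] on a miss and [OK] only
    # in verbose mode.
    if not result or dependency.is_optional:
      if dependency.is_optional:
        status_indicator = '[OPTIONAL]'
      else:
        status_indicator = '[FAILURE]'

      print(f'{status_indicator:s}\t{status_message:s}')

    elif verbose_output:
      print(f'[OK]\t\t{status_message:s}')

  def CheckDependencies(self, verbose_output=True):
    """Checks the availability of the dependencies.

    Args:
      verbose_output (Optional[bool]): True if output should be verbose.

    Returns:
      bool: True if the dependencies are available, False otherwise.
    """
    print('Checking availability and versions of dependencies.')
    check_result = True

    for _, dependency in sorted(self.dependencies.items()):
      if dependency.skip_check:
        continue

      result, status_message = self._CheckPythonModule(dependency)

      # A missing optional dependency does not fail the overall check.
      if not result and not dependency.is_optional:
        check_result = False

      self._PrintCheckDependencyStatus(
          dependency, result, status_message, verbose_output=verbose_output)

    if check_result and not verbose_output:
      print('[OK]')

    print('')
    return check_result

  def CheckTestDependencies(self, verbose_output=True):
    """Checks the availability of the dependencies when running tests.

    Args:
      verbose_output (Optional[bool]): True if output should be verbose.

    Returns:
      bool: True if the dependencies are available, False otherwise.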
""" if not self.CheckDependencies(verbose_output=verbose_output): return False print('Checking availability and versions of test dependencies.') check_result = True for dependency in sorted( self._test_dependencies.values(), key=lambda dependency: dependency.name): if dependency.skip_check: continue result, status_message = self._CheckPythonModule(dependency) if not result and not dependency.is_optional: check_result = False self._PrintCheckDependencyStatus( dependency, result, status_message, verbose_output=verbose_output) if check_result and not verbose_output: print('[OK]') print('') return check_result artifacts-20230928/utils/pylintrc000066400000000000000000000215611450527130400167020ustar00rootroot00000000000000# File copied from: # http://src.chromium.org/chrome/trunk/tools/depot_tools/pylintrc # Date: 2013-06-29. [MASTER] # Specify a configuration file. #rcfile= # Python code to execute, usually for sys.path manipulation such as # pygtk.require(). #init-hook= # Profiled execution. profile=no # Add files or directories to the blacklist. They should be base names, not # paths. ignore=CVS # Pickle collected data for later comparisons. persistent=yes # List of plugins (as comma separated values of python modules names) to load, # usually to register additional checkers. load-plugins= [MESSAGES CONTROL] # Enable the message, report, category or checker with the given id(s). You can # either give multiple identifier separated by comma (,) or put this option # multiple time. #enable= # Disable the message, report, category or checker with the given id(s). You # can either give multiple identifier separated by comma (,) or put this option # multiple time (only on the command line, not in the configuration file where # it should appear only once). 
# CHANGED: # C0103: Invalid name "" # C0111: Missing docstring # C0302: Too many lines in module (N) # # F0401: Unable to import 'module' # pylint acting strangely: plaso/lib/event.py: F0401: 26,0: Unable to import 'google.protobuf' # # I0010: Unable to consider inline option '' # I0011: Locally disabling WNNNN # # R0201: Method could be a function # R0801: Similar lines in N files # R0901: Too many ancestors (8/7) # R0902: Too many instance attributes (N/7) # R0903: Too few public methods (N/2) # R0904: Too many public methods (N/20) # R0911: Too many return statements (N/6) # R0912: Too many branches (N/12) # R0913: Too many arguments (N/5) # R0914: Too many local variables (N/15) # R0915: Too many statements (N/50) # R0921: Abstract class not referenced # R0922: Abstract class is only referenced 1 times # W0122: Use of the exec statement # W0141: Used builtin function '' # W0142: Used * or ** magic # W0201: Variables defined initially outside the scope of __init__ (reconsider this, added by Kristinn). # W0212: Locally enabling protected-access # W0402: Uses of a deprecated module 'string' # W0404: 41: Reimport 'XX' (imported line NN) # W0511: TODO # W0603: Using the global statement # W0703: Catch "Exception" # W1201: Specify string format arguments as logging function parameters # W1202: Use % formatting in logging functions but pass the % parameters as arguments disable=C0103,C0111,C0302,F0401,I0010,I0011,R0201,R0801,R0901,R0902,R0903,R0904,R0911,R0912,R0913,R0914,R0915,R0921,R0922,W0122,W0141,W0142,W0201,W0212,W0402,W0404,W0511,W0603,W0703,W1201,W1202 [REPORTS] # Set the output format. Available formats are text, parseable, colorized, msvs # (visual studio) and html output-format=text # Put messages in a separate file for each module / package specified on the # command line instead of printing them on stdout. Reports (if any) will be # written in a file name "pylint_global.[txt|html]". 
files-output=no # Tells whether to display a full report or only the messages # CHANGED: reports=no # Python expression which should return a note less than 10 (10 is the highest # note). You have access to the variables errors warning, statement which # respectively contain the number of errors / warnings messages and the total # number of statements analyzed. This is used by the global evaluation report # (RP0004). evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) # Add a comment according to your evaluation note. This is used by the global # evaluation report (RP0004). comment=no [VARIABLES] # Tells whether we should check for unused import in __init__ files. init-import=no # A regular expression matching the beginning of the name of unused variables. # By default this is _ and dummy but we prefer _ and unused. dummy-variables-rgx=_|unused # List of additional names supposed to be defined in builtins. Remember that # you should avoid to define new builtins when possible. additional-builtins= [TYPECHECK] # Tells whether missing members accessed in mixin class should be ignored. A # mixin class is detected if its name ends with "mixin" (case insensitive). ignore-mixin-members=yes # List of classes names for which member attributes should not be checked # (useful for classes with attributes dynamically set). ignored-classes=SQLObject,twisted.internet.reactor,hashlib,google.appengine.api.memcache # When zope mode is activated, add a predefined set of Zope acquired attributes # to generated-members. zope=no # List of members which are set dynamically and missed by pylint inference # system, and so shouldn't trigger E0201 when accessed. Python regular # expressions are accepted. generated-members=REQUEST,acl_users,aq_parent,multiprocessing.managers.SyncManager [MISCELLANEOUS] # List of note tags to take in consideration, separated by a comma. notes=FIXME,XXX,TODO [SIMILARITIES] # Minimum lines number of a similarity. 
min-similarity-lines=4 # Ignore comments when computing similarities. ignore-comments=yes # Ignore docstrings when computing similarities. ignore-docstrings=yes [FORMAT] # Maximum number of characters on a single line. max-line-length=80 # Maximum number of lines in a module max-module-lines=1000 # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 # tab). # CHANGED: indent-string=' ' [BASIC] # Required attributes for module, separated by a comma required-attributes= # List of builtins function names that should not be used, separated by a comma bad-functions=map,filter,apply,input # Regular expression which should only match correct module names module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ # Regular expression which should only match correct module level names const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ # Regular expression which should only match correct class names class-rgx=[A-Z_][a-zA-Z0-9]+$ # Regular expression which should only match correct function names function-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct method names method-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct instance attribute names attr-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct argument names argument-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct variable names variable-rgx=[a-z_][a-z0-9_]{2,30}$ # Regular expression which should only match correct list comprehension / # generator expression variable names inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ # Good variable names which should always be accepted, separated by a comma good-names=i,j,k,ex,Run,_ # Bad variable names which should always be refused, separated by a comma bad-names=foo,bar,baz,toto,tutu,tata # Regular expression which should only match functions or classes name which do # not require a docstring no-docstring-rgx=__.*__ [DESIGN] # Maximum number of arguments for 
function / method max-args=5 # Argument names that match this expression will be ignored. Default to name # with leading underscore ignored-argument-names=_.* # Maximum number of locals for function / method body max-locals=15 # Maximum number of return / yield for function / method body max-returns=6 # Maximum number of branch for function / method body max-branchs=12 # Maximum number of statements in function / method body max-statements=50 # Maximum number of parents for a class (see R0901). max-parents=7 # Maximum number of attributes for a class (see R0902). max-attributes=7 # Minimum number of public methods for a class (see R0903). min-public-methods=2 # Maximum number of public methods for a class (see R0904). max-public-methods=20 [CLASSES] # List of interface methods to ignore, separated by a comma. This is used for # instance to not check methods defines in Zope's Interface base class. ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by # List of method names used to declare (i.e. assign) instance attributes. defining-attr-methods=__init__,__new__,setUp # List of valid names for the first argument in a class method. valid-classmethod-first-arg=cls [IMPORTS] # Deprecated modules which should not be used, separated by a comma deprecated-modules=regsub,string,TERMIOS,Bastion,rexec # Create a graph of every (i.e. internal and external) dependencies in the # given file (report RP0402 must not be disabled) import-graph= # Create a graph of external dependencies in the given file (report RP0402 must # not be disabled) ext-import-graph= # Create a graph of internal dependencies in the given file (report RP0402 must # not be disabled) int-import-graph= [EXCEPTIONS] # Exceptions that will emit a warning when being caught. 
Defaults to # "Exception" overgeneral-exceptions=Exception artifacts-20230928/utils/update_release.sh000077500000000000000000000012431450527130400204270ustar00rootroot00000000000000#!/bin/bash # Script to update the version information. EXIT_FAILURE=1; EXIT_SUCCESS=0; VERSION=`date -u +"%Y%m%d"` DPKG_DATE=`date -R` # Update the Python module version. sed "s/__version__ = '[0-9]*'/__version__ = '${VERSION}'/" -i artifacts/__init__.py # Update the version in the dpkg configuration files. cat > config/dpkg/changelog << EOT artifacts (${VERSION}-1) unstable; urgency=low * Auto-generated -- Forensic artifacts ${DPKG_DATE} EOT # Regenerate the statistics documentation. PYTHONPATH=. ./tools/stats.py > docs/sources/background/Stats.md # Regenerate the API documentation. tox -edocs exit ${EXIT_SUCCESS};