dissect.target 3.17.dev36__py3-none-any.whl → 3.18__py3-none-any.whl
- dissect/target/exceptions.py +4 -0
- dissect/target/filesystem.py +0 -10
- dissect/target/helpers/cache.py +3 -1
- dissect/target/helpers/hashutil.py +0 -40
- dissect/target/helpers/protobuf.py +6 -10
- dissect/target/helpers/record_modifier.py +4 -1
- dissect/target/helpers/ssh.py +3 -4
- dissect/target/loaders/mqtt.py +147 -2
- dissect/target/loaders/raw.py +7 -0
- dissect/target/plugins/apps/av/mcafee.py +3 -0
- dissect/target/plugins/apps/av/sophos.py +6 -0
- dissect/target/plugins/apps/av/symantec.py +6 -0
- dissect/target/plugins/apps/av/trendmicro.py +8 -3
- dissect/target/plugins/apps/browser/chromium.py +12 -0
- dissect/target/plugins/apps/browser/firefox.py +13 -1
- dissect/target/plugins/apps/browser/iexplore.py +6 -0
- dissect/target/plugins/apps/container/docker.py +1 -1
- dissect/target/plugins/os/unix/etc/__init__.py +0 -0
- dissect/target/plugins/os/unix/etc/etc.py +77 -0
- dissect/target/plugins/os/unix/history.py +1 -1
- dissect/target/plugins/os/unix/linux/cmdline.py +3 -0
- dissect/target/plugins/os/unix/linux/environ.py +3 -0
- dissect/target/plugins/os/unix/linux/processes.py +3 -0
- dissect/target/plugins/os/unix/linux/sockets.py +15 -0
- dissect/target/plugins/os/unix/locate/gnulocate.py +1 -2
- dissect/target/plugins/os/unix/locate/mlocate.py +3 -4
- dissect/target/plugins/os/unix/locate/plocate.py +34 -25
- dissect/target/plugins/os/unix/log/atop.py +6 -4
- dissect/target/plugins/os/unix/log/journal.py +5 -4
- dissect/target/plugins/os/unix/log/lastlog.py +2 -3
- dissect/target/plugins/os/unix/log/utmp.py +6 -7
- dissect/target/plugins/os/windows/_os.py +17 -6
- dissect/target/plugins/os/windows/activitiescache.py +3 -0
- dissect/target/plugins/os/windows/adpolicy.py +3 -4
- dissect/target/plugins/os/windows/catroot.py +6 -0
- dissect/target/plugins/os/windows/credhist.py +1 -2
- dissect/target/plugins/os/windows/datetime.py +3 -4
- dissect/target/plugins/os/windows/defender.py +221 -5
- dissect/target/plugins/os/windows/defender_helpers/__init__.py +0 -0
- dissect/target/plugins/os/windows/defender_helpers/defender_patterns.py +282 -0
- dissect/target/plugins/os/windows/defender_helpers/defender_records.py +191 -0
- dissect/target/plugins/os/windows/dpapi/blob.py +1 -2
- dissect/target/plugins/os/windows/dpapi/master_key.py +2 -3
- dissect/target/plugins/os/windows/lnk.py +3 -0
- dissect/target/plugins/os/windows/log/etl.py +9 -0
- dissect/target/plugins/os/windows/log/evt.py +3 -0
- dissect/target/plugins/os/windows/log/evtx.py +3 -0
- dissect/target/plugins/os/windows/log/pfro.py +3 -0
- dissect/target/plugins/os/windows/log/schedlgu.py +5 -2
- dissect/target/plugins/os/windows/notifications.py +1 -2
- dissect/target/plugins/os/windows/prefetch.py +32 -27
- dissect/target/plugins/os/windows/recyclebin.py +13 -8
- dissect/target/plugins/os/windows/regf/appxdebugkeys.py +3 -0
- dissect/target/plugins/os/windows/regf/auditpol.py +4 -5
- dissect/target/plugins/os/windows/regf/bam.py +5 -3
- dissect/target/plugins/os/windows/regf/cit.py +1 -2
- dissect/target/plugins/os/windows/regf/clsid.py +3 -0
- dissect/target/plugins/os/windows/regf/firewall.py +3 -0
- dissect/target/plugins/os/windows/regf/muicache.py +3 -0
- dissect/target/plugins/os/windows/regf/recentfilecache.py +6 -4
- dissect/target/plugins/os/windows/regf/regf.py +6 -0
- dissect/target/plugins/os/windows/regf/runkeys.py +9 -4
- dissect/target/plugins/os/windows/regf/shellbags.py +9 -7
- dissect/target/plugins/os/windows/regf/shimcache.py +5 -3
- dissect/target/plugins/os/windows/regf/trusteddocs.py +3 -0
- dissect/target/plugins/os/windows/regf/usb.py +3 -0
- dissect/target/plugins/os/windows/regf/userassist.py +8 -6
- dissect/target/plugins/os/windows/sam.py +7 -5
- dissect/target/plugins/os/windows/services.py +3 -0
- dissect/target/plugins/os/windows/task_helpers/tasks_job.py +3 -4
- dissect/target/plugins/os/windows/wer.py +3 -0
- dissect/target/target.py +6 -1
- dissect/target/tools/shell.py +30 -19
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/METADATA +50 -25
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/RECORD +80 -75
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/WHEEL +1 -1
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/LICENSE +0 -0
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.17.dev36.dist-info → dissect.target-3.18.dist-info}/top_level.txt +0 -0
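--- /dev/null
+++ b/dissect/target/plugins/os/windows/defender_helpers/defender_records.py
@@ -0,0 +1,191 @@
+from dissect.target.helpers.record import TargetRecordDescriptor
+
+DefenderMPLogProcessImageRecord = TargetRecordDescriptor(
+"windows/defender/mplog/processimage",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "process_image_name"),
+("varint", "pid"),
+("varint", "total_time"),
+("varint", "count"),
+("varint", "max_time"),
+("string", "max_time_file"),
+("varint", "estimated_impact"),
+],
+)
+
+DefenderMPLogMinFilUSSRecord = TargetRecordDescriptor(
+"windows/defender/mplog/minfiluss",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("path", "path"),
+("string", "process"),
+("string", "status"),
+("string", "state"),
+("string", "scan_request"),
+("string", "file_id"),
+("string", "reason"),
+("string", "io_status_block_for_new_file"),
+("string", "desired_access"),
+("string", "file_attributes"),
+("string", "scan_attributes"),
+("string", "access_state_flags"),
+("string", "backing_file_info"),
+],
+)
+
+DefenderMPLogMinFilBlockedFileRecord = TargetRecordDescriptor(
+"windows/defender/mplog/blockedfile",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "blocked_file"),
+("string", "process"),
+("string", "status"),
+("string", "state"),
+("string", "scan_request"),
+("string", "file_id"),
+("string", "reason"),
+("string", "io_status_block_for_new_file"),
+("string", "desired_access"),
+("string", "file_attributes"),
+("string", "scan_attributes"),
+("string", "access_state_flags"),
+("string", "backing_file_info"),
+],
+)
+
+
+DefenderMPLogBMTelemetryRecord = TargetRecordDescriptor(
+"windows/defender/mplog/bmtelemetry",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "guid"),
+("varint", "signature_id"),
+("string", "sigsha"),
+("varint", "threat_level"),
+("varint", "process_id"),
+("varint", "process_creation_time"),
+("varint", "session_id"),
+("path", "image_path"),
+("string", "taint_info"),
+("string", "operations"),
+],
+)
+
+DefenderMPLogEMSRecord = TargetRecordDescriptor(
+"windows/defender/mplog/ems",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "process"),
+("varint", "pid"),
+("string", "sigseq"),
+("varint", "send_memory_scan_report"),
+("varint", "source"),
+],
+)
+
+DefenderMPLogOriginalFileNameRecord = TargetRecordDescriptor(
+"windows/defender/mplog/originalfilename",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "original_file_name"),
+("path", "full_path"),
+("string", "hr"),
+],
+)
+
+DefenderMPLogExclusionRecord = TargetRecordDescriptor(
+"windows/defender/mplog/exclusion",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("path", "full_path_with_drive_letter"),
+("path", "full_path_with_device_path"),
+],
+)
+
+DefenderMPLogLowfiRecord = TargetRecordDescriptor(
+"windows/defender/mplog/lowfi",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("command", "lowfi"),
+],
+)
+
+DefenderMPLogDetectionAddRecord = TargetRecordDescriptor(
+"windows/defender/mplog/detectionadd",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "detection"),
+],
+)
+
+
+DefenderMPLogThreatRecord = TargetRecordDescriptor(
+"windows/defender/mplog/threat",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("command", "threat"),
+],
+)
+
+DefenderMPLogDetectionEventRecord = TargetRecordDescriptor(
+"windows/defender/mplog/detectionevent",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "threat_type"),
+("command", "command"),
+],
+)
+
+DefenderMPLogResourceScanRecord = TargetRecordDescriptor(
+"windows/defender/mplog/resourcescan",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string", "scan_id"),
+("varint", "scan_source"),
+("datetime", "start_time"),
+("datetime", "end_time"),
+("string", "resource_schema"),
+("path", "resource_path"),
+("varint", "result_count"),
+("string[]", "threats"),
+("path[]", "resources"),
+],
+)
+
+DefenderMPLogThreatActionRecord = TargetRecordDescriptor(
+"windows/defender/mplog/threataction",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("string[]", "threats"),
+("path[]", "resources"),
+("string[]", "actions"),
+],
+)
+
+DefenderMPLogRTPRecord = TargetRecordDescriptor(
+"windows/defender/mplog/rtp_log",
+[
+("datetime", "ts"),
+("path", "source_log"),
+("datetime", "last_perf"),
+("datetime", "first_rtp_scan"),
+("string", "plugin_states"),
+("path[]", "process_exclusions"),
+("path[]", "path_exclusions"),
+("string[]", "ext_exclusions"),
+],
+)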
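--- a/dissect/target/plugins/os/windows/dpapi/master_key.py
+++ b/dissect/target/plugins/os/windows/dpapi/master_key.py
@@ -29,7 +29,7 @@ struct DomainKey {
 DWORD accessCheckLen;
 char guid[16];
 char encryptedSecret[secretLen];
-char
+char accessCheck[accessCheckLen];
 };
 
 struct CredHist {
@@ -66,8 +66,7 @@ struct MasterKeyFileHeader {
 QWORD qwDomainKeySize;
 };
 """
-c_master_key = cstruct()
-c_master_key.load(master_key_def)
+c_master_key = cstruct().load(master_key_def)
 
 
 class MasterKey: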
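--- a/dissect/target/plugins/os/windows/lnk.py
+++ b/dissect/target/plugins/os/windows/lnk.py
@@ -51,6 +51,9 @@ class LnkPlugin(Plugin):
 """Parse all .lnk files in /ProgramData, /Users, and /Windows or from a specified path in record format.
 
 Yields a LnkRecord record with the following fields:
+
+.. code-block:: text
+
 lnk_path (path): Path of the link (.lnk) file.
 lnk_name (string): Name of the link (.lnk) file.
 lnk_mtime (datetime): Modification time of the link (.lnk) file.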
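--- a/dissect/target/plugins/os/windows/log/etl.py
+++ b/dissect/target/plugins/os/windows/log/etl.py
@@ -122,6 +122,9 @@ class EtlPlugin(Plugin):
 
 Yields dynamically created records based on the fields inside an ETL event.
 At least contains the following fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The TimeCreated_SystemTime field of the event.
@@ -140,6 +143,9 @@ class EtlPlugin(Plugin):
 
 Yields dynamically created records based on the fields inside an ETL event.
 At least contains the following fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The TimeCreated_SystemTime field of the event.
@@ -157,6 +163,9 @@ class EtlPlugin(Plugin):
 
 Yields dynamically created records based on the fields inside an ETL event.
 At least contains the following fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The TimeCreated_SystemTime field of the event.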
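--- a/dissect/target/plugins/os/windows/log/evt.py
+++ b/dissect/target/plugins/os/windows/log/evt.py
@@ -125,6 +125,9 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
 
 Yields dynamically created records based on the fields in the event.
 At least contains the following fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The TimeCreated_SystemTime field of the event.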
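--- a/dissect/target/plugins/os/windows/log/evtx.py
+++ b/dissect/target/plugins/os/windows/log/evtx.py
@@ -47,6 +47,9 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
 
 Yields dynamically created records based on the fields in the event.
 At least contains the following fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The TimeCreated_SystemTime field of the event.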
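--- a/dissect/target/plugins/os/windows/log/pfro.py
+++ b/dissect/target/plugins/os/windows/log/pfro.py
@@ -41,6 +41,9 @@ class PfroPlugin(Plugin):
 - https://community.ccleaner.com/topic/49106-pending-file-rename-operations-log/
 
 Yields PfroRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The parsed timestamp.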
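--- a/dissect/target/plugins/os/windows/log/schedlgu.py
+++ b/dissect/target/plugins/os/windows/log/schedlgu.py
@@ -129,9 +129,12 @@ class SchedLgUPlugin(Plugin):
 
 Adversaries may use malicious ``.job`` files to gain persistence on a system.
 
-
+Yields SchedLgURecord with fields:
+
+.. code-block:: text
+
 ts (datetime): The timestamp of the event.
-job (str): The name of the
+job (str): The name of the .job file.
 command (str): The command executed.
 status (str): The status of the event (finished, completed, exited, stopped).
 exit_code (int): The exit code of the event.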
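--- a/dissect/target/plugins/os/windows/prefetch.py
+++ b/dissect/target/plugins/os/windows/prefetch.py
@@ -1,6 +1,6 @@
 from io import BytesIO
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.util import lzxpress_huffman
 from dissect.util.ts import wintimestamp
 
@@ -33,7 +33,7 @@ GroupedPrefetchRecord = TargetRecordDescriptor(
 )
 
 
-
+prefetch_def = """
 struct PREFETCH_HEADER_DETECT {
 char signature[4];
 uint32 size;
@@ -59,14 +59,14 @@ c_prefetch = """
 uint32 volumes_information_offset;
 uint32 number_of_volumes;
 uint32 volumes_information_size;
-uint32
+uint32 unknown0[2];
 uint64 last_run_time;
 uint64 last_run_remains[7];
-uint64
+uint64 unknown1[2];
 uint32 run_count;
-uint32
-uint32
-char
+uint32 unknown2;
+uint32 unknown3;
+char unknown4[88];
 };
 
 struct FILE_INFORMATION_17 {
@@ -80,9 +80,9 @@ c_prefetch = """
 uint32 number_of_volumes;
 uint32 volumes_information_size;
 uint32 last_run_time;
-uint32
+uint32 unknown0;
 uint32 run_count;
-uint32
+uint32 unknown1;
 };
 
 struct FILE_INFORMATION_23 {
@@ -99,9 +99,9 @@ c_prefetch = """
 uint64 last_run_time;
 uint64 last_run_remains[2];
 uint32 run_count;
-uint32
-uint32
-char
+uint32 unknown0;
+uint32 unknown1;
+char unknown2[80];
 };
 
 struct VOLUME_INFORMATION_17 {
@@ -125,19 +125,19 @@ c_prefetch = """
 uint32 file_reference_size;
 uint32 directory_strings_array_offset;
 uint32 number_of_directory_strings;
-char
-char
-char
-char
-char
+char unknown0[4];
+char unknown1[24];
+char unknown2[4];
+char unknown3[24];
+char unknown4[4];
 };
 
 struct TRACE_CHAIN_ARRAY_ENTRY_17 {
 uint32 next_array_entry_index;
 uint32 total_block_load_count;
-uint32
-uint32
-uint32
+uint32 unknown0;
+uint32 unknown1;
+uint32 unknown2;
 };
 
 struct FILE_METRICS_ARRAY_ENTRY_17 {
@@ -158,25 +158,24 @@ c_prefetch = """
 uint64 ntfs_reference;
 };
 """
-
-prefetch.load(c_prefetch)
+c_prefetch = cstruct().load(prefetch_def)
 
 prefetch_version_structs = {
-17: (
-23: (
-30: (
+17: (c_prefetch.FILE_INFORMATION_17, c_prefetch.FILE_METRICS_ARRAY_ENTRY_17),
+23: (c_prefetch.FILE_INFORMATION_23, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
+30: (c_prefetch.FILE_INFORMATION_26, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
 }
 
 
 class Prefetch:
 def __init__(self, fh):
-header_detect =
+header_detect = c_prefetch.PREFETCH_HEADER_DETECT(fh.read(8))
 if header_detect.signature == b"MAM\x04":
 fh = BytesIO(lzxpress_huffman.decompress(fh))
 
 self.fh = fh
 self.fh.seek(0)
-self.header =
+self.header = c_prefetch.PREFETCH_HEADER(self.fh)
 self.version = self.identify()
 self.volumes = None
 self.metrics = None
@@ -258,6 +257,9 @@ class PrefetchPlugin(Plugin):
 - https://www.geeksforgeeks.org/prefetch-files-in-windows/
 
 Yields PrefetchRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): Run timestamp.
@@ -269,6 +271,9 @@ class PrefetchPlugin(Plugin):
 with --grouped:
 
 Yields PrefetchRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): Run timestamp.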
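--- a/dissect/target/plugins/os/windows/recyclebin.py
+++ b/dissect/target/plugins/os/windows/recyclebin.py
@@ -1,6 +1,8 @@
+from __future__ import annotations
+
 from typing import Generator
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.util.ts import wintimestamp
 
 from dissect.target import Target
@@ -21,7 +23,7 @@ RecycleBinRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
 ],
 )
 
-
+recyclebin_def = """
 struct header_v1 {
 int64 version;
 int64 file_size;
@@ -37,14 +39,14 @@ struct header_v2 {
 };
 """
 
+c_recyclebin = cstruct().load(recyclebin_def)
+
 
 class RecyclebinPlugin(Plugin):
 """Recyclebin plugin."""
 
 def __init__(self, target: Target) -> None:
 super().__init__(target)
-self.recyclebin_parser = cstruct.cstruct()
-self.recyclebin_parser.load(c_recyclebin_i)
 
 def check_compatible(self) -> None:
 for fs_entry in self.target.fs.path("/").iterdir():
@@ -66,6 +68,9 @@ class RecyclebinPlugin(Plugin):
 Return files located in the recycle bin ($Recycle.Bin).
 
 Yields RecycleBinRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname
 domain (string): The target domain
 ts (datetime): The time of deletion
@@ -128,11 +133,11 @@ class RecyclebinPlugin(Plugin):
 return "unknown"
 return parent_path.name
 
-def select_header(self, data: bytes) ->
+def select_header(self, data: bytes) -> c_recyclebin.header_v1 | c_recyclebin.header_v2:
 """Selects the correct header based on the version field in the header"""
 
-header_version =
+header_version = c_recyclebin.uint64(data[:8])
 if header_version == 2:
-return
+return c_recyclebin.header_v2
 else:
-return
+return c_recyclebin.header_v1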
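--- a/dissect/target/plugins/os/windows/regf/appxdebugkeys.py
+++ b/dissect/target/plugins/os/windows/regf/appxdebugkeys.py
@@ -86,6 +86,9 @@ class AppxDebugKeysPlugin(Plugin):
 - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
 
 Yields AppXDebugKeyRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The registry key last modified timestamp.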
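--- a/dissect/target/plugins/os/windows/regf/auditpol.py
+++ b/dissect/target/plugins/os/windows/regf/auditpol.py
@@ -1,14 +1,12 @@
 import io
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-
-c_adtev.load(
-"""
+adtev_def = """
 struct header {
 uint16 unk0;
 uint16 unk1;
@@ -18,7 +16,8 @@ struct header {
 uint16 unk3;
 };
 """
-
+
+c_adtev = cstruct().load(adtev_def)
 
 POLICY_CATEGORIES = [
 "System",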
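--- a/dissect/target/plugins/os/windows/regf/bam.py
+++ b/dissect/target/plugins/os/windows/regf/bam.py
@@ -5,13 +5,12 @@ from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-
+bam_def = """
 struct entry {
 uint64 ts;
 };
 """
-c_bam = cstruct()
-c_bam.load(c_bamdef)
+c_bam = cstruct().load(bam_def)
 
 BamDamRecord = TargetRecordDescriptor(
 "windows/registry/bam",
@@ -41,6 +40,9 @@ class BamDamPlugin(Plugin):
 """Parse bam and dam registry keys.
 
 Yields BamDamRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): The parsed timestamp.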
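--- a/dissect/target/plugins/os/windows/regf/clsid.py
+++ b/dissect/target/plugins/os/windows/regf/clsid.py
@@ -55,6 +55,9 @@ class CLSIDPlugin(Plugin):
 HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID.
 
 Yields CLSIDRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 ts (datetime): Last modified timestamp of the registry key.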
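--- a/dissect/target/plugins/os/windows/regf/firewall.py
+++ b/dissect/target/plugins/os/windows/regf/firewall.py
@@ -26,6 +26,9 @@ class FirewallPlugin(Plugin):
 HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules registry key.
 
 Yields dynamic records with usually the following fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 key (string): The rule key name.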
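--- a/dissect/target/plugins/os/windows/regf/muicache.py
+++ b/dissect/target/plugins/os/windows/regf/muicache.py
@@ -48,6 +48,9 @@ class MuiCachePlugin(Plugin):
 - https://forensafe.com/blogs/muicache.html
 
 Yields MuiCacheRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 index (varint): The index of the entry.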
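--- a/dissect/target/plugins/os/windows/regf/recentfilecache.py
+++ b/dissect/target/plugins/os/windows/regf/recentfilecache.py
@@ -1,10 +1,10 @@
-from dissect import cstruct
+from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-
+recent_files_def = """
 struct header {
 uint32 magic;
 uint32 unk0;
@@ -18,8 +18,7 @@ c_recent_files_def = """
 wchar path[length + 1];
 };
 """
-c_recent_files = cstruct.
-c_recent_files.load(c_recent_files_def)
+c_recent_files = cstruct().load(recent_files_def)
 
 RecentFileCacheRecord = TargetRecordDescriptor(
 "windows/recentfilecache",
@@ -45,6 +44,9 @@ class RecentFileCachePlugin(Plugin):
 """Parse RecentFileCache.bcf.
 
 Yields RecentFileCacheRecords with fields:
+
+.. code-block:: text
+
 hostname (string): The target hostname.
 domain (string): The target domain.
 path (uri): The parsed path.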