PyPI - dissect.target - Versions diffs - 3.19.dev13__tar.gz → 3.19.dev14__tar.gz - Mend

dissect.target 3.19.dev13tar.gz → 3.19.dev14tar.gz

Files changed (593) hide show

{dissect_target-3.19.dev13/dissect.target.egg-info → dissect_target-3.19.dev14}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev13
+Version: 3.19.dev14
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

dissect_target-3.19.dev14/dissect/target/plugins/apps/remoteaccess/anydesk.py ADDED Viewed

@@ -0,0 +1,111 @@
+import re
+from datetime import datetime, timezone
+from typing import Iterator
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import export
+from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
+    GENERIC_LOG_RECORD_FIELDS,
+    RemoteAccessPlugin,
+)
+from dissect.target.plugins.general.users import UserDetails
+class AnydeskPlugin(RemoteAccessPlugin):
+    """Anydesk plugin."""
+    __namespace__ = "anydesk"
+    # Anydesk logs when installed as a service
+    SERVICE_GLOBS = [
+        # Standard client >= Windows 7
+        "sysvol/ProgramData/AnyDesk/*.trace",
+        # Custom client >= Windows 7
+        "sysvol/ProgramData/AnyDesk/ad_*/*.trace",
+        # Windows XP / 2003
+        "sysvol/Documents and Settings/Public/AnyDesk/*.trace",
+        "sysvol/Documents and Settings/Public/AnyDesk/ad_*/*.trace",
+        # Standard/Custom client Linux/MacOS
+        "var/log/anydesk*/*.trace",
+    ]
+    # User specific Anydesk logs
+    USER_GLOBS = [
+        # Standard client Windows
+        "AppData/Roaming/AnyDesk/*.trace",
+        # Custom client Windows
+        "AppData/Roaming/AnyDesk/ad_*/*.trace",
+        # Windows XP / 2003
+        "AppData/AnyDesk/*.trace",
+        # Standard client Linux/MacOS
+        ".anydesk/*.trace",
+        # Custom client Linux/MacOS
+        ".anydesk_ad_*/*.trace",
+    ]
+    RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "remoteaccess/anydesk/log", GENERIC_LOG_RECORD_FIELDS
+    )
+    def __init__(self, target):
+        super().__init__(target)
+        self.trace_files: set[tuple[TargetPath, UserDetails]] = set()
+        # Service globs
+        user = None
+        for trace_glob in self.SERVICE_GLOBS:
+            for trace_file in self.target.fs.path().glob(trace_glob):
+                self.trace_files.add((trace_file, user))
+        # User globs
+        for user_details in self.target.user_details.all_with_home():
+            for trace_glob in self.USER_GLOBS:
+                for trace_file in user_details.home_path.glob(trace_glob):
+                    self.trace_files.add((trace_file, user_details.user))
+    def check_compatible(self) -> None:
+        if not self.trace_files:
+            raise UnsupportedPluginError("No Anydesk trace files found on target")
+    @export(record=RemoteAccessLogRecord)
+    def logs(self) -> Iterator[RemoteAccessLogRecord]:
+        """Parse AnyDesk trace files.
+        AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine.
+        Log files (.trace files) can be stored on various locations, based on target OS and client type.
+        Timestamps in trace files do not carry a time zone designator (TZD) but are in fact UTC.
+        References:
+            - https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
+            - https://support.anydesk.com/knowledge/trace-files#trace-file-locations
+        """
+        for trace_file, user in self.trace_files:
+            for line in trace_file.open("rt", errors="backslashreplace"):
+                line = line.strip()
+                if not line or "* * * * * * * * * * * * * *" in line:
+                    continue
+                try:
+                    level, ts_date, ts_time, message = line.split(" ", 3)
+                    timestamp = datetime.strptime(f"{ts_date} {ts_time}", "%Y-%m-%d %H:%M:%S.%f").replace(
+                        tzinfo=timezone.utc
+                    )
+                    message = re.sub(r"\s\s+", " ", f"{level} {message}")
+                    yield self.RemoteAccessLogRecord(
+                        ts=timestamp,
+                        message=message,
+                        source=trace_file,
+                        _target=self.target,
+                        _user=user,
+                    )
+                except ValueError as e:
+                    self.target.log.warning("Could not parse log line in file %s: '%s'", trace_file, line)
+                    self.target.log.debug("", exc_info=e)

{dissect_target-3.19.dev13 → dissect_target-3.19.dev14}/dissect/target/plugins/apps/remoteaccess/remoteaccess.py RENAMED Viewed

@@ -2,14 +2,14 @@ from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExt
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
-RemoteAccessRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
-    "application/log/remoteaccess",
-    [
-        ("datetime", "ts"),
-        ("string", "tool"),
-        ("path", "logfile"),
-        ("string", "description"),
-    ],
+GENERIC_LOG_RECORD_FIELDS = [
+    ("datetime", "ts"),
+    ("string", "message"),
+    ("path", "source"),
+]
+RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "remoteaccess/log", GENERIC_LOG_RECORD_FIELDS
 )

{dissect_target-3.19.dev13 → dissect_target-3.19.dev14}/dissect/target/plugins/apps/remoteaccess/teamviewer.py RENAMED Viewed

@@ -1,60 +1,72 @@
 import re
-from datetime import datetime
+from datetime import datetime, timezone
+from typing import Iterator
 from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
+    GENERIC_LOG_RECORD_FIELDS,
     RemoteAccessPlugin,
-    RemoteAccessRecord,
 )
+from dissect.target.plugins.general.users import UserDetails
 START_PATTERN = re.compile(r"^(\d{2}|\d{4})/")
-class TeamviewerPlugin(RemoteAccessPlugin):
-    """
-    Teamviewer plugin.
+class TeamViewerPlugin(RemoteAccessPlugin):
+    """TeamViewer client plugin.
+    Resources:
+        - https://teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/contact-support/find-your-log-files
+        - https://www.systoolsgroup.com/forensics/teamviewer/
+        - https://benleeyr.wordpress.com/2020/05/19/teamviewer-forensics-tested-on-v15/
     """
     __namespace__ = "teamviewer"
-    # Teamviewer log when service (Windows)
-    GLOBS = [
+    SYSTEM_GLOBS = [
         "sysvol/Program Files/TeamViewer/*.log",
         "sysvol/Program Files (x86)/TeamViewer/*.log",
     ]
+    USER_GLOBS = [
+        "AppData/Roaming/TeamViewer/teamviewer*_logfile.log",
+    ]
+    RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "remoteaccess/teamviewer/log", GENERIC_LOG_RECORD_FIELDS
+    )
     def __init__(self, target):
         super().__init__(target)
-        self.logfiles = []
+        self.logfiles: list[list[TargetPath, UserDetails]] = []
-        # Check service globs
-        user = None
-        for log_glob in self.GLOBS:
+        # Find system service log files.
+        for log_glob in self.SYSTEM_GLOBS:
             for logfile in self.target.fs.glob(log_glob):
-                self.logfiles.append([logfile, user])
+                self.logfiles.append([logfile, None])
-        # Teamviewer logs when as user (Windows)
+        # Find user log files.
         for user_details in self.target.user_details.all_with_home():
-            for logfile in user_details.home_path.glob("appdata/roaming/teamviewer/teamviewer*_logfile.log"):
-                self.logfiles.append([logfile, user_details.user])
+            for log_glob in self.USER_GLOBS:
+                for logfile in user_details.home_path.glob(log_glob):
+                    self.logfiles.append([logfile, user_details])
     def check_compatible(self) -> None:
         if not len(self.logfiles):
             raise UnsupportedPluginError("No Teamviewer logs found")
-    @export(record=RemoteAccessRecord)
-    def logs(self):
-        """Return the content of the TeamViewer logs.
-        TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a
-        system.
+    @export(record=RemoteAccessLogRecord)
+    def logs(self) -> Iterator[RemoteAccessLogRecord]:
+        """Yield TeamViewer client logs.
-        References:
-            - https://www.teamviewer.com/nl/
+        TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a system.
         """
-        for logfile, user in self.logfiles:
+        for logfile, user_details in self.logfiles:
             logfile = self.target.fs.path(logfile)
             start_date = None
@@ -83,7 +95,7 @@ class TeamviewerPlugin(RemoteAccessPlugin):
                     if not re.match(START_PATTERN, line):
                         continue
-                    ts_day, ts_time, description = line.split(" ", 2)
+                    ts_day, ts_time, message = line.split(" ", 2)
                     ts_time = ts_time.split(".")[0]
                     # Correct for use of : as millisecond separator
@@ -99,13 +111,14 @@ class TeamviewerPlugin(RemoteAccessPlugin):
                     if ts_day.count("/") == 2 and len(ts_day.split("/")[0]) == 2:
                         ts_day = "20" + ts_day
-                    timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y/%m/%d %H:%M:%S")
+                    timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y/%m/%d %H:%M:%S").replace(
+                        tzinfo=timezone.utc
+                    )
-                    yield RemoteAccessRecord(
-                        tool="teamviewer",
+                    yield self.RemoteAccessLogRecord(
                         ts=timestamp,
-                        logfile=str(logfile),
-                        description=description,
+                        message=message,
+                        source=logfile,
                         _target=self.target,
-                        _user=user,
+                        _user=user_details.user if user_details else None,
                     )

{dissect_target-3.19.dev13 → dissect_target-3.19.dev14/dissect.target.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev13
+Version: 3.19.dev14
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

dissect_target-3.19.dev14/tests/plugins/apps/remoteaccess/test_anydesk.py ADDED Viewed

@@ -0,0 +1,84 @@
+import operator
+import uuid
+from datetime import datetime, timezone
+from dissect.target.filesystem import VirtualFilesystem
+from dissect.target.plugins.apps.remoteaccess.anydesk import AnydeskPlugin
+from dissect.target.target import Target
+from tests._utils import absolute_path
+def test_anydesk_plugin_log(target_win_users: Target, fs_win: VirtualFilesystem) -> None:
+    fs_win.map_file(
+        "ProgramData/AnyDesk/TestAnydesk.trace",
+        absolute_path("_data/plugins/apps/remoteaccess/anydesk/TestAnydesk.trace"),
+    )
+    target_win_users.add_plugin(AnydeskPlugin)
+    records = list(target_win_users.anydesk.logs())
+    assert len(records) == 1
+    assert records[0].ts == datetime(2021, 11, 11, 12, 34, 56, 789000, tzinfo=timezone.utc)
+    assert records[0].message == "LEVEL Strip the headers, trace the source!"
+    assert records[0].source == "sysvol/ProgramData/AnyDesk/TestAnydesk.trace"
+    assert records[0].username is None
+    assert records[0].user_id is None
+    assert records[0].user_home is None
+def test_anydesk_plugin_user_log(target_win_users: Target, fs_win: VirtualFilesystem) -> None:
+    fs_win.map_file(
+        "Users/John/AppData/Roaming/AnyDesk/TestAnydesk.trace",
+        absolute_path("_data/plugins/apps/remoteaccess/anydesk/TestAnydesk.trace"),
+    )
+    target_win_users.add_plugin(AnydeskPlugin)
+    records = list(target_win_users.anydesk.logs())
+    records.sort(key=operator.attrgetter("source"))
+    assert len(records) == 1
+    user_details = target_win_users.user_details.find(username="John")
+    assert records[0].ts == datetime(2021, 11, 11, 12, 34, 56, 789000, tzinfo=timezone.utc)
+    assert records[0].message == "LEVEL Strip the headers, trace the source!"
+    assert records[0].source == "C:/Users/John/AppData/Roaming/AnyDesk/TestAnydesk.trace"
+    assert records[0].username == user_details.user.name
+    assert records[0].user_id == user_details.user.sid
+    assert records[0].user_home == user_details.user.home
+def test_anydesk_plugin_multiple_trace_files(target_win_users: Target, fs_win: VirtualFilesystem) -> None:
+    trace_file = absolute_path("_data/plugins/apps/remoteaccess/anydesk/Another.trace")
+    trace_files = 0
+    for str_path in AnydeskPlugin.SERVICE_GLOBS:
+        if "var/log/" in str_path:
+            continue
+        fs_win.map_file(str_path.replace("sysvol/", "").replace("*", uuid.uuid4().hex[:6]), trace_file)
+        trace_files += 1
+    for str_path in AnydeskPlugin.USER_GLOBS:
+        if str_path.startswith(".anydesk"):
+            continue
+        fs_win.map_file("Users\\John\\" + str_path.replace("*", uuid.uuid4().hex[:6]), trace_file)
+        trace_files += 1
+    target_win_users.add_plugin(AnydeskPlugin)
+    records = list(target_win_users.anydesk.logs())
+    assert len(target_win_users.anydesk.trace_files) == trace_files
+    assert len(records) == trace_files * 419
+def test_anydesk_unix(target_unix_users: Target, fs_unix: VirtualFilesystem) -> None:
+    trace_file = absolute_path("_data/plugins/apps/remoteaccess/anydesk/Another.trace")
+    fs_unix.map_file("/var/log/anydesk/1337.trace", trace_file)
+    fs_unix.map_file("/root/.anydesk/1337.trace", trace_file)
+    fs_unix.map_file("/root/.anydesk_ad_1337/1337.trace", trace_file)
+    target_unix_users.add_plugin(AnydeskPlugin)
+    records = list(target_unix_users.anydesk.logs())
+    assert len(target_unix_users.anydesk.trace_files) == 3
+    assert len(records) == 3 * 419

{dissect_target-3.19.dev13 → dissect_target-3.19.dev14}/tests/plugins/apps/remoteaccess/test_teamviewer.py RENAMED Viewed

@@ -1,6 +1,6 @@
 from datetime import datetime, timezone
-from dissect.target.plugins.apps.remoteaccess.teamviewer import TeamviewerPlugin
+from dissect.target.plugins.apps.remoteaccess.teamviewer import TeamViewerPlugin
 from tests._utils import absolute_path
@@ -11,15 +11,15 @@ def test_teamviewer_plugin_global_log(target_win_users, fs_win):
     _, _, map_path = target_logfile_name.partition("sysvol/")
     fs_win.map_file(map_path, teamviewer_logfile)
-    tvp = TeamviewerPlugin(target_win_users)
+    tvp = TeamViewerPlugin(target_win_users)
     records = list(tvp.logs())
     assert len(records) == 4
     record = records[0]
     assert record.ts == datetime(2021, 11, 11, 12, 34, 56, tzinfo=timezone.utc)
-    assert record.description == "Strip the headers, trace the source!"
-    assert record.logfile == target_logfile_name
+    assert record.message == "Strip the headers, trace the source!"
+    assert record.source == target_logfile_name
     assert record.username is None
     assert record.user_id is None
     assert record.user_home is None
@@ -33,15 +33,15 @@ def test_teamviewer_plugin_user_log(target_win_users, fs_win):
     _, _, map_path = target_logfile_name.partition("C:/")
     fs_win.map_file(map_path, teamviewer_logfile)
-    tvp = TeamviewerPlugin(target_win_users)
+    tvp = TeamViewerPlugin(target_win_users)
     records = list(tvp.logs())
     assert len(records) == 4
     record = records[0]
     assert record.ts == datetime(2021, 11, 11, 12, 34, 56, tzinfo=timezone.utc)
-    assert record.description == "Strip the headers, trace the source!"
-    assert record.logfile == target_logfile_name
+    assert record.message == "Strip the headers, trace the source!"
+    assert record.source == target_logfile_name
     assert record.username == user_details.user.name
     assert record.user_id == user_details.user.sid
     assert record.user_home == user_details.user.home
@@ -55,19 +55,19 @@ def test_teamviewer_plugin_special_date_parsing(target_win_users, fs_win):
     _, _, map_path = target_logfile_name.partition("C:/")
     fs_win.map_file(map_path, teamviewer_logfile)
-    tvp = TeamviewerPlugin(target_win_users)
+    tvp = TeamViewerPlugin(target_win_users)
     records = list(tvp.logs())
     assert len(records) == 4
     record_2 = records[1]
     assert record_2.ts == datetime(2021, 11, 11, 12, 35, 55, tzinfo=timezone.utc)
-    assert record_2.description == "Should be year 2021"
+    assert record_2.message == "Should be year 2021"
     record_3 = records[2]
     assert record_3.ts == datetime(2021, 11, 11, 12, 36, 11, tzinfo=timezone.utc)
-    assert record_3.description == "Should discard the milliseconds properly"
+    assert record_3.message == "Should discard the milliseconds properly"
     record_4 = records[3]
     assert record_4.ts == datetime(2021, 11, 11, 12, 37, 00, tzinfo=timezone.utc)
-    assert record_4.description == "Should be year 2021"
+    assert record_4.message == "Should be year 2021"

dissect_target-3.19.dev13/dissect/target/plugins/apps/remoteaccess/anydesk.py DELETED Viewed

@@ -1,91 +0,0 @@
-from datetime import datetime
-from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.plugin import export
-from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
-    RemoteAccessPlugin,
-    RemoteAccessRecord,
-)
-class AnydeskPlugin(RemoteAccessPlugin):
-    """
-    Anydesk plugin.
-    """
-    __namespace__ = "anydesk"
-    # Anydesk logs when installed as a service
-    SERVICE_GLOBS = [
-        "/sysvol/ProgramData/AnyDesk/*.trace",  # Standard client >= Windows 7
-        "/sysvol/ProgramData/AnyDesk/ad_*/*.trace",  # Custom client >= Windows 7
-        "/var/log/anydesk*.trace",  # Standard/Custom client Linux/MacOS
-    ]
-    # User specific Anydesk logs
-    USER_GLOBS = [
-        "appdata/roaming/AnyDesk/*.trace",  # Standard client Windows
-        "appdata/roaming/AnyDesk/ad_*/*.trace",  # Custom client Windows
-        ".anydesk/*.trace",  # Standard client Linux/MacOS
-        ".anydesk_ad_*/*.trace",  # Custom client Linux/MacOS
-    ]
-    def __init__(self, target):
-        super().__init__(target)
-        self.logfiles = []
-        # Check service globs
-        user = None
-        for log_glob in self.SERVICE_GLOBS:
-            for logfile in self.target.fs.glob(log_glob):
-                self.logfiles.append([logfile, user])
-        # Anydesk logs when as user
-        for user_details in self.target.user_details.all_with_home():
-            for log_glob in self.USER_GLOBS:
-                for logfile in user_details.home_path.glob(log_glob):
-                    self.logfiles.append([logfile, user_details.user])
-    def check_compatible(self) -> None:
-        if not (len(self.logfiles)):
-            raise UnsupportedPluginError("No Anydesk logs found")
-    @export(record=RemoteAccessRecord)
-    def logs(self):
-        """Return the content of the AnyDesk logs.
-        AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine.
-        Log files (.trace files) are retrieved from various location based on OS and client type.
-        References:
-            - https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
-            - https://support.anydesk.com/knowledge/trace-files#trace-file-locations
-        """
-        for logfile, user in self.logfiles:
-            logfile = self.target.fs.path(logfile)
-            for line in logfile.open("rt"):
-                line = line.strip()
-                # Skip empty lines
-                if not line:
-                    continue
-                if "* * * * * * * * * * * * * *" in line:
-                    continue
-                level, ts_day, ts_time, description = line.split(" ", 3)
-                description = f"{level} {description}"
-                ts_time = ts_time.split(".")[0]
-                timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y-%m-%d %H:%M:%S")
-                yield RemoteAccessRecord(
-                    ts=timestamp,
-                    tool="anydesk",
-                    logfile=str(logfile),
-                    description=description,
-                    _target=self.target,
-                    _user=user,
-                )

dissect_target-3.19.dev13/tests/plugins/apps/remoteaccess/test_anydesk.py DELETED Viewed

@@ -1,47 +0,0 @@
-from datetime import datetime, timezone
-from dissect.target.plugins.apps.remoteaccess.anydesk import AnydeskPlugin
-from tests._utils import absolute_path
-def test_anydesk_plugin_global_log(target_win_users, fs_win):
-    anydesk_logfile = absolute_path("_data/plugins/apps/remoteaccess/anydesk/TestAnydesk.trace")
-    target_logfile_name = "/sysvol/ProgramData/AnyDesk/TestAnydesk.trace"
-    _, _, map_path = target_logfile_name.partition("sysvol/")
-    fs_win.map_file(map_path, anydesk_logfile)
-    adp = AnydeskPlugin(target_win_users)
-    records = list(adp.logs())
-    assert len(records) == 1
-    record = records[0]
-    assert record.ts == datetime(2021, 11, 11, 12, 34, 56, tzinfo=timezone.utc)
-    assert record.description == "LEVEL Strip the headers, trace the source!"
-    assert record.logfile == target_logfile_name
-    assert record.username is None
-    assert record.user_id is None
-    assert record.user_home is None
-def test_anydesk_plugin_user_log(target_win_users, fs_win):
-    anydesk_logfile = absolute_path("_data/plugins/apps/remoteaccess/anydesk/TestAnydesk.trace")
-    user_details = target_win_users.user_details.find(username="John")
-    target_logfile_name = f"{user_details.home_path}/appdata/roaming/AnyDesk/TestAnydesk.trace"
-    _, _, map_path = target_logfile_name.partition("C:/")
-    fs_win.map_file(map_path, anydesk_logfile)
-    adp = AnydeskPlugin(target_win_users)
-    records = list(adp.logs())
-    assert len(records) == 1
-    record = records[0]
-    assert record.ts == datetime(2021, 11, 11, 12, 34, 56, tzinfo=timezone.utc)
-    assert record.description == "LEVEL Strip the headers, trace the source!"
-    assert record.logfile == target_logfile_name
-    assert record.username == user_details.user.name
-    assert record.user_id == user_details.user.sid
-    assert record.user_home == user_details.user.home