Improved validator and clean up of definitions (#306)

joachimmetz committed Feb 5, 2019
1 parent b4a8b0c commit 65a407f6cdffba44b6d3c37c127e5a6887252e8c
Showing with 134 additions and 40 deletions.
  1. +2 −3 data/java.yaml
  2. +1 −0 data/kaspersky_careto.yaml
  3. +7 −7 data/webbrowser.yaml
  4. +34 −20 data/windows.yaml
  5. +90 −10 tools/validator.py
@@ -12,9 +12,8 @@ sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata_low%%\Sun\Java\Deployment\cache\**'
- '%%users.homedir%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
- '%%users.homedir%%\Application Data\Sun\Java\Deployment\cache\**'
- '%%users.appdata%%\Sun\Java\Deployment\cache\**'
- '%%users.userprofile%%\AppData\LocalLow\Sun\Java\Deployment\cache\**'
separator: '\'
supported_os: [Windows]
supported_os: [Windows, Linux, Darwin]
@@ -82,6 +82,7 @@ sources:
- '%%users.appdata%%\microsoft\c_27803.nls'
- '%%users.appdata%%\microsoft\objframe.dll'
- '%%users.appdata%%\microsoft\shmgr.dll'
separator: '\'
supported_os: [Windows]
urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
---
@@ -348,14 +348,14 @@ sources:
- type: FILE
attributes:
paths:
- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
- '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
- '%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat'
- '%%users.userprofile%%\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat'
- '%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat'
- '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
separator: '\'
labels: [Browser]
@@ -457,7 +457,7 @@ name: OperaHistory
doc: Opera browser history (global_history.dat).
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%/Library/Opera//global_history.dat']}
attributes: {paths: ['%%users.homedir%%/Library/Opera/global_history.dat']}
supported_os: [Darwin]
- type: FILE
attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']}
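Review bot: The path `'%%users.userprofile%%\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat'` in the InternetExplorerHistory hunk is, if it sits on the new side (the rendered view has lost the +/- markers), exactly what the `Local Settings\Application Data` check added to tools/validator.py in this same commit rejects, so the validator would now warn on this file. If `%%users.localappdata%%` already resolves to that directory on XP-era profiles, the line duplicates the `'%%users.localappdata%%\Microsoft\Feeds Cache\index.dat'` entry above it and can simply be dropped; otherwise the validator rule needs an exception for it. Separately, only the Vista+ layout is listed for the cache and history files themselves: on XP they lived under `Local Settings\Temporary Internet Files\Content.IE5\` and `Local Settings\History\History.IE5\`, not under `Application Data`, so if XP coverage is intended those locations are still missing from this definition.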
@@ -23,7 +23,7 @@ doc: |
sources:
- type: FILE
attributes:
paths: ['%%users.homedir%%\AppData\Local\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db']
paths: ['%%users.localappdata%%\ConnectedDevicesPlatform\L.%%users.username%%\ActivitiesCache.db']
separator: '\'
labels: [Users]
supported_os: [Windows]
@@ -119,6 +119,7 @@ sources:
- '%%environ_systemroot%%\WinAppXRT.dll'
- '%%environ_systemroot%%\System32\Wbem\WinAppXRT.dll'
- '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll'
separator: '\'
supported_os: [Windows]
conditions: [os_major_version >= 6 AND os_minor_version >= 2]
urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']
@@ -177,8 +178,8 @@ doc: Databases that contain the Windows BITS jobs definition and state.
sources:
- type: FILE
attributes:
paths:
- '%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat'
paths: ['%%environ_allusersprofile%%\Microsoft\Network\Downloader\qmgr*.dat']
separator: '\'
supported_os: [Windows]
urls: ['http://dfrws.org/2015/proceedings/presentations/DFRWS2015-pres3.pdf']
---
@@ -1054,7 +1055,9 @@ name: WindowsMetroApplicationCache
doc: Windows Metro application cache.
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCache']}
attributes:
paths: ['%%users.localappdata%%\Packages\*\AC\INetCache']
separator: '\'
supported_os: [Windows]
urls:
- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1063,7 +1066,9 @@ name: WindowsMetroApplicationCookies
doc: Windows Metro application cookies.
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetCookies']}
attributes:
paths: ['%%users.localappdata%%\Packages\*\AC\INetCookies']
separator: '\'
supported_os: [Windows]
urls:
- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1072,7 +1077,9 @@ name: WindowsMetroApplicationHistory
doc: Windows Metro application history.
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%\AppData\Local\Packages\*\AC\INetHistory']}
attributes:
paths: ['%%users.localappdata%%\Packages\*\AC\INetHistory']
separator: '\'
supported_os: [Windows]
urls:
- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1081,7 +1088,9 @@ name: WindowsMetroUserPinnedFavoriteTiles
doc: Windows Metro user-pinned favorite tiles.
sources:
- type: FILE
attributes: {paths: ['%%users.homedir%%\AppData\Local\Microsoft\Windows\RoamingTiles']}
attributes:
paths: ['%%users.localappdata%%\Microsoft\Windows\RoamingTiles']
separator: '\'
supported_os: [Windows]
urls:
- 'http://www.forensicmag.com/article/2012/09/microsoft-windows-8-forensic-first-look'
@@ -1271,8 +1280,9 @@ sources:
paths:
- '%%environ_systemroot%%\system32\Windows­PowerShell\v1.0\profile.ps1'
- '%%environ_systemroot%%\system32\Windows­PowerShell\v1.0\Microsoft.PowerShell_profile.ps1'
- '%%users.homedir%%\Documents\WindowsPowerShell\profile.ps1'
- '%%users.homedir%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
- '%%users.userprofile%%\Documents\WindowsPowerShell\profile.ps1'
- '%%users.userprofile%%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'
separator: '\'
supported_os: [Windows]
urls:
- 'https://technet.microsoft.com/en-us/magazine/2008.10.windowspowershell.aspx#id0190010'
@@ -1436,7 +1446,9 @@ doc: |
userinit.exe will load this file and call its RunMonitor export.
sources:
- type: FILE
attributes: {paths: ['%%environ_systemroot%%\System32\rover.dll']}
attributes:
paths: ['%%environ_systemroot%%\System32\rover.dll']
separator: '\'
supported_os: [Windows]
urls: ['http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/']
---
@@ -1789,7 +1801,9 @@ name: WindowsSetupApiLogs
doc: Windows setup API logs.
sources:
- type: FILE
attributes: {paths: ['%%environ_systemroot%%\setupapi.log']}
attributes:
paths: ['%%environ_systemroot%%\setupapi.log']
separator: '\'
conditions: [os_major_version < 6]
- type: FILE
attributes:
@@ -1843,10 +1857,10 @@ sources:
- type: FILE
attributes:
paths:
- '%%users.homedir%%\Start Menu\Programs\Startup\*'
- '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
- '%%users.homedir%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'
- '%%environ_allusersprofile%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
- '%%environ_allusersprofile%%\Start Menu\Programs\Startup\*'
- '%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*'
- '%%users.userprofile%%\Start Menu\Programs\Startup\*'
separator: '\'
supported_os: [Windows]
---
@@ -2120,7 +2134,7 @@ doc: User downloads directory
sources:
- type: DIRECTORY
attributes:
paths: ['%%users.homedir%%\Downloads\*']
paths: ['%%users.userprofile%%\Downloads\*']
separator: '\'
labels: [Users]
supported_os: [Windows]
@@ -2143,8 +2157,8 @@ sources:
- type: FILE
attributes:
paths:
- '%%users.homedir%%\NTUSER.DAT'
- '%%users.homedir%%\NTUSER.MAN'
- '%%users.userprofile%%\NTUSER.DAT'
- '%%users.userprofile%%\NTUSER.MAN'
- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat'
separator: '\'
labels: [Users]
@@ -2157,9 +2171,9 @@ sources:
- type: FILE
attributes:
paths:
- '%%users.homedir%%\NTUSER.DAT.LOG'
- '%%users.homedir%%\NTUSER.DAT.LOG1'
- '%%users.homedir%%\NTUSER.DAT.LOG2'
- '%%users.userprofile%%\NTUSER.DAT.LOG'
- '%%users.userprofile%%\NTUSER.DAT.LOG1'
- '%%users.userprofile%%\NTUSER.DAT.LOG2'
- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG'
- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG1'
- '%%users.localappdata%%\Microsoft\Windows\UsrClass.dat.LOG2'
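Review bot: The WinAppXRT.dll source keeps `conditions: [os_major_version >= 6 AND os_minor_version >= 2]` right next to the newly added `separator: '\'` line, and that expression excludes Windows 10 and 11 (version 10.0: the major test passes but `0 >= 2` fails), so this persistence artifact is never collected on current systems. It reads as an attempt at "6.2 or later", which needs a form such as `os_major_version > 6 OR (os_major_version == 6 AND os_minor_version >= 2)` if the condition grammar supports OR and grouping, or two sources with separate conditions if it does not; the line is unchanged context rather than part of this commit, but this cleanup pass is where it would be fixed. Also, in the PowerShell profile hunk the two `%%environ_systemroot%%\system32\...\v1.0\...` lines appear here with a soft hyphen (U+00AD) between `Windows` and `PowerShell`; if that character is in the file rather than a display artifact, those paths never match on disk and should be retyped as plain ASCII `WindowsPowerShell`.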
@@ -52,6 +52,88 @@ def _CheckRegistryKeyPath(self, filename, artifact_definition, key_path):

return result

def _CheckWindowsPath(self, filename, artifact_definition, source, path):
"""Checks if a path is a valid Windows path.
Args:
filename (str): name of the artifacts definition file.
artifact_definition (ArtifactDefinition): artifact definition.
source (SourceType): source definition.
path (str): path to validate.
Returns:
bool: True if the Windows path is valid.
"""
result = True

number_of_forward_slashes = path.count('/')
number_of_backslashes = path.count('\\')
if (number_of_forward_slashes < number_of_backslashes and
source.separator != '\\'):
logging.warning((
'Incorrect path separator: {0:s} in path: {1:s} defined '
'by artifact definition: {2:s} in file: {3:s}').format(
source.separator, path, artifact_definition.name,
filename))
result = False

if source.separator != '\\':
return result

path_lower = path.lower()
path_segments = path_lower.split(source.separator)

if path_segments[0].startswith('%%users.') and path_segments[0] not in (
'%%users.appdata%%', '%%users.homedir%%', '%%users.localappdata%%',
'%%users.temp%%', '%%users.username%%', '%%users.userprofile%%'):
logging.warning((
'Unsupported "{0:s}" in path: {1:s} defined by artifact '
'definition: {2:s} in file: {3:s}').format(
path_segments[0], path, artifact_definition.name, filename))
result = False

elif path_segments[0] == '%%users.homedir%%':
logging.warning((
'Replace "%%users.homedir%%" by "%%users.userprofile%%" in path: '
'{0:s} defined by artifact definition: {1:s} in file: '
'{2:s}').format(path, artifact_definition.name, filename))
result = False

elif path_lower.startswith('%%users.userprofile%%\\appdata\\local\\'):
logging.warning((
'Replace "%%users.userprofile%%\\AppData\\Local" by '
'"%%users.localappdata%%" in path: {0:s} defined by artifact '
'definition: {1:s} in file: {2:s}').format(
path, artifact_definition.name, filename))
result = False

elif path_lower.startswith('%%users.userprofile%%\\appdata\\roaming\\'):
logging.warning((
'Replace "%%users.userprofile%%\\AppData\\Roaming" by '
'"%%users.appdata%%" in path: {0:s} defined by artifact '
'definition: {1:s} in file: {2:s}').format(
path, artifact_definition.name, filename))
result = False

elif path_lower.startswith('%%users.userprofile%%\\application data\\'):
logging.warning((
'Replace "%%users.userprofile%%\\Application Data" by '
'"%%users.appdata%%" in path: {0:s} defined by artifact '
'definition: {1:s} in file: {2:s}').format(
path, artifact_definition.name, filename))
result = False

elif path_lower.startswith(
'%%users.userprofile%%\\local settings\\application data\\'):
logging.warning((
'Replace "%%users.userprofile%%\\Local Settings\\Application Data" '
'by "%%users.localappdata%%" in path: {0:s} defined by artifact '
'definition: {1:s} in file: {2:s}').format(
path, artifact_definition.name, filename))
result = False

return result

def _HasDuplicateRegistryKeyPaths(
self, filename, artifact_definition, source):
"""Checks if Registry key paths are not already defined by other artifacts.
@@ -104,20 +186,18 @@ def CheckFile(self, filename):
artifact_definition.name, filename))
result = False

artifact_definition_supports_windows = (
definitions.SUPPORTED_OS_WINDOWS in (
artifact_definition.supported_os))

for source in artifact_definition.sources:
if source.type_indicator in (
definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
if definitions.SUPPORTED_OS_WINDOWS in source.supported_os:
if (artifact_definition_supports_windows or
definitions.SUPPORTED_OS_WINDOWS in source.supported_os):
for path in source.paths:
number_of_forward_slashes = path.count('/')
number_of_backslashes = path.count('\\')
if (number_of_forward_slashes < number_of_backslashes and
source.separator != '\\'):
logging.warning((
'Incorrect path separator: {0:s} in path: {1:s} defined '
'by artifact definition: {2:s} in file: {3:s}').format(
source.separator, path, artifact_definition.name,
filename))
if not self._CheckWindowsPath(
filename, artifact_definition, source, path):
result = False

elif source.type_indicator == (
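Review bot: The separator check at the top of `_CheckWindowsPath` only fires in one direction: a path written with backslashes in a source whose separator is not `\` is reported, but a source that declares `separator: '\'` and then lists a path with forward slashes passes straight through, and because the path is then split on `\` it becomes a single segment that either slips past the `%%users.` checks entirely (e.g. a `%%environ_systemroot%%/...` path) or is reported with the whole path as the "unsupported" variable name. Unless forward slashes are legitimately expected inside backslash-separated definitions, make the test symmetric: `if ((number_of_forward_slashes < number_of_backslashes and source.separator != '\\') or (number_of_backslashes < number_of_forward_slashes and source.separator == '\\')):`. The early `return result` below it remains correct for non-Windows separators. `CheckFile` in the second hunk starts and ends outside what is shown, so the `elif` branch it is cut off at cannot be reviewed here.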
