From 6bc26078b1daf7dbdcc18c65f48a7f6b0a84bef5 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Sun, 10 Jul 2022 08:36:28 +0200 Subject: [PATCH] Removed support for conditions (#515) --- artifacts/__init__.py | 2 +- artifacts/artifact.py | 6 ----- artifacts/definitions.py | 1 + artifacts/reader.py | 4 --- config/dpkg/changelog | 4 +-- data/windows.yaml | 27 +------------------- data/wmi.yaml | 13 ---------- docs/sources/Format-specification.md | 37 +++++++++------------------- docs/sources/background/Stats.md | 16 ++++++------ test_data/definitions.json | 2 +- test_data/definitions.yaml | 1 - tests/reader_test.py | 4 --- tests/registry_test.py | 1 - 13 files changed, 26 insertions(+), 92 deletions(-) diff --git a/artifacts/__init__.py b/artifacts/__init__.py index 4a788ffd..f0e4bf41 100644 --- a/artifacts/__init__.py +++ b/artifacts/__init__.py @@ -1,4 +1,4 @@ # -*- coding: utf-8 -*- """ForensicArtifacts.com Artifact Repository.""" -__version__ = '20220615' +__version__ = '20220710' diff --git a/artifacts/artifact.py b/artifacts/artifact.py index e469059c..702d96bc 100644 --- a/artifacts/artifact.py +++ b/artifacts/artifact.py @@ -10,7 +10,6 @@ class ArtifactDefinition(object): Attributes: aliases (list[str]): aliases that identify the artifact definition. - conditions (list[str]): conditions. description (str): description. name (str): name that uniquely identifiers the artifact definition. provides (list[str]): hints to what information the artifact definition @@ -30,7 +29,6 @@ def __init__(self, name, aliases=None, description=None): """ super(ArtifactDefinition, self).__init__() self.aliases = aliases or [] - self.conditions = [] self.description = description self.name = name self.provides = [] @@ -85,8 +83,6 @@ def AsDict(self): } if source.supported_os: source_definition['supported_os'] = source.supported_os - if source.conditions: - source_definition['conditions'] = source.conditions sources.append(source_definition) artifact_definition = { 
@@ -100,8 +96,6 @@ def AsDict(self): artifact_definition['supported_os'] = self.supported_os if self.provides: artifact_definition['provides'] = self.provides - if self.conditions: - artifact_definition['conditions'] = self.conditions if self.urls: artifact_definition['urls'] = self.urls return artifact_definition diff --git a/artifacts/definitions.py b/artifacts/definitions.py index 3bd290a4..5d459e83 100644 --- a/artifacts/definitions.py +++ b/artifacts/definitions.py @@ -21,6 +21,7 @@ TOP_LEVEL_KEYS = frozenset([ 'aliases', + # conditions have been deprecated as of version 20220710. 'conditions', 'doc', # labels have been deprecated as of version 20220311. diff --git a/artifacts/reader.py b/artifacts/reader.py index 77a8c638..e38e594c 100644 --- a/artifacts/reader.py +++ b/artifacts/reader.py @@ -167,7 +167,6 @@ def _ReadSources(self, artifact_definition_values, artifact_definition, name): 'Invalid artifact definition: {0:s} returned_types no longer ' 'supported.').format(name)) - source_type.conditions = source.get('conditions', []) self._ReadSupportedOS(source, source_type, name) if set(source_type.supported_os) - set( artifact_definition.supported_os): @@ -225,9 +224,6 @@ def ReadArtifactDefinitionValues(self, artifact_definition_values): 'Invalid artifact definition: {0:s} urls is not a list.'.format( name)) - # TODO: check conditions. - artifact_definition.conditions = artifact_definition_values.get( - 'conditions', []) artifact_definition.provides = artifact_definition_values.get( 'provides', []) self._ReadSupportedOS(artifact_definition_values, artifact_definition, name) diff --git a/config/dpkg/changelog b/config/dpkg/changelog index 9c421ef9..8bcac105 100644 --- a/config/dpkg/changelog +++ b/config/dpkg/changelog @@ -1,5 +1,5 @@ -artifacts (20220615-1) unstable; urgency=low +artifacts (20220710-1) unstable; urgency=low * Auto-generated - -- Forensic artifacts Wed, 15 Jun 2022 19:16:45 +0200 + -- Forensic artifacts Sun, 10 Jul 2022 07:24:54 +0200 
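Review bot: Both reader.py hunks drop the `conditions` assignment without any replacement signal, so a definition that still carries the key now loads silently — artifacts/definitions.py keeps `'conditions'` in TOP_LEVEL_KEYS as an accepted, deprecated key — and the OS-version gating its author intended simply disappears. A one-off deprecation warning at the point the key is ignored would make that visible to operators, e.g. in ReadArtifactDefinitionValues: `if 'conditions' in artifact_definition_values:` / `logging.warning('Artifact definition: %s conditions are deprecated and ignored.', name)` (using the module's own logger if it has one). In _ReadSources, if source-level keys are validated against a set analogous to TOP_LEVEL_KEYS, confirm `conditions` is kept there with the same deprecation comment; otherwise definition files outside this repository that still use source-level conditions, like the WindowsSetupApiLogs sources this commit rewrites in data/windows.yaml, would fail to load rather than degrade. Both enclosing methods start and end outside the hunks.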
diff --git a/data/windows.yaml b/data/windows.yaml
index 2ae4204d..7a0afb71 100644
--- a/data/windows.yaml
+++ b/data/windows.yaml
@@ -8,7 +8,6 @@ sources:
 keys:
 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\Components\*'
 - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Internet Explorer\Desktop\General'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html']
 ---
@@ -46,7 +45,6 @@ sources:
 - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1'
 - '%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2'
 separator: '\'
-conditions: [os_major_version >= 6 AND os_minor_version >= 1]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html']
 ---
@@ -203,7 +201,6 @@ sources:
 - '%%environ_systemroot%%\System32\WindowsPowerShell\v1.0\WinAppXRT.dll'
 separator: '\'
 supported_os: [Windows]
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 urls: ['http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/']
 ---
 name: WindowsAutoexecBat
@@ -627,7 +624,6 @@ sources:
 - '%%environ_systemroot%%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
 - '%%users.userprofile%%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*'
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Cryptnet_URL_Cache']
 ---
@@ -646,7 +642,6 @@ sources:
 - '%%environ_systemroot%%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
 - '%%users.userprofile%%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*'
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Cryptnet_URL_Cache']
 ---
@@ -740,7 +735,6 @@ sources:
 key_value_pairs:
 - {key: 'HKEY_USERS\%%users.sid%%\Environment', value: 'APPX_PROCESS'}
 supported_os: [Windows]
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
 ---
 name: WindowsEnvironmentVariableCommonProgramFiles
@@ -785,7 +779,6 @@ sources:
 - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', value: 'DriverData'}
 provides: [environ_driverdata]
 supported_os: [Windows]
-conditions: [os_major_version >= 10]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html']
 ---
 name: WindowsEnvironmentVariablePath
@@ -925,7 +918,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\config\AppEvent.evt']
 separator: '\'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -957,7 +949,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\config\SecEvent.evt']
 separator: '\'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -978,7 +969,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\config\SysEvent.evt']
 separator: '\'
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -1009,7 +999,6 @@ sources:
 - '%%environ_systemroot%%\System32\WDI\LogFiles\*.etl.0*'
 - '%%environ_systemroot%%\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\*\*.etl'
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Event_Tracing_for_Windows_(ETW)']
 ---
@@ -1486,7 +1475,6 @@ sources:
 - type: REGISTRY_KEY
 attributes:
 keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\OpenSaveMRU\*\*']
-conditions: [os_major_version < 6]
 supported_os: [Windows]
 urls:
 - 'https://forensicswiki.xyz/wiki/index.php?title=OpenSaveMRU'
@@ -1498,7 +1486,6 @@ sources:
 - type: REGISTRY_KEY
 attributes:
 keys: ['HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\*']
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls:
 - 'https://digital-forensics.sans.org/blog/2010/04/02/openrunsavemru-lastvisitedmru'
@@ -1793,7 +1780,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\AppCompat\Programs\RecentFileCache.bcf']
 separator: '\'
-conditions: [os_major_version >= 6 AND os_minor_version >= 1]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/RecentFileCache.html']
 ---
@@ -1903,7 +1889,6 @@ sources:
 - type: REGISTRY_VALUE
 attributes: {key_value_pairs: [{key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: 'RunGrpConv'}]}
 supported_os: [Windows]
-conditions: [os_major_version <= 5]
 urls:
 - 'http://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/'
 - 'http://www.exploit-id.com/local-exploits/windows-xp-sp2-grpconv-exe'
@@ -2701,19 +2686,14 @@ urls: ['http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?
 name: WindowsSetupApiLogs
 doc: Windows setup API logs.
 sources:
-- type: FILE
- attributes:
- paths: ['%%environ_systemroot%%\setupapi.log']
- separator: '\'
- conditions: [os_major_version < 6]
 - type: FILE
 attributes:
 paths:
+ - '%%environ_systemroot%%\setupapi.log'
 - '%%environ_systemroot%%\inf\setupapi.app.log'
 - '%%environ_systemroot%%\inf\setupapi.dev.log'
 - '%%environ_systemroot%%\inf\setupapi.offline.log'
 separator: '\'
- conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Setup_API_Logs']
 ---
@@ -3364,7 +3344,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\winevt\Logs\Application.evtx']
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3375,7 +3354,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx']
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3396,7 +3374,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
@@ -3407,7 +3384,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx']
 separator: '\'
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
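Review bot: The merged WindowsSetupApiLogs source loses the only record of which path belongs to which Windows generation: the removed conditions tied `setupapi.log` to `os_major_version < 6` and the `inf\setupapi.*.log` files to `>= 6`, and nothing on the new side keeps that distinction. Since `doc:` is the one free-text field left, consider recording it there, e.g. `doc: Windows setup API logs (setupapi.log on versions before Vista, inf\setupapi.*.log on Vista and later).`, so a reviewer of collected output can tell an expected-absent path from a genuinely missing artifact. The remaining hunks in this file are plain removals; where the dropped condition was the only version hint for an artifact, the same `doc:` treatment applies.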
@@ -3465,7 +3441,6 @@ sources:
 attributes:
 paths: ['%%environ_systemroot%%\System32\WDI\LogFiles\StartupInfo\*.xml']
 separator: '\'
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows#Startup_info']
 ---
diff --git a/data/wmi.yaml b/data/wmi.yaml
index 3957e236..cc44fe82 100644
--- a/data/wmi.yaml
+++ b/data/wmi.yaml
@@ -40,7 +40,6 @@ doc: DNS client cache via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from MSFT_DNSClientCache, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dnsclientcimprov/msft-dnsclientcache']
 ---
@@ -49,7 +48,6 @@ doc: Installed drivers via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: 'SELECT DisplayName, Description, InstallDate, Name, PathName, Status, State, ServiceType from Win32_SystemDriver'}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMIEnumerateASEC
@@ -71,7 +69,6 @@ doc: Installed hotfixes via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from Win32_QuickFixEngineering}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMIInstalledSoftware
@@ -79,7 +76,6 @@ doc: Installed software via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: 'SELECT Name, Vendor, Description, InstallDate, InstallDate2, Version from Win32_Product'}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMILastBootupTime
@@ -121,7 +117,6 @@ doc: |
 sources:
 - type: WMI
 attributes: {query: SELECT * from Win32_GroupUser where Name = "login_users"}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMINetNeighbors
@@ -129,7 +124,6 @@ doc: TCP/IP neighbors via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from MSFT_NetNeighbor, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netneighbor']
 ---
@@ -138,7 +132,6 @@ doc: TCP connections via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection']
 ---
@@ -147,7 +140,6 @@ doc: UDP endpoints via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from MSFT_NetUDPEndpoint, base_object: 'winmgmts:\root\StandardCimv2'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-netudpendpoint']
 ---
@@ -156,7 +148,6 @@ doc: Operating system installed on the computer via Windows Management Instrumen
 sources:
 - type: WMI
 attributes: {query: SELECT * from Win32_OperatingSystem}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-operatingsystem']
 ---
@@ -165,7 +156,6 @@ doc: Physical memory information via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from Win32_PhysicalMemory}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ["http://msdn.microsoft.com/en-us/library/aa394347%28v=vs.85%29.aspx"]
 ---
@@ -174,7 +164,6 @@ doc: Process listing via Windows Management Instrumentation (WMI).
 sources:
 - type: WMI
 attributes: {query: SELECT * from Win32_Process}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 ---
 name: WMIProfileUsersHomeDir
@@ -196,7 +185,6 @@ doc: Scheduled tasks that are registered on the computer via Windows Management
 sources:
 - type: WMI
 attributes: {query: SELECT * from MSFT_ScheduledTask, base_object: 'winmgmts:\root\Microsoft\Windows\TaskScheduler'}
-conditions: [os_major_version >= 6 AND os_minor_version >= 2]
 supported_os: [Windows]
 urls: ['https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/']
 ---
@@ -212,7 +200,6 @@ doc: Commands that run automatically when a user logs onto the computer system v
 sources:
 - type: WMI
 attributes: {query: SELECT * from Win32_StartupCommand}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-startupcommand']
 ---
diff --git a/docs/sources/Format-specification.md b/docs/sources/Format-specification.md
index 741badbc..4a5967b3 100644
--- a/docs/sources/Format-specification.md
+++ b/docs/sources/Format-specification.md
@@ -10,7 +10,6 @@ doc: Windows System Event log for Vista or later systems.
 sources:
 - type: FILE
 attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\System.evtx']}
-conditions: [os_major_version >= 6]
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ```
@@ -20,7 +19,6 @@ The artifact definition can have the following values: Value | Description --- | --- aliases | Optional list of alternate names to identify the artifact definition. Also see: See section: [Name](#name). -conditions | Optional list of conditions that describe when the artifact definition should apply. See section: [Conditions](#conditions). doc | The description (or documentation). A human readable string that describes the artifact definition. See section: [Description](#description). name | The name. An unique string that identifies the artifact definition. See section: [Name](#name). provides | Optional list of *TODO* @@ -32,6 +30,7 @@ urls | Optional list of URLs with more contextual information. Ideally the artif Value | Description --- | --- +conditions | Optional list of conditions that describe when the artifact definition should apply. Note that conditions have been deprecated as of version 20220710. labels | Optional list of predefined labels. Note that labels have been deprecated as of version 20220311. ## Name @@ -129,9 +128,14 @@ Value | Description --- | --- attributes | A dictionary of keyword attributes specific to the type of source definition. type | The source type. -conditions | Optional list of conditions to when the artifact definition should apply. See section: [Conditions](#conditions). supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system). +## Deprecated values + +Value | Description +--- | --- +conditions | Optional list of conditions to when the artifact definition should apply. See section: Note that conditions have been deprecated as of version 20220710. + ### Source types Currently the following different source types are defined: 
@@ -276,28 +280,11 @@ Value | Description base_object | Optional WMI base object e.g. `winmgmts:\root\SecurityCenter2` query | The Windows Management Instrumentation (WMI) query. The query can use parameter expansion e.g. `%%users.username%%`. See section: [Parameter expansion and globs](parameter-expansion-and-globs). -## Conditions - -*TODO: work is in progress to move this out of GRR into something more portable.* - -Artifact conditions are currently implemented using the -link:https://github.com/google/objectfilter[objectfilter] system that allows -you to apply complex conditions to the attributes of an object. Artifacts can -apply conditions to any of the Knowledge Base object attributes as defined in -the GRR link:https://github.com/google/grr/blob/master/proto/knowledge_base.proto[knowledge_base.proto]. - -**Style note**: single quotes should be used for strings when writing conditions. - -```yaml -conditions: [os_major_version >= 6 and time_zone == 'America/Los_Angeles'] -``` - ## Supported operating system -Since operating system (OS) conditions are a very common constraint, this has -been provided as a separate option "supported_os" to simplify syntax. For -supported_os no quotes are required. The currently supported operating systems -are: +Since operating system (OS) are a very common constraint, this has been provided +as a separate option "supported_os" to simplify syntax. For supported_os no +quotes are required. The currently supported operating systems are: * Darwin (also used for Mac OS X) * Linux 
@@ -461,8 +448,8 @@ content_regex_list: ["^%%users.username%%:[^:]*\n"] ### Minimize the number of definitions by using multiple sources To minimize the number of artifacts in the list, combine them using the -supported_os and conditions attributes where it makes sense. e.g. rather than -having FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: +supported_os attributes where it makes sense. e.g. rather than having +FirefoxHistoryWindows, FirefoxHistoryLinux, FirefoxHistoryDarwin, do: ```yaml name: FirefoxHistory diff --git a/docs/sources/background/Stats.md b/docs/sources/background/Stats.md index 916d5052..d2823204 100644 --- a/docs/sources/background/Stats.md +++ b/docs/sources/background/Stats.md @@ -3,12 +3,12 @@ The artifact definitions can be found in the [data directory](https://github.com/ForensicArtifacts/artifacts/tree/main/data) and the format is described in detail in the [Style Guide](https://artifacts.readthedocs.io/en/latest/sources/Format-specification.html). -Status of the repository as of 2022-06-15 +Status of the repository as of 2022-07-10 Description | Number --- | --- -Number of artifact definitions: | 651 -Number of file paths: | 1654 +Number of artifact definitions: | 698 +Number of file paths: | 1790 Number of Windows Registry key paths: | 671 ### Artifact definition source types @@ -17,8 +17,8 @@ Identifier | Number --- | --- ARTIFACT_GROUP | 38 COMMAND | 10 -FILE | 384 -PATH | 22 +FILE | 430 +PATH | 23 REGISTRY_KEY | 54 REGISTRY_VALUE | 116 WMI | 27 @@ -27,7 +27,7 @@ WMI | 27 Identifier | Number --- | --- -Darwin | 67 -Linux | 49 -Windows | 47 +Darwin | 69 +Linux | 52 +Windows | 49 diff --git a/test_data/definitions.json b/test_data/definitions.json index 9866a3ca..54c8b1cb 100644 --- a/test_data/definitions.json +++ b/test_data/definitions.json 
@@ -1 +1 @@ -[{"conditions": ["os_major_version >= 6"], "name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}] +[{"name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": 
["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}] diff --git a/test_data/definitions.yaml b/test_data/definitions.yaml index bf276fb4..cd1a2ce2 100644 --- a/test_data/definitions.yaml +++ b/test_data/definitions.yaml @@ -6,7 +6,6 @@ doc: Windows Security Event log for Vista or later systems. sources: - type: FILE attributes: {paths: ['%%environ_systemroot%%\System32\winevt\Logs\Security.evtx']} -conditions: [os_major_version >= 6] supported_os: [Windows] urls: ['http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'] --- diff --git a/tests/reader_test.py b/tests/reader_test.py index eda55bad..99dd62a5 100644 --- a/tests/reader_test.py +++ b/tests/reader_test.py 
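Review bot: With this fixture rewritten, no file under test_data carries a `conditions` key any more, so the compatibility path the commit deliberately keeps — `'conditions'` remaining in TOP_LEVEL_KEYS in artifacts/definitions.py as a deprecated, accepted key — is exercised by neither tests/reader_test.py nor tests/registry_test.py after their hunks that follow. Keeping one definition with `"conditions": ["os_major_version >= 6"]` here (or the equivalent `conditions: [os_major_version >= 6]` line in test_data/definitions.yaml) and asserting it still loads would stop a later cleanup from turning the deprecation into a hard load failure unnoticed. The same applies to the definitions.yaml hunk on this line.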
@@ -126,10 +126,6 @@ def testReadFileObject(self): ] self.assertEqual(sorted(source_type.paths), sorted(expected_paths)) - self.assertEqual(len(artifact_definition.conditions), 1) - expected_condition = 'os_major_version >= 6' - self.assertEqual(artifact_definition.conditions[0], expected_condition) - self.assertEqual(len(artifact_definition.supported_os), 1) self.assertEqual(artifact_definition.supported_os[0], 'Windows') diff --git a/tests/registry_test.py b/tests/registry_test.py index b0c22814..008ff57d 100644 --- a/tests/registry_test.py +++ b/tests/registry_test.py @@ -95,7 +95,6 @@ def testArtifactDefinitionsRegistry(self): b'- type: FILE\n' b' attributes: {broken: [\'%%environ_systemroot%%\\System32\\' b'winevt\\Logs\\Security.evtx\']}\n' - b'conditions: [os_major_version >= 6]\n' b'supported_os: [Windows]\n' b'urls: [\'http://www.forensicswiki.org/wiki/\n' b'Windows_XML_Event_Log_(EVTX)\']\n')