Releases: orlikoski/CyLR
CyLR 3.0
What's New
This version includes numerous modifications and introduces new features,
highlighted below:
Added
- Logging is available, to destinations including the console, a log file, and
  embedded within the resulting archive. The log name is specified with `-l`,
  and verbosity is adjusted with `-v` to increase or `-q` to silence.
- Added `CUSTOM_PATH_TEMPLATE.txt` with documentation on how to specify custom
  paths for collection.
- Implemented enumeration of file system contents in the same manner cross
  platform.
- Through the new FS enumeration, eliminated extra scanning/duplicate collection
  of data within symbolic link directories. Eliminated the dependency on the
  `find` binary.
- Enabled the use of globbing patterns within paths. This includes patterns
  such as:
  - `**/*.plist`
  - `/home/*/.*sh_history`
  - `\Windows\Temp\[a-z0-9][a-z0-9][a-z0-9][a-z0-9]\*`
  - `**/Library/*Support/Google/Chrome/Default/History*`
- Enabled the use of regular expressions within paths. This includes full line
  and substring patterns, such as:
  - `.*mawlare.*`
  - `^C:\Windows\Temp\[A-Za-z0-9]{8}\.*$`
  - `^C:\Windows\System32\Config\(SOFTWARE|SYSTEM|SAM|SECURITY).*$`
- Added functionality to allow the user to select whether a custom collection
  list (`-c`) should be used in addition to, versus in place of, the default
  artifact list. Continues to default to the replacement option, where it will
  only collect the specified files.
- Modified the config file to support specification of the path pattern type. Can
  be one of `static`, `glob`, or `regex`. The format should be a tab-delimited
  text file with one pattern type and path per line. A line starting with a pound
  character will be ignored.
- Provided status messages to summarize the number of files scanned and paths
  staged for collection.
- Increased documentation of source code.
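The custom collection list format described above (tab-delimited `type<TAB>path` lines, types `static`, `glob` or `regex`, `#` lines ignored) is easy to get subtly wrong, and a responder usually wants to know which files a list would stage before running it on an endpoint. The following dry-run validator is an added example, not CyLR's own code: it parses a constructed list in that format and matches it against a constructed file inventory. The glob semantics it assumes (`*` and `?` stay within one path segment, `**` spans segments, `[...]` classes pass through) and the use of `re.search` so that both anchored full-line and substring regexes work are assumptions of this example, not a statement of how CyLR itself matches.

```python
"""Dry-run validator for a CyLR-style custom collection list.

Hypothetical helper, not part of CyLR. It parses the tab-delimited
"<type>\t<path>" format (types static/glob/regex, '#' lines ignored) and
reports which paths from a constructed inventory each entry would stage.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

VALID_TYPES = {"static", "glob", "regex"}

# Constructed inventory standing in for a real file system walk.
SAMPLE_INVENTORY = [
    "/etc/hosts",
    "/home/alice/.bash_history",
    "/home/alice/.zsh_history",
    "/home/alice/projects/.bash_history",
    "/Library/Preferences/com.apple.loginwindow.plist",
    "/Users/bob/Library/Application Support/Google/Chrome/Default/History",
    "/Users/bob/Library/Application Support/Google/Chrome/Default/History-journal",
    "/var/log/system.log",
]

# Constructed collection list in the 3.0 format; \t is a real tab character.
SAMPLE_CONFIG = """\
# type<TAB>path  (constructed example, lines starting with # are ignored)
static\t/etc/hosts
glob\t**/*.plist
glob\t/home/*/.*sh_history
regex\t^/var/log/.*\\.log$
regex\tChrome/Default/History
"""


def parse_collection_list(text: str) -> List[Tuple[str, str]]:
    """Parse the list into (type, path) pairs; raise ValueError on a bad line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and pound-prefixed comments are ignored
        parts = line.split("\t", 1)  # the format is tab-delimited, not space
        if len(parts) != 2 or parts[0] not in VALID_TYPES or not parts[1].strip():
            raise ValueError(
                f"line {lineno}: expected '<static|glob|regex>\\t<path>', got {raw!r}")
        entries.append((parts[0], parts[1].strip()))
    return entries


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate a glob to an anchored regex (assumed semantics: '*' and '?'
    stay inside one path segment, '**' spans segments, '[...]' passes through).
    Both '/' and '\\' are treated as segment separators so Windows paths work."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern[i:i + 2] == "**":
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append(r"[^/\\]*")
        elif c == "?":
            out.append(r"[^/\\]")
        elif c == "[" and pattern.find("]", i + 1) != -1:
            j = pattern.find("]", i + 1)
            out.append(pattern[i:j + 1])  # character class copied verbatim
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def compile_entry(kind: str, path: str) -> Callable[[str], bool]:
    """Build a predicate for one entry. static: exact match; glob: translated
    glob; regex: re.search so anchored and substring patterns both work."""
    if kind == "static":
        return lambda p: p == path
    if kind == "glob":
        rx = glob_to_regex(path)
        return lambda p: rx.match(p) is not None
    rx = re.compile(path)
    return lambda p: rx.search(p) is not None


def dry_run(config_text: str, inventory: Iterable[str]) -> Dict[Tuple[str, str], List[str]]:
    """Map every (type, path) entry to the sorted inventory paths it would stage."""
    inventory = list(inventory)
    staged = {}
    for kind, path in parse_collection_list(config_text):
        pred = compile_entry(kind, path)
        staged[(kind, path)] = sorted(p for p in inventory if pred(p))
    return staged


if __name__ == "__main__":
    for (kind, path), hits in dry_run(SAMPLE_CONFIG, SAMPLE_INVENTORY).items():
        print(f"{kind:6} {path!r}: {len(hits)} path(s) staged")
        for hit in hits:
            print("    ", hit)
```

Entries that stage zero paths are the ones worth a second look before a collection run: a regex that was meant as a full-line match but lacks anchors, or a glob whose `*` was expected to cross directory boundaries, shows up immediately in the dry run rather than as an empty archive from the endpoint.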
Removed
- Removed collection of the Windows Search path due to its large size on some
  systems (`%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows`).
  Please use `-c` to re-include it as needed.
Changed
- Edited build scripts to point to `C:\Program Files\7z` instead of the x86 folder.
- Improved the default collection paths for Linux platforms.
- Modified the USNJrnl collection argument to default to disabled collection.
- Improved SFTP handling to collect to a local zip file and attempt the
  upload three times, with a 30 second delay between attempts.
- Semantic changes to packaging and build scripts to avoid alias use.
- Added a packaging script check to see if the packaging tool was already local
  before re-downloading it.
- Updated argument usage information.
- Added tests to increase coverage of `Arguments.cs`.
- Updated to use travis-ci.com.
CyLR 2.1.0
What's new
- Updated dotnet to 2.2.104
- Updated wrapper to 0.3.0
- Created a single binary for Windows-x64
CyLR 2.0.2
What's New?
Fixed Collection Issues
- Fixed an issue with the Chrome History collection on Windows endpoints
- Fixed an issue with duplicate collections of NTUSER.DAT and UsrClass.dat
CyLR 2.0.1
What's New?
Collect UsnJrnl Added
The `$UsnJrnl` file is now collected by default. A new option, `--no-usnjrnl`, was
added that skips that file during collection. This was done because of the amount of time it takes to collect that single file.
Thanks to @davidrudduck for finding the solution to this.
CyLR 2.0.0
What's New?
Converted to .Net Core!!
Removed the dependency on .NET Framework (for Windows) or Mono (for Linux and MacOS) to execute CyLR on endpoints.
CyLR now consists of multiple downloadable versions, per release, that are native to each OS. These are all self contained and portable binary packages with no external dependencies.
These portable, self contained applications are included in this release.
- Windows x86
- Windows x64
- Linux x64
- MacOS x64
MacOS and Linux are single binary files named `CyLR`, while the Windows version contains the binary file `CyLR.exe` along with multiple supporting files required to run.
NOTE ON WINDOWS VERSION
The flexibility provided by the removal of the .NET Framework requirement offsets the downside of the multiple files required. That said, the development team is actively pursuing a single-binary Windows solution, which will be added once the CoreRT project supports all the libraries used by CyLR.
CyLR 1.5.0
What's New
- Windows Default Collection Improvements
- SANS FOR500 recommended Windows artifacts
- Now collects standard list of artifacts from User folders
New Default Windows Artifacts
- System Level Artifacts
- %SYSTEMROOT%\SchedLgU.Txt
- %SYSTEMROOT%\Tasks
- %SYSTEMROOT%\Prefetch
- %SYSTEMROOT%\inf\setupapi.dev.log
- %SYSTEMROOT%\Appcompat\Programs
- %SYSTEMROOT%\System32\drivers\etc\hosts
- %SYSTEMROOT%\System32\sru
- %SYSTEMROOT%\System32\winevt\logs
- %SYSTEMROOT%\System32\Tasks
- %SYSTEMROOT%\System32\LogFiles\W3SVC1
- %SYSTEMROOT%\System32\config\SAM
- %SYSTEMROOT%\System32\config\SYSTEM
- %SYSTEMROOT%\System32\config\SOFTWARE
- %SYSTEMROOT%\System32\config\SECURITY
- %SYSTEMROOT%\System32\config\SAM.LOG1
- %SYSTEMROOT%\System32\config\SYSTEM.LOG1
- %SYSTEMROOT%\System32\config\SOFTWARE.LOG1
- %SYSTEMROOT%\System32\config\SECURITY.LOG1
- %SYSTEMROOT%\System32\config\SAM.LOG2
- %SYSTEMROOT%\System32\config\SYSTEM.LOG2
- %SYSTEMROOT%\System32\config\SOFTWARE.LOG2
- %SYSTEMROOT%\System32\config\SECURITY.LOG2
- %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows
- %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- %SystemDrive%$Recycle.Bin
- %SystemDrive%$LogFile
- %SystemDrive%$MFT
- Artifacts For All Users
- {user.ProfilePath}\NTUSER.DAT
- {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
- {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent
- {user.ProfilePath}\NTUSER.DAT
- {user.ProfilePath}\NTUSER.DAT.LOG1
- {user.ProfilePath}\NTUSER.DAT.LOG2
- {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
- {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
- {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
- {user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer
- {user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\
- {user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\
- {user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform
- {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
- {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
- {user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\
CyLR 1.4.0
What's New
- Updated default collection items and aligned with Skadi 2018.1
CyLR 1.3.6
What's New
Improved Mac and Linux default collection list
- Added /etc/rc.d to default collection
CyLR 1.3.5
What's New
Improved Mac and Linux default collection list
- Added Chrome and Firefox Browser and Downloads artifacts
- Optimized collection which significantly reduced the time needed to collect default artifacts
Safari artifacts were already collected and did not need to be added.
CyLR v1.3.4
What's New
Significantly improved Mac and Linux default collection list to the following:
- /var/log
- /private/var/log/
- /.fseventsd
- /etc/hosts.allow
- /etc/hosts.deny
- /etc/hosts
- /System/Library/StartupItems
- /System/Library/LaunchAgents
- /System/Library/LaunchDaemons
- /Library/LaunchAgents
- /Library/LaunchDaemons
- /Library/StartupItems
- /etc/passwd
- /etc/group
- All plist files
- All .bash_history files
- All .sh_history files