version v0.28.0
cuhsat committed Jun 13, 2024
1 parent 108d5bd commit 034388b
Showing 13 changed files with 325 additions and 160 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -104,8 +104,8 @@ Required system commands:
- [ ] [System Prefetch Files](https://forensics.wiki/prefetch/)
- [x] [System Event Logs](https://forensics.wiki/windows_event_log_%28evt%29/)
- [ ] [System AmCache](https://forensics.wiki/amcache/)
- [ ] [User ShellBags](https://forensics.wiki/shell_item/)
- [x] [User JumpLists](https://forensics.wiki/jump_lists/)
- [x] [User ShellBags](https://forensics.wiki/shell_item/)
- [ ] [User Browser Histories](https://forensics.wiki/google_chrome/)

## License
46 changes: 44 additions & 2 deletions internal/flog/ez.go → internal/flog/cmd.go
Expand Up @@ -2,13 +2,15 @@
package flog

import (
"fmt"
"os"
"path/filepath"

"github.com/cuhsat/fact/internal/fact/ez"
"github.com/cuhsat/fact/internal/sys"
)

func EvtxeCmd(src, dir string) (log string, err error) {
func Evtxe(src, dir string) (log string, err error) {
cmd, err := ez.Path("EvtxECmd.dll")

if err != nil {
Expand All @@ -27,7 +29,7 @@ func EvtxeCmd(src, dir string) (log string, err error) {
return
}

func JleCmd(src, dir string) (log string, err error) {
func Jle(src, dir string) (log string, err error) {
cmd, err := ez.Path("JLECmd.dll")

if err != nil {
Expand All @@ -52,3 +54,43 @@ func JleCmd(src, dir string) (log string, err error) {

return
}

func Sbe(src, dir string) (log string, err error) {
cmd, err := ez.Path("SBECmd.dll")

if err != nil {
return
}

if len(dir) == 0 {
dir = filepath.Dir(src)
}

b := BaseFile(filepath.Base(src))

dst := "out.csv"
tmp := filepath.Join(dir, "tmp")
log = filepath.Join(dir, fmt.Sprintf("%s_%s", b, dst))

if err = os.MkdirAll(tmp, sys.MODE_DIR); err != nil {
return
}

if err = Copy(tmp, src); err != nil {
return
}

_, err = sys.StdCall("dotnet", cmd, "-d", tmp, "--csv", dir, "--csvf", dst)

if err != nil {
return
}

if err = os.Remove(filepath.Join(dir, "!SBECmd_Messages.txt")); err != nil {
return
}

err = os.RemoveAll(tmp)

return
}
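Review bot: Sbe leaves a copy of the source hive behind in `dir/tmp` whenever `sys.StdCall` or the `os.Remove` at L91 fails, because `os.RemoveAll(tmp)` at L95 only runs on the success path; the same `os.Remove` also turns a missing `!SBECmd_Messages.txt` into a hard failure for the whole call. A deferred cleanup that folds its own error into the named return, plus tolerating `os.IsNotExist` on the messages file, fixes both. The fixed `tmp` name further means two Sbe calls writing into the same `dir` at the same time share and clobber one working directory; `os.MkdirTemp(dir, "sbe-")` avoids that, at the cost of not applying `sys.MODE_DIR` (keep `MkdirAll` if that mode matters). Whether `--csvf out.csv` really yields the `<base>_out.csv` that `log` is built from at L75 depends on SBECmd's naming, which I cannot confirm from here.
```go
func Sbe(src, dir string) (log string, err error) {
	// … unchanged: ez.Path lookup, dir default, log path …
	tmp, err := os.MkdirTemp(dir, "sbe-")
	if err != nil {
		return
	}
	defer func() {
		// Always drop the working copy of the hive, but never hide an earlier error.
		if rmErr := os.RemoveAll(tmp); err == nil {
			err = rmErr
		}
	}()

	if err = Copy(tmp, src); err != nil {
		return
	}

	if _, err = sys.StdCall("dotnet", cmd, "-d", tmp, "--csv", dir, "--csvf", dst); err != nil {
		return
	}

	// SBECmd may not write its messages file; its absence is not a failure.
	if rmErr := os.Remove(filepath.Join(dir, "!SBECmd_Messages.txt")); rmErr != nil && !os.IsNotExist(rmErr) {
		err = rmErr
	}
	return
}
```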
18 changes: 18 additions & 0 deletions internal/flog/file.go
Expand Up @@ -18,6 +18,24 @@ func BaseFile(name string) string {
return strings.TrimSuffix(b, filepath.Ext(b))
}

func Copy(dir, src string) (err error) {
dst := filepath.Join(dir, filepath.Base(src))

b, err := os.ReadFile(src)

if err != nil {
return
}

err = os.WriteFile(dst, b, sys.MODE_FILE)

if os.IsNotExist(err) {
err = nil
}

return
}

func ConsumeJson(name string) (lines []string, err error) {
f, err := os.Open(name)

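Review bot: Copy reports success when the destination write fails with a not-exist error (L116-L118), so a missing `dir` becomes a silent no-op and a caller such as Sbe in cmd.go would then run SBECmd against an empty working directory. Unless the intent is a best-effort copy of a source that may vanish mid-run — in which case the tolerance belongs on the `os.ReadFile` error, not on the write — the branch should go: `err = os.WriteFile(dst, b, sys.MODE_FILE)` followed directly by `return`. `os.ReadFile` also holds the entire hive in memory; `os.Open` plus `os.OpenFile` and `io.Copy` would bound that for large sources, though it needs an `io` import. ConsumeJson starts at L123 and continues outside the hunk.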
Binary file removed internal/testdata/windows/ms.zip
File renamed without changes.
Binary file added internal/testdata/windows/user.zip
77 changes: 33 additions & 44 deletions pkg/ecs/event.go
Expand Up @@ -2,8 +2,6 @@
package ecs

import (
"time"

"github.com/cuhsat/fact/internal/flog"
)

Expand All @@ -14,48 +12,39 @@ func MapEvent(s, src string) (log *Log, err error) {
return
}

channel := m.GetString("Event/System/Channel")

timestamp := m.GetTime("Event/System/TimeCreated/@SystemTime")
timezone, _ := timestamp.Zone()
message := m.GetString("Event/EventData/Data/#text")

return NewLog(
src,
Base{
Timestamp: timestamp,
Message: message,
Tags: "EventLog",
Labels: map[string]interface{}{
"Channel": channel,
"Level": m.GetInt64("Event/System/Level"),
"Task": m.GetInt64("Event/System/Task"),
},
},
Evt{
Kind: "event",
Module: "EventLog",
Dataset: "EventLog." + channel,
Severity: m.GetInt64("Event/System/Level"),
ID: m.GetString("Event/System/EventRecordID"),
Code: m.GetString("Event/System/EventID/#text"),
Provider: m.GetString("Event/System/Provider/@Name"),
Timezone: timezone,
Created: timestamp,
Ingested: time.Now().UTC(),
Original: s,
Hash: GetHash(s),
},
Host{
Hostname: m.GetString("Event/System/Computer"),
Name: m.GetString("Event/System/Computer"),
log = NewLog(s, src, &Base{
Timestamp: m.GetTime("Event/System/TimeCreated/@SystemTime"),
Message: m.GetString("Event/EventData/Data/#text"),
Tags: "EventLog",
Labels: map[string]interface{}{
"Channel": m.GetString("Event/System/Channel"),
"Level": m.GetInt64("Event/System/Level"),
"Task": m.GetInt64("Event/System/Task"),
},
User{
ID: m.GetString("Event/System/Security/@UserID"),
},
Process{
PID: m.GetInt64("Event/System/Execution/@ProcessID"),
ThreadID: m.GetInt64("Event/System/Execution/@ThreadID"),
})

log.Event.Kind = "event"
log.Event.Module = "EventLog"
log.Event.Dataset = "EventLog." + log.Labels["Channel"].(string)
log.Event.Severity = m.GetInt64("Event/System/Level")
log.Event.ID = m.GetString("Event/System/EventRecordID")
log.Event.Code = m.GetString("Event/System/EventID/#text")
log.Event.Provider = m.GetString("Event/System/Provider/@Name")

log.Host = &Host{
Hostname: m.GetString("Event/System/Computer"),
}

log.User = &User{
ID: m.GetString("Event/System/Security/@UserID"),
}

log.Process = &Process{
PID: m.GetInt64("Event/System/Execution/@ProcessID"),
Thread: &Thread{
ID: m.GetInt64("Event/System/Execution/@ThreadID"),
},
), nil
}

return
}
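Review bot: The `Dataset` assignment at L201 re-reads the channel through an unchecked type assertion, `log.Labels["Channel"].(string)`; it holds today only because L187 stores a string there, and any later change to that label's type would panic on every event rather than fail gracefully. Keep the local the old side had and use it in both places: `channel := m.GetString("Event/System/Channel")` before `NewLog`, then `"Channel": channel,` in the Labels map and `log.Event.Dataset = "EventLog." + channel`. MapEvent begins above the hunk (L143 shows only its context line), and no doc comment is visible here; one stating that `s` is presumably a single EvtxECmd record and `src` its source path would help the next reader.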
78 changes: 30 additions & 48 deletions pkg/ecs/jumplist.go
Expand Up @@ -4,7 +4,6 @@ package ecs
import (
"path/filepath"
"strings"
"time"

"github.com/cuhsat/fact/internal/flog"
)
Expand All @@ -16,60 +15,43 @@ func MapJumpList(s, src string) (log *Log, err error) {
return
}

exec := m.GetString("LocalPath", "Path")
exe := m.GetString("LocalPath", "Path")
arg := m.GetString("Arguments")

log = NewLog(s, src, &Base{
Timestamp: m.GetTime("LastModified", "TargetAccessed"),
Message: strings.TrimSpace(exe + " " + arg),
Tags: "JumpList",
Labels: make(map[string]interface{}, 1),
})

if strings.Contains(s, "DestListVersion") {
log.Labels["Destination"] = "automatic"
} else {
log.Labels["Destination"] = "custom"
}

log.Host = &Host{
Hostname: m.GetString("Hostname", "MachineID"),
MAC: m.GetString("MacAddress", "MachineMACAddress"),
}

var args []string

if len(arg) > 0 {
args = strings.Split(arg, " ")
}

timestamp := m.GetTime("LastModified", "TargetAccessed")
timezone, _ := timestamp.Zone()
message := strings.TrimSpace(exec + " " + m.GetString("Arguments"))

return NewLog(
src,
Base{
Timestamp: timestamp,
Message: message,
Tags: "JumpList",
Labels: map[string]interface{}{
"Destination": target(s),
},
},
Evt{
Timezone: timezone,
Created: timestamp,
Ingested: time.Now().UTC(),
Original: s,
Hash: GetHash(s),
},
Host{
Hostname: m.GetString("Hostname", "MachineID"),
Name: m.GetString("Hostname", "MachineID"),
MAC: m.GetString("MacAddress", "MachineMACAddress"),
},
User{},
Process{
EntityID: m.GetString("AppId"),
Start: timestamp,
Name: filepath.Base(exec),
Title: m.GetString("AppIdDescription"),
Executable: exec,
Args: args,
ArgsCount: int64(len(args)),
CommandLine: message,
WorkingDirectory: m.GetString("WorkingDirectory"),
},
), nil
}

func target(log string) string {
if strings.Contains(log, "DestListVersion") {
return "automatic"
} else {
return "custom"
log.Process = &Process{
EntityID: m.GetString("AppId"),
Name: filepath.Base(exe),
Title: m.GetString("AppIdDescription"),
Executable: exe,
Args: args,
ArgsCount: int64(len(args)),
CommandLine: log.Message,
WorkingDirectory: m.GetString("WorkingDirectory"),
}

return
}
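Review bot: The `Destination` label at L250 is decided by a substring search over the whole serialized record, so a jump list whose target path or arguments happen to contain `DestListVersion` — content controlled by whatever ran on the examined host — would be labelled `automatic`. This carries over the old `target` helper unchanged, but since the record is already parsed into `m`, a key-presence check on the map would be the precise test; failing that, matching the quoted key token, `strings.Contains(s, "\"DestListVersion\"")`, would at least not match an escaped string value (assuming `s` is JSON, as flog.NewMap and ConsumeJson suggest). Separately, the old side set `Process.Start` to the timestamp (L296) and the new Process literal at L313 does not; if that drop is intentional, a one-line comment would stop it being re-added. MapJumpList starts above the hunk.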
26 changes: 26 additions & 0 deletions pkg/ecs/shellbag.go
@@ -0,0 +1,26 @@
// ECS shellbag mapping functions.
package ecs

import (
"github.com/cuhsat/fact/internal/flog"
)

func MapShellBag(s, src string) (log *Log, err error) {
m, err := flog.NewMap(s)

if err != nil {
return
}

log = NewLog(s, src, &Base{
Timestamp: m.GetTime("LastInteracted", "LastWriteTime"),
Message: m.GetString("AbsolutePath"),
Tags: "ShellBag",
})

log.Registry = &Registry{
Hive: "HKU",
}

return
}
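Review bot: MapShellBag is exported without a doc comment, and the only registry context it records is the fixed `Hive: "HKU"` at L350; the key path the bag was read from is not mapped, and with no Host or User set, bags from different users' hives processed into the same output are distinguishable only by `src`. Which SBECmd fields carry that information (a bag path or slot column, presumably) I cannot confirm from here, so treat the field names as a TODO rather than a given. Suggested header: `// MapShellBag maps one SBECmd record s, taken from source file src, to an ECS log entry; the registry hive is assumed to be a user hive (HKU).` A `Labels` map is also not created here, unlike MapJumpList, so any downstream code that writes labels would hit a nil map.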
