From afc7054ca4437f542ba55a11739051bdce64be9e Mon Sep 17 00:00:00 2001 
From: Ian Hellen Date: Fri, 19 May 2023 15:12:15 -0700 Subject: [PATCH 1/5] Adding Velociraptor provider for local logs --- docs/source/DataAcquisition.rst | 1 + ...data.drivers.local_velociraptor_driver.rst | 7 + docs/source/api/msticpy.data.drivers.rst | 1 + docs/source/api/msticpy.init.mp_plugins.rst | 7 + .../data_acquisition/DataProv-OSQuery.rst | 4 +- .../DataProv-Velociraptor.rst | 152 ++++++++++++ msticpy/data/core/query_defns.py | 4 + msticpy/data/drivers/__init__.py | 4 + .../data/drivers/local_velociraptor_driver.py | 222 ++++++++++++++++++ .../data/drivers/test_velociraptor_driver.py | 59 +++++ .../velociraptor/Windows.Forensics.Lnk.json | 10 + .../Windows.Forensics.ProcessInfo.json | 10 + .../velociraptor/Windows.Forensics.Usn.json | 10 + .../Windows.Memory.Acquisition.json | 10 + .../Windows.Network.ArpCache.json | 10 + .../Windows.Network.InterfaceAddresses.json | 5 + .../Windows.Network.ListeningPorts.json | 10 + .../velociraptor/Windows.Network.Netstat.json | 10 + .../velociraptor/Windows.Sys.Users.json | 7 + .../Windows.Sysinternals.Autoruns.json | 10 + .../velociraptor/Windows.System.DNSCache.json | 10 + .../velociraptor/Windows.System.Pslist.json | 10 + 22 files changed, 571 insertions(+), 2 deletions(-) create mode 100644 docs/source/api/msticpy.data.drivers.local_velociraptor_driver.rst create mode 100644 docs/source/api/msticpy.init.mp_plugins.rst create mode 100644 docs/source/data_acquisition/DataProv-Velociraptor.rst create mode 100644 msticpy/data/drivers/local_velociraptor_driver.py create mode 100644 tests/data/drivers/test_velociraptor_driver.py create mode 100644 tests/testdata/velociraptor/Windows.Forensics.Lnk.json create mode 100644 tests/testdata/velociraptor/Windows.Forensics.ProcessInfo.json create mode 100644 tests/testdata/velociraptor/Windows.Forensics.Usn.json create mode 100644 tests/testdata/velociraptor/Windows.Memory.Acquisition.json create mode 100644 tests/testdata/velociraptor/Windows.Network.ArpCache.json create mode 
100644 tests/testdata/velociraptor/Windows.Network.InterfaceAddresses.json create mode 100644 tests/testdata/velociraptor/Windows.Network.ListeningPorts.json create mode 100644 tests/testdata/velociraptor/Windows.Network.Netstat.json create mode 100644 tests/testdata/velociraptor/Windows.Sys.Users.json create mode 100644 tests/testdata/velociraptor/Windows.Sysinternals.Autoruns.json create mode 100644 tests/testdata/velociraptor/Windows.System.DNSCache.json create mode 100644 tests/testdata/velociraptor/Windows.System.Pslist.json diff --git a/docs/source/DataAcquisition.rst b/docs/source/DataAcquisition.rst index 8837d0cfc..d46944771 100644 --- a/docs/source/DataAcquisition.rst +++ b/docs/source/DataAcquisition.rst @@ -29,6 +29,7 @@ Individual Data Environments data_acquisition/DataProv-Kusto-New data_acquisition/DataProv-Cybereason data_acquisition/DataProv-OSQuery + data_acquisition/DataProv-Velociraptor Built-in Data Queries diff --git a/docs/source/api/msticpy.data.drivers.local_velociraptor_driver.rst b/docs/source/api/msticpy.data.drivers.local_velociraptor_driver.rst new file mode 100644 index 000000000..af10e49e0 --- /dev/null +++ b/docs/source/api/msticpy.data.drivers.local_velociraptor_driver.rst @@ -0,0 +1,7 @@ +msticpy.data.drivers.local\_velociraptor\_driver module +======================================================= + +.. automodule:: msticpy.data.drivers.local_velociraptor_driver + :members: + :undoc-members: + :show-inheritance: diff --git a/docs/source/api/msticpy.data.drivers.rst b/docs/source/api/msticpy.data.drivers.rst index 4bf42fe41..d60239fd3 100644 --- a/docs/source/api/msticpy.data.drivers.rst +++ b/docs/source/api/msticpy.data.drivers.rst @@ -21,6 +21,7 @@ Submodules msticpy.data.drivers.kusto_driver msticpy.data.drivers.local_data_driver msticpy.data.drivers.local_osquery_driver + msticpy.data.drivers.local_velociraptor_driver msticpy.data.drivers.mdatp_driver msticpy.data.drivers.mordor_driver msticpy.data.drivers.odata_driver 
diff --git a/docs/source/api/msticpy.init.mp_plugins.rst b/docs/source/api/msticpy.init.mp_plugins.rst new file mode 100644 index 000000000..932af5ded --- /dev/null +++ b/docs/source/api/msticpy.init.mp_plugins.rst @@ -0,0 +1,7 @@ +msticpy.init.mp\_plugins module +=============================== + +.. automodule:: msticpy.init.mp_plugins + :members: + :undoc-members: + :show-inheritance: diff --git a/docs/source/data_acquisition/DataProv-OSQuery.rst b/docs/source/data_acquisition/DataProv-OSQuery.rst index a91164503..4f17b0d79 100644 --- a/docs/source/data_acquisition/DataProv-OSQuery.rst +++ b/docs/source/data_acquisition/DataProv-OSQuery.rst @@ -7,7 +7,7 @@ The ``OSQuery`` data provider can read OSQuery log files and provide convenient query functions for each OSQuery "table" (or event type) contained in the logs. -The provide can read in one or more log files, or multiple log files +The provider can read in one or more log files, or multiple log files in multiple folders. The files are read, converted to pandas DataFrames and grouped by table/event. In addition, date fields within the data are converted to pandas Timestamp format. @@ -16,7 +16,7 @@ within the data are converted to pandas Timestamp format. qry_prov = mp.QueryProvider("OSQueryLogs", data_paths=["~/my_logs"]) qry_prov.connect() - df_processes = qry_prov.processes() + df_processes = qry_prov.os_query.processes() The query provider query functions will ignore parameters and do no further filtering. You can use pandas to do additional filtering diff --git a/docs/source/data_acquisition/DataProv-Velociraptor.rst b/docs/source/data_acquisition/DataProv-Velociraptor.rst new file mode 100644 index 000000000..e5db5468a --- /dev/null +++ b/docs/source/data_acquisition/DataProv-Velociraptor.rst 
@@ -0,0 +1,152 @@ +The Velociraptor provider +========================= + +:py:mod:`Velociraptor driver documentation` + +The ``Velociraptor`` data provider can read Velociraptor log files +and provide convenient query functions for each data set +in the output logs. + +The provider can read files from one or more hosts, stored in +in separate folders. The files are read, converted to pandas +DataFrames and grouped by table/event. Multiple log files of the +same type (when reading in data from multiple hosts) are concatenated +into a single DataFrame. + +.. code::ipython3 + + qry_prov = mp.QueryProvider("Velociraptor", data_paths=["~/my_logs"]) + qry_prov.connect() + df_processes = qry_prov.velociraptor.Windows_Forensics_ProcessInfo() + +The query provider query functions will ignore parameters and do +no further filtering. You can use pandas to do additional filtering +and sorting of the data, or use it directly with other MSTICPy +functionality. + +Velociraptor Configuration +-------------------------- + +You can (optionally) store your connection details in *msticpyconfig.yaml*, +instead of supplying the ``data_paths`` parameter to +the ``QueryProvider`` class. + +For more information on using and configuring *msticpyconfig.yaml* see +:doc:`msticpy Package Configuration <../getting_started/msticpyconfig>` +and :doc:`MSTICPy Settings Editor<../getting_started/SettingsEditor>` + +The Velociraptor settings in the file should look like the following: + +.. code:: yaml + + DataProviders: + ... + Velociraptor: + data_paths: + - /home/user1/sample_data + - /home/shared/sample_data + + +Expected log file format +------------------------ + +The log file format must be a text file of JSON records. An example +is shown below + +.. 
parsed-literal:: + + {"Pid":1664,"Ppid":540,"Name":"spoolsv.exe","Path":"C:\\Windows\\System32\\spoolsv.exe","CommandLine":"C:\\Windows\\System32\\spoolsv.exe","Hash":{"MD5":"c111e3d38c71808a8289b0e49db40c96","SHA1":"e56df979d776fe9e8c3b84e6fef8559d6811898d","SHA256":"0ed0c6f4ddc620039f05719d783585d69f03d950be97b49149d4addf23609902"},"Username":"NT AUTHORITY\\SYSTEM","Authenticode":{"Filename":"C:\\Windows\\System32\\spoolsv.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002ed2c45e4c145cf48440000000002ed","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows","Timestamp":null,"Trusted":"trusted","_ExtraInfo":{"Catalog":"C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Package_6350_for_KB5007192~31bf3856ad364e35~amd64~~10.0.1.8.cat"}},"Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49697,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:45Z"} + {"Pid":548,"Ppid":416,"Name":"lsass.exe","Path":"C:\\Windows\\System32\\lsass.exe","CommandLine":"C:\\Windows\\system32\\lsass.exe","Hash":{"MD5":"93212fd52a9cd5addad2fd2a779355d2","SHA1":"49a814f72292082a1cfdf602b5e4689b0f942703","SHA256":"95888daefd187fac9c979387f75ff3628548e7ddf5d70ad489cf996b9cad7193"},"Username":"NT AUTHORITY\\SYSTEM","Authenticode":{"Filename":"C:\\Windows\\System32\\lsass.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002f49e469c54137b85e00000000002f4","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows 
Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49722,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:54Z"} + {"Pid":540,"Ppid":416,"Name":"services.exe","Path":"C:\\Windows\\System32\\services.exe","CommandLine":"C:\\Windows\\system32\\services.exe","Hash":{"MD5":"fefc26105685c70d7260170489b5b520","SHA1":"d9b2cb9bf9d4789636b5fcdef0fdbb9d8bc0fb52","SHA256":"930f44f9a599937bdb23cf0c7ea4d158991b837d2a0975c15686cdd4198808e8"},"Username":"NT AUTHORITY\\SYSTEM","Authenticode":{"Filename":"C:\\Windows\\System32\\services.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002a5e1a081b7c895c0ed0000000002a5","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49728,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:57Z"} + + +The columns in each JSON will be used to create the pandas DataFrame columns. + + +Using the Velociraptor provider +------------------------------- + +To use the Velociraptor provider you need to create an QueryProvider +instance, passing the string "VelociraptorLogs" as the ``data_environment`` +parameter. If you have not configured ``data_paths`` in msticpyconfig.yaml, +you also need to add the ``data_paths`` parameter to specify +specific folders or files that you want to read. + +.. code::ipython3 + + qry_prov = mp.QueryProvider("VelociraptorLogs", data_paths=["~/my_logs"]) + +Calling the ``connect`` method triggers the provider to read the +log files. + +.. code::ipython3 + + qry_prov.connect() + +.. 
parsed-literal:: + + 100%|██████████| 2/2 [00:00<00:00, 25.01it/s] + Data loaded. + + +Listing Velociraptor tables +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code:: ipython3 + + qry_prov.list_queries() + +.. parsed-literal:: + + ['velociraptor.Custom_Windows_NetBIOS', + 'velociraptor.Custom_Windows_Patches', + 'velociraptor.Custom_Windows_Sysinternals_PSInfo', + 'velociraptor.Custom_Windows_Sysinternals_PSLoggedOn', + 'velociraptor.Custom_Windows_System_Services', + 'velociraptor.Windows_Applications_Chrome_Cookies', + 'velociraptor.Windows_Applications_Chrome_Extensions', + 'velociraptor.Windows_Applications_Chrome_History', + 'velociraptor.Windows_Applications_Edge_History', + 'velociraptor.Windows_Forensics_Lnk', + 'velociraptor.Windows_Forensics_Prefetch', + 'velociraptor.Windows_Forensics_ProcessInfo', + 'velociraptor.Windows_Forensics_Usn', + ...] + +Querying Velociraptor table schema +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code:: ipython3 + + vc_prov.schema["Windows_Network_InterfaceAddresses"] + +.. parsed-literal:: + + {'Index': 'int64', + 'MTU': 'int64', + 'Name': 'object', + 'HardwareAddr': 'object', + 'Flags': 'int64', + 'IP': 'object', + 'Mask': 'object'} + +Running a Velociraptor query +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Each query returns the table of event types retrieved +from the logs. + +.. code:: python3 + + qry_prov.vc_prov.velociraptor.Windows_Forensics_ProcessInfo() + + +==== =========== ================ ===== =============================== ================================================================ ==================== =================================== + .. 
Name PebBaseAddress Pid ImagePathName CommandLine CurrentDirectory Env +==== =========== ================ ===== =============================== ================================================================ ==================== =================================== + 10 LogonUI.exe 0x95bd3d2000 804 C:\Windows\system32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3b92855 /state1:0x41c64e6d C:\Windows\system32\ {'ALLUSERSPROFILE': 'C:\\ProgramD.. + 11 dwm.exe 0x6cf4351000 848 C:\Windows\system32\dwm.exe "dwm.exe" C:\Windows\system32\ {'ALLUSERSPROFILE': 'C:\\ProgramD.. + 12 svchost.exe 0x6cd64d000 872 C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k termsvcs C:\Windows\system32\ {'ALLUSERSPROFILE': 'C:\\ProgramD.. + 13 svchost.exe 0x7d18e99000 912 C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\ {'ALLUSERSPROFILE': 'C:\\ProgramD.. + 14 svchost.exe 0x5c762eb000 920 C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ {'ALLUSERSPROFILE': 'C:\\ProgramD.. +==== =========== ================ ===== =============================== ================================================================ ==================== =================================== diff --git a/msticpy/data/core/query_defns.py b/msticpy/data/core/query_defns.py index a42626e7d..87e16c949 100644 --- a/msticpy/data/core/query_defns.py +++ b/msticpy/data/core/query_defns.py @@ -91,6 +91,7 @@ class DataEnvironment(Enum): AzureSentinel = 1 # alias of LogAnalytics LogAnalytics = 1 Kusto = 2 + AzureDataExplorer = 2 # alias of Kusto AzureSecurityCenter = 3 MSGraph = 4 SecurityGraph = 4 @@ -106,8 +107,11 @@ class DataEnvironment(Enum): Cybereason = 12 Elastic = 14 OSQueryLogs = 15 + OSQuery = 15 MSSentinel_New = 16 Kusto_New = 17 + VelociraptorLogs = 18 + Velociraptor = 18 @classmethod def parse(cls, value: Union[str, int]) -> "DataEnvironment": 
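Review bot: The alias comment style this hunk introduces (`AzureDataExplorer = 2  # alias of Kusto`) is not carried to the two other aliases it adds, `OSQuery = 15` and `Velociraptor = 18`, so a reader cannot tell at a glance that these are aliases rather than new environments; add `# alias of OSQueryLogs` and `# alias of VelociraptorLogs` on those lines. Because Enum aliases resolve to the canonical member, `DataEnvironment.Velociraptor.name` is `"VelociraptorLogs"`, which is the key the new driver map and the driver's settings lookup elsewhere in this patch appear to rely on, so that is worth stating in the comment. The `parse` classmethod continues outside the hunk.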
diff --git a/msticpy/data/drivers/__init__.py b/msticpy/data/drivers/__init__.py index 3115ab0a5..6e934677f 100644 --- a/msticpy/data/drivers/__init__.py +++ b/msticpy/data/drivers/__init__.py @@ -34,6 +34,10 @@ DataEnvironment.Elastic: ("elastic_driver", "ElasticDriver"), DataEnvironment.MSSentinel_New: ("azure_monitor_driver", "AzureMonitorDriver"), DataEnvironment.Kusto_New: ("azure_kusto_driver", "AzureKustoDriver"), + DataEnvironment.VelociraptorLogs: ( + "local_velociraptor_driver", + "VelociraptorLogDriver", + ), } CUSTOM_PROVIDERS: Dict[str, type] = {} diff --git a/msticpy/data/drivers/local_velociraptor_driver.py b/msticpy/data/drivers/local_velociraptor_driver.py new file mode 100644 index 000000000..eb0a84b62 --- /dev/null +++ b/msticpy/data/drivers/local_velociraptor_driver.py 
@@ -0,0 +1,222 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+"""Local Velociraptor Data Driver class."""
+import logging
+from collections import defaultdict
+from functools import lru_cache
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Union
+
+import pandas as pd
+from tqdm.auto import tqdm
+
+from ..._version import VERSION
+from ...common.exceptions import MsticpyDataQueryError
+from ...common.provider_settings import get_provider_settings
+from ...common.utility import export, valid_pyname
+from .driver_base import DriverBase, QuerySource
+
+__version__ = VERSION
+__author__ = "ianhelle"
+
+logger = logging.getLogger(__name__)
+
+
+# pylint: disable=too-many-instance-attributes
+@export
+class VelociraptorLogDriver(DriverBase):
+ """OSQueryLogDriver class to execute kql queries."""
+
+ OS_QUERY_DATEIME_COLS = {
+ "unixTime",
+ "columns_time",
+ "columns_atime",
+ "columns_ctime",
+ "columns_mtime",
+ }
+
+ def __init__(self, connection_str: Optional[str] = None, **kwargs):
+ """
+ Instantiate OSQueryLogDriver and optionally connect.
+
+ Parameters
+ ----------
+ connection_str : str, optional
+ Connection string (not used)
+ data_paths : List[str], optional
+ Paths from which to load data files
+ progress : bool, optional
+ Show progress with tqdm, by default, True
+
+ """
+ del connection_str
+ if kwargs.get("debug", False):
+ logger.setLevel(logging.DEBUG)
+ super().__init__()
+
+ self._paths: List[str] = ["."]
+ # If data paths specified, use these
+ # from kwargs or settings
+ if data_paths := kwargs.get("data_paths"):
+ self._paths = [path.strip() for path in data_paths]
+ logger.info("data paths read from param %s", str(self._paths))
+ else:
+ prov_settings = get_provider_settings(config_section="DataProviders").get(
+ "VelociraptorLogs"
+ )
+ if prov_settings:
+ self._paths = prov_settings.args.get("data_paths", []) or self._paths
+ logger.info("data paths read from config %s", str(self._paths))
+
+ self.data_files: Dict[str, List[Path]] = {}
+ self._schema: Dict[str, Any] = {}
+ self._query_map: Dict[str, List[str]]
+ self._progress = kwargs.pop("progress", True)
+ self._loaded = True
+ self.has_driver_queries = True
+ logger.info("data files to read %s", ",".join(self.data_files))
+
+ def connect(self, connection_str: Optional[str] = None, **kwargs):
+ """
+ Connect to data source.
+
+ Parameters
+ ----------
+ connection_str : str
+ Connect to a data source
+
+ """
+ del connection_str
+ self.data_files = self._get_logfile_paths()
+ self._connected = True
+
+ @property
+ def schema(self) -> Dict[str, Dict]:
+ """
+ Return current data schema of connection.
+
+ Returns
+ -------
+ Dict[str, Dict]
+ Data schema of current connection.
+
+ """
+ if not self._schema:
+ if not self.data_files:
+ self.connect()
+ # read the first row of each file to get the schema
+ iter_data_files = (
+ tqdm(self.data_files.items())
+ if self._progress
+ else self.data_files.items()
+ )
+ for table, files in iter_data_files:
+ if not files:
+ continue
+ sample_df = pd.read_json(files[0], lines=True, nrows=1)
+ self._schema[table] = {
+ col: dtype.name for col, dtype in sample_df.dtypes.to_dict().items()
+ }
+ logger.info("Reading schema for %d tables", len(self.data_files))
+
+ return self._schema
+
+ def query(
+ self, query: str, query_source: Optional[QuerySource] = None, **kwargs
+ ) -> Union[pd.DataFrame, Any]:
+ """
+ Execute query string and return DataFrame of results.
+
+ Parameters
+ ----------
+ query : str
+ The query to execute
+ query_source : QuerySource
+ The query definition object
+
+ Returns
+ -------
+ Union[pd.DataFrame, results.ResultSet]
+ A DataFrame (if successful) or
+ the underlying provider result if an error.
+
+ """
+ del kwargs
+ if not self.data_files:
+ self.connect()
+
+ if query not in self.data_files:
+ raise MsticpyDataQueryError(
+ f"No data loaded for query {query}.",
+ "Please check that the data loaded from the log paths",
+ "has this data type.",
+ )
+ return self._cached_query(query)
+
+ @lru_cache(maxsize=256)
+ def _cached_query(self, query: str) -> pd.DataFrame:
+ iter_data_files = (
+ tqdm(self.data_files[query]) if self._progress else self.data_files[query]
+ )
+ dfs = [pd.read_json(file, lines=True) for file in iter_data_files]
+ query_df = pd.concat(dfs)
+
+ logger.info("Query %s, returned %d rows", query, len(query_df))
+ return query_df
+
+ def query_with_results(self, query, **kwargs):
+ """Return query with fake results."""
+ return self.query(query, **kwargs), "OK"
+
+ @property
+ def driver_queries(self) -> List[Dict[str, Any]]:
+ """
+ Return dynamic queries available on connection to data.
+
+ Returns
+ -------
+ List[Dict[str, Any]]
+ List of queries with properties: "name", "query", "container"
+ and (optionally) "description"
+
+ Raises
+ ------
+ MsticpyNotConnectedError
+ If called before driver is connected.
+
+ """
+ if not self.connected:
+ self.connect()
+ if self.data_files:
+ return [
+ {
+ "name": query,
+ "query": query,
+ "query_paths": "velociraptor",
+ "description": f"Velociraptor {query} table.",
+ }
+ for query in self.data_files
+ ]
+ return []
+
+ def _get_logfile_paths(self) -> Dict[str, List[Path]]:
+ """Read files in data paths."""
+ data_files: Dict[str, List[Path]] = defaultdict(list)
+
+ for input_path in (Path(path_str) for path_str in self._paths):
+ files = {
+ file.relative_to(input_path): file
+ for file in input_path.rglob("*.json")
+ }
+
+ file_names = [valid_pyname(str(file.with_suffix(""))) for file in files]
+ path_files = dict(zip(file_names, files.values()))
+ for file_name, file_path in path_files.items():
+ data_files[file_name].append(file_path)
+
+ logger.info("Found %d data file types", len(data_files))
+ logger.info("Total data files: %d", sum(len(v) for v in data_files.values()))
+ return data_files
diff --git a/tests/data/drivers/test_velociraptor_driver.py b/tests/data/drivers/test_velociraptor_driver.py
new file mode 100644
index 000000000..bbe2b25b5
--- /dev/null
+++ b/tests/data/drivers/test_velociraptor_driver.py
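Review bot: The settings fallback in `__init__` reads `DataProviders` → `"VelociraptorLogs"`, but the DataProv-Velociraptor.rst hunk in this same patch tells users to write the section as `Velociraptor:`, so a configuration written per the docs is silently ignored and the driver falls back to `["."]` (unless `get_provider_settings` resolves enum aliases, which is not visible here); either align the docs or look up both keys, e.g. `prov_settings = settings.get("VelociraptorLogs") or settings.get("Velociraptor")`. In `_cached_query`, `pd.concat(dfs)` keeps each file's own RangeIndex, so a table assembled from several hosts carries duplicate index labels; use `query_df = pd.concat(dfs, ignore_index=True)`. `@lru_cache` on a bound method keys on `self` and keeps the instance and its DataFrames alive for the cache's lifetime, hands the same mutable DataFrame object to every caller, and is never invalidated when `connect()` is called again on the same instance, so a per-instance dict cleared in `connect()` would be safer than the decorator. Several OSQuery leftovers remain: the class and `__init__` docstrings name `OSQueryLogDriver` and kql, `OS_QUERY_DATEIME_COLS` is unused, `self._query_map` is annotated but never assigned, and the `"data files to read"` log in `__init__` always prints an empty string because `data_files` is only populated in `connect()`. In `_get_logfile_paths`, `dict(zip(file_names, files.values()))` silently drops one of two files whose names collapse to the same `valid_pyname`, and because the relative sub-path is part of the key it is not obvious that per-host subfolders under a single data path are merged into one table as the docs promise — a comment or a test pinning that behaviour would help.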
@@ -0,0 +1,59 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+"""Module docstring."""
+import pandas as pd
+import pytest
+import pytest_check as check
+
+from msticpy.data.core.data_providers import QueryProvider
+from msticpy.data.drivers.local_velociraptor_driver import VelociraptorLogDriver
+
+from ...unit_test_lib import get_test_data_path
+
+__author__ = "Ian Hellen"
+
+# pylint: disable=redefined-outer-name, protected-access
+
+
+# change this for actual data
+
+_VR_LOG_PATH = "velociraptor"
+
+_EXPECTED_TABLES = [
+ "Windows_Forensics_Lnk",
+ "Windows_Forensics_ProcessInfo",
+ "Windows_Forensics_Usn",
+ "Windows_Memory_Acquisition",
+ "Windows_Network_ArpCache",
+ "Windows_Network_InterfaceAddresses",
+ "Windows_Network_ListeningPorts",
+ "Windows_Network_Netstat",
+ "Windows_Sys_Users",
+ "Windows_Sysinternals_Autoruns",
+ "Windows_System_DNSCache",
+ "Windows_System_Pslist",
+]
+
+
+def test_read_log_files():
+ """Test reading Velociraptor logs."""
+ query_path = str(get_test_data_path().joinpath(_VR_LOG_PATH))
+ vr_driver = VelociraptorLogDriver(data_paths=[query_path])
+
+ vr_driver.connect()
+ check.equal(len(vr_driver.data_files), len(_EXPECTED_TABLES))
+ check.equal(len(vr_driver.schema), len(_EXPECTED_TABLES))
+
+
+def test_vr_query():
+ """Test loading and querying velociraptor data."""
+ os_query_path = str(get_test_data_path().joinpath(_VR_LOG_PATH))
+ qry_prov = QueryProvider("Velociraptor", data_paths=[os_query_path])
+ qry_prov.connect()
+ check.equal(len(qry_prov.velociraptor), len(_EXPECTED_TABLES))
+ check.equal(len(qry_prov.velociraptor.Windows_Forensics_Lnk()), 10)
+ check.equal(len(qry_prov.velociraptor.Windows_Forensics_ProcessInfo()), 10)
+ check.equal(len(qry_prov.velociraptor.Windows_Sys_Users()), 7)
diff --git a/tests/testdata/velociraptor/Windows.Forensics.Lnk.json b/tests/testdata/velociraptor/Windows.Forensics.Lnk.json
new file mode 100644
index 000000000..df9137d88
--- /dev/null
+++ b/tests/testdata/velociraptor/Windows.Forensics.Lnk.json
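Review bot: Both tests cover only the happy path; the `MsticpyDataQueryError` that `query()` raises for an unknown table and the no-`data_paths` settings fallback in the driver's `__init__` are never exercised, so a regression in either would pass CI. A minimal addition to `test_read_log_files` is `with pytest.raises(MsticpyDataQueryError):` / `vr_driver.query("No_Such_Table")`, which also gives the currently unused `pytest` import a purpose (the exception is importable from `msticpy.common.exceptions`, as the driver hunk shows). The module docstring `"""Module docstring."""` is a placeholder, `# change this for actual data` and the `os_query_path` local are leftovers from the OSQuery test this was copied from, and `pandas` is imported but unused.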
@@ -0,0 +1,10 @@ +{"FullPath":"C:\\Users\\domi.nusvir\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AWS.EC2.WindowsUpdate (2).lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkInfo","HasLinkTargetIDList","HasRelativePath","IsUnicode"],"FileAttributes":["FILE_ATTRIBUTE_DIRECTORY"],"CreationTime":"2017-06-15T17:00:11Z","AccessTime":"2017-06-15T17:00:11Z","WriteTime":"2017-06-15T17:00:11Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":443,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}},{"ItemIDSize":25,"Offset":98,"Type":32,"Subtype":1,"ShellBag":{"Name":"C:\\","Description":{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"}}},{"ItemIDSize":96,"Offset":123,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-11-24T00:19:30Z","ShortName":"PROGRA~3","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-07-16T13:23:22Z","LastAccessed":"2016-11-24T00:19:30Z","MFTReference":{"MFTID":377,"SequenceNumber":281474976710656},"LongName":"ProgramData"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656}}},{"ItemIDSize":84,"Offset":219,"Type":48,"Subtype":1,"ShellBag":{"Size":84,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-10-18T02:51:34Z","ShortName":"Amazon","Extension":{"Size":62,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2016-10-18T02:51:34Z","MFTReference":{"MFTID":378,"SequenceNumber":281474976710656},"LongName":"Amazon"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T
02:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656}}},{"ItemIDSize":96,"Offset":303,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-05-19T21:37:18Z","ShortName":"EC2-WI~1","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2017-05-19T21:37:18Z","MFTReference":{"MFTID":379,"SequenceNumber":281474976710656},"LongName":"EC2-Windows"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656}}},{"ItemIDSize":120,"Offset":399,"Type":48,"Subtype":1,"ShellBag":{"Size":120,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","Extension":{"Size":92,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","MFTReference":{"MFTID":156684,"SequenceNumber":281474976710656},"LongName":"AWS.EC2.WindowsUpdate"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656}}}]},"LinkInfo":{"Offset":521,"LinkInfoSize":109,"LinkInfoFlags":["VolumeIDAndLocalBasePath"],"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}}},"NameInfo":{},"RelativePathInfo":{"Offset":630,"RelativePathInfoSize":146,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate"},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-06-15T19:16:55.502978Z
","Atime":"2022-02-12T18:53:53.7569849Z","Ctime":"2017-06-15T19:16:55.502978Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"},{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"},{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T02:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656}],"HeaderCreationTime":"2017-06-15T17:00:11Z","HeaderAccessTime":"2017-06-15T17:00:11Z","HeaderWriteTime":"2017-06-15T17:00:11Z","FileSize":0,"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}},"Name":null,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} 
+{"FullPath":"C:\\Users\\domi.nusvir\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AWS.EC2.WindowsUpdate.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkInfo","HasLinkTargetIDList","HasRelativePath","HasWorkingDir","IsUnicode"],"FileAttributes":["FILE_ATTRIBUTE_ARCHIVE"],"CreationTime":"2017-06-15T17:00:11Z","AccessTime":"2017-06-15T17:00:11Z","WriteTime":"2017-06-15T17:44:50Z","FileSize":11098,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":571,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}},{"ItemIDSize":25,"Offset":98,"Type":32,"Subtype":1,"ShellBag":{"Name":"C:\\","Description":{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"}}},{"ItemIDSize":96,"Offset":123,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-11-24T00:19:30Z","ShortName":"PROGRA~3","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-07-16T13:23:22Z","LastAccessed":"2016-11-24T00:19:30Z","MFTReference":{"MFTID":377,"SequenceNumber":281474976710656},"LongName":"ProgramData"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656}}},{"ItemIDSize":84,"Offset":219,"Type":48,"Subtype":1,"ShellBag":{"Size":84,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-10-18T02:51:34Z","ShortName":"Amazon","Extension":{"Size":62,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2016-10-18T02:51:34Z","MFTReference":{"MFTID":378,"SequenceNumber":281474976710656},"LongName":"Amazon"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T02:
51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656}}},{"ItemIDSize":96,"Offset":303,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-05-19T21:37:18Z","ShortName":"EC2-WI~1","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2017-05-19T21:37:18Z","MFTReference":{"MFTID":379,"SequenceNumber":281474976710656},"LongName":"EC2-Windows"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656}}},{"ItemIDSize":120,"Offset":399,"Type":48,"Subtype":1,"ShellBag":{"Size":120,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","Extension":{"Size":92,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","MFTReference":{"MFTID":156684,"SequenceNumber":281474976710656},"LongName":"AWS.EC2.WindowsUpdate"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656}}},{"ItemIDSize":128,"Offset":519,"Type":48,"Subtype":0,"ShellBag":{"Size":128,"Type":50,"SubType":["File","Unicode"],"LastModificationTime":"2017-06-15T17:44:52Z","ShortName":"AWSEC2~1.LOG","Extension":{"Size":100,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","MFTReference":{"MFTID":156686,"SequenceNumber":281474976710656},"LongName":"AWS.EC2.WindowsUpdate.log"},"Description":{"Type":["File","Unicode"],"Modified":"2017-06-15T17:44:52Z","LastAccessed":"2017-06-15T17:00:1
2Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.LOG","LongName":"AWS.EC2.WindowsUpdate.log","MFTID":156686,"MFTSeq":281474976710656}}}]},"LinkInfo":{"Offset":649,"LinkInfoSize":135,"LinkInfoFlags":["VolumeIDAndLocalBasePath"],"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}}},"NameInfo":{},"RelativePathInfo":{"Offset":784,"RelativePathInfoSize":198,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log"},"WorkingDirInfo":{"Offset":984,"WorkingDirInfoSize":110,"WorkingDir":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate"},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-06-15T19:16:55.4717422Z","Atime":"2022-02-12T18:53:53.7413598Z","Ctime":"2017-06-15T19:16:55.4717422Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"},{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"},{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T02:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656},{"Type":["File","Unicode"],"Modified":"201
7-06-15T17:44:52Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.LOG","LongName":"AWS.EC2.WindowsUpdate.log","MFTID":156686,"MFTSeq":281474976710656}],"HeaderCreationTime":"2017-06-15T17:00:11Z","HeaderAccessTime":"2017-06-15T17:00:11Z","HeaderWriteTime":"2017-06-15T17:44:50Z","FileSize":11098,"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}},"Name":null,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log","WorkingDir":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","Arguments":null,"Icons":null,"Upload":null} +{"FullPath":"C:\\Users\\domi.nusvir\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\All Tasks.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkTargetIDList","IsUnicode"],"FileAttributes":[],"CreationTime":"1601-01-01T00:00:00Z","AccessTime":"1601-01-01T00:00:00Z","WriteTime":"1601-01-01T00:00:00Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":22,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}}]},"LinkInfo":{},"NameInfo":{},"RelativePathInfo":{},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-05-19T20:56:39.7146821Z","Atime":"2022-02-12T18:53:53.8507453Z","Ctime":"2017-05-19T20:56:39.7146821Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"}],"HeaderCreationTime":"1601-01-01T00:00:00Z","HeaderAccessTime":"1601-01-01T00:00:00Z","HeaderWriteTime":"1601-01-01T00:00:00Z","FileSize":0,"Target":null,"Name":null,"RelativePath":null,"WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} 
+{"FullPath":"C:\\Users\\domi.nusvir\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Internet Options.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkTargetIDList","IsUnicode"],"FileAttributes":[],"CreationTime":"1601-01-01T00:00:00Z","AccessTime":"1601-01-01T00:00:00Z","WriteTime":"1601-01-01T00:00:00Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":64,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}},{"ItemIDSize":12,"Offset":98,"Type":0,"Subtype":1,"ShellBag":null},{"ItemIDSize":30,"Offset":110,"Type":112,"Subtype":1,"ShellBag":null}]},"LinkInfo":{},"NameInfo":{},"RelativePathInfo":{},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2022-02-12T00:32:57.8617334Z","Atime":"2022-02-12T18:53:53.6632322Z","Ctime":"2022-02-12T00:32:57.8617334Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"},null,null],"HeaderCreationTime":"1601-01-01T00:00:00Z","HeaderAccessTime":"1601-01-01T00:00:00Z","HeaderWriteTime":"1601-01-01T00:00:00Z","FileSize":0,"Target":null,"Name":null,"RelativePath":null,"WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} +{"FullPath":"C:\\Users\\domi.nusvir\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Uninstall a program.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkTargetIDList","IsUnicode"],"FileAttributes":[],"CreationTime":"1601-01-01T00:00:00Z","AccessTime":"1601-01-01T00:00:00Z","WriteTime":"1601-01-01T00:00:00Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":366,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My 
Computer","Type":"Root"}}},{"ItemIDSize":344,"Offset":98,"Type":0,"Subtype":0,"ShellBag":null}]},"LinkInfo":{},"NameInfo":{},"RelativePathInfo":{},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-05-19T20:56:39.6487129Z","Atime":"2022-02-12T18:53:53.6632322Z","Ctime":"2017-05-19T20:56:39.6487129Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"},null],"HeaderCreationTime":"1601-01-01T00:00:00Z","HeaderAccessTime":"1601-01-01T00:00:00Z","HeaderWriteTime":"1601-01-01T00:00:00Z","FileSize":0,"Target":null,"Name":null,"RelativePath":null,"WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} +{"FullPath":"C:\\Users\\domi.nusvir\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WindowsUpdate.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkInfo","HasLinkTargetIDList","HasRelativePath","HasWorkingDir","IsUnicode"],"FileAttributes":["FILE_ATTRIBUTE_ARCHIVE"],"CreationTime":"2017-05-12T00:37:56Z","AccessTime":"2017-05-12T00:37:56Z","WriteTime":"2017-05-12T00:53:10Z","FileSize":194617,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":114,"IDList":[{"ItemIDSize":112,"Offset":78,"Type":48,"Subtype":0,"ShellBag":{"Size":112,"Type":50,"SubType":["File","Unicode"],"LastModificationTime":"2017-05-12T00:53:12Z","ShortName":"WINDOW~1.LOG","Extension":{"Size":84,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-05-12T00:37:58Z","LastAccessed":"2017-05-12T00:37:58Z","MFTReference":{"MFTID":153408,"SequenceNumber":562949953421312},"LongName":"WindowsUpdate.log"},"Description":{"Type":["File","Unicode"],"Modified":"2017-05-12T00:53:12Z","LastAccessed":"2017-05-12T00:37:58Z","CreateDate":"2017-05-12T00:37:58Z","ShortName":"WINDOW~1.LOG","LongName":"WindowsUpdate.log","MFTID":153408,"MFTSeq":562949953421312}}}]},"LinkInfo":{"Offset":192,"LinkInfoSize":102,"LinkInfoFlags":["VolumeIDAndLocalBasePath"],"Target":{"path":"C:\\Users\\Administrator\\Deskt
op\\WindowsUpdate.log","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":808864001,"VolumeLabel":"Windows"}}},"NameInfo":{},"RelativePathInfo":{"Offset":294,"RelativePathInfoSize":80,"RelativePath":"..\\..\\..\\..\\..\\Desktop\\WindowsUpdate.log"},"WorkingDirInfo":{"Offset":376,"WorkingDirInfoSize":60,"WorkingDir":"C:\\Users\\Administrator\\Desktop"},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-05-12T00:53:13.6114769Z","Atime":"2022-02-12T18:53:53.6632322Z","Ctime":"2017-05-12T00:53:13.6114769Z","_TargetIDInfo":[{"Type":["File","Unicode"],"Modified":"2017-05-12T00:53:12Z","LastAccessed":"2017-05-12T00:37:58Z","CreateDate":"2017-05-12T00:37:58Z","ShortName":"WINDOW~1.LOG","LongName":"WindowsUpdate.log","MFTID":153408,"MFTSeq":562949953421312}],"HeaderCreationTime":"2017-05-12T00:37:56Z","HeaderAccessTime":"2017-05-12T00:37:56Z","HeaderWriteTime":"2017-05-12T00:53:10Z","FileSize":194617,"Target":{"path":"C:\\Users\\Administrator\\Desktop\\WindowsUpdate.log","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":808864001,"VolumeLabel":"Windows"}},"Name":null,"RelativePath":"..\\..\\..\\..\\..\\Desktop\\WindowsUpdate.log","WorkingDir":"C:\\Users\\Administrator\\Desktop","Arguments":null,"Icons":null,"Upload":null} +{"FullPath":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AWS.EC2.WindowsUpdate (2).lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkInfo","HasLinkTargetIDList","HasRelativePath","IsUnicode"],"FileAttributes":["FILE_ATTRIBUTE_DIRECTORY"],"CreationTime":"2017-06-15T17:00:11Z","AccessTime":"2017-06-15T17:00:11Z","WriteTime":"2017-06-15T17:00:11Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":443,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My 
Computer","Type":"Root"}}},{"ItemIDSize":25,"Offset":98,"Type":32,"Subtype":1,"ShellBag":{"Name":"C:\\","Description":{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"}}},{"ItemIDSize":96,"Offset":123,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-11-24T00:19:30Z","ShortName":"PROGRA~3","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-07-16T13:23:22Z","LastAccessed":"2016-11-24T00:19:30Z","MFTReference":{"MFTID":377,"SequenceNumber":281474976710656},"LongName":"ProgramData"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656}}},{"ItemIDSize":84,"Offset":219,"Type":48,"Subtype":1,"ShellBag":{"Size":84,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-10-18T02:51:34Z","ShortName":"Amazon","Extension":{"Size":62,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2016-10-18T02:51:34Z","MFTReference":{"MFTID":378,"SequenceNumber":281474976710656},"LongName":"Amazon"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T02:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656}}},{"ItemIDSize":96,"Offset":303,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-05-19T21:37:18Z","ShortName":"EC2-WI~1","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2017-05-19T21:37:18Z","MFTReference":{"MFTID":379,"SequenceNumber":281474976710656},"LongName":"EC2-Windows"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDat
e":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656}}},{"ItemIDSize":120,"Offset":399,"Type":48,"Subtype":1,"ShellBag":{"Size":120,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","Extension":{"Size":92,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","MFTReference":{"MFTID":156684,"SequenceNumber":281474976710656},"LongName":"AWS.EC2.WindowsUpdate"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656}}}]},"LinkInfo":{"Offset":521,"LinkInfoSize":109,"LinkInfoFlags":["VolumeIDAndLocalBasePath"],"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}}},"NameInfo":{},"RelativePathInfo":{"Offset":630,"RelativePathInfoSize":146,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate"},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-06-15T19:16:55.502978Z","Atime":"2022-02-12T01:17:15.156236Z","Ctime":"2017-06-15T19:16:55.502978Z","_TargetIDInfo":[{"ShortName":"My 
Computer","Type":"Root"},{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"},{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T02:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656}],"HeaderCreationTime":"2017-06-15T17:00:11Z","HeaderAccessTime":"2017-06-15T17:00:11Z","HeaderWriteTime":"2017-06-15T17:00:11Z","FileSize":0,"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}},"Name":null,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} 
+{"FullPath":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AWS.EC2.WindowsUpdate.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkInfo","HasLinkTargetIDList","HasRelativePath","HasWorkingDir","IsUnicode"],"FileAttributes":["FILE_ATTRIBUTE_ARCHIVE"],"CreationTime":"2017-06-15T17:00:11Z","AccessTime":"2017-06-15T17:00:11Z","WriteTime":"2017-06-15T17:44:50Z","FileSize":11098,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":571,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}},{"ItemIDSize":25,"Offset":98,"Type":32,"Subtype":1,"ShellBag":{"Name":"C:\\","Description":{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"}}},{"ItemIDSize":96,"Offset":123,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-11-24T00:19:30Z","ShortName":"PROGRA~3","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-07-16T13:23:22Z","LastAccessed":"2016-11-24T00:19:30Z","MFTReference":{"MFTID":377,"SequenceNumber":281474976710656},"LongName":"ProgramData"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656}}},{"ItemIDSize":84,"Offset":219,"Type":48,"Subtype":1,"ShellBag":{"Size":84,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2016-10-18T02:51:34Z","ShortName":"Amazon","Extension":{"Size":62,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2016-10-18T02:51:34Z","MFTReference":{"MFTID":378,"SequenceNumber":281474976710656},"LongName":"Amazon"},"Description":{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T0
2:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656}}},{"ItemIDSize":96,"Offset":303,"Type":48,"Subtype":1,"ShellBag":{"Size":96,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-05-19T21:37:18Z","ShortName":"EC2-WI~1","Extension":{"Size":72,"Version":9,"Signature":"0xbeef0004","CreateDate":"2016-10-18T00:07:46Z","LastAccessed":"2017-05-19T21:37:18Z","MFTReference":{"MFTID":379,"SequenceNumber":281474976710656},"LongName":"EC2-Windows"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656}}},{"ItemIDSize":120,"Offset":399,"Type":48,"Subtype":1,"ShellBag":{"Size":120,"Type":49,"SubType":["Directory","Unicode"],"LastModificationTime":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","Extension":{"Size":92,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","MFTReference":{"MFTID":156684,"SequenceNumber":281474976710656},"LongName":"AWS.EC2.WindowsUpdate"},"Description":{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656}}},{"ItemIDSize":128,"Offset":519,"Type":48,"Subtype":0,"ShellBag":{"Size":128,"Type":50,"SubType":["File","Unicode"],"LastModificationTime":"2017-06-15T17:44:52Z","ShortName":"AWSEC2~1.LOG","Extension":{"Size":100,"Version":9,"Signature":"0xbeef0004","CreateDate":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","MFTReference":{"MFTID":156686,"SequenceNumber":281474976710656},"LongName":"AWS.EC2.WindowsUpdate.log"},"Description":{"Type":["File","Unicode"],"Modified":"2017-06-15T17:44:52Z","LastAccessed":"2017-06-15T17:00
:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.LOG","LongName":"AWS.EC2.WindowsUpdate.log","MFTID":156686,"MFTSeq":281474976710656}}}]},"LinkInfo":{"Offset":649,"LinkInfoSize":135,"LinkInfoFlags":["VolumeIDAndLocalBasePath"],"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}}},"NameInfo":{},"RelativePathInfo":{"Offset":784,"RelativePathInfoSize":198,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log"},"WorkingDirInfo":{"Offset":984,"WorkingDirInfoSize":110,"WorkingDir":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate"},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-06-15T19:16:55.4717422Z","Atime":"2022-02-12T01:17:15.1552287Z","Ctime":"2017-06-15T19:16:55.4717422Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"},{"LongName":"C:\\","ShortName":"C:\\","Type":"Volume"},{"Type":["Directory","Unicode"],"Modified":"2016-11-24T00:19:30Z","LastAccessed":"2016-11-24T00:19:30Z","CreateDate":"2016-07-16T13:23:22Z","ShortName":"PROGRA~3","LongName":"ProgramData","MFTID":377,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2016-10-18T02:51:34Z","LastAccessed":"2016-10-18T02:51:34Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"Amazon","LongName":"Amazon","MFTID":378,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-05-19T21:37:18Z","LastAccessed":"2017-05-19T21:37:18Z","CreateDate":"2016-10-18T00:07:46Z","ShortName":"EC2-WI~1","LongName":"EC2-Windows","MFTID":379,"MFTSeq":281474976710656},{"Type":["Directory","Unicode"],"Modified":"2017-06-15T17:00:12Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.WIN","LongName":"AWS.EC2.WindowsUpdate","MFTID":156684,"MFTSeq":281474976710656},{"Type":["File","Unicode"],"Modified":"2
017-06-15T17:44:52Z","LastAccessed":"2017-06-15T17:00:12Z","CreateDate":"2017-06-15T17:00:12Z","ShortName":"AWSEC2~1.LOG","LongName":"AWS.EC2.WindowsUpdate.log","MFTID":156686,"MFTSeq":281474976710656}],"HeaderCreationTime":"2017-06-15T17:00:11Z","HeaderAccessTime":"2017-06-15T17:00:11Z","HeaderWriteTime":"2017-06-15T17:44:50Z","FileSize":11098,"Target":{"path":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log","volume_info":{"DriveType":"DRIVE_FIXED","DriveSerialNumber":1982990285,"VolumeLabel":"Windows"}},"Name":null,"RelativePath":"..\\..\\..\\..\\..\\..\\..\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate\\AWS.EC2.WindowsUpdate.log","WorkingDir":"C:\\ProgramData\\Amazon\\EC2-Windows\\AWS.EC2.WindowsUpdate","Arguments":null,"Icons":null,"Upload":null} +{"FullPath":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\All Tasks.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkTargetIDList","IsUnicode"],"FileAttributes":[],"CreationTime":"1601-01-01T00:00:00Z","AccessTime":"1601-01-01T00:00:00Z","WriteTime":"1601-01-01T00:00:00Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":22,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}}]},"LinkInfo":{},"NameInfo":{},"RelativePathInfo":{},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2017-05-19T20:56:39.7146821Z","Atime":"2022-02-12T01:17:15.2156524Z","Ctime":"2017-05-19T20:56:39.7146821Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"}],"HeaderCreationTime":"1601-01-01T00:00:00Z","HeaderAccessTime":"1601-01-01T00:00:00Z","HeaderWriteTime":"1601-01-01T00:00:00Z","FileSize":0,"Target":null,"Name":null,"RelativePath":null,"WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} 
+{"FullPath":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Internet Options.lnk","_Parsed":{"HeaderSize":76,"LinkClsID":"0114020000000000c000000000000046","LinkFlags":["DisableKnownFolderTracking","HasLinkTargetIDList","IsUnicode"],"FileAttributes":[],"CreationTime":"1601-01-01T00:00:00Z","AccessTime":"1601-01-01T00:00:00Z","WriteTime":"1601-01-01T00:00:00Z","FileSize":0,"IconIndex":0,"ShowCommand":1,"HotKey":0,"LinkTargetIDList":{"IDListSize":64,"IDList":[{"ItemIDSize":20,"Offset":78,"Type":16,"Subtype":1,"ShellBag":{"Description":{"ShortName":"My Computer","Type":"Root"}}},{"ItemIDSize":12,"Offset":98,"Type":0,"Subtype":1,"ShellBag":null},{"ItemIDSize":30,"Offset":110,"Type":112,"Subtype":1,"ShellBag":null}]},"LinkInfo":{},"NameInfo":{},"RelativePathInfo":{},"WorkingDirInfo":{},"ArgumentInfo":{},"IconInfo":{}},"Mtime":"2022-02-12T00:32:57.8617334Z","Atime":"2022-02-12T01:17:15.1058888Z","Ctime":"2022-02-12T00:32:57.8617334Z","_TargetIDInfo":[{"ShortName":"My Computer","Type":"Root"},null,null],"HeaderCreationTime":"1601-01-01T00:00:00Z","HeaderAccessTime":"1601-01-01T00:00:00Z","HeaderWriteTime":"1601-01-01T00:00:00Z","FileSize":0,"Target":null,"Name":null,"RelativePath":null,"WorkingDir":null,"Arguments":null,"Icons":null,"Upload":null} \ No newline at end of file diff --git a/tests/testdata/velociraptor/Windows.Forensics.ProcessInfo.json b/tests/testdata/velociraptor/Windows.Forensics.ProcessInfo.json new file mode 100644 index 000000000..36c3c271e --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Forensics.ProcessInfo.json 
@@ -0,0 +1,10 @@ +{"Name":"System","PebBaseAddress":"0x0","Pid":4,"ImagePathName":null,"CommandLine":null,"CurrentDirectory":null,"Env":{}} +{"Name":"smss.exe","PebBaseAddress":"0x5b6ea41000","Pid":268,"ImagePathName":null,"CommandLine":null,"CurrentDirectory":null,"Env":{}} +{"Name":"csrss.exe","PebBaseAddress":"0x91fdbd0000","Pid":348,"ImagePathName":null,"CommandLine":null,"CurrentDirectory":null,"Env":{}} +{"Name":"wininit.exe","PebBaseAddress":"0xc5f8d8e000","Pid":416,"ImagePathName":null,"CommandLine":null,"CurrentDirectory":null,"Env":{}} +{"Name":"csrss.exe","PebBaseAddress":"0x65715c4000","Pid":424,"ImagePathName":null,"CommandLine":null,"CurrentDirectory":null,"Env":{}} +{"Name":"winlogon.exe","PebBaseAddress":"0xaa675e0000","Pid":492,"ImagePathName":"C:\\Windows\\system32\\winlogon.exe","CommandLine":"winlogon.exe","CurrentDirectory":"C:\\Windows\\system32\\","Env":{"ALLUSERSPROFILE":"C:\\ProgramData","ChocolateyInstall":"C:\\ProgramData\\chocolatey","CommonProgramFiles":"C:\\Program Files\\Common Files","CommonProgramFiles(x86)":"C:\\Program Files (x86)\\Common Files","CommonProgramW6432":"C:\\Program Files\\Common Files","COMPUTERNAME":"WKST01","ComSpec":"C:\\Windows\\system32\\cmd.exe","NUMBER_OF_PROCESSORS":"2","OS":"Windows_NT","Path":"C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Amazon\\cfn-bootstrap\\;C:\\ProgramData\\chocolatey\\bin;;C:\\Program Files\\Microsoft VS Code\\bin","PATHEXT":".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC","PROCESSOR_ARCHITECTURE":"AMD64","PROCESSOR_IDENTIFIER":"Intel64 Family 6 Model 85 Stepping 7, GenuineIntel","PROCESSOR_LEVEL":"6","PROCESSOR_REVISION":"5507","ProgramData":"C:\\ProgramData","ProgramFiles":"C:\\Program Files","ProgramFiles(x86)":"C:\\Program Files (x86)","ProgramW6432":"C:\\Program 
Files","PSModulePath":"%ProgramFiles%\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules;C:\\Program Files (x86)\\AWS Tools\\PowerShell\\","PUBLIC":"C:\\Users\\Public","SystemDrive":"C:","SystemRoot":"C:\\Windows","TEMP":"C:\\Windows\\TEMP","TMP":"C:\\Windows\\TEMP","USERNAME":"SYSTEM","USERPROFILE":"C:\\Windows\\system32\\config\\systemprofile","windir":"C:\\Windows"}} +{"Name":"services.exe","PebBaseAddress":"0x3917899000","Pid":540,"ImagePathName":null,"CommandLine":null,"CurrentDirectory":null,"Env":{}} +{"Name":"lsass.exe","PebBaseAddress":"0x7c55f75000","Pid":548,"ImagePathName":"C:\\Windows\\system32\\lsass.exe","CommandLine":"C:\\Windows\\system32\\lsass.exe","CurrentDirectory":"C:\\Windows\\system32\\","Env":{"ALLUSERSPROFILE":"C:\\ProgramData","ChocolateyInstall":"C:\\ProgramData\\chocolatey","CommonProgramFiles":"C:\\Program Files\\Common Files","CommonProgramFiles(x86)":"C:\\Program Files (x86)\\Common Files","CommonProgramW6432":"C:\\Program Files\\Common Files","COMPUTERNAME":"WKST01","ComSpec":"C:\\Windows\\system32\\cmd.exe","NUMBER_OF_PROCESSORS":"2","OS":"Windows_NT","Path":"C:\\Windows\\System32","PATHEXT":".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC","PROCESSOR_ARCHITECTURE":"AMD64","PROCESSOR_IDENTIFIER":"Intel64 Family 6 Model 85 Stepping 7, GenuineIntel","PROCESSOR_LEVEL":"6","PROCESSOR_REVISION":"5507","ProgramData":"C:\\ProgramData","ProgramFiles":"C:\\Program Files","ProgramFiles(x86)":"C:\\Program Files (x86)","ProgramW6432":"C:\\Program Files","PSModulePath":"%ProgramFiles%\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules;C:\\Program Files (x86)\\AWS Tools\\PowerShell\\","PUBLIC":"C:\\Users\\Public","SystemDrive":"C:","SystemRoot":"C:\\Windows","TEMP":"C:\\Windows\\TEMP","TMP":"C:\\Windows\\TEMP","USERNAME":"SYSTEM","USERPROFILE":"C:\\Windows\\system32\\config\\systemprofile","windir":"C:\\Windows"}} 
+{"Name":"svchost.exe","PebBaseAddress":"0x1b865e5000","Pid":636,"ImagePathName":"C:\\Windows\\system32\\svchost.exe","CommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","CurrentDirectory":"C:\\Windows\\system32\\","Env":{"ALLUSERSPROFILE":"C:\\ProgramData","APPDATA":"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming","ChocolateyInstall":"C:\\ProgramData\\chocolatey","CommonProgramFiles":"C:\\Program Files\\Common Files","CommonProgramFiles(x86)":"C:\\Program Files (x86)\\Common Files","CommonProgramW6432":"C:\\Program Files\\Common Files","COMPUTERNAME":"WKST01","ComSpec":"C:\\Windows\\system32\\cmd.exe","LOCALAPPDATA":"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local","NUMBER_OF_PROCESSORS":"2","OS":"Windows_NT","Path":"C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Amazon\\cfn-bootstrap\\;C:\\ProgramData\\chocolatey\\bin;;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WindowsApps","PATHEXT":".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC","PROCESSOR_ARCHITECTURE":"AMD64","PROCESSOR_IDENTIFIER":"Intel64 Family 6 Model 85 Stepping 7, GenuineIntel","PROCESSOR_LEVEL":"6","PROCESSOR_REVISION":"5507","ProgramData":"C:\\ProgramData","ProgramFiles":"C:\\Program Files","ProgramFiles(x86)":"C:\\Program Files (x86)","ProgramW6432":"C:\\Program Files","PSModulePath":"%ProgramFiles%\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules;C:\\Program Files (x86)\\AWS Tools\\PowerShell\\","PUBLIC":"C:\\Users\\Public","SystemDrive":"C:","SystemRoot":"C:\\Windows","TEMP":"C:\\Windows\\TEMP","TMP":"C:\\Windows\\TEMP","USERDOMAIN":"MAGNUMTEMPUS","USERNAME":"WKST01$","USERPROFILE":"C:\\Windows\\system32\\config\\systemprofile","windir":"C:\\Windows"}} 
+{"Name":"svchost.exe","PebBaseAddress":"0xe60fe88000","Pid":692,"ImagePathName":"C:\\Windows\\system32\\svchost.exe","CommandLine":"C:\\Windows\\system32\\svchost.exe -k RPCSS","CurrentDirectory":"C:\\Windows\\system32\\","Env":{"ALLUSERSPROFILE":"C:\\ProgramData","APPDATA":"C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Roaming","ChocolateyInstall":"C:\\ProgramData\\chocolatey","CommonProgramFiles":"C:\\Program Files\\Common Files","CommonProgramFiles(x86)":"C:\\Program Files (x86)\\Common Files","CommonProgramW6432":"C:\\Program Files\\Common Files","COMPUTERNAME":"WKST01","ComSpec":"C:\\Windows\\system32\\cmd.exe","LOCALAPPDATA":"C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local","NUMBER_OF_PROCESSORS":"2","OS":"Windows_NT","Path":"C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Amazon\\cfn-bootstrap\\;C:\\ProgramData\\chocolatey\\bin;;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\WindowsApps","PATHEXT":".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC","PROCESSOR_ARCHITECTURE":"AMD64","PROCESSOR_IDENTIFIER":"Intel64 Family 6 Model 85 Stepping 7, GenuineIntel","PROCESSOR_LEVEL":"6","PROCESSOR_REVISION":"5507","ProgramData":"C:\\ProgramData","ProgramFiles":"C:\\Program Files","ProgramFiles(x86)":"C:\\Program Files (x86)","ProgramW6432":"C:\\Program Files","PSModulePath":"%ProgramFiles%\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules;C:\\Program Files (x86)\\AWS Tools\\PowerShell\\","PUBLIC":"C:\\Users\\Public","SystemDrive":"C:","SystemRoot":"C:\\Windows","TEMP":"C:\\Windows\\SERVIC~2\\NETWOR~1\\AppData\\Local\\Temp","TMP":"C:\\Windows\\SERVIC~2\\NETWOR~1\\AppData\\Local\\Temp","USERDOMAIN":"MAGNUMTEMPUS","USERNAME":"WKST01$","USERPROFILE":"C:\\Windows\\ServiceProfiles\\NetworkService","windir":"C:\\Windows"}} \ No newline at end of file 
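Review bot: The `Env` dumps in this fixture carry host-identifying values — `COMPUTERNAME` `WKST01`, `USERNAME` `WKST01$`, `USERDOMAIN` `MAGNUMTEMPUS`, and complete `Path`/`PSModulePath` layouts — and once committed they remain in repository history indefinitely; confirm these were collected from a disposable lab image rather than a production host, or substitute obviously synthetic values before merging. The same review applies to the account and hostname fields in the Windows.Forensics.Lnk.json fixture above. The `Env` objects are also much larger than a column-parsing test presumably needs, so trimming each to a handful of keys would keep the fixture reviewable without weakening coverage. The file is JSON Lines — one object per line, no enclosing array, and no trailing newline — so a short comment in the test or driver stating that it is read line by line would prevent it being mistaken for a single JSON document.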
diff --git a/tests/testdata/velociraptor/Windows.Forensics.Usn.json b/tests/testdata/velociraptor/Windows.Forensics.Usn.json
new file mode 100644
index 000000000..090efa0fd
--- /dev/null
+++ b/tests/testdata/velociraptor/Windows.Forensics.Usn.json
@@ -0,0 +1,10 @@
+{"Usn":25165824,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25165920,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION","CLOSE"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166016,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166112,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166208,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION","CLOSE"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166304,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166400,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166496,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION","CLOSE"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166592,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
+{"Usn":25166688,"Timestamp":"2022-02-12T00:36:43.7895496Z","Filename":"setupapi.dev.log","FullPath":"Windows/INF/setupapi.dev.log","FileAttributes":["ARCHIVE"],"Reason":["DATA_EXTEND","DATA_TRUNCATION"],"SourceInfo":["ARCHIVE"],"_FileMFTID":1128,"_FileMFTSequence":3,"_ParentMFTID":3403,"_ParentMFTSequence":1}
\ No newline at end of file
diff --git a/tests/testdata/velociraptor/Windows.Memory.Acquisition.json b/tests/testdata/velociraptor/Windows.Memory.Acquisition.json
new file mode 100644
index 000000000..8250c19ed
--- /dev/null
+++ b/tests/testdata/velociraptor/Windows.Memory.Acquisition.json
@@ -0,0 +1,10 @@ +{"Stdout":"WinPmem64","Stderr":"","Upload":null} +{"Stdout":"Extracting driver to C:\\Users\\ADMINI~1.MAG\\AppData\\Local\\Temp\\pmeCEC5.tmp","Stderr":"","Upload":null} +{"Stdout":"Driver Unloaded.","Stderr":"","Upload":null} +{"Stdout":"Loaded Driver C:\\Users\\ADMINI~1.MAG\\AppData\\Local\\Temp\\pmeCEC5.tmp.","Stderr":"","Upload":null} +{"Stdout":"Deleting C:\\Users\\ADMINI~1.MAG\\AppData\\Local\\Temp\\pmeCEC5.tmp","Stderr":"","Upload":null} +{"Stdout":"The system time is: 23:59:48","Stderr":"","Upload":null} +{"Stdout":"Will generate a RAW image ","Stderr":"","Upload":null} +{"Stdout":" - buffer_size_: 0x1000","Stderr":"","Upload":null} +{"Stdout":"CR3: 0x00001AA002","Stderr":"","Upload":null} +{"Stdout":" 4 memory ranges:","Stderr":"","Upload":null} \ No newline at end of file diff --git a/tests/testdata/velociraptor/Windows.Network.ArpCache.json b/tests/testdata/velociraptor/Windows.Network.ArpCache.json new file mode 100644 index 000000000..5b677e2d7 --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Network.ArpCache.json 
@@ -0,0 +1,10 @@ +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"fe80::89af:1f88:9430:707","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::1:ff30:707","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-FF-30-07-07"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"172.16.50.130","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::1:ff30:707","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-FF-30-07-07"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"fe80::89af:1f88:9430:707","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::1:3","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-01-00-03"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"172.16.50.130","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::1:3","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-01-00-03"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"fe80::89af:1f88:9430:707","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::1:2","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-01-00-02"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"172.16.50.130","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::1:2","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-01-00-02"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"fe80::89af:1f88:9430:707","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::fb","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-00-00-FB"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"172.16.50.130","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::fb","InterfaceAlias":"Ethernet 
2","RemoteMACAddress":"33-33-00-00-00-FB"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"fe80::89af:1f88:9430:707","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::16","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-00-00-16"} +{"AddressFamily":"IPv6","Store":"Active","State":"Permanent","InterfaceIndex":2,"LocalAddress":"172.16.50.130","HardwareAddr":"06:f7:47:22:b0:c6","RemoteAddress":"ff02::16","InterfaceAlias":"Ethernet 2","RemoteMACAddress":"33-33-00-00-00-16"} \ No newline at end of file diff --git a/tests/testdata/velociraptor/Windows.Network.InterfaceAddresses.json b/tests/testdata/velociraptor/Windows.Network.InterfaceAddresses.json new file mode 100644 index 000000000..890fba1d3 --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Network.InterfaceAddresses.json @@ -0,0 +1,5 @@ +{"Index":2,"MTU":1500,"Name":"Ethernet 2","HardwareAddr":"06:f7:47:22:b0:c6","Flags":19,"IP":"fe80::89af:1f88:9430:707","Mask":"ffffffffffffffff0000000000000000"} +{"Index":2,"MTU":1500,"Name":"Ethernet 2","HardwareAddr":"06:f7:47:22:b0:c6","Flags":19,"IP":"172.16.50.130","Mask":"ffffff00"} +{"Index":1,"MTU":-1,"Name":"Loopback Pseudo-Interface 1","HardwareAddr":null,"Flags":21,"IP":"::1","Mask":"ffffffffffffffffffffffffffffffff"} +{"Index":1,"MTU":-1,"Name":"Loopback Pseudo-Interface 1","HardwareAddr":null,"Flags":21,"IP":"127.0.0.1","Mask":"ff000000"} +{"Index":7,"MTU":1280,"Name":"isatap.us-east-2.compute.internal","HardwareAddr":"00:00:00:00:00:00:00:e0","Flags":24,"IP":"fe80::5efe:ac10:3282","Mask":"ffffffffffffffffffffffffffffffff"} diff --git a/tests/testdata/velociraptor/Windows.Network.ListeningPorts.json b/tests/testdata/velociraptor/Windows.Network.ListeningPorts.json new file mode 100644 index 000000000..38501bcdf --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Network.ListeningPorts.json 
@@ -0,0 +1,10 @@ +{"Pid":692,"Name":"svchost.exe","Port":135,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":4,"Name":"System","Port":139,"Protocol":"TCP","Family":"IPv4","Address":"172.16.50.130"} +{"Pid":872,"Name":"svchost.exe","Port":3389,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":416,"Name":"wininit.exe","Port":49664,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":912,"Name":"svchost.exe","Port":49665,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":1284,"Name":"svchost.exe","Port":49667,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":548,"Name":"lsass.exe","Port":49669,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":1664,"Name":"spoolsv.exe","Port":49697,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":548,"Name":"lsass.exe","Port":49722,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} +{"Pid":540,"Name":"services.exe","Port":49728,"Protocol":"TCP","Family":"IPv4","Address":"0.0.0.0"} \ No newline at end of file diff --git a/tests/testdata/velociraptor/Windows.Network.Netstat.json b/tests/testdata/velociraptor/Windows.Network.Netstat.json new file mode 100644 index 000000000..3c8afdd97 --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Network.Netstat.json 
@@ -0,0 +1,10 @@ +{"Pid":692,"Name":"svchost.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":135,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:44Z"} +{"Pid":4,"Name":"System","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"172.16.50.130","Laddr.Port":139,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:44Z"} +{"Pid":872,"Name":"svchost.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":3389,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:45Z"} +{"Pid":872,"Name":"svchost.exe","Family":"IPv4","Type":"TCP","Status":"ESTAB","Laddr.IP":"172.16.50.130","Laddr.Port":3389,"Raddr.IP":"172.16.21.100","Raddr.Port":51588,"Timestamp":"2022-02-12T23:57:49Z"} +{"Pid":2288,"Name":"windows_exporter.exe","Family":"IPv4","Type":"TCP","Status":"ESTAB","Laddr.IP":"172.16.50.130","Laddr.Port":9100,"Raddr.IP":"172.16.10.100","Raddr.Port":39806,"Timestamp":"2022-02-12T19:35:58Z"} +{"Pid":416,"Name":"wininit.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49664,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:44Z"} +{"Pid":912,"Name":"svchost.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49665,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:44Z"} +{"Pid":1284,"Name":"svchost.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49667,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:45Z"} +{"Pid":548,"Name":"lsass.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49669,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:45Z"} +{"Pid":1664,"Name":"spoolsv.exe","Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49697,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:45Z"} \ No newline at end of file 
diff --git a/tests/testdata/velociraptor/Windows.Sys.Users.json b/tests/testdata/velociraptor/Windows.Sys.Users.json new file mode 100644 index 000000000..2c9a73780 --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Sys.Users.json 
@@ -0,0 +1,7 @@ +{"Uid":500,"Gid":513,"Name":"Administrator","Description":"Built-in account for administering the computer/domain","Directory":"C:\\Users\\Administrator","UUID":"S-1-5-21-2205072431-2485292186-3246622615-500","Mtime":"2022-02-12T18:50:11.0557956Z","Type":"local"} +{"Uid":503,"Gid":513,"Name":"DefaultAccount","Description":"A user account managed by the system.","Directory":null,"UUID":"S-1-5-21-2205072431-2485292186-3246622615-503","Mtime":null,"Type":"local"} +{"Uid":501,"Gid":513,"Name":"Guest","Description":"Built-in account for guest access to the computer/domain","Directory":null,"UUID":"S-1-5-21-2205072431-2485292186-3246622615-501","Mtime":null,"Type":"local"} +{"Uid":"","Gid":"","Name":"SYSTEM","Description":"\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18","Directory":"%systemroot%\\system32\\config\\systemprofile","UUID":"S-1-5-18","Mtime":"2016-07-16T13:24:47.6485195Z","Type":"roaming"} +{"Uid":"","Gid":"","Name":"LOCAL SERVICE","Description":"\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19","Directory":"C:\\Windows\\ServiceProfiles\\LocalService","UUID":"S-1-5-19","Mtime":"2016-09-12T11:33:51.7795967Z","Type":"roaming"} +{"Uid":"","Gid":"","Name":"NETWORK SERVICE","Description":"\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20","Directory":"C:\\Windows\\ServiceProfiles\\NetworkService","UUID":"S-1-5-20","Mtime":"2016-09-12T11:33:50.8358761Z","Type":"roaming"} +{"Uid":"","Gid":"","Name":"Administrator","Description":"\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-2370586174-1517003462-1142029260-500","Directory":"C:\\Users\\Administrator.MAGNUMTEMPUS","UUID":"S-1-5-21-2370586174-1517003462-1142029260-500","Mtime":"2022-02-12T23:59:46.1745774Z","Type":"roaming"} 
diff --git a/tests/testdata/velociraptor/Windows.Sysinternals.Autoruns.json b/tests/testdata/velociraptor/Windows.Sysinternals.Autoruns.json new file mode 100644 index 000000000..429445550 --- /dev/null +++ b/tests/testdata/velociraptor/Windows.Sysinternals.Autoruns.json 
@@ -0,0 +1,10 @@ +{"Time":"20220212-203745","Entry Location":"HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute","Entry":"","Enabled":"","Category":"Boot Execute","Profile":"System-wide","Description":"","Company":"","Image Path":"","Version":"","Launch String":"","MD5":"","SHA-1":"","PESHA-1":"","PESHA-256":"","SHA-256":"","IMP":""} +{"Time":"20210408-073952","Entry Location":"HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute","Entry":"autocheck autochk /q /v *","Enabled":"enabled","Category":"Boot Execute","Profile":"System-wide","Description":"Auto Check Utility","Company":"Microsoft Corporation","Image Path":"c:\\windows\\system32\\autochk.exe","Version":"10.0.14393.4350","Launch String":"autocheck autochk /q /v *","MD5":"A512733E2C767F87A8029400B4A48CD0","SHA-1":"E20DD6960F5EFB37D147D26910FF239D57EFFC06","PESHA-1":"FDE685A5880D3EF3A5DE738FBADB91480A8A8315","PESHA-256":"E746C91AB4AF82B5EF60792A6388793EB2ED6E32C919E5A428BAC9F515513C19","SHA-256":"1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875","IMP":"1BF5E4792E849FE3BCFE23E7C1B21A3F"} +{"Time":"20220212-002036","Entry Location":"HKLM\\Software\\Microsoft\\Office\\Outlook\\Addins","Entry":"","Enabled":"","Category":"Office Addins","Profile":"System-wide","Description":"","Company":"","Image Path":"","Version":"","Launch String":"","MD5":"","SHA-1":"","PESHA-1":"","PESHA-256":"","SHA-256":"","IMP":""} +{"Time":"20210605-043306","Entry Location":"HKLM\\Software\\Microsoft\\Office\\Outlook\\Addins","Entry":"Windows_Search_OutlookToolbar","Enabled":"disabled","Category":"Office Addins","Profile":"System-wide","Description":"Outlook MSSearch Connector","Company":"Microsoft Corporation","Image Path":"c:\\windows\\system32\\mssphtb.dll","Version":"7.0.14393.4467","Launch 
String":"HKCR\\CLSID\\{F37AFD4F-E736-4980-8650-A486B1F2DF25}","MD5":"05BD2C094A2B52481554F6841149345D","SHA-1":"A3EAB25EE07AE1D9700C3CEDEEA588D66A8E49EF","PESHA-1":"E3013E221F9F6E24AB1BA8591C973540BD8D210B","PESHA-256":"71EE77030DF5F89D89B13DED3B65A1BB10B87FE227A186B33554450878B469F0","SHA-256":"6144C47A4F28EF44150E19E986F0B5FA1D28E5AA553EDC143DC23A8B50010082","IMP":"DBA3AD1CA0A0E7F336F8C0911CFC3BA8"} +{"Time":"20211231-082038","Entry Location":"HKLM\\Software\\Microsoft\\Office\\Outlook\\Addins","Entry":"LyncAddin Class","Enabled":"enabled","Category":"Office Addins","Profile":"System-wide","Description":"Skype for Business","Company":"Microsoft Corporation","Image Path":"c:\\program files\\microsoft office\\root\\office16\\ucaddin.dll","Version":"16.0.14827.20024","Launch String":"HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}","MD5":"792A6D548120A7C829E57BCF132446F9","SHA-1":"861CDF3C15ECC3562CA2C61BBD4317F6F56E20B3","PESHA-1":"47FA36A117350E465EBC80C9251616E76E68FBAD","PESHA-256":"38998B4C0F4470C005FBE7A347F14042854344E00BE5C5ECC3437615917B7D80","SHA-256":"B9554A476B88D77351369BBB2B1FC3A6D91F06FC8677AB0B2E9ACC289FAE4DE4","IMP":"52EE43B6C8076104B51CE3CC035CF7DA"} +{"Time":"20160716-132407","Entry Location":"HKLM\\Software\\Wow6432Node\\Microsoft\\Office\\Outlook\\Addins","Entry":"","Enabled":"","Category":"Office Addins","Profile":"System-wide","Description":"","Company":"","Image Path":"","Version":"","Launch String":"","MD5":"","SHA-1":"","PESHA-1":"","PESHA-256":"","SHA-256":"","IMP":""} +{"Time":"20210605-043226","Entry Location":"HKLM\\Software\\Wow6432Node\\Microsoft\\Office\\Outlook\\Addins","Entry":"Windows_Search_OutlookToolbar","Enabled":"enabled","Category":"Office Addins","Profile":"System-wide","Description":"Outlook MSSearch Connector","Company":"Microsoft Corporation","Image Path":"c:\\windows\\syswow64\\mssphtb.dll","Version":"7.0.14393.4467","Launch 
String":"HKCR\\CLSID\\{F37AFD4F-E736-4980-8650-A486B1F2DF25}","MD5":"2230582AABCA7A403368FBD1C37FF8A8","SHA-1":"AC123FA4906CB8BEFA060007E0A312E589FD16BC","PESHA-1":"6AA58860FF74584FB486CA1F857AB4C188281B02","PESHA-256":"1ABF1D4078AA35C8C33583F0B01BF55495C238DFCFA979AEF2A7B03186BAE450","SHA-256":"0549064689A3C2FA5862D4263F88F5179B766FB31896E6E208001F870AE89AAF","IMP":"22D2796DD696B78C9F461093647A54C1"} +{"Time":"20160912-113332","Entry Location":"HKLM\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)","Entry":"","Enabled":"","Category":"Hijacks","Profile":"System-wide","Description":"","Company":"","Image Path":"","Version":"","Launch String":"","MD5":"","SHA-1":"","PESHA-1":"","PESHA-256":"","SHA-256":"","IMP":""} +{"Time":"20180101-044027","Entry Location":"HKLM\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)","Entry":"C:\\Program Files\\Internet Explorer\\iexplore.exe","Enabled":"enabled","Category":"Hijacks","Profile":"System-wide","Description":"Internet Explorer","Company":"Microsoft Corporation","Image Path":"c:\\program files\\internet explorer\\iexplore.exe","Version":"11.0.14393.2007","Launch String":"","MD5":"DED3D744D46A5CE7965CE2B75B54958A","SHA-1":"D4ABAC114DBE28BAD8855C10D37F2B727177C9CA","PESHA-1":"C870605936B2E6D2CB2383CE4B856449FF93D09B","PESHA-256":"C656C4A4179CA12CF6F78FDA6D97BA00B575F9066B6E7A579B63BC41CCD76E50","SHA-256":"70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F","IMP":"9BB01C801600CEBDCA166D0534E98CE6"} +{"Time":"20220212-235948","Entry Location":"HKLM\\System\\CurrentControlSet\\Services","Entry":"","Enabled":"","Category":"Services","Profile":"System-wide","Description":"","Company":"","Image Path":"","Version":"","Launch String":"","MD5":"","SHA-1":"","PESHA-1":"","PESHA-256":"","SHA-256":"","IMP":""} \ No newline at end of file 
diff --git a/tests/testdata/velociraptor/Windows.System.DNSCache.json b/tests/testdata/velociraptor/Windows.System.DNSCache.json new file mode 100644 index 000000000..ab227b297 --- /dev/null +++ b/tests/testdata/velociraptor/Windows.System.DNSCache.json @@ -0,0 +1,10 @@ +{"Name":"tr.blismedia.com","RecordType":1,"TTL":38407,"Type":"Answer","A":"34.96.105.8"} +{"Name":"nexusrules.officeapps.live.com","RecordType":5,"TTL":228,"Type":"Answer","A":"prod.nexusrules.live.com.akadns.net"} +{"Name":"cdn4.mxpnl.com","RecordType":1,"TTL":329,"Type":"Answer","A":"130.211.5.208"} +{"Name":"cdn.mxpnl.com","RecordType":1,"TTL":36989,"Type":"Answer","A":"130.211.5.208"} +{"Name":"openx.adhaven.com","RecordType":1,"TTL":36983,"Type":"Answer","A":"35.244.216.234"} +{"Name":"dev.visualwebsiteoptimizer.com","RecordType":1,"TTL":25331,"Type":"Answer","A":"34.96.102.137"} +{"Name":"dc.magnumtempus.financial","RecordType":1,"TTL":584,"Type":"Answer","A":"172.16.50.100"} +{"Name":"www.lucyinthesky.com","RecordType":5,"TTL":3503,"Type":"Answer","A":"lucyinthesky.com"} +{"Name":"free-website-translation.com","RecordType":1,"TTL":1592,"Type":"Answer","A":"109.239.60.158"} +{"Name":"velociraptor.magnumtempusfinancial.com","RecordType":1,"TTL":2183,"Type":"Answer","A":"18.188.230.95"} \ No newline at end of file diff --git a/tests/testdata/velociraptor/Windows.System.Pslist.json b/tests/testdata/velociraptor/Windows.System.Pslist.json new file mode 100644 index 000000000..e5b8d3acd --- /dev/null +++ b/tests/testdata/velociraptor/Windows.System.Pslist.json 
@@ -0,0 +1,10 @@ +{"Pid":4,"Ppid":0,"TokenIsElevated":false,"Name":"System","CommandLine":"","Exe":"","Hash":null,"Authenticode":null,"Username":"","WorkingSetSize":143360} +{"Pid":268,"Ppid":4,"TokenIsElevated":true,"Name":"smss.exe","CommandLine":"\\SystemRoot\\System32\\smss.exe","Exe":"C:\\Windows\\System32\\smss.exe","Hash":{"MD5":"725ec50d4b0f607bf5b45b5e0115770b","SHA1":"c9c133660468fd1d9905f598f5052dbb01f42eea","SHA256":"56881bcaeac350107a6453f38f020fe0e284dbe2e8a6f37ed482985e0dd98ea7"},"Authenticode":{"Filename":"C:\\Windows\\System32\\smss.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000001affae16562041426770000000001af","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":1277952} +{"Pid":348,"Ppid":340,"TokenIsElevated":true,"Name":"csrss.exe","CommandLine":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","Exe":"C:\\Windows\\System32\\csrss.exe","Hash":{"MD5":"955e9227aa30a08b7465c109b863b886","SHA1":"563338b189de230aedf51b69e6d1601fba40292d","SHA256":"d896480bc8523fad3ae152c81a2b572022c3778a34a6d85e089d150a68e9165e"},"Authenticode":{"Filename":"C:\\Windows\\System32\\csrss.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000001affae16562041426770000000001af","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft 
Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":4292608} +{"Pid":416,"Ppid":340,"TokenIsElevated":true,"Name":"wininit.exe","CommandLine":"wininit.exe","Exe":"C:\\Windows\\System32\\wininit.exe","Hash":{"MD5":"5a998f811d7805b79b8e769027f62fd2","SHA1":"46bbe99e579e9cae86a249b556243c5cbbcd00b4","SHA256":"8694c5732d26921eea29589a9fa4182139ef3d9ea6b6d0acca8994b4aa5defe5"},"Authenticode":{"Filename":"C:\\Windows\\System32\\wininit.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"330000016b5af7a2a57141582700000000016b","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":5050368} +{"Pid":424,"Ppid":408,"TokenIsElevated":true,"Name":"csrss.exe","CommandLine":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","Exe":"C:\\Windows\\System32\\csrss.exe","Hash":{"MD5":"955e9227aa30a08b7465c109b863b886","SHA1":"563338b189de230aedf51b69e6d1601fba40292d","SHA256":"d896480bc8523fad3ae152c81a2b572022c3778a34a6d85e089d150a68e9165e"},"Authenticode":{"Filename":"C:\\Windows\\System32\\csrss.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000001affae16562041426770000000001af","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft 
Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":3760128} +{"Pid":492,"Ppid":408,"TokenIsElevated":true,"Name":"winlogon.exe","CommandLine":"winlogon.exe","Exe":"C:\\Windows\\System32\\winlogon.exe","Hash":{"MD5":"dea4ce12f24601830083126e18a2c7c9","SHA1":"39a7038115ad1e578b15dd9fcb7772c1a83a898e","SHA256":"f002f8c2ea49d21f242996e3d57f5fdd7995fe6db524bb69bbd7f190cc0211a9"},"Authenticode":{"Filename":"C:\\Windows\\System32\\winlogon.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002ed2c45e4c145cf48440000000002ed","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows","Timestamp":null,"Trusted":"trusted","_ExtraInfo":{"Catalog":"C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Package_2212_for_KB5007192~31bf3856ad364e35~amd64~~10.0.1.8.cat"}},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":8302592} +{"Pid":540,"Ppid":416,"TokenIsElevated":true,"Name":"services.exe","CommandLine":"C:\\Windows\\system32\\services.exe","Exe":"C:\\Windows\\System32\\services.exe","Hash":{"MD5":"fefc26105685c70d7260170489b5b520","SHA1":"d9b2cb9bf9d4789636b5fcdef0fdbb9d8bc0fb52","SHA256":"930f44f9a599937bdb23cf0c7ea4d158991b837d2a0975c15686cdd4198808e8"},"Authenticode":{"Filename":"C:\\Windows\\System32\\services.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002a5e1a081b7c895c0ed0000000002a5","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT 
AUTHORITY\\SYSTEM","WorkingSetSize":8151040} +{"Pid":548,"Ppid":416,"TokenIsElevated":true,"Name":"lsass.exe","CommandLine":"C:\\Windows\\system32\\lsass.exe","Exe":"C:\\Windows\\System32\\lsass.exe","Hash":{"MD5":"93212fd52a9cd5addad2fd2a779355d2","SHA1":"49a814f72292082a1cfdf602b5e4689b0f942703","SHA256":"95888daefd187fac9c979387f75ff3628548e7ddf5d70ad489cf996b9cad7193"},"Authenticode":{"Filename":"C:\\Windows\\System32\\lsass.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002f49e469c54137b85e00000000002f4","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":26480640} +{"Pid":636,"Ppid":540,"TokenIsElevated":true,"Name":"svchost.exe","CommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","Exe":"C:\\Windows\\System32\\svchost.exe","Hash":{"MD5":"36f670d89040709013f6a460176767ec","SHA1":"0dac68816ae7c09efc24d11c27c3274dfd147dee","SHA256":"438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7"},"Authenticode":{"Filename":"C:\\Windows\\System32\\svchost.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000000cc4ee86d1a15af49950000000000cc","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\SYSTEM","WorkingSetSize":21061632} +{"Pid":692,"Ppid":540,"TokenIsElevated":true,"Name":"svchost.exe","CommandLine":"C:\\Windows\\system32\\svchost.exe -k 
RPCSS","Exe":"C:\\Windows\\System32\\svchost.exe","Hash":{"MD5":"36f670d89040709013f6a460176767ec","SHA1":"0dac68816ae7c09efc24d11c27c3274dfd147dee","SHA256":"438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7"},"Authenticode":{"Filename":"C:\\Windows\\System32\\svchost.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000000cc4ee86d1a15af49950000000000cc","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Username":"NT AUTHORITY\\NETWORK SERVICE","WorkingSetSize":11083776} \ No newline at end of file From 2e7488218871764044d76c96dd505a424643ab68 Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Fri, 19 May 2023 15:13:21 -0700 Subject: [PATCH 2/5] Format of cluster name has changed in new KustoClient. Fixing test cases to allow for old and new format. --- tests/data/drivers/test_azure_kusto_driver.py | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/tests/data/drivers/test_azure_kusto_driver.py b/tests/data/drivers/test_azure_kusto_driver.py index 2a405a4b8..db8e8f0e1 100644 --- a/tests/data/drivers/test_azure_kusto_driver.py +++ b/tests/data/drivers/test_azure_kusto_driver.py @@ -204,8 +204,9 @@ class ConnectTest(NamedTuple): init_args={"connection_str": "https://test1.kusto.windows.net"}, connect_args={"connection_str": "https://test.kusto.windows.net"}, tests=[ - lambda driver: driver.client._kusto_cluster - == "https://test.kusto.windows.net" + lambda driver: driver.client._kusto_cluster.startswith( + "https://test.kusto.windows.net" + ) ], ), ConnectTest( 
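Review bot: The relaxed assertion `lambda driver: driver.client._kusto_cluster.startswith("https://test.kusto.windows.net")` in the @@ -204 hunk accepts any value with that prefix, including a different host such as `https://test.kusto.windows.net.example` (constructed), so the test no longer pins which cluster the client was pointed at; the same pattern appears in the @@ -324 and @@ -337 hunks and in `check.is_true(driver.client._kusto_cluster.startswith(exp_cluster))` at @@ -402. The commit message says the cluster name format changed in the new KustoClient, but the new rendering is not visible here; comparing the parsed host would accept both renderings without over-matching, e.g. `lambda driver: urlparse(driver.client._kusto_cluster).netloc == "test.kusto.windows.net"` with `from urllib.parse import urlparse` at module top, or the expected value could be an explicit set of the two known forms. At minimum the first such lambda deserves a comment recording why prefix matching is used, e.g. `# cluster URL format differs between KustoClient versions; accept either by matching the host prefix`.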
@@ -213,8 +214,6 @@ class ConnectTest(NamedTuple): init_args={}, connect_args={"cluster": "https://test.kusto.windows.net"}, tests=[ - lambda driver: driver.client._kusto_cluster - == "https://test.kusto.windows.net", lambda driver: driver._current_config.cluster == "https://test.kusto.windows.net", ], @@ -230,8 +229,6 @@ class ConnectTest(NamedTuple): "tenant_id": "test_tenant_id", }, tests=[ - lambda driver: driver.client._kusto_cluster - == "https://help.kusto.windows.net", lambda driver: driver._current_config.cluster == "https://help.kusto.windows.net", lambda driver: driver._az_tenant_id == "test_tenant_id", @@ -250,8 +247,6 @@ class ConnectTest(NamedTuple): "database": "test_db", }, tests=[ - lambda driver: driver.client._kusto_cluster - == "https://help.kusto.windows.net", lambda driver: driver._current_config.cluster == "https://help.kusto.windows.net", lambda driver: driver._az_tenant_id == "test_tenant_id", @@ -324,8 +319,9 @@ class ConnectTest(NamedTuple): init_args={}, connect_args={"connection_str": "https://test.kusto.windows.net"}, tests=[ - lambda driver: driver.client._kusto_cluster - == "https://test.kusto.windows.net", + lambda driver: driver.client._kusto_cluster.startswith( + "https://test.kusto.windows.net" + ), lambda driver: driver.client._proxy_url == "https://test.com", ], additional_config={ @@ -337,8 +333,9 @@ class ConnectTest(NamedTuple): init_args={}, connect_args={"cluster": "https://random.kusto.windows.net"}, tests=[ - lambda driver: driver.client._kusto_cluster - == "https://random.kusto.windows.net" + lambda driver: driver.client._kusto_cluster.startswith( + "https://random.kusto.windows.net" + ) ], ), ConnectTest( 
@@ -382,9 +379,9 @@ def test_kusto_connect(test_config, monkeypatch):
 driver.connect(**(test_config.connect_args))
 return driver.connect(**(test_config.connect_args))
- for test in test_config.tests:
+ for idx, test in enumerate(test_config.tests):
 print(
- "Testcase:",
+ f"Testcase [{idx}]:",
 test_config.name,
 test.__code__.co_filename,
 "line:",
@@ -402,7 +399,7 @@ def test_kusto_connect(test_config, monkeypatch):
 exp_cluster = cluster_name
 else:
 exp_cluster = f"https://{cluster_name.casefold()}.kusto.windows.net"
- check.equal(driver.client._kusto_cluster, exp_cluster)
+ check.is_true(driver.client._kusto_cluster.startswith(exp_cluster))
 class KustoResponseDataSet:
From 1efb48eb2793074ad4c4e1cad793dac66c620464 Mon Sep 17 00:00:00 2001
From: Ian Hellen
Date: Fri, 19 May 2023 15:45:43 -0700
Subject: [PATCH 3/5] Minor updates for DataProv-Velociraptor.rst
---
 .../DataProv-Velociraptor.rst | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/docs/source/data_acquisition/DataProv-Velociraptor.rst b/docs/source/data_acquisition/DataProv-Velociraptor.rst
index e5db5468a..e65138c14 100644
--- a/docs/source/data_acquisition/DataProv-Velociraptor.rst
+++ b/docs/source/data_acquisition/DataProv-Velociraptor.rst
@@ -76,22 +76,22 @@ specific folders or files that you want to read. qry_prov = mp.QueryProvider("VelociraptorLogs", data_paths=["~/my_logs"]) -Calling the ``connect`` method triggers the provider to read the -log files. +Calling the ``connect`` method triggers the provider to register the paths of the +log files to be read (although the log files are not read and parsed +until the related query is run - see below). .. code::ipython3 qry_prov.connect() -.. parsed-literal:: - - 100%|██████████| 2/2 [00:00<00:00, 25.01it/s] - Data loaded. Listing Velociraptor tables ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Until you run ``connect`` no queries will be available. After running +``connect`` you can list the available queries using the ``list_queries`` + .. code:: ipython3 qry_prov.list_queries() @@ -116,6 +116,10 @@ Listing Velociraptor tables Querying Velociraptor table schema ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The schema of the log tables is built by sampling the first record +from each log file type, so is relatively fast to retrieve even +if you have large numbers and sizes of logs. + .. code:: ipython3 vc_prov.schema["Windows_Network_InterfaceAddresses"] @@ -133,8 +137,9 @@ Querying Velociraptor table schema Running a Velociraptor query ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Each query returns the table of event types retrieved -from the logs. +Each query returns a pandas DataFrame retrieved +from the logs of that type (potentially containing records from +multiple hosts depending on the ``data_paths`` you specified). .. code:: python3 From e4a92889d544e48b276bffb8645455683afdcda0 Mon Sep 17 00:00:00 2001 
From: Ian Hellen
Date: Tue, 13 Jun 2023 14:21:40 -0700
Subject: [PATCH 4/5] Fixing comments in PR. Fixed bug in azure_kusto_driver and test_azure_kusto_driver Fixed some doc references.
---
 .../DataProv-Velociraptor.rst | 3 ++-
 .../source/data_acquisition/DataProviders.rst | 6 ++---
 msticpy/data/drivers/azure_kusto_driver.py | 15 ++++++++++-
 .../data/drivers/local_velociraptor_driver.py | 26 +++++++++++--------
 tests/data/drivers/test_azure_kusto_driver.py | 4 ++-
 5 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/docs/source/data_acquisition/DataProv-Velociraptor.rst b/docs/source/data_acquisition/DataProv-Velociraptor.rst
index e65138c14..76339ee4e 100644
--- a/docs/source/data_acquisition/DataProv-Velociraptor.rst
+++ b/docs/source/data_acquisition/DataProv-Velociraptor.rst
@@ -3,7 +3,8 @@ The Velociraptor provider
 :py:mod:`Velociraptor driver documentation`
-The ``Velociraptor`` data provider can read Velociraptor log files
+The ``Velociraptor`` data provider can read Velociraptor
+offline collection log files (see `Velociraptor Offline Collection `_) and provide convenient query functions for each data set in the output logs.
diff --git a/docs/source/data_acquisition/DataProviders.rst b/docs/source/data_acquisition/DataProviders.rst
index c1f07a903..ddd229f6c 100644
--- a/docs/source/data_acquisition/DataProviders.rst
+++ b/docs/source/data_acquisition/DataProviders.rst
@@ -85,7 +85,7 @@ would only use this parameter if you were building your own data driver backend, which is not common. 2. You can choose to import additional queries from a custom
-query directory (see `Creating new queries`_ for more
+query directory (see :doc:`../extending/Queries` for more
 details) with: .. code:: ipython3
@@ -494,7 +494,7 @@ for Timedelta in the .. warning:: There are some important caveats to this feature. 1. It currently only works with pre-defined queries (including ones
- that you may create and add yourself, see `Creating new queries`_
+ that you may create and add yourself, see :doc:`../extending/Queries` below). It does not work with `Running an ad hoc query`_ 2. If the query contains joins, the joins will only happen within the time ranges of each subquery.
@@ -512,7 +512,7 @@ Dynamically adding new queries You can use the :py:meth:`msticpy.data.core.data_providers.QueryProvider.add_query` to add parameterized queries from a notebook or script. This let you use temporary parameterized queries without having to
-add them to a YAML file (as described in `Creating new queries`_).
+add them to a YAML file (as described in :doc:`../extending/Queries`). get_host_events
diff --git a/msticpy/data/drivers/azure_kusto_driver.py b/msticpy/data/drivers/azure_kusto_driver.py
index e67ddccda..815787a69 100644
--- a/msticpy/data/drivers/azure_kusto_driver.py
+++ b/msticpy/data/drivers/azure_kusto_driver.py
@@ -162,7 +162,7 @@ def __init__(self, connection_str: Optional[str] = None, **kwargs):
 self._strict_query_match = kwargs.get("strict_query_match", False)
 self._kusto_settings: Dict[str, Dict[str, KustoConfig]] = _get_kusto_settings()
 self._default_database: Optional[str] = None
- self.current_connection: Optional[str] = connection_str
+ self._current_connection: Optional[str] = connection_str
 self._current_config: Optional[KustoConfig] = None
 self.client: Optional[KustoClient] = None
 self._az_auth_types: Optional[List[str]] = None
@@ -189,6 +189,18 @@ def _set_public_attribs(self):
 "set_database": self.set_database,
 }
+ @property
+ def current_connection(self) -> Optional[str]:
+ """Return current connection string or URI."""
+ if self._current_connection:
+ return self._current_connection
+ return self.cluster_uri
+
+ @current_connection.setter
+ def current_connection(self, value: str):
+ """Set current connection string or URI."""
+ self._current_connection = value
+
 @property
 def cluster_uri(self) -> str:
 """Return current cluster URI."""
@@ -318,6 +330,7 @@ def connect(self, connection_str: Optional[str] = None, **kwargs):
 kusto_cs = self._get_connection_string_for_cluster(self._current_config)
 else:
 logger.info("Using connection string %s", connection_str)
+ self._current_connection = connection_str
 kusto_cs = connection_str
 self.client = KustoClient(kusto_cs)
diff --git a/msticpy/data/drivers/local_velociraptor_driver.py b/msticpy/data/drivers/local_velociraptor_driver.py
index eb0a84b62..a8e8af90f 100644
--- a/msticpy/data/drivers/local_velociraptor_driver.py
+++ b/msticpy/data/drivers/local_velociraptor_driver.py
@@ -24,23 +24,20 @@ logger = logging.getLogger(__name__)
+_VELOCIRATOR_DOC_URL = (
+ "https://msticpy.readthedocs.io/en/latest/data_acquisition/"
+ "DataProv-Velociraptor.html"
+)
+
 # pylint: disable=too-many-instance-attributes
 @export
 class VelociraptorLogDriver(DriverBase):
- """OSQueryLogDriver class to execute kql queries."""
-
- OS_QUERY_DATEIME_COLS = {
- "unixTime",
- "columns_time",
- "columns_atime",
- "columns_ctime",
- "columns_mtime",
- }
+ """Velociraptor driver class to ingest log data."""
 def __init__(self, connection_str: Optional[str] = None, **kwargs):
 """
- Instantiate OSQueryLogDriver and optionally connect.
+ Instantiate Velociraptor driver and optionally connect.
 Parameters
 ----------
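Review bot: The new `current_connection` property hands back the raw connection string that `connect` stores, and a Kusto connection string can carry an application key or token, so a public attribute that returns it verbatim will surface those values in notebook output and in any dump of the driver's public attributes. That is worth stating in the docstring, `"""Return current connection string or URI (may embed credentials; avoid echoing it)."""`, so callers treat it accordingly; the pre-existing info-level log of `connection_str` in the connect hunk below has the same exposure. The setter also lacks a return annotation, `def current_connection(self, value: str) -> None:`, unlike the neighbouring `cluster_uri` property. The enclosing class starts and ends outside the hunk.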
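Review bot: `_current_connection` is assigned only in the `else` branch, so a driver that first connected with an explicit `connection_str` and later reconnects through the config-derived path (the `kusto_cs = self._get_connection_string_for_cluster(...)` branch) keeps the earlier string, and `current_connection` then reports the stale value instead of falling back to `cluster_uri`. Unless it is reset earlier in `connect`, which is outside the hunk, adding `self._current_connection = None` to the config branch restores the intended fallback. The body of `connect` starts and ends outside the hunk.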
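Review bot: The new module constant is misspelled: `_VELOCIRATOR_DOC_URL` should read `_VELOCIRAPTOR_DOC_URL`, matching the module and class names. The @@ -219 hunk in the same file (`help_uri=_VELOCIRATOR_DOC_URL`) uses the same spelling and would be renamed with it; as a private, module-level name it appears to have no external callers, so the rename looks safe.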
@@ -162,7 +159,7 @@ def _cached_query(self, query: str) -> pd.DataFrame:
 tqdm(self.data_files[query]) if self._progress else self.data_files[query]
 )
 dfs = [pd.read_json(file, lines=True) for file in iter_data_files]
- query_df = pd.concat(dfs)
+ query_df = pd.concat(dfs, ignore_index=True)
 logger.info("Query %s, returned %d rows", query, len(query_df))
 return query_df
@@ -219,4 +216,11 @@ def _get_logfile_paths(self) -> Dict[str, List[Path]]:
 logger.info("Found %d data file types", len(data_files))
 logger.info("Total data files: %d", sum(len(v) for v in data_files.values()))
+ if not data_files:
+ raise MsticpyDataQueryError(
+ "No usable data files found in supplied paths.",
+ f"Data paths supplied: {', '.join(self._paths)}",
+ title="No data files found",
+ help_uri=_VELOCIRATOR_DOC_URL,
+ )
 return data_files
diff --git a/tests/data/drivers/test_azure_kusto_driver.py b/tests/data/drivers/test_azure_kusto_driver.py
index db8e8f0e1..832afee72 100644
--- a/tests/data/drivers/test_azure_kusto_driver.py
+++ b/tests/data/drivers/test_azure_kusto_driver.py
@@ -206,7 +206,9 @@ class ConnectTest(NamedTuple):
 tests=[
 lambda driver: driver.client._kusto_cluster.startswith(
 "https://test.kusto.windows.net"
- )
+ ),
+ lambda driver: driver.current_connection
+ == "https://test.kusto.windows.net",
 ],
 ),
 ConnectTest(
From 3cfca136f7281fbd1b519d9ca7e70cce23e8b12b Mon Sep 17 00:00:00 2001
From: Ian Hellen
Date: Mon, 3 Jul 2023 11:10:43 -0700
Subject: [PATCH 5/5] Adding acknowledgement of Blue Team Village data
---
 .../source/data_acquisition/DataProv-Velociraptor.rst | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/docs/source/data_acquisition/DataProv-Velociraptor.rst b/docs/source/data_acquisition/DataProv-Velociraptor.rst
index 76339ee4e..3f084f085 100644
--- a/docs/source/data_acquisition/DataProv-Velociraptor.rst
+++ b/docs/source/data_acquisition/DataProv-Velociraptor.rst
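Review bot: `', '.join(self._paths)` in the new error message raises `TypeError` if `self._paths` holds `Path` objects rather than strings, which the `List[Path]` annotation in the hunk header suggests is possible; that `TypeError` would then mask the intended `MsticpyDataQueryError`. `f"Data paths supplied: {', '.join(str(path) for path in self._paths)}",` is safe for either element type. The construction of `self._paths` and the rest of `_get_logfile_paths` are outside the hunk, so this is worth confirming against the constructor.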
@@ -4,7 +4,8 @@ The Velociraptor provider :py:mod:`Velociraptor driver documentation` The ``Velociraptor`` data provider can read Velociraptor -offline collection log files (see `Velociraptor Offline Collection `_) +offline collection log files (see +`Velociraptor Offline Collection `__) and provide convenient query functions for each data set in the output logs. @@ -25,6 +26,14 @@ no further filtering. You can use pandas to do additional filtering and sorting of the data, or use it directly with other MSTICPy functionality. +.. note:: The examples used in this document were from data + provided by Blue Team Village at Defcon 30. You can find + this data at the + `Project-Obsidian-DC30 GitHub `__ + and more about + `Project Obsidian `__ + here. + Velociraptor Configuration --------------------------