# Test artifact definitions.

---
# Security.evtx is the XML-based event log format that replaced the legacy
# .evt logs; the condition below limits this definition to Vista (NT 6.0)
# and later, matching the doc string.
name: SecurityEventLogEvtx
doc: Windows Security Event log for Vista or later systems.
sources:
- type: FILE
  attributes:
    paths:
      # %%environ_systemroot%% is a knowledge-base placeholder that the
      # collector expands at collection time (compare the `provides:` keys
      # on the registry definitions in this file, which feed such values).
      - '%%environ_systemroot%%\System32\winevt\Logs\Security.evtx'
conditions:
  - os_major_version >= 6
labels:
  - Logs
supported_os:
  - Windows
urls:
  - 'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)'
---
name: AllUsersProfileEnvironmentVariable
doc: The %AllUsersProfile% environment variable.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
      # NOTE(review): on a live system ProfilesDirectory and AllUsersProfile
      # are value names under ...\ProfileList rather than subkeys, so a
      # REGISTRY_VALUE source with key_value_pairs (as CurrentControlSet in
      # this file uses) would describe them more precisely. Left unchanged:
      # this is test data and the reader tests presumably pin the source
      # type and these exact key paths — confirm before altering.
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile'
# Populates the environ_allusersprofile knowledge-base value that other
# definitions may reference as %%environ_allusersprofile%%.
provides:
  - environ_allusersprofile
supported_os:
  - Windows
urls:
  # NOTE(review): the doubled slash in 'kb//214653' looks like a typo in the
  # reference URL; kept byte-for-byte because test fixtures may be compared
  # verbatim.
  - 'http://support.microsoft.com/kb//214653'
---
name: CurrentControlSet
doc: The control set the system is currently using.
sources:
- type: REGISTRY_VALUE
  attributes:
    # A REGISTRY_VALUE source names the key and the value under it
    # separately; here the 'Current' value of HKLM\SYSTEM\Select identifies
    # the active control set (see the URL below for the key layout).
    key_value_pairs:
      - key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select'
        value: 'Current'
# Exposes the result as current_control_set in the knowledge base.
provides:
  - current_control_set
supported_os:
  - Windows
urls:
  - 'https://code.google.com/p/winreg-kb/wiki/SystemKeys'
---
name: WMIProfileUsersHomeDir
doc: |
  Get user homedir from Win32_UserProfile based on a known user's SID.

  This artifact relies on having the SID field users.sid populated in the knowledge
  base. We expect it to be collected with WindowsRegistryProfiles to
  supply the rest of the user information.
sources:
- type: WMI
  attributes:
    # NOTE(review): %%users.sid%% is substituted verbatim into a WQL string
    # literal. The collector should ensure the knowledge-base SID is a
    # well-formed SID (S-1-...) before expansion, otherwise a crafted value
    # could change the query — verify this in the consuming code, not here.
    query: "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"
labels:
  - Users
# Fills users.homedir for the user whose SID was queried.
provides:
  - users.homedir
supported_os:
  - Windows
urls:
  - 'http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx'
---
name: EventLogs
doc: Windows Event logs.
sources:
- type: ARTIFACT_GROUP
  attributes:
    # Each name refers to another artifact definition by its `name:`. Only
    # SecurityEventLogEvtx is defined in this file; the remaining members
    # resolve only if the consumer loads them from elsewhere.
    names:
      - ApplicationEventLog
      - ApplicationEventLogEvtx
      - SecurityEventLog
      - SecurityEventLogEvtx
      - SystemEventLog
      - SystemEventLogEvtx
labels:
  - Logs
supported_os:
  - Windows
---
name: RedhatPackagesList
doc: Linux output of rpm -qa.
sources:
- type: COMMAND
  attributes:
    # Absolute binary path (no PATH lookup) with arguments given as a list
    # rather than a single shell string; whether the collector avoids a
    # shell entirely is up to the consumer — presumably it execs directly.
    cmd: /bin/rpm
    args:
      - '-qa'
labels:
  - Software
supported_os:
  - Linux
---
name: OSXLoadedKexts
doc: Mac OS X Loaded Kernel Extensions.
sources:
- type: COMMAND
  attributes:
    # Absolute path to the kextstat binary; an explicit empty argv list
    # (`[]`, not a bare `args:` which would parse as null).
    cmd: /usr/sbin/kextstat
    args: []
labels:
  - System
supported_os:
  - Darwin