:py:mod:`dissect.target.plugins.os.windows.generic`
===================================================

.. py:module:: dissect.target.plugins.os.windows.generic


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.generic.GenericPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.generic.UserRegistryRecordDescriptor
   dissect.target.plugins.os.windows.generic.AppInitRecord
   dissect.target.plugins.os.windows.generic.KnownDllRecord
   dissect.target.plugins.os.windows.generic.SessionManagerRecord
   dissect.target.plugins.os.windows.generic.NullSessionPipeRecord
   dissect.target.plugins.os.windows.generic.NdisRecord
   dissect.target.plugins.os.windows.generic.CommandProcAutoRunRecord
   dissect.target.plugins.os.windows.generic.AlternateShellRecord
   dissect.target.plugins.os.windows.generic.BootShellRecord
   dissect.target.plugins.os.windows.generic.FileRenameOperationRecord
   dissect.target.plugins.os.windows.generic.WinRarRecord
   dissect.target.plugins.os.windows.generic.WinSockNamespaceProviderRecord


.. py:data:: UserRegistryRecordDescriptor

.. py:data:: AppInitRecord

.. py:data:: KnownDllRecord

.. py:data:: SessionManagerRecord

.. py:data:: NullSessionPipeRecord

.. py:data:: NdisRecord

.. py:data:: CommandProcAutoRunRecord

.. py:data:: AlternateShellRecord

.. py:data:: BootShellRecord

.. py:data:: FileRenameOperationRecord

.. py:data:: WinRarRecord

.. py:data:: WinSockNamespaceProviderRecord


.. py:class:: GenericPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Generic Windows plugin.

   Provides some plugins that don't fit in a separate plugin.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: ntversion()

      Return the Windows NT version.

   .. py:method:: pathenvironment()

      Return the content of the Windows PATH environment variable.

      PATH is an environment variable on an operating system that specifies a set of directories where executable
      programs are located. Adversaries may add the directories in which they have stored their (malicious) binaries.

      .. rubric:: References

      - https://en.wikipedia.org/wiki/PATH_%28variable%29

   .. py:method:: domain()

      Return the domain name.

      Corporate Windows systems are usually connected to a domain (Active Directory).

      .. rubric:: References

      - https://en.wikipedia.org/wiki/Active_Directory

   .. py:method:: activity() -> Optional[datetime.datetime]

      Return last seen activity based on filesystem timestamps.

   .. py:method:: install_date() -> Optional[datetime.datetime]

      Returns the install date of the system.

      The value of the registry key is stored as a Unix epoch timestamp.

      .. rubric:: References

      - https://winreg-kb.readthedocs.io/en/latest/_modules/winregrc/sysinfo.html?highlight=_ParseInstallDate
      - https://www.forensics-matters.com/2018/09/15/find-out-windows-installation-date/

   .. py:method:: appinit()

      Return all available Application Initial (AppInit) DLLs registry key values.

      AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on
      the system. It can be used as a persistence mechanism and/or to elevate privileges by executing malicious
      content triggered by AppInit DLLs loaded into processes. DLLs that are specified in the AppInit_DLLs value in
      the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or
      HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll
      into every process that loads user32.dll.

      .. rubric:: References

      - https://attack.mitre.org/techniques/T1546/010/
      - https://docs.microsoft.com/en-us/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2?redirectedfrom=MSDN
      - https://docs.microsoft.com/en-US/windows/win32/dlls/secure-boot-and-appinit-dlls

   .. py:method:: knowndlls()

      Return all available KnownDLLs registry key values.

      The KnownDLLs registry key values are used to cache frequently used system DLLs. Initially, it was added to
      accelerate application loading, but it can also be considered a security mechanism, as it prevents malware
      from placing Trojan versions of system DLLs in application folders (as all main DLLs belong to KnownDLLs, the
      version in the application folder is ignored). However, these registry keys can still be leveraged to perform
      DLL injection.

      .. rubric:: References

      - https://www.apriorit.com/dev-blog/257-dll-injection

   .. py:method:: sessionmanager()

      Return interesting Session Manager (Smss.exe) registry key entries.

      Session Manager (Smss.exe) is the first user-mode process started by the kernel and performs several tasks,
      such as creating environment variables and starting the Windows Logon Manager (winlogon.exe). The BootExecute
      registry key holds the Windows tasks that cannot be performed while Windows is running; the Execute registry
      key should never be populated on an installed Windows system. Both can be leveraged as persistence mechanisms.

      .. rubric:: References

      - https://en.wikipedia.org/wiki/Session_Manager_Subsystem
      - https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2

   .. py:method:: nullsessionpipes()

      Return the NullSessionPipes registry key value.

      The NullSessionPipes registry key value specifies server pipes and shared folders that are excluded from the
      policy that does not allow null session access. A null session implies that access to a network resource, most
      commonly the IPC$ "Windows Named Pipe" share, was granted without authentication, also known as anonymous or
      guest access. These pipes and shares can thus be accessed without authentication and can be leveraged for
      lateral movement and/or privilege escalation.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares

   .. py:method:: ndis()

      Return network registry key entries.

   .. py:method:: commandprocautorun()

      Return all available Command Processor (cmd.exe) AutoRun registry key values.

      The Command Processor AutoRun registry key values contain commands that are run each time the Command
      Processor (cmd.exe) is started. Since these commands are not shown to the user in the Command Processor, they
      can be abused by an adversary to hide malicious commands or as a persistence mechanism.

      .. rubric:: References

      - https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433
      - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779439%28v=ws.10%29?redirectedfrom=MSDN

   .. py:method:: alternateshell()

      Return the AlternateShell registry key value.

      The AlternateShell registry key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot, specifies the
      shell that is used when a Windows system is started in "Safe Mode with Command Prompt". It can be leveraged as
      a persistence mechanism.

      .. rubric:: References

      - https://technet.microsoft.com/en-us/library/cc976124.aspx

   .. py:method:: bootshell()

      Return the BootShell registry key entry.

      Usually contains a path to bootim.exe, which is the Windows recovery menu. This registry key can be used as a
      persistence mechanism.

   .. py:method:: filerenameop()

      Return all pending file rename operations.

      The PendingFileRenameOperations registry key value contains information about files that will be renamed on
      reboot. This can be used to hunt for malicious binaries.

      .. rubric:: References

      - https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
      - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241%28v=technet.10%29?redirectedfrom=MSDN
      - https://qtechbabble.wordpress.com/2020/06/26/use-pendingfilerenameoperations-registry-key-to-automatically-delete-a-file-on-reboot/

   .. py:method:: winrar()

      Return all available WinRAR history registry key values.

   .. py:method:: winsocknamespaceprovider()

      Return available protocols stored in the Winsock catalog database.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/win32/winsock/name-space-service-providers-2?redirectedfrom=MSDN

   .. py:method:: codepage() -> Optional[str]

      Returns the current active codepage on the system.
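The ``filerenameop()`` method above returns the PendingFileRenameOperations value as records; the following is an added example, not dissect.target's own code, of how that raw REG_MULTI_SZ value is decoded into the source/destination pairs Windows acts on at the next boot (an empty destination means delete, a ``!`` prefix means the destination is overwritten). The ``RenameOp`` type, the sample value and the ``encode_multi_sz`` helper are constructed here for illustration.

```python
# Added example (not dissect.target code): decode a raw PendingFileRenameOperations
# value (REG_MULTI_SZ: UTF-16LE, NUL-separated strings, double-NUL terminated) into
# the (source, destination) pairs that Windows processes at the next boot.
from __future__ import annotations

from dataclasses import dataclass

NT_PREFIX = "\\??\\"  # paths in this value use the NT object-manager form \??\C:\...


@dataclass(frozen=True)
class RenameOp:
    source: str
    destination: str | None  # None: the source file is deleted at reboot
    replace_existing: bool   # destination was prefixed with "!" (MOVEFILE_REPLACE_EXISTING)

    @property
    def action(self) -> str:
        if self.destination is None:
            return "delete"
        return "replace" if self.replace_existing else "rename"


def decode_multi_sz(raw: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ blob into its strings, keeping empty entries (they carry meaning here)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]  # drop the last string's NUL plus the list terminator
    elif text.endswith("\x00"):
        text = text[:-1]  # tolerate a value written without the list terminator
    return text.split("\x00") if text else []


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> list[RenameOp]:
    """Pair entries as (source, destination); a trailing unpaired source is skipped."""
    entries = decode_multi_sz(raw)
    ops: list[RenameOp] = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        replace = dst.startswith("!")
        dst = strip_nt_prefix(dst[1:] if replace else dst)
        ops.append(RenameOp(strip_nt_prefix(src), dst or None, replace))
    return ops


def encode_multi_sz(strings: list[str]) -> bytes:
    """Build a REG_MULTI_SZ blob; only used to construct the sample value below."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


# Constructed sample (not from a real system): one rename, one overwrite of a System32 DLL
# staged from a user temp directory, and one delete-on-reboot.
SAMPLE = encode_multi_sz([
    r"\??\C:\Windows\Temp\update.tmp", r"\??\C:\Program Files\App\app.exe",
    r"\??\C:\Users\alice\AppData\Local\Temp\svc.dll", r"!\??\C:\Windows\System32\svc.dll",
    r"\??\C:\Users\alice\Downloads\installer.exe", "",
])
```

Running ``parse_pending_renames(SAMPLE)`` yields a rename, a replace into System32 and a delete; the replace from a user-writable path into a system directory is the kind of entry the hunting use case in the docstring is after.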