Skip to content

Commit

Permalink
Create volatile profiles (#108)
Browse files Browse the repository at this point in the history 
(DIS-2555)
  • Loading branch information
@Miauwkeru
Miauwkeru authored Nov 21, 2023
1 parent dd51ce5 commit 1a82af7
Show file tree
Hide file tree
Showing 4 changed files with 196 additions and 169 deletions.
332 changes: 173 additions & 159 deletions acquire/acquire.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1813,6 +1813,21 @@ def acquire_target_targetd(target: Target, args: argparse.Namespace, output_ts:
return files


def _add_modules_for_profile(choice: str, operating_system: str, profile: dict, msg: str) -> Optional[dict]:
modules_selected = dict()

if choice and choice != "none":
profile_dict = profile[choice]
if operating_system not in profile_dict:
log.error(msg, operating_system, choice)
return None

for mod in profile_dict[operating_system]:
modules_selected[mod.__modname__] = mod

return modules_selected


def acquire_target_regular(target: Target, args: argparse.Namespace, output_ts: Optional[str] = None) -> list[str]:
files = []
output_ts = output_ts or get_utc_now_str()
Expand Down Expand Up @@ -1880,13 +1895,18 @@ def acquire_target_regular(target: Target, args: argparse.Namespace, output_ts:
profile = "default"
log.info("")

if profile and profile != "none":
if target.os not in PROFILES[profile]:
log.error("No collection set for OS %s with profile %s", target.os, profile)
return files
profile_modules = _add_modules_for_profile(
profile, target.os, PROFILES, "No collection set for OS %s with profile %s"
)
volatile_modules = _add_modules_for_profile(
args.volatile_profile, target.os, VOLATILE, "No collection set for OS %s with volatile profile %s"
)

for mod in PROFILES[profile][target.os]:
modules_selected[mod.__modname__] = mod
if (profile_modules or volatile_modules) is None:
return files

modules_selected.update(profile_modules)
modules_selected.update(volatile_modules)

log.info("Modules selected: %s", ", ".join(sorted(modules_selected)))

Expand Down Expand Up @@ -2021,171 +2041,165 @@ def upload_files(paths: list[Path], upload_plugin: UploaderPlugin, no_proxy: boo
log.exception("")


class WindowsProfile:
MINIMAL = [
NTFS,
EventLogs,
Registry,
Tasks,
PowerShell,
Prefetch,
Appcompat,
PCA,
Misc,
]
DEFAULT = [
*MINIMAL,
ETL,
Recents,
RecycleBin,
Drivers,
Syscache,
WBEM,
AV,
BITS,
DHCP,
DNS,
ActiveDirectory,
RemoteAccess,
ActivitiesCache,
]
FULL = [
*DEFAULT,
History,
NTDS,
QuarantinedFiles,
WindowsNotifications,
SSH,
IIS,
]


class LinuxProfile:
MINIMAL = [
Etc,
Boot,
Home,
SSH,
Var,
]
DEFAULT = MINIMAL
FULL = [
*DEFAULT,
History,
WebHosting,
]


class BsdProfile:
MINIMAL = [
Etc,
Boot,
Home,
SSH,
Var,
BSD,
]
DEFAULT = MINIMAL
FULL = MINIMAL


class ESXiProfile:
MINIMAL = [
Bootbanks,
ESXi,
SSH,
]
DEFAULT = [
*MINIMAL,
VMFS,
]
FULL = DEFAULT


class OSXProfile:
MINIMAL = [
Etc,
Home,
Var,
OSX,
OSXApplicationsInfo,
]
DEFAULT = MINIMAL
FULL = [
*DEFAULT,
History,
SSH,
]


PROFILES = {
"full": {
"windows": [
NTFS,
EventLogs,
Registry,
Tasks,
ETL,
Recents,
RecycleBin,
Drivers,
PowerShell,
Prefetch,
Appcompat,
PCA,
Syscache,
WBEM,
AV,
ActivitiesCache,
BITS,
DHCP,
DNS,
History,
Misc,
NTDS,
ActiveDirectory,
QuarantinedFiles,
RemoteAccess,
WindowsNotifications,
SSH,
IIS,
],
"linux": [
Etc,
Boot,
Home,
History,
SSH,
Var,
WebHosting,
],
"bsd": [
Etc,
Boot,
SSH,
Home,
Var,
BSD,
],
"esxi": [
Bootbanks,
ESXi,
VMFS,
SSH,
],
"osx": [
Etc,
Home,
Var,
OSX,
OSXApplicationsInfo,
History,
SSH,
],
"windows": WindowsProfile.FULL,
"linux": LinuxProfile.FULL,
"bsd": BsdProfile.FULL,
"esxi": ESXiProfile.FULL,
"osx": OSXProfile.FULL,
},
"default": {
"windows": [
NTFS,
EventLogs,
Registry,
Tasks,
ETL,
Recents,
RecycleBin,
Drivers,
PowerShell,
Prefetch,
Appcompat,
PCA,
Syscache,
WBEM,
AV,
BITS,
DHCP,
DNS,
Misc,
ActiveDirectory,
RemoteAccess,
ActivitiesCache,
],
"linux": [
Etc,
Boot,
Home,
SSH,
Var,
],
"bsd": [
Etc,
Boot,
Home,
SSH,
Var,
BSD,
],
"esxi": [
Bootbanks,
ESXi,
VMFS,
SSH,
],
"osx": [
Etc,
Home,
Var,
OSX,
OSXApplicationsInfo,
],
"windows": WindowsProfile.DEFAULT,
"linux": LinuxProfile.DEFAULT,
"bsd": BsdProfile.DEFAULT,
"esxi": ESXiProfile.DEFAULT,
"osx": OSXProfile.DEFAULT,
},
"minimal": {
"windows": [
NTFS,
EventLogs,
Registry,
Tasks,
PowerShell,
Prefetch,
Appcompat,
PCA,
Misc,
],
"linux": [
Etc,
Boot,
Home,
SSH,
Var,
],
"bsd": [
Etc,
Boot,
Home,
SSH,
Var,
BSD,
],
"esxi": [
Bootbanks,
ESXi,
SSH,
],
"osx": [
Etc,
Home,
Var,
OSX,
OSXApplicationsInfo,
],
"windows": WindowsProfile.MINIMAL,
"linux": LinuxProfile.MINIMAL,
"bsd": BsdProfile.MINIMAL,
"esxi": ESXiProfile.MINIMAL,
"osx": OSXProfile.MINIMAL,
},
"none": None,
}


class VolatileProfile:
DEFAULT = [
Netstat,
WinProcesses,
WinProcEnv,
WinArpCache,
WinRDPSessions,
WinDnsClientCache,
]
EXTENSIVE = [
Proc,
Sys,
]


VOLATILE = {
"default": {
"windows": VolatileProfile.DEFAULT,
"linux": [],
"bsd": [],
"esxi": [],
"osx": [],
},
"extensive": {
"windows": VolatileProfile.DEFAULT,
"linux": VolatileProfile.EXTENSIVE,
"bsd": VolatileProfile.EXTENSIVE,
"esxi": VolatileProfile.EXTENSIVE,
"osx": [],
},
"none": None,
}


def main() -> None:
parser = create_argument_parser(PROFILES, MODULES)
parser = create_argument_parser(PROFILES, VOLATILE, MODULES)
args = parse_acquire_args(parser, config=CONFIG)

try:
Expand Down
Loading

0 comments on commit 1a82af7

Please sign in to comment.