mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 16:06:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/thirdparty/rr-full/plugins/auditpol.pl
U-BASIS\zhaohui 7c9a7026c5 3386: Update the files permission from 755 to 644
2018-01-03 14:43:27 -05:00

268 lines
13 KiB
Perl
Raw Blame History

#-----------------------------------------------------------
# auditpol
# Get the audit policy from the Security hive file (Win7+)
# *Works for Win7 and Win10 at the moment
#
# History
# 20151202 - created
#
# Ref:
# http://www.kazamiya.net/structure/poladtev
# http://www.kazamiya.net/en/poladtev
# http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
#
# Equiv: auditpol /get /category:*
#
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditpol;
use strict;
my %config = (hive => "Security",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20151202);
sub getConfig{return %config}
sub getShortDescr {
return "Get audit policy from the Security hive file";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %audit = (0 => "N",
1 => "S",
2 => "F",
3 => "S/F");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditpol v.".$VERSION);
::rptMsg("auditpol v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Policy\\PolAdtEv";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("auditpol");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $data;
my @policy;
eval {
$data = $key->get_value("")->get_data();
# ::rptMsg("Length of data: ".length($data)." bytes.");
my $id = unpack("v",substr($data,8,2));
# ::rptMsg(sprintf "Offset value is: 0x%x",$id);
if (length($data) == 148 && $id == 0x82) {
@policy = processWin10($data)
}
elsif (length($data) == 138 && $id == 0x78) {
@policy = processWin7($data);
}
else {
my @d = printData($data);
foreach (0..(scalar(@d) - 1)) {
::rptMsg($d[$_]);
}
}
foreach (0..((scalar @policy) - 1)) {
my ($aud,$pol) = split(/;/,$policy[$_],2);
::rptMsg(sprintf "%-50s %-5s",$aud,$audit{$pol});
}
};
}
else {
::rptMsg($key_path." not found.");
}
}
sub processWin10 {
my $data = shift;
my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)),
"System:Security System Extension;".unpack("v",substr($data,0x0e,2)),
"System:System Integrity;".unpack("v",substr($data,0x10,2)),
"System:IPsec Driver;".unpack("v",substr($data,0x12,2)),
"System:Other System Events;".unpack("v",substr($data,0x14,2)),
"Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)),
"Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)),
"Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)),
"Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)),
"Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)),
"Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)),
"Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)),
"Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)),
"Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)),
"Logon/Logoff:User Device Claims;".unpack("v",substr($data,0x28,2)),
"Logon/Logoff:Group Membership;".unpack("v",substr($data,0x2a,2)),
"Object Access:File System;".unpack("v",substr($data,0x2c,2)),
"Object Access:Registry;".unpack("v",substr($data,0x2e,2)),
"Object Access:Kernel Object;".unpack("v",substr($data,0x30,2)),
"Object Access:SAM;".unpack("v",substr($data,0x32,2)),
"Object Access:Certification Services;".unpack("v",substr($data,0x34,2)),
"Object Access:Application Generated;".unpack("v",substr($data,0x36,2)),
"Object Access:Handle Manipulation;".unpack("v",substr($data,0x38,2)),
"Object Access:File Share;".unpack("v",substr($data,0x3a,2)),
"Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3c,2)),
"Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3e,2)),
"Object Access:Other Object Access Events;".unpack("v",substr($data,0x40,2)),
"Object Access:Detailed File Share;".unpack("v",substr($data,0x42,2)),
"Object Access:Removable Storage;".unpack("v",substr($data,0x44,2)),
"Object Access:Central Policy Staging;".unpack("v",substr($data,0x46,2)),
"Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x48,2)),
"Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x4a,2)),
"Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x4c,2)),
"Detailed Tracking:Process Creation;".unpack("v",substr($data,0x4e,2)),
"Detailed Tracking:Process Termination;".unpack("v",substr($data,0x50,2)),
"Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x52,2)),
"Detailed Tracking:RPC Events;".unpack("v",substr($data,0x54,2)),
"Detailed Tracking:Plug and Play Events;".unpack("v",substr($data,0x56,2)),
"Policy Change:Audit Policy Change;".unpack("v",substr($data,0x58,2)),
"Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x5a,2)),
"Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x5c,2)),
"Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x5e,2)),
"Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x60,2)),
"Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x62,2)),
"Account Management:User Account Management;".unpack("v",substr($data,0x64,2)),
"Account Management:Computer Account Management;".unpack("v",substr($data,0x66,2)),
"Account Management:Security Group Management;".unpack("v",substr($data,0x68,2)),
"Account Management:Distribution Group Management;".unpack("v",substr($data,0x6a,2)),
"Account Management:Application Group Management;".unpack("v",substr($data,0x6c,2)),
"Account Management:Other Account Management Events;".unpack("v",substr($data,0x6e,2)),
"DS Access:Directory Service Access;".unpack("v",substr($data,0x70,2)),
"DS Access:Directory Service Changes;".unpack("v",substr($data,0x72,2)),
"DS Access:Directory Service Replication;".unpack("v",substr($data,0x74,2)),
"DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x76,2)),
"Account Logon:Credential Validation;".unpack("v",substr($data,0x78,2)),
"Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x7a,2)),
"Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x7c,2)),
"Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x7e,2)));
return @win;
}
sub processWin7 {
my $data = shift;
my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)),
"System:Security System Extension;".unpack("v",substr($data,0x0e,2)),
"System:System Integrity;".unpack("v",substr($data,0x10,2)),
"System:IPsec Driver;".unpack("v",substr($data,0x12,2)),
"System:Other System Events;".unpack("v",substr($data,0x14,2)),
"Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)),
"Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)),
"Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)),
"Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)),
"Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)),
"Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)),
"Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)),
"Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)),
"Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)),
"Object Access:File System;".unpack("v",substr($data,0x28,2)),
"Object Access:Registry;".unpack("v",substr($data,0x2a,2)),
"Object Access:Kernel Object;".unpack("v",substr($data,0x2c,2)),
"Object Access:SAM;".unpack("v",substr($data,0x2e,2)),
"Object Access:Other Object Access Events;".unpack("v",substr($data,0x30,2)),
"Object Access:Certification Services;".unpack("v",substr($data,0x32,2)),
"Object Access:Application Generated;".unpack("v",substr($data,0x34,2)),
"Object Access:Handle Manipulation;".unpack("v",substr($data,0x36,2)),
"Object Access:File Share;".unpack("v",substr($data,0x38,2)),
"Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3a,2)),
"Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3c,2)),
"Object Access:Detailed File Share;".unpack("v",substr($data,0x3e,2)),
"Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x40,2)),
"Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x42,2)),
"Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x44,2)),
"Detailed Tracking:Process Creation;".unpack("v",substr($data,0x46,2)),
"Detailed Tracking:Process Termination;".unpack("v",substr($data,0x48,2)),
"Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x4a,2)),
"Detailed Tracking:RPC Events;".unpack("v",substr($data,0x4c,2)),
"Policy Change:Audit Policy Change;".unpack("v",substr($data,0x4e,2)),
"Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x50,2)),
"Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x52,2)),
"Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x54,2)),
"Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x56,2)),
"Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x58,2)),
"Account Management:User Account Management;".unpack("v",substr($data,0x5a,2)),
"Account Management:Computer Account Management;".unpack("v",substr($data,0x5c,2)),
"Account Management:Security Group Management;".unpack("v",substr($data,0x5e,2)),
"Account Management:Distribution Group Management;".unpack("v",substr($data,0x60,2)),
"Account Management:Application Group Management;".unpack("v",substr($data,0x62,2)),
"Account Management:Other Account Management Events;".unpack("v",substr($data,0x64,2)),
"DS Access:Directory Service Access;".unpack("v",substr($data,0x66,2)),
"DS Access:Directory Service Changes;".unpack("v",substr($data,0x68,2)),
"DS Access:Directory Service Replication;".unpack("v",substr($data,0x6a,2)),
"DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x6c,2)),
"Account Logon:Credential Validation;".unpack("v",substr($data,0x6e,2)),
"Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x70,2)),
"Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x72,2)),
"Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x74,2)));
return @win;
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#
# my @d = printData($data);
# foreach (0..(scalar(@d) - 1)) {
# ::rptMsg($d[$_]);
# }
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my @display = ();
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
# ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
$display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h;
}
return @display;
}
1;
Reference in New Issue View Git Blame Copy Permalink