RADAR - Evidence of Execution

plaso/data/formatters/windows.yaml

@@ -462,6 +462,16 @@ short_source: 'REG'
 source: 'Registry Key'
 ---
 type: 'conditional'
+data_type: 'windows:registry:diagnosed_applications'
+message:
+- 'Process Name: {process_name}'
+- 'Last Detection Time: {last_detection_time}'
+- 'Origin: {key_path}'
+short_message: 'Process Name: {process_name}'
+short_source: 'REG'
+source: 'Registry Key'
+---
+type: 'conditional'
 data_type: 'windows:registry:explorer:programcache'
 message:
 - 'Key: {key_path}'

plaso/data/timeliner.yaml

@@ -1505,6 +1505,12 @@ attribute_mappings:
   description: 'Content Modification Time'
 place_holder_event: true
 ---
+data_type: 'windows:registry:diagnosed_applications'
+attribute_mappings:
+- name: 'last_written_time'
+  description: 'Content Modification Time'
+place_holder_event: false
+---
 data_type: 'windows:registry:explorer:programcache'
 attribute_mappings:
 - name: 'last_written_time'

plaso/parsers/winreg_plugins/__init__.py

@@ -7,6 +7,7 @@
 from plaso.parsers.winreg_plugins import bam
 from plaso.parsers.winreg_plugins import ccleaner
 from plaso.parsers.winreg_plugins import default
+from plaso.parsers.winreg_plugins import diagnosed_applications
 from plaso.parsers.winreg_plugins import lfu
 from plaso.parsers.winreg_plugins import motherboard_info
 from plaso.parsers.winreg_plugins import mountpoints

plaso/parsers/winreg_plugins/diagnosed_applications.py

@@ -0,0 +1,107 @@
+# -*- coding: utf-8 -*-
+"""Plug-in to collect evidence of execution from RADAR HeapLeakDetection
+Diagnosed Applications."""
+
+from os.path import dirname, join
+
+from dfdatetime import filetime as dfdatetime_filetime
+from dfdatetime import semantic_time as dfdatetime_semantic_time
+
+from plaso.containers import events
+from plaso.lib import dtfabric_helper
+from plaso.lib import errors
+from plaso.parsers import winreg_parser
+from plaso.parsers.winreg_plugins import interface
+
+
+class WindowsRegistryDiagnosedApplicationsEventData(events.EventData):
+  """Windows Diagnosed Application event data attribute container.
+
+  Attributes:
+    process_name (str): Name of the process diagnosed by RADAR.
+    last_detection_time (dfdatetime.DateTimeValues): process last
+        detected by RADAR date and time.
+    key_path (str): Windows Registry key path.
+    last_written_time (dfdatetime.DateTimeValues): entry last written date
+        and time.
+  """
+
+  DATA_TYPE = 'windows:registry:diagnosed_applications'
+
+  def __init__(self):
+    """Initializes event data."""
+    super(WindowsRegistryDiagnosedApplicationsEventData, self).__init__(
+        data_type=self.DATA_TYPE)
+    self.process_name = None
+    self.last_detection_time = None
+    self.key_path = None
+    self.last_written_time = None
+
+
+class DiagnosedApplicationsPlugin(
+    interface.WindowsRegistryPlugin, dtfabric_helper.DtFabricHelper):
+  """Plug-in to collect information about the Motherboard and BIOS."""
+
+  NAME = 'diagnosed_applications'
+  DATA_FORMAT = 'Diagnosed Applications Registry data'
+
+  FILTERS = frozenset([
+    interface.WindowsRegistryKeyPathFilter(
+      'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\RADAR\\HeapLeakDetection\\'
+      'DiagnosedApplications')])
+  _DEFINITION_FILE = join(
+    dirname(__file__), 'filetime.yaml')
+
+  def _ParseFiletime(self, byte_stream):
+    """Parses a FILETIME date and time value from a byte stream.
+
+    Args:
+      byte_stream (bytes): byte stream.
+
+    Returns:
+      dfdatetime.DateTimeValues: a FILETIME date and time values or a semantic
+        date and time values if the FILETIME date and time value is not set.
+
+    Raises:
+      ParseError: if the FILETIME could not be parsed.
+    """
+    filetime_map = self._GetDataTypeMap('filetime')
+
+    try:
+      filetime = self._ReadStructureFromByteStream(
+          byte_stream, 0, filetime_map)
+    except (ValueError, errors.ParseError) as exception:
+      raise errors.ParseError(
+          f'Unable to parse FILETIME value with error: {exception!s}')
+
+    if filetime == 0:
+      return dfdatetime_semantic_time.NotSet()
+
+    try:
+      return dfdatetime_filetime.Filetime(timestamp=filetime)
+    except ValueError:
+      raise errors.ParseError(f'Invalid FILETIME value: 0x{filetime:08x}')
+
+  def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
+    """Extracts events from a Windows Registry key.
+
+    Args:
+      parser_mediator (ParserMediator): mediates interactions between parsers
+          and other components, such as storage and dfVFS.
+      registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
+    """
+    for subkey in registry_key.GetSubkeys():
+      event_data = WindowsRegistryDiagnosedApplicationsEventData()
+
+      event_data.process_name = subkey.name
+      event_data.last_detection_time = self._ParseFiletime(
+        subkey.GetValueByName(
+          "LastDetectionTime"
+        ).data
+      )
+      event_data.key_path = subkey.path
+      event_data.last_written_time = subkey.last_written_time
+      parser_mediator.ProduceEventData(event_data)
+
+
+winreg_parser.WinRegistryParser.RegisterPlugin(DiagnosedApplicationsPlugin)

tests/parsers/winreg_plugins/diagnosed_applications.py

@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Tests for the Diagnosed Applications Windows Registry plugin."""
+
+import unittest
+
+from plaso.parsers.winreg_plugins import diagnosed_applications
+
+from tests.parsers.winreg_plugins import test_lib
+
+
+class WindowsRegistryDiagnosedApplicationsPluginTest(
+    test_lib.RegistryPluginTestCase):
+  """Tests for the Diagnosed Applications Windows Registry plugin."""
+
+  def testProcessValue(self):
+    """Tests the Process function for Diagnosed Applications data."""
+    test_file_entry = self._GetTestFileEntry(['SOFTWARE'])
+    key_path = ('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\RADAR\\'
+                'HeapLeakDetection\\DiagnosedApplications')
+
+    win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
+    registry_key = win_registry.GetKeyByPath(key_path)
+    plugin = diagnosed_applications.DiagnosedApplicationsPlugin()
+    storage_writer = self._ParseKeyWithPlugin(
+      registry_key=registry_key,
+      plugin=plugin
+    )
+
+    number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+        'event_data')
+    self.assertEqual(number_of_event_data, 1)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'extraction_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'recovery_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    expected_event_values = {
+      'process_name': 'TrustedInstaller.exe',
+      'last_detection_time': '2011-09-17T13:21:44.0776364+00:00',
+      'data_type': 'windows:registry:diagnosed_applications',
+      'key_path': (
+          'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\RADAR\\HeapLeakDetection'
+          '\\DiagnosedApplications\\TrustedInstaller.exe'),
+      'last_written_time': '2011-09-17T13:21:44.0776364+00:00'
+    }
+
+    event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
+    self.CheckEventData(event_data, expected_event_values)
+
+
+if __name__ == '__main__':
+  unittest.main()