78 lines
No EOL
4.9 KiB
Python
78 lines
No EOL
4.9 KiB
Python
|
|
from optparse import OptionParser
|
|
import datetime
|
|
import traceback
|
|
import os.path
|
|
import dsz
|
|
import ops, ops.survey
|
|
import ops.cmd
|
|
import ops.project
|
|
import ops.system.registry
|
|
import ops.files.dirs
|
|
import ops.system.environment
|
|
|
|
def main():
|
|
parser = OptionParser()
|
|
parser.add_option('--maxage', dest='maxage', default='3600', help='Maximum age of information to use before re-running commands for this module', type='int')
|
|
(options, args) = parser.parse_args()
|
|
maxage = datetime.timedelta(seconds=options.maxage)
|
|
ops.survey.print_header('Persistence checks')
|
|
vallist = [{'keyname': 'system\\currentcontrolset\\Services\\tcpip\\Parameters\\Winsock', 'vallist': ['HelperDllName'], 'cachetag': 'OPS_PERSIST_WINSOCKHELPER', 'knowngoods': [['wshtcpip.dll', '%%SystemRoot%%\\System32\\wshtcpip.dll']], 'isuser': False}, {'keyname': 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows', 'vallist': ['AppInit_Dlls'], 'cachetag': 'OPS_PERSIST_APPINITDLLS', 'knowngoods': [['']], 'isuser': False}, {'keyname': 'Software\\Microsoft\\Windows NT\\CurrentVersion\\winlogon', 'vallist': ['Shell', 'Userinit'], 'cachetag': 'OPS_PERSIST_WINLOGON', 'knowngoods': [['explorer.exe'], ['C:\\Windows\\system32\\userinit.exe,']], 'isuser': False}]
|
|
keylist = [{'keyname': 'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'cachetag': 'OPS_PERSIST_RUN', 'knownvals': {'VMware Tools': '"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"', 'VMware User Process': '"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe"'}, 'isuser': False}, {'keyname': 'Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce', 'cachetag': 'OPS_PERSIST_RUNONCE', 'knownvals': {}, 'isuser': False}, {'keyname': 'Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx', 'cachetag': 'OPS_PERSIST_RUNONCEEX', 'knownvals': {}, 'isuser': False}, {'keyname': 'Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom', 'cachetag': 'OPS_PERSIST_APPCOMPAT_REG', 'knownvals': {}, 'isuser': False}]
|
|
winroot = ops.env.get('OPS_WINDOWSDIR')
|
|
sysroot = ops.env.get('OPS_SYSTEMDIR')
|
|
programdata = ops.system.environment.get_environment_var('ALLUSERSPROFILE', maxage=datetime.timedelta(seconds=14400)).value
|
|
progfiles = ops.system.environment.get_environment_var('PROGRAMFILES', maxage=datetime.timedelta(seconds=14400)).value
|
|
userprofiles = ops.system.get_userprofiles_dir()
|
|
dirlist = [{'path': os.path.join(sysroot, 'AppPatch', 'Custom'), 'cachetag': 'OPS_PERSIST_APPCOMPAT_DIR', 'knownfiles': {}, 'isuser': False}]
|
|
displays = list()
|
|
codes = list()
|
|
for pair in vallist:
|
|
try:
|
|
if (not pair['isuser']):
|
|
keyval = ops.system.registry.get_registrykey('L', pair['keyname'], cache_tag=pair['cachetag'], cache_size=2, maxage=maxage)
|
|
for i in range(len(pair['vallist'])):
|
|
valuename = pair['vallist'][i]
|
|
displays.append({'keydir': pair['keyname'], 'valfile': valuename, 'value': keyval.key[0][valuename].value})
|
|
if (keyval.key[0][valuename].value in pair['knowngoods'][i]):
|
|
codes.append(dsz.GOOD)
|
|
else:
|
|
codes.append(dsz.WARNING)
|
|
else:
|
|
pass
|
|
except:
|
|
pass
|
|
for pair in keylist:
|
|
try:
|
|
if (not pair['isuser']):
|
|
keyval = ops.system.registry.get_registrykey('L', pair['keyname'], cache_tag=pair['cachetag'], cache_size=2, maxage=maxage)
|
|
for val in keyval.key[0].value:
|
|
if (val.name in pair['knownvals']):
|
|
if (pair['knownvals'][val.name] == val.value):
|
|
codes.append(dsz.GOOD)
|
|
else:
|
|
codes.append(dsz.ERROR)
|
|
else:
|
|
codes.append(dsz.DEFAULT)
|
|
displays.append({'keydir': pair['keyname'], 'valfile': val.name, 'value': val.value})
|
|
else:
|
|
pass
|
|
except:
|
|
pass
|
|
for pair in dirlist:
|
|
try:
|
|
if (not pair['isuser']):
|
|
dirval = ops.files.dirs.get_dirlisting(path=pair['path'], mask='*', cache_tag=pair['cachetag'], cache_size=2, maxage=maxage)
|
|
for fileitem in dirval.diritem[0].fileitem:
|
|
displays.append({'keydir': pair['path'], 'valfile': fileitem.fullpath, 'value': ''})
|
|
if (fileitem.name in pair['knownfiles']):
|
|
codes.append(dsz.GOOD)
|
|
else:
|
|
codes.append(dsz.WARNING)
|
|
else:
|
|
pass
|
|
except:
|
|
pass
|
|
ops.pprint.pprint(displays, echocodes=codes, dictorder=['keydir', 'valfile', 'value'], header=['Path/Key', 'File/Value', 'Data'])
|
|
if ((__name__ == '__main__') or (__name__ == ops.survey.PLUGIN)):
|
|
main() |