diff --git a/Cases/IOCs/.keep b/Cases/IOCs/.keep
deleted file mode 100644
index e69de29..0000000
diff --git a/VolWeb/settings.py b/VolWeb/settings.py
index a439543..d6f3989 100755
--- a/VolWeb/settings.py
+++ b/VolWeb/settings.py
@@ -26,7 +26,6 @@
'windows_engine.apps.WindowsEngineConfig',
'dashboard.apps.DashboardConfig',
'investigations.apps.InvestigationsConfig',
- 'iocs.apps.IocsConfig',
'symbols.apps.SymbolsConfig',
'django.contrib.admin',
'django.contrib.auth',
diff --git a/VolWeb/urls.py b/VolWeb/urls.py
index 39fdeed..3004151 100755
--- a/VolWeb/urls.py
+++ b/VolWeb/urls.py
@@ -24,7 +24,6 @@
path('login/', auth_views.LogoutView.as_view(template_name='dashboard/login.html'), name='logout'),
path('', include('dashboard.urls')),
path('investigations/', include('investigations.urls')),
- path('iocs/', include('iocs.urls')),
path('symbols/', include('symbols.urls')),
path('win/', include('windows_engine.urls')),
path('lin/', include('linux_engine.urls')),
diff --git a/dashboard/static/css/styles.css b/dashboard/static/css/styles.css
index 4c64c4a..06c470c 100644
--- a/dashboard/static/css/styles.css
+++ b/dashboard/static/css/styles.css
@@ -92,6 +92,10 @@
text-align: left;
}
+.table-responsive {
+ overflow: inherit;
+}
+
.overlay {
display: none;
position: fixed;
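Review bot: `overflow: inherit` on `.table-responsive` overrides the framework's `overflow-x: auto` for that class, so wide tables now spill out of their container instead of scrolling horizontally. If this is intentional (presumably so the per-row `.dropdown-menu` added in the JS is not clipped by the scroll container), a comment should say so, e.g. `/* let row dropdown menus escape the table; disables horizontal scrolling for wide tables */`. Scoping the override to the tables that actually carry dropdowns would keep scrolling everywhere else.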
@@ -204,6 +208,16 @@ thead, tbody {
margin: -25px 0 0 -25px;
}
+.spinner-timeline {
+ z-index: 2;
+ position: absolute;
+ top: 15%;
+ left: 55%;
+ margin: -25px 0 0 -25px;
+}
+
+
+
.open-menu {
padding-top: 10px;
diff --git a/dashboard/static/js/bs-init.js b/dashboard/static/js/bs-init.js
index a703025..ad79084 100644
--- a/dashboard/static/js/bs-init.js
+++ b/dashboard/static/js/bs-init.js
@@ -49,14 +49,6 @@ if (document.getElementById('memcount')) {
} else {
console.error(countUp.error);
}
- }
-if (document.getElementById('indcount')) {
- const countUp = new CountUp('indcount', document.getElementById("indcount").getAttribute("countToind"));
- if (!countUp.error) {
- countUp.start();
- } else {
- console.error(countUp.error);
- }
}
if (document.getElementById('symcount')) {
diff --git a/dashboard/static/js/investigations.js b/dashboard/static/js/investigations.js
index a502f9c..92bdb58 100644
--- a/dashboard/static/js/investigations.js
+++ b/dashboard/static/js/investigations.js
@@ -225,7 +225,7 @@ if (sidebar) {
}
if (response['message'] == "error") {
- $('#proc-error-message').html("Something went wrong getting the linked iocs.");
+ $('#proc-error-message').html("Something went wrong getting the case.");
$('.toast-proc-error').toast('show');
}
$('.invest-details').show();
diff --git a/dashboard/static/js/iocs.js b/dashboard/static/js/iocs.js
deleted file mode 100644
index 92746bc..0000000
--- a/dashboard/static/js/iocs.js
+++ /dev/null
@@ -1,32 +0,0 @@
-$("#searchbar").on("keyup", function () {
- var value = $(this).val().toLowerCase();
- $('div[data-role="iocs"]').filter(function () {
- $(this).toggle($(this).find('span').text().toLowerCase().indexOf(value) > -1)
- });
-});
-//Ask for IOC deletion
-function DeleteIOC(id) {
- const csrf = document.getElementsByName('csrfmiddlewaretoken');
- const fd = new FormData();
- var url = $('div[data-role="iocs"]').attr('data-url');
- fd.append('csrfmiddlewaretoken', csrf[0].value);
- fd.append('ioc_id', id);
- $.ajax({
- type: 'POST',
- url: url,
- enctype: 'multipart/form-data',
- data: fd,
- beforeSend: function () {
- },
- success: function (response) {
- location.reload();
- },
- error: function (error) {
-
- },
- cache: false,
- contentType: false,
- processData: false
- });
-}
-
diff --git a/dashboard/static/js/linux.js b/dashboard/static/js/linux.js
index 40a19c9..aeedd94 100644
--- a/dashboard/static/js/linux.js
+++ b/dashboard/static/js/linux.js
@@ -1,4 +1,5 @@
-function Tag(url, plugin_name, artifact_id, status){
+function Tag(plugin_name, artifact_id, status){
+ var url = $("#tabs").attr("data-url");
const csrf = document.getElementsByName('csrfmiddlewaretoken');
const fd = new FormData();
fd.append('csrfmiddlewaretoken', csrf[0].value);
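Review bot: Dropping the `url` parameter from `Tag` silently breaks any caller that still uses the old four-argument form — the URL would land in `plugin_name` and the plugin name in `artifact_id` — and no callers are visible in this hunk, so they should be checked; the same applies to the identical signature change at the top of the first windows.js hunk. The new `var url = $("#tabs").attr("data-url")` is `undefined` when `#tabs` is missing or lacks the attribute, in which case `$.ajax` posts the tag form to the current page instead of failing visibly; an early guard such as `if (!url) { console.error("Tag: #tabs has no data-url"); return; }` surfaces the misconfiguration. The body of `Tag` continues outside the hunk.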
@@ -104,3 +105,756 @@ $("#searchTtyCheck").on("keyup", function() {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
+
+
+function DisplayArtifacts(collapse, process, case_id) {
+ const span_loading = document.createElement("span");
+ span_loading.setAttribute('class','spinner-border spinner-border-sm');
+ span_loading.setAttribute('role','status');
+ $("#procmaps_btn").removeClass("d-none");
+ const procmaps_btn = document.getElementById("procmaps_btn");
+ procmaps_btn.textContent = "Click here to compute ProcMaps for PID " + process;
+ procmaps_btn.addEventListener('click', function (e) {
+ $("#processHandles").textContent = "";
+ procmaps_btn.textContent = "";
+ procmaps_btn.appendChild(span_loading);
+ ComputeProcMaps(process, case_id);
+ });
+
+
+
+ if ($('#' + collapse).attr("aria-expanded") == "true") {
+ $('#Bash').empty();
+ $('#Elfs').empty();
+ $('#Lsof').empty();
+ $('#PsAux').empty();
+ $('#processMaps').empty();
+
+ $('.spinner-review').removeClass("d-none");
+ var url = $("#" + collapse).attr('data-url');
+ $.get(url, { 'case': case_id, 'pid': process }, // url
+ function (response, textStatus, jqXHR) { // success callback
+ if (textStatus == "success") {
+ if (response['message'] == "success") {
+ FillPsAux(JSON.parse(response['artifacts']['PsAux']));
+ FillBash(JSON.parse(response['artifacts']['Bash']));
+ FillElfs(JSON.parse(response['artifacts']['Elfs']));
+ FillLsof(JSON.parse(response['artifacts']['Lsof']));
+ FillProcMaps(JSON.parse(response['artifacts']['ProcMaps']));
+ $('#Bash').removeClass('d-none');
+ $('#Elfs').removeClass('d-none');
+ $('#Lsof').removeClass('d-none');
+ $('#PsAux').removeClass('d-none');
+ $('#processMaps').removeClass('d-none');
+
+ $('.processes_tab').removeClass('d-none');
+ $('.default-td').removeClass('d-none');
+ $('.spinner-review').addClass("d-none");
+ }
+ if (response['message'] == "error") {
+ $('#proc-error-message').html("Something went wrong.");
+ $('.toast-proc-error').toast('show');
+ }
+ }
+ });
+ }
+}
+
+function ComputeProcMaps(process, case_id){
+ var url = $("#procmaps_btn").attr("data-url");
+ $.get(url, { 'case': case_id, 'pid': process }, // url
+ function (response, textStatus, jqXHR) { // success callback
+ if (textStatus == "success") {
+ if (response['message'] == "success") {
+ FillProcMaps(JSON.parse(response['artifacts']['ProcMaps']));
+ $("#procmaps_btn").addClass("d-none");
+ }
+ if (response['message'] == "error") {
+ $('#proc-error-message').html("Something went wrong.");
+ $('.toast-proc-error').toast('show');
+ }
+ }
+ });
+
+}
+
+
+
+function FillPsAux(artifacts) {
+ // Create the html elements for each line
+ $('#PsAux').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('PsAux');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+
+ td_1.textContent = item.fields.PID;
+ td_2.textContent = item.fields.PPID;
+ td_3.textContent = item.fields.COMM;
+ td_4.textContent = item.fields.ARGS;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('PsAux', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('PsAux', item.pk, "Evidence");
+ });
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' '
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('PsAux', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_PsAux');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_PsAux');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_PsAux');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_PsAux');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_PsAux');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_PsAux');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_5.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+
+ tbody.appendChild(tr);
+ });
+}
+
+function FillBash(artifacts) {
+ // Create the html elements for each line
+ $('#Bash').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('Bash');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+
+ td_1.textContent = item.fields.PID;
+ td_2.textContent = item.fields.Process;
+ td_3.textContent = item.fields.CommandTime;
+ td_4.textContent = item.fields.Command;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Bash', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Bash', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' '
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Bash', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Bash');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Bash');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Bash');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Bash');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Bash');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Bash');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_5.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+
+ tbody.appendChild(tr);
+ });
+}
+
+function FillElfs(artifacts) {
+ // Create the html elements for each line
+ $('#Elfs').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('Elfs');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+
+ td_1.textContent = item.fields.Start;
+ td_2.textContent = item.fields.End;
+ td_3.textContent = item.fields.FilePath;
+ td_4.textContent = item.fields.Process;
+ td_5.textContent = item.fields.PID;
+
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Elfs', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Elfs', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' '
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Elfs', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Elfs');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Elfs');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Elfs');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Elfs');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Elfs');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Elfs');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_6.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+
+ tbody.appendChild(tr);
+ });
+}
+
+function FillLsof(artifacts) {
+ // Create the html elements for each line
+ $('#Lsof').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('Lsof');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+
+ td_1.textContent = item.fields.FD;
+ td_2.textContent = item.fields.PID;
+ td_3.textContent = item.fields.Path;
+ td_4.textContent = item.fields.Process;
+
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Lsof', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Lsof', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' '
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Lsof', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Lsof');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Lsof');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Lsof');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Lsof');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Lsof');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Lsof');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_5.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+
+ tbody.appendChild(tr);
+ });
+}
+
+function FillProcMaps(artifacts) {
+ // Create the html elements for each line
+ $('#processMaps').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('processMaps');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ const td_8 = document.createElement('td');
+ const td_9 = document.createElement('td');
+ const td_10 = document.createElement('td');
+ const td_11 = document.createElement('td');
+
+ td_1.textContent = item.fields.Start;
+ td_2.textContent = item.fields.End;
+ td_3.textContent = item.fields.FilePath;
+ td_4.textContent = item.fields.Flags;
+ td_5.textContent = item.fields.Inode;
+ td_6.textContent = item.fields.Major;
+ td_7.textContent = item.fields.Minor;
+ td_8.textContent = item.fields.PID;
+ td_9.textContent = item.fields.PgOff;
+ td_10.textContent = item.fields.Process;
+
+
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('ProcMaps', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('ProcMaps', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' '
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('ProcMaps', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_ProcMaps');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_ProcMaps');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_ProcMaps');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_ProcMaps');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_ProcMaps');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_ProcMaps');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_11.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tr.appendChild(td_8);
+ tr.appendChild(td_9);
+ tr.appendChild(td_10);
+ tr.appendChild(td_11);
+
+ tbody.appendChild(tr);
+ });
+}
\ No newline at end of file
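Review bot: `DisplayArtifacts` registers a new click listener on `#procmaps_btn` every time it runs (the `addEventListener` near the top of the function), so each expansion of a process panel stacks another handler and a single click then calls `ComputeProcMaps` once per expansion; assigning instead of adding, `procmaps_btn.onclick = function (e) { ... };`, keeps exactly one handler. On the line after it, `$("#processHandles").textContent = ""` sets a property on the jQuery wrapper rather than on the element and has no effect — `$("#processHandles").text("")` was presumably intended. Neither `$.get` in `DisplayArtifacts` nor the one in `ComputeProcMaps` has a failure callback, so a non-2xx response (expired session, server error) leaves `.spinner-review` or the button spinner showing with no toast; chaining `.fail(...)` that hides the spinner and shows the existing `.toast-proc-error` would cover that path. The five `Fill*` functions repeat the same ~90-line tag-dropdown construction with only the plugin name varying (and `button.appendChild(dots)` twice, which is a no-op); a single helper taking `(plugin_name, item)` and returning the dropdown element would remove most of the duplication. Populating cells via `textContent` rather than `.html()` is the right choice for artifact strings recovered from the memory image.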
diff --git a/dashboard/static/js/review.js b/dashboard/static/js/review.js
index c1e7536..5a2ce9c 100644
--- a/dashboard/static/js/review.js
+++ b/dashboard/static/js/review.js
@@ -63,36 +63,6 @@ function DemandProcDump(pid, case_id) {
});
}
-function DisplayArtifacts(collapse, process) {
-
- if ($('#' + collapse).attr("aria-expanded") == "true") {
- $('.pid').addClass('d-none');
- $('.default-td').addClass('d-none');
- $('.spinner-review').removeClass("d-none");
- setTimeout(function () {
- $('.processes_tab').removeClass('d-none');
- $('.' + process).removeClass('d-none');
- $('.default-td').removeClass('d-none');
- $('.spinner-review').addClass("d-none");
- }, 2000);
- }
-}
-
-function DisplayAll() {
-
- if ($('#collapse_default').attr("aria-expanded") == "true") {
- $('.pid').addClass('d-none');
- $('.spinner-review').removeClass("d-none");
- setTimeout(function () {
- $('.processes_tab').removeClass('d-none');
- $('.pid').removeClass('d-none');
- $('.spinner-review').addClass("d-none");
-
-
- }, 2000);
- }
-}
-
function copy(text, target) {
$(target).attr("title", "Copied!");
$(target).tooltip('dispose')
diff --git a/dashboard/static/js/windows.js b/dashboard/static/js/windows.js
index 2f997b9..2da07b1 100644
--- a/dashboard/static/js/windows.js
+++ b/dashboard/static/js/windows.js
@@ -1,4 +1,5 @@
-function Tag(url, plugin_name, artifact_id, status){
+function Tag(plugin_name, artifact_id, status) {
+ var url = $("#tabs").attr("data-url");
const csrf = document.getElementsByName('csrfmiddlewaretoken');
const fd = new FormData();
fd.append('csrfmiddlewaretoken', csrf[0].value);
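Review bot: `var url = $("#tabs").attr("data-url")` on the first added line has no fallback: when the `#tabs` element or its `data-url` attribute is missing, `url` is `undefined` and the `$.ajax` POST below is sent to the current page instead of the tagging endpoint, with only the generic "Could not tag the artifact." toast as feedback. A guard right after the lookup makes the failure explicit: `if (!url) { console.error("Tag: #tabs has no data-url"); return; }`. The signature change also shifts every positional parameter, so any caller still using the old `Tag(url, plugin_name, artifact_id, status)` form would silently post the URL as the plugin name; the in-file callers appear updated, but templates outside this diff cannot be checked from here. Tag's body continues into the next hunk.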
@@ -6,71 +7,1569 @@ function Tag(url, plugin_name, artifact_id, status){
fd.append('artifact_id', artifact_id);
fd.append('status', status);
$.ajax({
- type:'POST',
+ type: 'POST',
url: url,
enctype: 'multipart/form-data',
data: fd,
- beforeSend: function(){
-
- },
- success: function(data){
- if(status == "Evidence"){
- $('.tag_evidence_'+artifact_id+"_"+plugin_name).removeClass("d-none");
- $('.tag_suspicious_'+artifact_id+"_"+plugin_name).addClass("d-none");
+ success: function (data) {
+ if (status == "Evidence") {
+ $('.tag_evidence_' + artifact_id + "_" + plugin_name).removeClass("d-none");
+ $('.tag_suspicious_' + artifact_id + "_" + plugin_name).addClass("d-none");
}
- if(status == "Suspicious"){
- $('.tag_suspicious_'+artifact_id+"_"+plugin_name).removeClass("d-none");
- $('.tag_evidence_'+artifact_id+"_"+plugin_name).addClass("d-none");
+ if (status == "Suspicious") {
+ $('.tag_suspicious_' + artifact_id + "_" + plugin_name).removeClass("d-none");
+ $('.tag_evidence_' + artifact_id + "_" + plugin_name).addClass("d-none");
}
- if(status == "Clear"){
- $('.tag_suspicious_'+artifact_id+"_"+plugin_name).addClass("d-none");
- $('.tag_evidence_'+artifact_id+"_"+plugin_name).addClass("d-none");
+ if (status == "Clear") {
+ $('.tag_suspicious_' + artifact_id + "_" + plugin_name).addClass("d-none");
+ $('.tag_evidence_' + artifact_id + "_" + plugin_name).addClass("d-none");
}
},
- error: function(error){
+ error: function (error) {
$('#proc-error-message').html("Could not tag the artifact.");
$('.toast-proc-error').toast('show');
},
cache: false,
- contentType : false,
+ contentType: false,
processData: false
});
event.preventDefault();
}
-function GetReport(url, case_id){
+function GetReport(url, case_id) {
const csrf = document.getElementsByName('csrfmiddlewaretoken');
const fd = new FormData();
fd.append('csrfmiddlewaretoken', csrf[0].value);
fd.append('case_id', case_id);
$.ajax({
- type:'POST',
+ type: 'POST',
url: url,
enctype: 'multipart/form-data',
data: fd,
- beforeSend: function(){
+ beforeSend: function () {
},
- success: function(data){
- $('#report_content_html').html(data['html'])
- $('#report_content_text').html(data['text'])
- //We add style to the table
- $('#report_content_html table').addClass('table table-sm table-dark')
- $('#report_content_text').addClass('d-none')
- $('#report_content_html').removeClass('d-none')
+ success: function (data) {
+ $('#report_content_html').html(data['html'])
+ $('#report_content_text').html(data['text'])
+ //We add style to the table
+ $('#report_content_html table').addClass('table table-sm table-dark')
+ $('#report_content_text').addClass('d-none')
+ $('#report_content_html').removeClass('d-none')
},
- error: function(error){
+ error: function (error) {
$('#proc-error-message').html("Could not generate report.");
$('.toast-proc-error').toast('show');
},
cache: false,
- contentType : false,
+ contentType: false,
processData: false
});
}
+function DisplayArtifacts(collapse, process, case_id) {
+ const span_loading = document.createElement("span");
+ span_loading.setAttribute('class','spinner-border spinner-border-sm');
+ span_loading.setAttribute('role','status');
+ $("#handles_btn").removeClass("d-none");
+ const handles_btn = document.getElementById("handles_btn");
+ handles_btn.textContent = "Click here to compute Handles for PID " + process;
+ handles_btn.addEventListener('click', function (e) {
+ $("#processHandles").textContent = "";
+ handles_btn.textContent = "";
+ handles_btn.appendChild(span_loading);
+ ComputeHandles(process, case_id);
+ });
+ if ($('#' + collapse).attr("aria-expanded") == "true") {
+ $('#cmdline').addClass('d-none');
+ $('#processPriv').addClass('d-none');
+ $('#processEnv').addClass('d-none');
+ $('#dlllist').addClass('d-none');
+ $('#ldrmodules').addClass('d-none');
+
+ $('#netstat').addClass('d-none');
+ $('#netscan').addClass('d-none');
+ $('#sessions').addClass('d-none');
+ $('#processHandles').addClass('d-none');
+ $('.spinner-review').removeClass("d-none");
+ var url = $("#" + collapse).attr('data-url');
+ $.get(url, { 'case': case_id, 'pid': process }, // url
+ function (response, textStatus, jqXHR) { // success callback
+ if (textStatus == "success") {
+ if (response['message'] == "success") {
+ FillCmdLine(JSON.parse(response['artifacts']['CmdLine']));
+ FillPrivileges(JSON.parse(response['artifacts']['Privs']));
+ FillEnvars(JSON.parse(response['artifacts']['Envars']));
+ FillDlls(JSON.parse(response['artifacts']['DllList']));
+ FillLdr(JSON.parse(response['artifacts']['LdrModules']));
+ FillNetStat(JSON.parse(response['artifacts']['NetStat']));
+ FillNetScan(JSON.parse(response['artifacts']['NetScan']));
+ FillSessions(JSON.parse(response['artifacts']['Sessions']));
+ FillHandles(JSON.parse(response['artifacts']['Handles']));
+ $('#cmdline').removeClass('d-none');
+ $('#processPriv').removeClass('d-none');
+ $('#processEnv').removeClass('d-none');
+ $('#dlllist').removeClass('d-none');
+ $('#ldrmodules').removeClass('d-none');
+ $('#netstat').removeClass('d-none');
+ $('#netscan').removeClass('d-none');
+ $('#sessions').removeClass('d-none');
+ $('.processes_tab').removeClass('d-none');
+ $('.default-td').removeClass('d-none');
+ $('.spinner-review').addClass("d-none");
+ }
+ if (response['message'] == "error") {
+ $('#proc-error-message').html("Something went wrong.");
+ $('.toast-proc-error').toast('show');
+ }
+ }
+ });
+
+ }
+}
+
+function DisplayTimeline(case_id, date) {
+ $('.spinner-review').removeClass("d-none");
+ $('#TimelineTab').addClass('d-none');
+ var url = $("#TimelineTab").attr('data-url');
+ var date = date.toString();
+ $.get(url, { 'case': case_id, 'date': date }, // url
+ function (response, textStatus, jqXHR) { // success callback
+ if (textStatus == "success") {
+ if (response['message'] == "success") {
+ FillTimeline(JSON.parse(response['artifacts']['Timeliner']));
+ $('#TimelineTab').removeClass('d-none');
+ $('.spinner-review').addClass("d-none");
+ }
+ if (response['message'] == "error") {
+ $('#proc-error-message').html("Something went wrong.");
+ $('.toast-proc-error').toast('show');
+ }
+ }
+ });
+}
+
+function ComputeHandles(process, case_id){
+
+ $('#processHandles').addClass('d-none');
+ var url = $("#handles_btn").attr("data-url");
+ $.get(url, { 'case': case_id, 'pid': process }, // url
+ function (response, textStatus, jqXHR) { // success callback
+ if (textStatus == "success") {
+ if (response['message'] == "success") {
+ FillHandles(JSON.parse(response['artifacts']['Handles']));
+ $("#handles_btn").addClass("d-none");
+ }
+ if (response['message'] == "error") {
+ $('#proc-error-message').html("Something went wrong.");
+ $('.toast-proc-error').toast('show');
+ }
+ }
+ });
+
+}
+
+function FillCmdLine(artifacts) {
+ // Create the html elements for each line
+ $('#cmdline').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('cmdline');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ td_1.textContent = item.fields.PID;
+ td_2.textContent = item.fields.Process;
+ td_3.textContent = item.fields.Args;
+ td_3.setAttribute('class', 'w-50');
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('CmdLine', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('CmdLine', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' '
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('CmdLine', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_CmdLine');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_CmdLine');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_CmdLine');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_CmdLine');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_CmdLine');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_CmdLine');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_4.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+
+ tbody.appendChild(tr);
+ });
+}
+
+function FillPrivileges(artifacts) {
+ // Create the html elements for each line
+ $('#processPriv').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('processPriv');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ td_1.textContent = item.fields.PID;
+ td_2.textContent = item.fields.Process;
+ td_3.textContent = item.fields.Privilege;
+ td_4.textContent = item.fields.Attributes;
+ td_5.textContent = item.fields.Description;
+ td_6.textContent = item.fields.Value;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Privs', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Privs', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Privs', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Privs');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Privs');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Privs');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Privs');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Privs');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Privs');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_7.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillEnvars(artifacts) {
+ // Create the html elements for each line
+ $('#processEnv').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('processEnv');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ td_5.setAttribute('class', 'w-50 text-break');
+ const td_6 = document.createElement('td');
+ td_6.setAttribute('class', 'w-10');
+
+ td_1.textContent = item.fields.Block;
+ td_2.textContent = item.fields.PID;
+ td_3.textContent = item.fields.Process;
+ td_4.textContent = item.fields.Variable;
+ td_5.textContent = item.fields.Value;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Envars', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Envars', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Envars', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Envars');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Envars');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Envars');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Envars');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Envars');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Envars');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_6.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillDlls(artifacts) {
+ // Create the html elements for each line
+ $('#dlllist').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('dlllist');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ td_5.setAttribute('class', 'w-25 text-break');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ const td_8 = document.createElement('td');
+ const td_9 = document.createElement('td');
+ td_9.setAttribute('class', 'w-10');
+
+ td_1.textContent = item.fields.Process;
+ td_2.textContent = item.fields.PID;
+ td_3.textContent = item.fields.Base;
+ td_4.textContent = item.fields.Name;
+ td_5.textContent = item.fields.Path;
+ td_6.textContent = item.fields.Size;
+ td_7.textContent = item.fields.LoadTime;
+ td_8.textContent = item.fields.Fileouput;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('DllList', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('DllList', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('DllList', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_DllList');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_DllList');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_DllList');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_DllList');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_DllList');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_DllList');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_9.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tr.appendChild(td_8);
+ tr.appendChild(td_9);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillLdr(artifacts) {
+ // Create the html elements for each line
+ $('#ldrmodules').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('ldrmodules');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ td_7.setAttribute('class', 'w-25 text-break');
+
+ const td_8 = document.createElement('td');
+
+ td_1.textContent = item.fields.Pid;
+ td_2.textContent = item.fields.Process;
+ td_3.textContent = item.fields.Base;
+ td_4.textContent = item.fields.InInit;
+ td_5.textContent = item.fields.InLoad;
+ td_6.textContent = item.fields.InMem;
+ td_7.textContent = item.fields.MappedPath;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Ldrmodules', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Ldrmodules', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Ldrmodules', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Ldrmodules');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Ldrmodules');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Ldrmodules');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Ldrmodules');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Ldrmodules');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Ldrmodules');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_8.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tr.appendChild(td_8);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillSessions(artifacts) {
+ // Create the html elements for each line
+ $('#sessions').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('sessions');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+
+ td_1.textContent = item.fields.ProcessID;
+ td_2.textContent = item.fields.Process;
+ td_3.textContent = item.fields.SessionID;
+ td_4.textContent = item.fields.SessionType;
+ td_5.textContent = item.fields.UserName;
+ td_6.textContent = item.fields.CreateTime;
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Sessions', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Sessions', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Sessions', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Sessions');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Sessions');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Sessions');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Sessions');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Sessions');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Sessions');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_7.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillNetStat(artifacts) {
+ // Create the html elements for each line
+ $('#netstat').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('netstat');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ const td_8 = document.createElement('td');
+ const td_9 = document.createElement('td');
+ const td_10 = document.createElement('td');
+ const td_11 = document.createElement('td');
+ td_11.setAttribute('class', 'w-10');
+
+ td_1.textContent = item.fields.Created;
+ td_2.textContent = item.fields.Offset;
+ td_3.textContent = item.fields.Owner;
+ td_4.textContent = item.fields.Proto;
+ td_5.textContent = item.fields.LocalAddr;
+ td_6.textContent = item.fields.LocalPort;
+ td_7.textContent = item.fields.ForeignAddr;
+ td_8.textContent = item.fields.ForeignPort;
+ td_9.textContent = item.fields.State;
+ td_10.textContent = item.fields.PID;
+
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('NetStat', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('NetStat', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('NetStat', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_NetStat');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetStat');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetStat');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_NetStat');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetStat');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetStat');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_11.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tr.appendChild(td_8);
+ tr.appendChild(td_9);
+ tr.appendChild(td_10);
+ tr.appendChild(td_11);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillNetScan(artifacts) {
+ // Create the html elements for each line
+ $('#netscan').empty();
+ $.each(artifacts, function (i, item) {
+ var tbody = document.getElementById('netscan');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ const td_8 = document.createElement('td');
+ const td_9 = document.createElement('td');
+ const td_10 = document.createElement('td');
+ const td_11 = document.createElement('td');
+ td_11.setAttribute('class', 'w-10');
+
+ td_1.textContent = item.fields.Created;
+ td_2.textContent = item.fields.Offset;
+ td_3.textContent = item.fields.Owner;
+ td_4.textContent = item.fields.Proto;
+ td_5.textContent = item.fields.LocalAddr;
+ td_6.textContent = item.fields.LocalPort;
+ td_7.textContent = item.fields.ForeignAddr;
+ td_8.textContent = item.fields.ForeignPort;
+ td_9.textContent = item.fields.State;
+ td_10.textContent = item.fields.PID;
+
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('NetScan', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('NetScan', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('NetScan', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_NetScan');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetScan');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetScan');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_NetScan');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetScan');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetScan');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_11.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tr.appendChild(td_8);
+ tr.appendChild(td_9);
+ tr.appendChild(td_10);
+ tr.appendChild(td_11);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillTimeline(artifacts) {
+ // Create the html elements for each line
+ $('#TimelineTab').empty();
+ $.each(artifacts, function (i, item) {
+
+ var tbody = document.getElementById('TimelineTab');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ td_7.setAttribute('class', 'w-10');
+
+ td_1.textContent = item.fields.CreatedDate;
+ td_2.textContent = item.fields.ChangedDate;
+ td_3.textContent = item.fields.AccessedDate;
+ td_4.textContent = item.fields.Description;
+ td_5.textContent = item.fields.ModifiedDate;
+ td_6.textContent = item.fields.Plugin;
+
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Timeliner', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Timeliner', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
+
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Timeliner', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Timeliner');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Timeliner');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Timeliner');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Timeliner');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Timeliner');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Timeliner');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_7.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tbody.appendChild(tr);
+ });
+}
+
+function FillHandles(artifacts) {
+ // Create the html elements for each line
+ $('#processHandles').empty();
+ $.each(artifacts, function (i, item) {
+
+ var tbody = document.getElementById('processHandles');
+ const tr = document.createElement('tr');
+ const td_1 = document.createElement('td');
+ const td_2 = document.createElement('td');
+ const td_3 = document.createElement('td');
+ const td_4 = document.createElement('td');
+ td_4.setAttribute('class', 'w-25 text-break');
+ const td_5 = document.createElement('td');
+ const td_6 = document.createElement('td');
+ const td_7 = document.createElement('td');
+ const td_8 = document.createElement('td');
+ td_8.setAttribute('class', 'w-10');
+
+ td_1.textContent = item.fields.Process;
+ td_2.textContent = item.fields.PID;
+ td_3.textContent = item.fields.Offset;
+ td_4.textContent = item.fields.Name;
+ td_5.textContent = item.fields.HandleValue;
+ td_6.textContent = item.fields.GrantedAccess;
+ td_7.textContent = item.fields.Type;
+
+ // Tag conditions and system
+ const dropdown = document.createElement('div');
+ dropdown.setAttribute('class', 'dropdown no-arrow');
+
+ const button = document.createElement('button');
+ button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle');
+
+ button.setAttribute('aria-expanded', 'true');
+ button.setAttribute('data-bs-toggle', 'dropdown');
+ button.setAttribute('type', 'button');
+
+ const dots = document.createElement('i');
+ dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400');
+ button.appendChild(dots);
+
+ const dropdown_menu = document.createElement('div');
+ dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in');
+ const tagm = document.createElement('p');
+ tagm.setAttribute('class', 'text-center dropdown-header');
+ tagm.textContent = "Tag as";
+
+
+ const span_suspicious = document.createElement('span');
+ span_suspicious.textContent = " Suspicious";
+
+ const span_evidence = document.createElement('span');
+ span_evidence.textContent = " Evidence";
+
+ const badge_suspicious = document.createElement('a');
+ badge_suspicious.setAttribute('class', 'dropdown-item');
+ badge_suspicious.setAttribute('href', '#');
+ badge_suspicious.addEventListener('click', function (e) {
+ Tag('Handles', item.pk, "Suspicious");
+ });
+
+ const pill_orange = document.createElement('strong');
+ pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning');
+ pill_orange.textContent = ' ';
+ badge_suspicious.appendChild(pill_orange);
+ badge_suspicious.appendChild(span_suspicious);
+
+
+ const badge_evidence = document.createElement('a');
+ badge_evidence.setAttribute('class', 'dropdown-item');
+ badge_evidence.setAttribute('href', '#');
+ badge_evidence.addEventListener('click', function (e) {
+ Tag('Handles', item.pk, "Evidence");
+ });
+
+
+ const pill_red = document.createElement('strong');
+ pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger');
+ pill_red.textContent = ' ';
+
+ badge_evidence.appendChild(pill_red);
+ badge_evidence.appendChild(span_evidence);
-$(document).ready(function(){
+
+ const divider = document.createElement('div');
+ divider.setAttribute('class', 'dropdown-divider');
+
+ const badge_clear = document.createElement('a');
+ badge_clear.setAttribute('class', 'dropdown-item');
+ badge_clear.setAttribute('href', '#');
+ badge_clear.addEventListener('click', function (e) {
+ Tag('Handles', item.pk, "Clear");
+ });
+ badge_clear.textContent = " Clear tag";
+
+
+ const tag_evidence = document.createElement('strong');
+ const tag_suspicious = document.createElement('strong');
+
+ if (item.fields.Tag == "Evidence") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Handles');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Handles');
+ }
+
+ else if (item.fields.Tag == "Suspicious") {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Handles');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Handles');
+ }
+
+ else {
+ tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Handles');
+ tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Handles');
+ }
+
+ tag_evidence.textContent = "Evidence";
+ tag_suspicious.textContent = "Suspicious";
+
+ dropdown_menu.appendChild(tagm);
+ dropdown_menu.appendChild(badge_suspicious);
+ dropdown_menu.appendChild(badge_evidence);
+ dropdown_menu.appendChild(divider);
+ dropdown_menu.appendChild(badge_clear);
+
+ button.appendChild(dots);
+ dropdown.appendChild(button);
+ dropdown.appendChild(tag_evidence);
+ dropdown.appendChild(tag_suspicious);
+ dropdown.appendChild(dropdown_menu);
+ td_8.appendChild(dropdown);
+
+ tr.appendChild(td_1);
+ tr.appendChild(td_2);
+ tr.appendChild(td_3);
+ tr.appendChild(td_4);
+ tr.appendChild(td_5);
+ tr.appendChild(td_6);
+ tr.appendChild(td_7);
+ tr.appendChild(td_8);
+ tbody.appendChild(tr);
+ $('#processHandles').removeClass('d-none');
+ });
+}
+
+$(document).ready(function () {
$('.plugin').hide();
$('.toast-other').toast('show');
@@ -81,59 +1580,59 @@ $(document).ready(function(){
/* ################################ REGISTRY SCRIPTS ################################ */
- $("#search_registry").on("keyup", function() {
+ $("#search_registry").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#UserAssist tr").filter(function() {
+ $("#UserAssist tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
//TimeLine SearchBar
- $("#searchTimeline").on("keyup", function() {
+ $("#searchTimeline").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#TimelineTab tr").filter(function() {
+ $("#TimelineTab tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) !== -1)
})
});
//FileScan SearchBar
- $("#search_files").on("keyup", function() {
+ $("#search_files").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#FileScanTab tr").filter(function() {
+ $("#FileScanTab tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
//CmdLine SearchBar
- $("#searchCmdLine").on("keyup", function() {
+ $("#searchCmdLine").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#cmdline tr").filter(function() {
+ $("#cmdline tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
//CmdLine SearchBar
- $("#searchDllList").on("keyup", function() {
+ $("#searchDllList").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#dlllist tr").filter(function() {
+ $("#dlllist tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
//Privileges SearchBar
- $("#searchPriv").on("keyup", function() {
+ $("#searchPriv").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#processPriv tr").filter(function() {
+ $("#processPriv tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
//Process Env SearchBar
- $("#searchEnv").on("keyup", function() {
+ $("#searchEnv").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#processEnv tr").filter(function() {
+ $("#processEnv tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
@@ -141,28 +1640,28 @@ $(document).ready(function(){
//Process Handles SearchBar
- $("#searchHandles").on("keyup", function() {
+ $("#searchHandles").on("keyup", function () {
var value = $(this).val().toLowerCase();
- $("#processHandles tr").filter(function() {
+ $("#processHandles tr").filter(function () {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
//NetStat Search funtion
- $("#searchNetworkStat").on("keyup", function() {
- var value = $(this).val().toLowerCase();
- $("#netstat tr").filter(function() {
- $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
- });
+ $("#searchNetworkStat").on("keyup", function () {
+ var value = $(this).val().toLowerCase();
+ $("#netstat tr").filter(function () {
+ $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
+ });
//NetStat Search funtion
- $("#searchNetworkScan").on("keyup", function() {
- var value = $(this).val().toLowerCase();
- $("#netscan tr").filter(function() {
- $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
- });
+ $("#searchNetworkScan").on("keyup", function () {
+ var value = $(this).val().toLowerCase();
+ $("#netscan tr").filter(function () {
+ $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
+ });
});
diff --git a/dashboard/templates/dashboard/base.html b/dashboard/templates/dashboard/base.html
index 9e68481..0dcea43 100644
--- a/dashboard/templates/dashboard/base.html
+++ b/dashboard/templates/dashboard/base.html
@@ -57,11 +57,7 @@
{% endif %}
" href="{% url 'symbols' %}">Symbols
-
IOCs
+
-
+
@@ -30,7 +30,7 @@
Investigat
-
+
@@ -43,20 +43,7 @@
Investigat
-
-
+
diff --git a/dashboard/views.py b/dashboard/views.py
index ba89afe..89df58c 100755
--- a/dashboard/views.py
+++ b/dashboard/views.py
@@ -1,13 +1,12 @@
from django.shortcuts import render
from django.contrib.auth.decorators import login_required
from investigations.models import UploadInvestigation, Activity
-from iocs.models import IOC
from symbols.models import Symbols
from django.contrib.auth import get_user_model
from django.core import serializers
-# Dashboard view : Return the dashboard with the latest IOCs and Investigations
+# Dashboard view : Return the dashboard with the latest Investigations
@login_required
def dashboard(request):
"""Load the dashboard
@@ -16,7 +15,7 @@ def dashboard(request):
request : http request object
Comments:
- Display the dashboard and pass the users/activities/analysis/iocs
+ Display the dashboard and pass the users/activities/analysis/
"""
User = get_user_model()
activity = serializers.serialize("json", Activity.objects.all(), fields=("date", "count"))
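Review bot: The rewritten docstring line `Display the dashboard and pass the users/activities/analysis/` keeps a dangling trailing slash where `iocs` used to follow; `Display the dashboard and pass the users/activities/analysis` reads correctly and matches the context values still passed below. The `dashboard` function starts and ends outside this hunk.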
@@ -24,7 +23,6 @@ def dashboard(request):
{
'Activity': activity, 'Users': User.objects.filter(is_superuser=False),
'investigations': UploadInvestigation.objects.all().count(),
- 'iocs': IOC.objects.all().count(),
'symbols': Symbols.objects.all().count(),
'team': User.objects.all().count()
})
diff --git a/docker/Dockerfile b/docker/Dockerfile
index f29b6f6..6f9f38c 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -22,7 +22,7 @@ RUN mkdir -p $APP_HOME/staticfiles
WORKDIR $APP_HOME
USER app
-RUN pip install 'volatility3==2.0.1'
+RUN pip install 'volatility3==2.4.0'
USER root
COPY requirements.txt $APP_HOME
RUN pip install --upgrade pip
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 8829409..b5ef0ad 100755
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -41,7 +41,6 @@ services:
- ./nginx:/etc/nginx/conf.d
- ./nginx/ssl/:/etc/nginx/certs/
- staticfiles:/home/app/web/staticfiles
- - ./nginx/log/:/var/log/nginx/
depends_on:
- web
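Review bot: Dropping the `./nginx/log/` bind mount changes where the reverse-proxy access and error logs end up, and the hunk does not say where they are expected to go now. Which nginx image is used is not visible here: with the official image, access.log and error.log are symlinks to stdout/stderr, so after this change the logs reach the container logging driver (`docker logs`) and live only as long as that driver retains them; with an image that writes real files they now sit in the container's writable layer and vanish on recreate. For a forensics platform the proxy log is the audit trail of who uploaded or viewed which case, so a comment on the service stating the intended destination and retention, e.g. `# nginx logs go to the container logging driver; set driver retention on the host`, or an equivalent named volume, would keep that trail from being lost silently.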
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
index a629e6a..63dc71d 100644
--- a/docker/nginx/nginx.conf
+++ b/docker/nginx/nginx.conf
@@ -37,7 +37,7 @@ server {
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_buffer_size 4k;
- client_max_body_size 64G;
+ client_max_body_size 1G;
location / {
proxy_pass http://volweb;
add_header Strict-Transport-Security "max-age=31536000";
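Review bot: `client_max_body_size 1G;` is set at `server` scope, so it caps every request body this proxy accepts, including memory-image uploads if they travel through `location /` as a single request; memory dumps are commonly larger than 1 GB, and such uploads would then be rejected with a 413 by nginx before Django ever sees them. Whether the upload is chunked client-side cannot be told from this hunk; if it is, the new limit is reasonable but deserves a comment next to the directive, e.g. `# uploads are chunked client-side; 1G bounds one request, not the dump size`. If it is not, keep the small server-wide cap for ordinary routes and raise `client_max_body_size` only inside the `location` that serves the upload endpoint, so the large allowance is not exposed on every path.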
diff --git a/investigations/tasks.py b/investigations/tasks.py
index 1af35bb..a0bbb44 100644
--- a/investigations/tasks.py
+++ b/investigations/tasks.py
@@ -1,12 +1,9 @@
from investigations.models import *
-from iocs.models import IOC
from investigations.celery import app
from windows_engine.vol_windows import *
from linux_engine.vol_linux import *
"""Windows Memory analysis"""
-
-
def windows_memory_analysis(dump_path, case):
partial_results = run_volweb_routine_windows(dump_path, case.id, case)
case.percentage = "100"
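Review bot: `"""Windows Memory analysis"""` at module level is an expression statement, not a comment; it is evaluated and discarded on import and is not attached as a docstring to `windows_memory_analysis`, and the same applies to `"""Linux Memory Analysis"""` and `"""Main Task"""` in the next two hunks. Either move each string inside the function it describes as a real docstring or replace it with `# Windows memory analysis`. Dropping the two blank lines before each `def` also departs from PEP 8's two-blank-line rule between top-level definitions; the removed `-` lines were the conventional spacing.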
@@ -17,10 +14,7 @@ def windows_memory_analysis(dump_path, case):
case.save()
return
-
"""Linux Memory Analysis"""
-
-
def linux_memory_analysis(dump_path, case):
partial_results = run_volweb_routine_linux(dump_path, case.id, case)
case.percentage = "100"
@@ -31,10 +25,7 @@ def linux_memory_analysis(dump_path, case):
case.save()
return
-
"""Main Task"""
-
-
@app.task(name="start_memory_analysis")
def start_memory_analysis(dump_path, id):
case = UploadInvestigation.objects.get(pk=id)
diff --git a/investigations/templates/investigations/investigations.html b/investigations/templates/investigations/investigations.html
index f94f6ca..1d849e5 100644
--- a/investigations/templates/investigations/investigations.html
+++ b/investigations/templates/investigations/investigations.html
@@ -75,7 +75,7 @@
Invest
{% elif i.status == '4' %}
+ class="invest-header" style="color: var(--bs-purple);">Partial results
{% elif i.status == '2' %}
diff --git a/investigations/templates/investigations/linux/others/mountinfo.html b/investigations/templates/investigations/linux/others/mountinfo.html
new file mode 100644
index 0000000..f0c5cec
--- /dev/null
+++ b/investigations/templates/investigations/linux/others/mountinfo.html
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+ FIELDS
+ FSTYPE
+ MAJOR:MINOR
+ MNT_NS_ID
+ MOUNT ID
+ MOUNT_OPTIONS
+ MOUNT_POINT
+ MOUNT_SRC
+ PARENT_ID
+ ROOT
+ SB_OPTIONS
+
+
+
+
+ {% for entry in MountInfo %}
+
+ {{entry.FIELDS}}
+ {{entry.FSTYPE}}
+ {{entry.MAJOR_MINOR}}
+ {{entry.MNT_NS_ID}}
+ {{entry.MOUNTID}}
+ {{entry.MOUNT_OPTIONS}}
+ {{entry.MOUNT_POINT}}
+ {{entry.MOUNT_SRC}}
+ {{entry.PARENT_ID}}
+ {{entry.ROOT}}
+ {{entry.SB_OPTIONS}}
+
+
+ {% if entry.Tag == "Evidence"%}
+
Evidence
+
Suspicious
+ {% elif entry.Tag == "Suspicious" %}
+
Suspicious
+
Evidence
+ {% else %}
+
Evidence
+
Suspicious
+ {% endif %}
+
+
+
+
+
+ {% endfor %}
+
+
+
+
diff --git a/investigations/templates/investigations/linux/others/tty_check.html b/investigations/templates/investigations/linux/others/tty_check.html
index 62a0454..737f0e6 100644
--- a/investigations/templates/investigations/linux/others/tty_check.html
+++ b/investigations/templates/investigations/linux/others/tty_check.html
@@ -41,17 +41,17 @@
diff --git a/investigations/templates/investigations/linux/processes/bash.html b/investigations/templates/investigations/linux/processes/bash.html
index f40b832..fac0197 100644
--- a/investigations/templates/investigations/linux/processes/bash.html
+++ b/investigations/templates/investigations/linux/processes/bash.html
@@ -20,43 +20,6 @@
- {% for entry in Bash %}
-
- {{entry.PID}}
- {{entry.Process}}
- {{entry.CommandTime}}
- {{entry.Command}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/elfs.html b/investigations/templates/investigations/linux/processes/elfs.html
index ca5a466..30a9e32 100644
--- a/investigations/templates/investigations/linux/processes/elfs.html
+++ b/investigations/templates/investigations/linux/processes/elfs.html
@@ -4,7 +4,7 @@
Description :
Included in the "review_invest.html", this file represent the "ELFs" tab.
--->
-
+
@@ -21,44 +21,6 @@
- {% for process in Elfs %}
-
- {{process.Start}}
- {{process.End}}
- {{process.FilePath}}
- {{process.Process}}
- {{process.PID}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/lsof.html b/investigations/templates/investigations/linux/processes/lsof.html
index 16645e2..7c6e426 100644
--- a/investigations/templates/investigations/linux/processes/lsof.html
+++ b/investigations/templates/investigations/linux/processes/lsof.html
@@ -20,43 +20,6 @@
- {% for entry in Lsof %}
-
- {{entry.FD}}
- {{entry.PID}}
- {{entry.Path}}
- {{entry.Process}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/maps.html b/investigations/templates/investigations/linux/processes/maps.html
index 048103e..649220d 100644
--- a/investigations/templates/investigations/linux/processes/maps.html
+++ b/investigations/templates/investigations/linux/processes/maps.html
@@ -5,6 +5,10 @@
Included in the "review_invest.html", this file represent the "Maps" tab.
--->
+
+
+
+
@@ -26,49 +30,6 @@
- {% for process in ProcMaps %}
-
- {{process.Start}}
- {{process.End}}
- {{process.FilePath}}
- {{process.Flags}}
- {{process.Inode}}
- {{process.Major}}
- {{process.Minor}}
- {{process.PID}}
- {{process.PgOff}}
- {{process.Process}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/psaux.html b/investigations/templates/investigations/linux/processes/psaux.html
new file mode 100644
index 0000000..ca619b7
--- /dev/null
+++ b/investigations/templates/investigations/linux/processes/psaux.html
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+ PID
+ PPID
+ COMM
+ Args
+
+
+
+
+
+
+
+
diff --git a/investigations/templates/investigations/review_invest.html b/investigations/templates/investigations/review_invest.html
index 15caa11..38103f0 100644
--- a/investigations/templates/investigations/review_invest.html
+++ b/investigations/templates/investigations/review_invest.html
@@ -103,7 +103,7 @@
{{case.title}}
{% if case.os_version == "Linux" %}
-
+
-
+
-
-
-
{% for process in PsList %}
@@ -228,7 +218,9 @@
{{case.title}}
- PsAux
+ ELFs
Maps
@@ -238,6 +230,7 @@ {{case.title}}
href="#tab-6">Bash
+ {% include "investigations/linux/processes/psaux.html" %}
{% include "investigations/linux/processes/elfs.html" %}
{% include "investigations/linux/processes/maps.html" %}
{% include "investigations/linux/processes/lsof.html" %}
@@ -249,6 +242,7 @@
{{case.title}}
{% include "investigations/linux/processes/tree.html" %}
{% include "investigations/linux/others/tty_check.html" %}
+ {% include "investigations/linux/others/mountinfo.html" %}
{% include "investigations/linux/report.html" %}
@@ -272,6 +266,8 @@
{{case.title}}
href="#tab-1">
Processes
Tree
+
DeviceTree
NetGraph
{{case.title}}
style="color: var(--bs-pink);"> Timeline
Files
-
String based IOCs
Reporting
-
+
-
-
-
{% for process in PsScan %}
diff --git a/investigations/templates/investigations/windows/files/files.html b/investigations/templates/investigations/windows/files/files.html
index a71bdfd..e7c285f 100644
--- a/investigations/templates/investigations/windows/files/files.html
+++ b/investigations/templates/investigations/windows/files/files.html
@@ -55,17 +55,17 @@
diff --git a/investigations/templates/investigations/windows/iocs/iocs.html b/investigations/templates/investigations/windows/iocs/iocs.html
deleted file mode 100644
index d94c51f..0000000
--- a/investigations/templates/investigations/windows/iocs/iocs.html
+++ /dev/null
@@ -1,64 +0,0 @@
-
-
-
-
-
-
-
-
-
-
- Physical Address
- Linked Process
- Match String
-
-
-
-
- {% for match in Strings %}
-
- {{match.PhysicalAddress}}
- {{match.Result}}
- {{match.String}}
-
-
- {% if match.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif match.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
-
-
-
-
-
-
diff --git a/investigations/templates/investigations/windows/processes/cmdline.html b/investigations/templates/investigations/windows/processes/cmdline.html
index 325c94e..0e0de58 100644
--- a/investigations/templates/investigations/windows/processes/cmdline.html
+++ b/investigations/templates/investigations/windows/processes/cmdline.html
@@ -2,8 +2,7 @@
Filename : cmdline.html
Analysis type : Windows
Description :
-Included in the "review_invest.html", this file represent the "Network" tab.
-Using anychart, we display the combined results of netstat and netscan in raw format.
+Included in the "review_invest.html", this file represent the "Cmdline" tab.
--->
@@ -20,42 +19,6 @@
- {% for process in CmdLine %}
-
- {{process.PID }}
- {{process.Process}}
- {{process.Args}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
diff --git a/investigations/templates/investigations/windows/processes/devicetree.html b/investigations/templates/investigations/windows/processes/devicetree.html
new file mode 100644
index 0000000..9358fc2
--- /dev/null
+++ b/investigations/templates/investigations/windows/processes/devicetree.html
@@ -0,0 +1,33 @@
+
+
diff --git a/investigations/templates/investigations/windows/processes/dlllist.html b/investigations/templates/investigations/windows/processes/dlllist.html
index c4a8fdd..aec52ce 100644
--- a/investigations/templates/investigations/windows/processes/dlllist.html
+++ b/investigations/templates/investigations/windows/processes/dlllist.html
@@ -25,50 +25,6 @@
- {% for process in DllList %}
-
- {{process.Process}}
- {{process.PID}}
- {{process.Base}}
- {{process.Name}}
- {{process.Path}}
- {{process.Size}}
- {{process.LoadTime}}
- {{process.Fileoutput}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
-
- Nothing was found
-
diff --git a/investigations/templates/investigations/windows/processes/envars.html b/investigations/templates/investigations/windows/processes/envars.html
index f2d9e06..b7be02d 100644
--- a/investigations/templates/investigations/windows/processes/envars.html
+++ b/investigations/templates/investigations/windows/processes/envars.html
@@ -21,47 +21,6 @@
- {% for process in Envars %}
-
- {{process.Block}}
- {{process.PID}}
- {{process.Process}}
- {{process.Variable}}
- {{process.Value}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
-
- Nothing was found
-
diff --git a/investigations/templates/investigations/windows/processes/handles.html b/investigations/templates/investigations/windows/processes/handles.html
index a3fb77c..12769f7 100644
--- a/investigations/templates/investigations/windows/processes/handles.html
+++ b/investigations/templates/investigations/windows/processes/handles.html
@@ -5,6 +5,10 @@
Included in the "review_invest.html", this file represent the "Handles" tab.
--->
+
+
+
+
@@ -22,51 +26,9 @@
+
- {% for process in Handles %}
-
- {{process.Process}}
- {{process.PID}}
- {{process.Offset}}
- {{process.Name}}
- {{process.HandleValue}}
- {{process.GrantedAccess}}
- {{process.Type}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
-
- Nothing was found
-
diff --git a/investigations/templates/investigations/windows/processes/ldrmodules.html b/investigations/templates/investigations/windows/processes/ldrmodules.html
new file mode 100644
index 0000000..c130ec1
--- /dev/null
+++ b/investigations/templates/investigations/windows/processes/ldrmodules.html
@@ -0,0 +1,27 @@
+
+
+
+
+
+
+ PID
+ Process
+ Base
+ InInit
+ InLoad
+ InMem
+ MappedPath
+
+
+
+
+
+
+
+
+
diff --git a/investigations/templates/investigations/windows/processes/malfind.html b/investigations/templates/investigations/windows/processes/malfind.html
index 14c6572..a23aff4 100644
--- a/investigations/templates/investigations/windows/processes/malfind.html
+++ b/investigations/templates/investigations/windows/processes/malfind.html
@@ -19,7 +19,7 @@
{% for matches in Malfind %}
-
+
{{matches.PID}} - {{matches.Process}}
diff --git a/investigations/templates/investigations/windows/processes/network.html b/investigations/templates/investigations/windows/processes/network.html
index a602ab8..e78160e 100644
--- a/investigations/templates/investigations/windows/processes/network.html
+++ b/investigations/templates/investigations/windows/processes/network.html
@@ -33,49 +33,6 @@
NetStat
- {% for process in NetStat %}
-
- {{process.Created}}
- {{process.Offset}}
- {{process.Owner}}
- {{process.Proto}}
- {{process.LocalAddr}}
- {{process.LocalPort}}
- {{process.ForeignAddr}}
- {{process.ForeignPort}}
- {{process.State}}
- {{process.PID}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
@@ -109,49 +66,6 @@
NetScan
- {% for process in NetScan %}
-
- {{process.Created}}
- {{process.Offset}}
- {{process.Owner}}
- {{process.Proto}}
- {{process.LocalAddr}}
- {{process.LocalPort}}
- {{process.ForeignAddr}}
- {{process.ForeignPort}}
- {{process.State}}
- {{process.PID}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
diff --git a/investigations/templates/investigations/windows/processes/privileges.html b/investigations/templates/investigations/windows/processes/privileges.html
index 52ee675..ee85ac3 100644
--- a/investigations/templates/investigations/windows/processes/privileges.html
+++ b/investigations/templates/investigations/windows/processes/privileges.html
@@ -13,7 +13,7 @@
PID
- Process Value
+ Process
Privilege
Attributes
Description
@@ -22,49 +22,6 @@
- {% for process in Privs %}
-
- {{process.PID}}
- {{process.Process}}
- {{process.Privilege}}
- {{process.Attributes}}
- {{process.Description}}
- {{process.Value}}
-
-
- {% if process.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif process.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
-
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
-
- Nothing was found
-
diff --git a/investigations/templates/investigations/windows/processes/sessions.html b/investigations/templates/investigations/windows/processes/sessions.html
new file mode 100644
index 0000000..28c6ce5
--- /dev/null
+++ b/investigations/templates/investigations/windows/processes/sessions.html
@@ -0,0 +1,26 @@
+
+
+
+
+
+
+ Process ID
+ Process
+ Session ID
+ Session Type
+ User Name
+ Create Time
+
+
+
+
+
+
+
+
+
diff --git a/investigations/templates/investigations/windows/processes/tree.html b/investigations/templates/investigations/windows/processes/tree.html
index 24d876e..464712d 100644
--- a/investigations/templates/investigations/windows/processes/tree.html
+++ b/investigations/templates/investigations/windows/processes/tree.html
@@ -28,7 +28,7 @@
treechart.tooltip().format("{%name}\n\n \
pid: {%PID}\n \
Create Time : {%CreateTime}\n \
- Exite Time : {%ExitTime}\n \
+ Exit Time : {%ExitTime}\n \
Threads : {%Threads}");
treechart.draw();
diff --git a/investigations/templates/investigations/windows/timeline/timeline.html b/investigations/templates/investigations/windows/timeline/timeline.html
index b3ae129..9357f78 100644
--- a/investigations/templates/investigations/windows/timeline/timeline.html
+++ b/investigations/templates/investigations/windows/timeline/timeline.html
@@ -17,55 +17,16 @@
+ Created Date
Accessed Date
Changed Date
- Created Date
Description
Modified Date
Pluging
-
- {% for event in Timeliner %}
-
- {{event.AccessedDate}}
- {{event.ChangedDate}}
- {{event.CreatedDate}}
- {{event.Description}}
- {{event.ModifiedDate}}
- {{event.Plugin}}
-
-
- {% if event.Tag == "Evidence"%}
-
Evidence
-
Suspicious
- {% elif event.Tag == "Suspicious" %}
-
Suspicious
-
Evidence
- {% else %}
-
Evidence
-
Suspicious
- {% endif %}
-
-
-
-
-
- {% endfor %}
+
@@ -73,11 +34,8 @@
+
-{% endblock content %}
diff --git a/iocs/templates/iocs/iocs.html b/iocs/templates/iocs/iocs.html
deleted file mode 100644
index f510686..0000000
--- a/iocs/templates/iocs/iocs.html
+++ /dev/null
@@ -1,66 +0,0 @@
-{% extends "dashboard/base.html" %}
-{% load static %}
-{% block content%}
-
-
-
-
- {% if iocs %}
- {% for ioc in iocs %}
-
- {% endfor %}
- {% endif %}
-
-
-
-
-
-
-{% endblock content %}
\ No newline at end of file
diff --git a/iocs/templates/iocs/new_ioc.html b/iocs/templates/iocs/new_ioc.html
deleted file mode 100644
index 5d2e1b3..0000000
--- a/iocs/templates/iocs/new_ioc.html
+++ /dev/null
@@ -1,60 +0,0 @@
-{% extends "dashboard/base.html" %}
-{% block content %}
-
-
Back
-
-
New string based IOC
-
-
-
-
-
-{% endblock content %}
\ No newline at end of file
diff --git a/iocs/tests.py b/iocs/tests.py
deleted file mode 100644
index 7ce503c..0000000
--- a/iocs/tests.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from django.test import TestCase
-
-# Create your tests here.
diff --git a/iocs/urls.py b/iocs/urls.py
deleted file mode 100644
index 9f02542..0000000
--- a/iocs/urls.py
+++ /dev/null
@@ -1,9 +0,0 @@
-from django.urls import path
-from . import views
-
-urlpatterns = [
- path('', views.iocs, name='iocs'),
- path('new_ioc', views.new_ioc, name='new_ioc'),
- path('custom_ioc/
/', views.custom_ioc, name='custom_ioc'),
- path('delete_ioc', views.delete_ioc, name='delete_ioc'),
-]
diff --git a/iocs/views.py b/iocs/views.py
deleted file mode 100644
index e8e5088..0000000
--- a/iocs/views.py
+++ /dev/null
@@ -1,87 +0,0 @@
-from django.shortcuts import render, redirect
-from investigations.models import UploadInvestigation
-from django.contrib.auth.decorators import login_required
-from .forms import *
-from .models import IOC
-from django.http import JsonResponse
-
-customize_context = {}
-
-
-@login_required
-def iocs(request):
- """The string based iocs dashboard
-
- Arguments:
- request : http request object
-
- Comment: Display all the string based iocs
- """
- return render(request, 'iocs/iocs.html',
- {'iocs': IOC.objects.all(), 'investigations': UploadInvestigation.objects.all()})
-
-
-@login_required
-def new_ioc(request):
- """Create a new string base IOC
-
- Arguments:
- request : http request object
-
- Comment: Create a new IOC if the form is correct.
- """
- if request.method == "POST":
- form = IOCForm(request.POST)
- if form.is_valid():
- form.save()
- return redirect('/iocs/')
- form = IOCForm()
- return render(request, 'iocs/new_ioc.html', {'form': form, 'investigations': UploadInvestigation.objects.all()})
-
-
-@login_required
-def custom_ioc(request, pk):
- """Modify an ioc
-
- Arguments:
- request : http request object
-
- Comments:
- GET : Load the form page with instanced fields.
- POST : Apply the modifications
- """
- ioc_record = IOC.objects.get(pk=pk)
- if request.method == 'GET':
- custom_form = IOCForm(instance=ioc_record)
- if request.method == 'POST':
- form = IOCForm(request.POST, instance=ioc_record)
- if form.is_valid():
- ioc_record.save()
- return redirect('/iocs/')
- return render(request, 'iocs/custom_ioc.html',
- {'form': custom_form, 'investigations': UploadInvestigation.objects.all()})
-
-
-@login_required
-def delete_ioc(request):
- """Delete an ioc
-
- Arguments:
- request : http request object
-
- Comments:
- Delete the IOC selected by the user.
- """
- if request.method == "POST":
- form = ManageIOC(request.POST)
- if form.is_valid():
- id = form.cleaned_data['ioc_id']
- # Delete the ioc
- ioc = IOC.objects.get(pk=id)
- ioc.delete()
- return redirect('/iocs/')
- else:
- # Return a django error message (need to set up toast)
- form = NewIOCForm()
- return render(request, 'iocs/new_ioc.html',
- {'form': form, 'investigations': UploadInvestigation.objects.all()})
diff --git a/linux_engine/forms.py b/linux_engine/forms.py
index e281cad..b9547b7 100644
--- a/linux_engine/forms.py
+++ b/linux_engine/forms.py
@@ -10,3 +10,7 @@ class Tag(forms.Form):
class ReportForm(forms.Form):
case_id = forms.ModelChoiceField(queryset=UploadInvestigation.objects.all())
+
+class GetArtifacts(forms.Form):
+ case = forms.ModelChoiceField(queryset=UploadInvestigation.objects.all())
+ pid = forms.IntegerField()
\ No newline at end of file
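Review bot: `pid = forms.IntegerField()` accepts any integer, including negative values, even though a process ID is never negative; `pid = forms.IntegerField(min_value=0)` rejects that input at validation time instead of letting it reach the artifact query. The `case` field is a `ModelChoiceField` over every `UploadInvestigation`, so the form itself does not restrict which case a logged-in user may request artifacts for — if that is meant to be enforced, it has to happen in the view that consumes this form, which is outside this hunk. The file also lost its trailing newline and `GetArtifacts` is separated from `ReportForm` by one blank line rather than PEP 8's two.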
diff --git a/linux_engine/migrations/0009_pslist_tid.py b/linux_engine/migrations/0009_pslist_tid.py
new file mode 100644
index 0000000..3a10900
--- /dev/null
+++ b/linux_engine/migrations/0009_pslist_tid.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.15 on 2022-12-27 16:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('linux_engine', '0008_auto_20220917_2020'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='pslist',
+ name='TID',
+ field=models.BigIntegerField(null=True),
+ ),
+ ]
diff --git a/linux_engine/migrations/0010_pslist_offset.py b/linux_engine/migrations/0010_pslist_offset.py
new file mode 100644
index 0000000..41ee131
--- /dev/null
+++ b/linux_engine/migrations/0010_pslist_offset.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.15 on 2022-12-27 16:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('linux_engine', '0009_pslist_tid'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='pslist',
+ name='Offset',
+ field=models.BigIntegerField(null=True),
+ ),
+ ]
diff --git a/linux_engine/migrations/0011_auto_20221227_1801.py b/linux_engine/migrations/0011_auto_20221227_1801.py
new file mode 100644
index 0000000..ff6c60e
--- /dev/null
+++ b/linux_engine/migrations/0011_auto_20221227_1801.py
@@ -0,0 +1,81 @@
+# Generated by Django 3.2.15 on 2022-12-27 18:01
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('investigations', '0001_initial'),
+ ('linux_engine', '0010_pslist_offset'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='bash',
+ name='CommandTime',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='bash',
+ name='Process',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='elfs',
+ name='FilePath',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='elfs',
+ name='Process',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='lsof',
+ name='Path',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='procmaps',
+ name='FilePath',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='procmaps',
+ name='Process',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='pslist',
+ name='COMM',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='ttycheck',
+ name='Module',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='ttycheck',
+ name='Name',
+ field=models.TextField(null=True),
+ ),
+ migrations.AlterField(
+ model_name='ttycheck',
+ name='Symbol',
+ field=models.TextField(null=True),
+ ),
+ migrations.CreateModel(
+ name='PsAux',
+ fields=[
+ ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+ ('ARGS', models.TextField(null=True)),
+ ('COMM', models.BigIntegerField(null=True)),
+ ('PID', models.BigIntegerField(null=True)),
+ ('PPID', models.BigIntegerField(null=True)),
+ ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='linux_psaux_investigation', to='investigations.uploadinvestigation')),
+ ],
+ ),
+ ]
diff --git a/linux_engine/migrations/0012_alter_psaux_comm.py b/linux_engine/migrations/0012_alter_psaux_comm.py
new file mode 100644
index 0000000..d80eaef
--- /dev/null
+++ b/linux_engine/migrations/0012_alter_psaux_comm.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.15 on 2022-12-27 18:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('linux_engine', '0011_auto_20221227_1801'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='psaux',
+ name='COMM',
+ field=models.TextField(null=True),
+ ),
+ ]
diff --git a/linux_engine/migrations/0013_mountinfo.py b/linux_engine/migrations/0013_mountinfo.py
new file mode 100644
index 0000000..9d03890
--- /dev/null
+++ b/linux_engine/migrations/0013_mountinfo.py
@@ -0,0 +1,34 @@
+# Generated by Django 3.2.15 on 2022-12-27 18:22
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('investigations', '0001_initial'),
+ ('linux_engine', '0012_alter_psaux_comm'),
+ ]
+
+ operations = [
+ migrations.CreateModel(
+ name='MountInfo',
+ fields=[
+ ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+ ('FIELDS', models.TextField(null=True)),
+ ('FSTYPE', models.TextField(null=True)),
+ ('MAJOR_MINOR', models.TextField(max_length=20, null=True)),
+ ('MNT_NS_ID', models.TextField(max_length=500, null=True)),
+ ('MOUNTID', models.BigIntegerField(null=True)),
+ ('MOUNT_OPTIONS', models.TextField(null=True)),
+ ('MOUNT_POINT', models.TextField(null=True)),
+ ('MOUNT_SRC', models.TextField(null=True)),
+ ('PARENT_ID', models.BigIntegerField(null=True)),
+ ('ROOT', models.TextField(null=True)),
+ ('SB_OPTIONS', models.TextField(null=True)),
+ ('Tag', models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True)),
+ ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='linux_mountinfo_investigation', to='investigations.uploadinvestigation')),
+ ],
+ ),
+ ]
diff --git a/linux_engine/migrations/0014_psaux_tag.py b/linux_engine/migrations/0014_psaux_tag.py
new file mode 100644
index 0000000..a637908
--- /dev/null
+++ b/linux_engine/migrations/0014_psaux_tag.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.15 on 2022-12-27 19:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('linux_engine', '0013_mountinfo'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='psaux',
+ name='Tag',
+ field=models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True),
+ ),
+ ]
diff --git a/linux_engine/models.py b/linux_engine/models.py
index 3f0fedf..996878d 100644
--- a/linux_engine/models.py
+++ b/linux_engine/models.py
@@ -22,9 +22,23 @@ class PsList(models.Model):
on_delete=models.CASCADE,
related_name="linux_pslist_investigation"
)
- COMM = models.CharField(max_length=255, null=True)
+ COMM = models.TextField(null=True)
+ Offset = models.BigIntegerField(null=True)
PID = models.BigIntegerField(null=True)
PPID = models.BigIntegerField(null=True)
+ TID = models.BigIntegerField(null=True)
+
+class PsAux(models.Model):
+ investigation = models.ForeignKey(
+ UploadInvestigation,
+ on_delete=models.CASCADE,
+ related_name="linux_psaux_investigation"
+ )
+ ARGS = models.TextField(null=True)
+ COMM = models.TextField(null=True)
+ PID = models.BigIntegerField(null=True)
+ PPID = models.BigIntegerField(null=True)
+ Tag = models.CharField(null=True, max_length=11, choices=TAGS)
class Bash(models.Model):
@@ -34,8 +48,8 @@ class Bash(models.Model):
related_name="linux_bash_investigation"
)
PID = models.BigIntegerField(null=True)
- Process = models.CharField(max_length=255, null=True)
- CommandTime = models.CharField(max_length=255, null=True)
+ Process = models.TextField(null=True)
+ CommandTime = models.TextField(null=True)
Command = models.CharField(max_length=500, null=True)
Tag = models.CharField(null=True, max_length=11, choices=TAGS)
@@ -47,7 +61,7 @@ class ProcMaps(models.Model):
related_name="linux_procmaps_investigation"
)
End = models.BigIntegerField(null=True)
- FilePath = models.CharField(max_length=255, null=True)
+ FilePath = models.TextField(null=True)
Flags = models.CharField(max_length=20, null=True)
Command = models.CharField(max_length=500, null=True)
Inode = models.BigIntegerField(null=True)
@@ -55,7 +69,7 @@ class ProcMaps(models.Model):
Minor = models.BigIntegerField(null=True)
PID = models.BigIntegerField(null=True)
PgOff = models.BigIntegerField(null=True)
- Process = models.CharField(max_length=255, null=True)
+ Process = models.TextField(null=True)
Start = models.BigIntegerField(null=True)
Tag = models.CharField(null=True, max_length=11, choices=TAGS)
@@ -68,7 +82,7 @@ class Lsof(models.Model):
)
FD = models.BigIntegerField(null=True)
PID = models.BigIntegerField(null=True)
- Path = models.CharField(max_length=255, null=True)
+ Path = models.TextField(null=True)
Process = models.CharField(max_length=500, null=True)
Tag = models.CharField(null=True, max_length=11, choices=TAGS)
@@ -80,9 +94,9 @@ class TtyCheck(models.Model):
related_name="linux_ttycheck_investigation"
)
Address = models.BigIntegerField(null=True)
- Module = models.CharField(max_length=255, null=True)
- Name = models.CharField(max_length=255, null=True)
- Symbol = models.CharField(max_length=255, null=True)
+ Module = models.TextField(null=True)
+ Name = models.TextField(null=True)
+ Symbol = models.TextField(null=True)
Tag = models.CharField(null=True, max_length=11, choices=TAGS)
@@ -93,8 +107,28 @@ class Elfs(models.Model):
related_name="linux_elfs_investigation"
)
End = models.BigIntegerField(null=True)
- FilePath = models.CharField(max_length=255, null=True)
+ FilePath = models.TextField(null=True)
PID = models.BigIntegerField(null=True)
- Process = models.CharField(max_length=255, null=True)
+ Process = models.TextField(null=True)
Start = models.BigIntegerField(null=True)
Tag = models.CharField(null=True, max_length=11, choices=TAGS)
+
+
+class MountInfo(models.Model):
+ investigation = models.ForeignKey(
+ UploadInvestigation,
+ on_delete=models.CASCADE,
+ related_name="linux_mountinfo_investigation"
+ )
+ FIELDS = models.TextField(null=True)
+ FSTYPE = models.TextField(null=True)
+ MAJOR_MINOR = models.TextField(max_length=20, null=True)
+ MNT_NS_ID = models.TextField(max_length=500, null=True)
+ MOUNTID = models.BigIntegerField(null=True)
+ MOUNT_OPTIONS = models.TextField(null=True)
+ MOUNT_POINT = models.TextField(null=True)
+ MOUNT_SRC = models.TextField(null=True)
+ PARENT_ID = models.BigIntegerField(null=True)
+ ROOT = models.TextField(null=True)
+ SB_OPTIONS = models.TextField(null=True)
+ Tag = models.CharField(null=True, max_length=11, choices=TAGS)
\ No newline at end of file
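Review bot: `MAJOR_MINOR = models.TextField(max_length=20, null=True)` and `MNT_NS_ID = models.TextField(max_length=500, null=True)` do not bound the stored value: Django only passes `max_length` on a `TextField` to the form widget, the column is an unbounded text type, so nothing stops an oversized string from a parsed image being saved. Use `models.CharField(max_length=20, null=True)` if the limit is meant to be enforced, or drop the argument so the field does not advertise a bound it does not have. The same two field definitions appear in the generated `0013_mountinfo` migration and would need regenerating. The file is also left without a trailing newline.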
diff --git a/linux_engine/report.py b/linux_engine/report.py
index 43918e0..fec3bb4 100644
--- a/linux_engine/report.py
+++ b/linux_engine/report.py
@@ -22,6 +22,13 @@ def report(case):
procmaps_suspicious = ProcMaps.objects.filter(investigation=case, Tag="Suspicious")
procmaps_evidence = ProcMaps.objects.filter(investigation=case, Tag="Evidence")
+ psaux_suspicious = PsAux.objects.filter(investigation=case, Tag="Suspicious")
+ psaux_evidence = PsAux.objects.filter(investigation=case, Tag="Evidence")
+
+ mountinfo_suspicious = MountInfo.objects.filter(investigation=case, Tag="Suspicious")
+ mountinfo_evidence = MountInfo.objects.filter(investigation=case, Tag="Evidence")
+
+
# BEGIN HEADER#
html = markdown.markdown("# 📄 Investigation report : " + case.title)
text = "# 📄 Investigation report : " + case.title + "\n"
@@ -80,6 +87,13 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if psaux_evidence:
+ table = "PID | PPID | COMM | Args | \n ------------- | ------------- | ------------- | -------------\n"
+ for process in psaux_evidence:
+ table += f" {process.PID} | {process.PPID} | {process.COMM} | {process.ARGS} | \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if lsof_evidence:
table = "FD | PID | Path | Process | \n ------------- | ------------- | ------------- | -------------\n"
for process in lsof_evidence:
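Review bot: The psaux rows interpolate `process.COMM` and `process.ARGS` straight into the markdown table, and every other new table in this file does the same (the mountinfo tables and the suspicious-items hunks below); these strings originate in the memory image, so a `|` or newline inside a command line breaks the table, and markdown.markdown() passes raw HTML through, so any markup present in an argument string lands in the HTML report unchanged. A small helper applied to each cell, `def cell(v): return html.escape(str(v)).replace("|", "\\|")` (with `import html`), used as `{cell(process.ARGS)}`, keeps the report well-formed and inert regardless of what the imaged host contained. report()'s body starts outside this hunk.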
@@ -93,6 +107,14 @@ def report(case):
table += f" {process.Start} | {process.End} | {process.FilePath} | {process.Flags} | {process.Inode} | {process.Major} | {process.PID} | {process.Minor} | {process.PgOff} | {process.Process} | \n"
html += markdown.markdown(table, extensions=['tables'])
text += table
+
+ if mountinfo_evidence:
+ table = "FIELDS | FSTYPE | MAJOR_MINOR | MNT_NS_ID | MOUNTID | MOUNT_OPTIONS | MOUNT_POINT | MOUNT_SRC | PARENT_ID | ROOT | SB_OPTIONS | \n ------------- | ------------- | ------------- | ------------- | -------------| -------------| -------------| -------------| ------------- | ------------- | -------------\n"
+ for process in mountinfo_evidence:
+ table += f" {process.FIELDS} | {process.FSTYPE} | {process.MAJOR_MINOR} | {process.MNT_NS_ID} | {process.MOUNTID} | {process.MOUNT_OPTIONS} | {process.MOUNT_POINT} | {process.MOUNT_SRC} | {process.PARENT_ID} | {process.ROOT} | SB_OPTIONS | \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
# END EVIDENCE ITEMS #
# BEGIN SUSPICIOUS ITEMS #
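Review bot: The last data cell of the mountinfo row, `... | {process.ROOT} | SB_OPTIONS | \n`, emits the literal text `SB_OPTIONS` instead of the field value; it should be `{process.SB_OPTIONS}`. The mountinfo table in the suspicious-items section at the bottom of this file repeats the same mistake.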
@@ -124,6 +146,13 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if psaux_suspicious:
+ table = "PID | PPID | COMM | Args | \n ------------- | ------------- | ------------- | -------------\n"
+ for process in psaux_suspicious:
+ table += f" {process.PID} | {process.PPID} | {process.COMM} | {process.ARGS} | \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if lsof_suspicious:
table = "FD | PID | Path | Process | \n ------------- | ------------- | ------------- | -------------\n"
for process in lsof_suspicious:
@@ -137,6 +166,13 @@ def report(case):
table += f" {process.Start} | {process.End} | {process.FilePath} | {process.Flags} | {process.Inode} | {process.Major} | {process.PID} | {process.Minor} | {process.PgOff} | {process.Process} | \n"
html += markdown.markdown(table, extensions=['tables'])
text += table
+
+ if mountinfo_suspicious:
+ table = "FIELDS | FSTYPE | MAJOR_MINOR | MNT_NS_ID | MOUNTID | MOUNT_OPTIONS | MOUNT_POINT | MOUNT_SRC | PARENT_ID | ROOT | SB_OPTIONS | \n ------------- | ------------- | ------------- | ------------- | -------------| -------------| -------------| -------------| ------------- | ------------- | -------------\n"
+ for process in mountinfo_suspicious:
+ table += f" {process.FIELDS} | {process.FSTYPE} | {process.MAJOR_MINOR} | {process.MNT_NS_ID} | {process.MOUNTID} | {process.MOUNT_OPTIONS} | {process.MOUNT_POINT} | {process.MOUNT_SRC} | {process.PARENT_ID} | {process.ROOT} | SB_OPTIONS | \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
# END SUSPICIOUS ITEMS #
return html, text
diff --git a/linux_engine/tasks.py b/linux_engine/tasks.py
new file mode 100644
index 0000000..79c5c79
--- /dev/null
+++ b/linux_engine/tasks.py
@@ -0,0 +1,12 @@
+from investigations.celery import app
+from investigations.models import UploadInvestigation
+from .vol_linux import get_procmaps
+
+
+@app.task(name="compute_procmaps")
+def compute_procmaps(case_id, pid):
+ """Compute Handles for a specific PID"""
+ case = UploadInvestigation.objects.get(pk=case_id)
+ dump_path = "Cases/" + case.name
+ result = get_procmaps(dump_path, pid, case)
+ return result
\ No newline at end of file
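Review bot: The docstring `"""Compute Handles for a specific PID"""` was carried over from the Windows task and names the wrong artifact; it should read `"""Compute ProcMaps for *pid* with volatility3 and return "OK" or "KO"."""`, and since the view passes `str(pid)`, the docstring should state that *pid* arrives as a string and is converted in get_procmaps. The dump path is assembled with `"Cases/" + case.name`; `os.path.join("Cases", case.name)` is the usual form, and if `case.name` can originate from user input it should be validated as a bare file name before being joined — where it is set is not visible from here.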
diff --git a/linux_engine/urls.py b/linux_engine/urls.py
index 1967d0d..0c24f46 100644
--- a/linux_engine/urls.py
+++ b/linux_engine/urls.py
@@ -4,4 +4,7 @@
urlpatterns = [
path('lin_tag', views.lin_tag, name='lin_tag'),
path('lin_report', views.lin_report, name='lin_report'),
+ path('get_l_artifacts', views.get_l_artifacts, name='get_l_artifacts'),
+ path('get_procmaps', views.get_procmaps, name='get_procmaps'),
+
]
diff --git a/linux_engine/views.py b/linux_engine/views.py
index f03078e..bdc9f72 100644
--- a/linux_engine/views.py
+++ b/linux_engine/views.py
@@ -1,11 +1,56 @@
from django.shortcuts import render
from django.contrib.auth.decorators import login_required
from django.http import JsonResponse, HttpResponse
+from django.core.serializers import json
from django.apps import apps
+from .models import *
+from .tasks import compute_procmaps
from .forms import *
from .report import report
+
+@login_required
+def get_procmaps(request):
+ """Get ProcMaps from a PID
+
+ Arguments:
+ request : http request object
+
+ Comment:
+ The user requested to watch the ProcMaps linked to a process.
+ If the ProcMaps are already calculated, then the result is fetch
+ Else, volatility3 will calculate them using celery.
+ """
+ if request.method == 'GET':
+
+ form = GetArtifacts(request.GET)
+ if form.is_valid():
+ case = form.cleaned_data['case']
+ id = case.id
+ pid = form.cleaned_data['pid']
+ json_serializer = json.Serializer()
+ # Check if the ProcMaps are not already computed
+ procmaps = ProcMaps.objects.filter(investigation_id=id, PID=pid)
+ if len(procmaps)>0:
+ #Already computed we display the result
+ artifacts = {
+ 'ProcMaps': json_serializer.serialize(procmaps),
+ }
+ else:
+ #start a task with celery to compute the procmaps and send the result.
+ task_res = compute_procmaps.delay(str(id), str(pid))
+ res = task_res.get()
+ if res != "OK":
+ return JsonResponse({'message': "error"})
+ else:
+ artifacts = {
+ 'ProcMaps': json_serializer.serialize(ProcMaps.objects.filter(investigation_id=id, PID=pid)),
+ }
+ return JsonResponse({'message': "success", 'artifacts': artifacts})
+
+ return JsonResponse({'message': "error"})
+
@login_required
def lin_report(request):
"""
@@ -40,3 +85,34 @@ def lin_tag(request):
return JsonResponse({'message': "success"})
else:
return JsonResponse({'message': "error"})
+
+
+@login_required
+def get_l_artifacts(request):
+ """Get artifacts related to all process related volatility3 plugins
+
+ Arguments:
+ request : http request object
+
+ Comment:
+ The user requested to watch the artifacts linked the process.
+ """
+ if request.method == 'GET':
+ form = GetArtifacts(request.GET)
+ if form.is_valid():
+ case = form.cleaned_data['case']
+ pid = form.cleaned_data['pid']
+ id = case.id
+ json_serializer = json.Serializer()
+ # Request the appropriate artifacts
+ artifacts = {
+ 'Bash': json_serializer.serialize(Bash.objects.filter(investigation_id=id, PID=pid)),
+ 'Elfs': json_serializer.serialize(Elfs.objects.filter(investigation_id=id, PID=pid)),
+ 'Lsof': json_serializer.serialize(Lsof.objects.filter(investigation_id=id, PID=pid)),
+ 'ProcMaps': json_serializer.serialize(ProcMaps.objects.filter(investigation_id=id, PID=pid)),
+ 'PsAux': json_serializer.serialize(PsAux.objects.filter(investigation_id=id, PID=pid)),
+ }
+ return JsonResponse({'message': "success", 'artifacts': artifacts})
+ return JsonResponse({'message': "error"})
+
+
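Review bot: Each value in `artifacts` is the string returned by `json_serializer.serialize(...)`, so JsonResponse encodes it a second time and the client has to JSON.parse every entry; presumably the front-end does exactly that, but returning real objects, e.g. `'Bash': json.loads(json_serializer.serialize(Bash.objects.filter(...)))` or simply `list(qs.values())`, would make the payload self-describing. The same shape is used by get_w_artifacts and get_interval in windows_engine/views.py.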
diff --git a/linux_engine/vol_linux.py b/linux_engine/vol_linux.py
index 8f0904e..1adafce 100644
--- a/linux_engine/vol_linux.py
+++ b/linux_engine/vol_linux.py
@@ -1,14 +1,14 @@
-import logging
+import logging, jsonschema
from investigations.models import *
-from iocs.models import *
+from .models import *
from django.apps import apps
from VolWeb.voltools import *
+from volatility3.cli import MuteProgress
from volatility3.framework.exceptions import *
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
-
def build_context(dump_path, context, base_config_path, plugin, output_path):
"""This function is used to buid the context and construct each plugin
Return : The contructed plugin.
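Review bot: `import logging, jsonschema` brings in jsonschema, but nothing visible in this diff uses it (the same import is added to windows_engine/vol_windows.py); if it is only needed transitively by volatility3 2.4.0, the requirements.txt entry suffices and the import should be dropped, and otherwise it belongs on its own line per PEP 8. The accompanying `from .models import *` replaces the removed `iocs` import and hides which model names this module actually depends on.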
@@ -18,14 +18,47 @@ def build_context(dump_path, context, base_config_path, plugin, output_path):
automagics = automagic.choose_automagic(available_automagics, plugin)
context.config['automagic.LayerStacker.stackers'] = automagic.stacker.choose_os_stackers(plugin)
context.config['automagic.LayerStacker.single_location'] = "file://" + os.getcwd() + "/" + dump_path
- constructed = construct_plugin(context, automagics, plugin, base_config_path, None, file_handler(output_path))
+ constructed = construct_plugin(context, automagics, plugin, base_config_path, MuteProgress(), file_handler(output_path))
return constructed
+def get_procmaps(dump_path, pid, case):
+ """Compute ProcMaps for a specific PID"""
+ volatility3.framework.require_interface_version(2, 0, 0)
+ """ISF Binding"""
+ if case.linked_isf:
+ path = os.sep.join(case.linked_isf.symbols_file.name.split(os.sep)[:-2])
+ volatility3.symbols.__path__.append(os.path.abspath(path))
+ failures = volatility3.framework.import_files(plugins, True)
+ if failures:
+ logger.info(f"Some volatility3 plugin couldn't be loaded : {failures}")
+ else:
+ logger.info(f"Plugins are loaded without failure")
+ plugin_list = volatility3.framework.list_plugins()
+ base_config_path = "plugins"
+ context = contexts.Context()
+ context.config['plugins.Maps.pid'] = [int(pid)]
+ constructed = build_context(dump_path, context, base_config_path, plugin_list['linux.proc.Maps'], output_path=None)
+ if constructed:
+ result = DictRenderer().render(constructed.run())
+ else:
+ logger.info("Error the procMaps could not be computed")
+ return "KO"
+ for artifact in result:
+ artifact = {x.translate({32: None}): y
+ for x, y in artifact.items()}
+ del (artifact['__children'])
+ ProcMaps(investigation_id=case.id, **artifact).save()
+ return "OK"
+
+
+
+
def run_volweb_routine_linux(dump_path, case_id, case):
partial_results = False
logger.info('Starting VolWeb Engine')
volatility3.framework.require_interface_version(2, 0, 0)
+ """ISF Binding"""
if case.linked_isf:
path = os.sep.join(case.linked_isf.symbols_file.name.split(os.sep)[:-2])
volatility3.symbols.__path__.append(os.path.abspath(path))
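Review bot: get_procmaps appends to `volatility3.symbols.__path__` and re-runs `volatility3.framework.import_files(plugins, True)` on every call, and because this function now runs once per web request via compute_procmaps, the symbol search path grows by one duplicate entry per request for the life of the worker; guard it with `if os.path.abspath(path) not in volatility3.symbols.__path__:` or perform the ISF binding once per worker. The bare string `"""ISF Binding"""` after the docstring is an expression statement, not a comment — write `# ISF binding`. `logger.info(f"Plugins are loaded without failure")` is an f-string with no placeholders, and the other logger calls should pass lazy `%s` arguments rather than pre-formatted strings.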
@@ -43,21 +76,22 @@ def run_volweb_routine_linux(dump_path, case_id, case):
volweb_knowledge_base = {
# Process
'PsList': {'plugin': plugin_list['linux.pslist.PsList']},
+ 'PsAux': {'plugin': plugin_list['linux.psaux.PsAux']},
'PsTree': {'plugin': plugin_list['linux.pstree.PsTree']},
- 'ProcMaps': {'plugin': plugin_list['linux.proc.Maps']},
-
- # Malware analysis
'Bash': {'plugin': plugin_list['linux.bash.Bash']},
'Lsof': {'plugin': plugin_list['linux.lsof.Lsof']},
- 'TtyCheck': {'plugin': plugin_list['linux.tty_check.tty_check']},
'Elfs': {'plugin': plugin_list['linux.elfs.Elfs']},
+
+ # Malware analysis
+ 'TtyCheck': {'plugin': plugin_list['linux.tty_check.tty_check']},
+ 'MountInfo': {'plugin': plugin_list['linux.mountinfo.MountInfo']},
}
"""Progress Function"""
def update_progress(case):
- MODULES_TO_RUN = len(volweb_knowledge_base) + 2
- percentage = str(format(float(case.percentage) + float(100 / MODULES_TO_RUN), '.2f'))
+ MODULES_TO_RUN = len(volweb_knowledge_base) * 2
+ percentage = str(format(float(case.percentage) + float(100 / MODULES_TO_RUN), '.0f'))
logger.info(f"Status : {percentage} %")
case.percentage = percentage
case.save()
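Review bot: The progress value is stored rounded to a whole number (`'.0f'`) and the next step adds `100 / MODULES_TO_RUN` to that rounded figure, so whenever the increment is not an integer the rounding error accumulates over the `len(volweb_knowledge_base) * 2` calls and the final value will generally not land on exactly 100. Derive the percentage from a step counter instead, e.g. `percentage = str(round(100 * steps_done / MODULES_TO_RUN))`, or keep two-decimal storage and round only for display. update_progress is nested inside run_volweb_routine_linux, whose body continues outside this hunk.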
@@ -67,38 +101,44 @@ def update_progress(case):
ImageSignature.objects.filter(investigation_id=case_id).delete()
signatures = memory_image_hash(dump_path)
ImageSignature(investigation_id=case_id, **signatures).save()
- update_progress(case)
"""STEP 1 : Clean database and build the basic context for each plugin"""
for runable in volweb_knowledge_base:
apps.get_model("linux_engine", runable).objects.filter(investigation_id=case_id).delete()
context = contexts.Context()
logger.info(f"Constructing context for {runable} ")
- """Add pluging argument for hivelist"""
try:
volweb_knowledge_base[runable]['constructed'] = build_context(dump_path, context, base_config_path,
- volweb_knowledge_base[runable]['plugin'],
- "Cases/files")
+ volweb_knowledge_base[runable]['plugin'],output_path=None)
except VolatilityException:
partial_results = True
volweb_knowledge_base[runable]['constructed'] = []
+ except:
+ logger.info(f"Could not build context for {runable}" )
+ partial_results = True
+ volweb_knowledge_base[runable]['constructed'] = []
+ update_progress(case)
+
"""STEP 2.1 : For each constructed plugin's context, we render the result and save it."""
for runable in volweb_knowledge_base:
if volweb_knowledge_base[runable]['constructed']:
logger.info(f"Running plugin : {runable}")
try:
- volweb_knowledge_base[runable]['result'] = DictRenderer().render(
- volweb_knowledge_base[runable]['constructed'].run())
+ volweb_knowledge_base[runable]['result'] = DictRenderer().render(volweb_knowledge_base[runable]['constructed'].run())
except VolatilityException:
partial_results = True
volweb_knowledge_base[runable]['result'] = []
- update_progress(case)
+ except:
+ logger.info(f"Could not run {runable}" )
+ partial_results = True
+ volweb_knowledge_base[runable]['result'] = []
else:
volweb_knowledge_base[runable]['result'] = []
- update_progress(case)
+ update_progress(case)
+
- """STEP 3.1 : We can now inject the results inside the django database"""
+ """STEP 3.1 : We can now inject the results inside the database"""
for runable in volweb_knowledge_base:
if runable != 'PsTree':
for artifact in volweb_knowledge_base[runable]['result']:
@@ -106,9 +146,13 @@ def update_progress(case):
for x, y in artifact.items()}
if '__children' in artifact:
del (artifact['__children'])
- if 'Offset(V)' in artifact:
- artifact['Offset'] = artifact['Offset(V)']
- del (artifact['Offset(V)'])
+ if 'OFFSET(V)' in artifact:
+ artifact['Offset'] = artifact['OFFSET(V)']
+ del (artifact['OFFSET(V)'])
+ if "MAJOR:MINOR" in artifact:
+ artifact['MAJOR_MINOR'] = artifact['MAJOR:MINOR']
+ del (artifact['MAJOR:MINOR'])
+
apps.get_model("linux_engine", runable)(investigation_id=case_id, **artifact).save()
"""STEP 3.2 : Contruct and inject the graphs"""
diff --git a/requirements.txt b/requirements.txt
index 561f364..40b4282 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,9 +3,9 @@ gunicorn==20.1.0
psycopg2==2.9.3
bcrypt==3.2.0
cryptography==3.4.7
-Django==3.2.15
+Django==3.2.16
django-crispy-forms==1.12.0
-volatility3==2.0.1
+volatility3==2.4.0
yara-python==4.1.3
pycryptodome
pefile==2021.9.3
@@ -14,3 +14,4 @@ django-cookiebanner==0.2.5
markdown==3.4.1
vt-py==0.17.1
fontawesomefree==6.2.0
+jsonschema==4.17.3
\ No newline at end of file
diff --git a/symbols/forms.py b/symbols/forms.py
index a070b9d..9169402 100644
--- a/symbols/forms.py
+++ b/symbols/forms.py
@@ -4,7 +4,7 @@
from django.forms import ModelForm, TextInput, Textarea, Select, FileInput
-# This ModelForm is made to create a new IOC
+# This ModelForm is made to import a new ISF
class SymbolsForm(forms.ModelForm):
class Meta:
model = Symbols
diff --git a/windows_engine/forms.py b/windows_engine/forms.py
index 89fbd1e..89f6a35 100644
--- a/windows_engine/forms.py
+++ b/windows_engine/forms.py
@@ -14,6 +14,14 @@ class Meta:
}
+class GetArtifacts(forms.Form):
+ case = forms.ModelChoiceField(queryset=UploadInvestigation.objects.all())
+ pid = forms.IntegerField()
+
+class GetInverval(forms.Form):
+ case = forms.ModelChoiceField(queryset=UploadInvestigation.objects.all())
+ date = forms.CharField()
+
class DumpFile(forms.ModelForm):
class Meta:
model = FileDump
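Review bot: `GetInverval` is a misspelling of `GetInterval`; the class is referenced under that name in windows_engine/views.py get_interval, so rename both together. `date = forms.CharField()` accepts a string of any length that is then compared to `Timeliner.CreatedDate` through the ORM — safe against injection, but malformed input silently matches nothing; if `CreatedDate` is a text column, at least set `max_length`, and if it is a date column use `forms.DateTimeField()` so bad input is rejected at validation time.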
diff --git a/windows_engine/migrations/0017_sessions.py b/windows_engine/migrations/0017_sessions.py
new file mode 100644
index 0000000..7e4f881
--- /dev/null
+++ b/windows_engine/migrations/0017_sessions.py
@@ -0,0 +1,29 @@
+# Generated by Django 3.2.15 on 2022-12-27 10:48
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('investigations', '0001_initial'),
+ ('windows_engine', '0016_filescan_tag'),
+ ]
+
+ operations = [
+ migrations.CreateModel(
+ name='Sessions',
+ fields=[
+ ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+ ('CreateTime', models.TextField(null=True)),
+ ('Process', models.TextField(null=True)),
+ ('ProcessID', models.IntegerField(null=True)),
+ ('SessionID', models.IntegerField(null=True)),
+ ('SessionType', models.TextField(null=True)),
+ ('UserName', models.TextField(null=True)),
+ ('Tag', models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True)),
+ ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='windows_sessions_investigation', to='investigations.uploadinvestigation')),
+ ],
+ ),
+ ]
diff --git a/windows_engine/migrations/0018_ldrmodules.py b/windows_engine/migrations/0018_ldrmodules.py
new file mode 100644
index 0000000..57623a5
--- /dev/null
+++ b/windows_engine/migrations/0018_ldrmodules.py
@@ -0,0 +1,29 @@
+# Generated by Django 3.2.15 on 2022-12-27 13:17
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('investigations', '0001_initial'),
+ ('windows_engine', '0017_sessions'),
+ ]
+
+ operations = [
+ migrations.CreateModel(
+ name='LdrModules',
+ fields=[
+ ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+ ('Base', models.BigIntegerField(null=True)),
+ ('InInit', models.TextField(null=True)),
+ ('InLoad', models.TextField(null=True)),
+ ('InMem', models.TextField(null=True)),
+ ('MappedPath', models.TextField(null=True)),
+ ('Pid', models.IntegerField(null=True)),
+ ('Process', models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True)),
+ ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='windows_ldrmodules_investigation', to='investigations.uploadinvestigation')),
+ ],
+ ),
+ ]
diff --git a/windows_engine/migrations/0019_auto_20221227_1321.py b/windows_engine/migrations/0019_auto_20221227_1321.py
new file mode 100644
index 0000000..7177868
--- /dev/null
+++ b/windows_engine/migrations/0019_auto_20221227_1321.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.15 on 2022-12-27 13:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('windows_engine', '0018_ldrmodules'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='ldrmodules',
+ name='Tag',
+ field=models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True),
+ ),
+ migrations.AlterField(
+ model_name='ldrmodules',
+ name='Process',
+ field=models.TextField(null=True),
+ ),
+ ]
diff --git a/windows_engine/migrations/0020_devicetree.py b/windows_engine/migrations/0020_devicetree.py
new file mode 100644
index 0000000..5e44142
--- /dev/null
+++ b/windows_engine/migrations/0020_devicetree.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.15 on 2022-12-27 14:07
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('investigations', '0001_initial'),
+ ('windows_engine', '0019_auto_20221227_1321'),
+ ]
+
+ operations = [
+ migrations.CreateModel(
+ name='DeviceTree',
+ fields=[
+ ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+ ('graph', models.JSONField(null=True)),
+ ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='windows_devicetree_investigation', to='investigations.uploadinvestigation')),
+ ],
+ ),
+ ]
diff --git a/windows_engine/models.py b/windows_engine/models.py
index 1486b36..ac72dda 100644
--- a/windows_engine/models.py
+++ b/windows_engine/models.py
@@ -40,6 +40,16 @@ class PsTree(models.Model):
graph = models.JSONField(null=True)
+class DeviceTree(models.Model):
+ investigation = models.ForeignKey(
+ UploadInvestigation,
+ on_delete=models.CASCADE,
+ related_name="windows_devicetree_investigation"
+
+ )
+ graph = models.JSONField(null=True)
+
+
class NetGraph(models.Model):
investigation = models.ForeignKey(
UploadInvestigation,
@@ -104,6 +114,35 @@ class Privs(models.Model):
Description = models.TextField(null=True)
Tag = models.CharField(null=True, max_length=11, choices=TAGS)
+class Sessions(models.Model):
+ investigation = models.ForeignKey(
+ UploadInvestigation,
+ on_delete=models.CASCADE,
+ related_name="windows_sessions_investigation"
+ )
+ CreateTime = models.TextField(null=True)
+ Process = models.TextField(null=True)
+ ProcessID = models.IntegerField(null=True)
+ SessionID = models.IntegerField(null=True)
+ SessionType = models.TextField(null=True)
+ UserName = models.TextField(null=True)
+ Tag = models.CharField(null=True, max_length=11, choices=TAGS)
+
+class LdrModules(models.Model):
+ investigation = models.ForeignKey(
+ UploadInvestigation,
+ on_delete=models.CASCADE,
+ related_name="windows_ldrmodules_investigation"
+ )
+ Base = models.BigIntegerField(null=True)
+ InInit = models.TextField(null=True)
+ InLoad = models.TextField(null=True)
+ InMem = models.TextField(null=True)
+ MappedPath = models.TextField(null=True)
+ Pid = models.IntegerField(null=True)
+ Process = models.TextField(null=True)
+ Tag = models.CharField(null=True, max_length=11, choices=TAGS)
+
class Envars(models.Model):
investigation = models.ForeignKey(
diff --git a/windows_engine/report.py b/windows_engine/report.py
index 146452e..f67e9ad 100644
--- a/windows_engine/report.py
+++ b/windows_engine/report.py
@@ -13,12 +13,21 @@ def report(case):
privs_suspicious = Privs.objects.filter(investigation=case, Tag="Suspicious")
privs_evidence = Privs.objects.filter(investigation=case, Tag="Evidence")
+ sessions_suspicious = Sessions.objects.filter(investigation=case, Tag="Suspicious")
+ sessions_evidence = Sessions.objects.filter(investigation=case, Tag="Evidence")
+
envars_suspicious = Envars.objects.filter(investigation=case, Tag="Suspicious")
envars_evidence = Envars.objects.filter(investigation=case, Tag="Evidence")
dlllist_suspicious = DllList.objects.filter(investigation=case, Tag="Suspicious")
dlllist_evidence = DllList.objects.filter(investigation=case, Tag="Evidence")
+ ldrmodules_suspicious = LdrModules.objects.filter(investigation=case, Tag="Suspicious")
+ ldrmodules_evidence = LdrModules.objects.filter(investigation=case, Tag="Evidence")
+
+ skeleton_suspicious = SkeletonKeyCheck.objects.filter(investigation=case, Tag="Suspicious")
+ skeleton_evidence = SkeletonKeyCheck.objects.filter(investigation=case, Tag="Evidence")
+
handles_suspicious = Handles.objects.filter(investigation=case, Tag="Suspicious")
handles_evidence = Handles.objects.filter(investigation=case, Tag="Evidence")
@@ -91,6 +100,13 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if sessions_evidence:
+ table = "Process ID | Process | Session ID | Session Type | User Name | Create Time | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
+ for process in sessions_evidence:
+ table += f" {process.ProcessID} | {process.Process} | {process.SessionID} | {process.SessionType} | {process.UserName} | {process.CreateTime} | Sessions \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if privs_evidence:
table = "PID | Process Value | Privilege | Attributes | Description | Value | Source | \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
@@ -99,6 +115,14 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if skeleton_evidence:
+ table = "PID | Process | Skeleton Key Found | rc4HmacInitialize | rc4HmacDecrypt | Source | \n ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
+
+ for process in skeleton_evidence:
+ table += f"{process.PID} | {process.Process} | {process.SkeletonKeyFound} | {process.rc4HmacInitialize} | {process.rc4HmacDecrypt} | SkeletonKeyCheck \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if envars_evidence:
table = "Block | PID | Process | Variable | Value | Source |\n ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
for process in envars_evidence:
@@ -113,6 +137,13 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if ldrmodules_evidence:
+ table = "Process | PID | Base | Name | Path | Size | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
+ for process in ldrmodules_evidence:
+ table += f"{process.Process} | {process.Pid} | {process.Base} | {process.InInit} | {process.InLoad} | {process.InLoad} | {process.MappedPath} | LdrModules \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if handles_evidence:
table = "Process | PID | Offset | Name | Handle Value | Granted Access | Type | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
for process in handles_evidence:
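Review bot: The ldrmodules row emits eight cells under a seven-column header whose names (`Name | Path | Size`) do not correspond to the model's fields, and `{process.InLoad}` is printed twice while `InMem` is never printed. Header and row should agree, e.g. header `"Process | PID | Base | InInit | InLoad | InMem | Mapped Path | Source \n"` with eight separator cells and row `f"{process.Process} | {process.Pid} | {process.Base} | {process.InInit} | {process.InLoad} | {process.InMem} | {process.MappedPath} | LdrModules \n"`. The ldrmodules table in the suspicious-items section further down has the same defect.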
@@ -174,6 +205,13 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if sessions_suspicious:
+ table = "Process ID | Process | Session ID | Session Type | User Name | Create Time | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
+ for process in sessions_suspicious:
+ table += f" {process.ProcessID} | {process.Process} | {process.SessionID} | {process.SessionType} | {process.UserName} | {process.CreateTime} | Sessions \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if privs_suspicious:
table = "PID | Process Value | Privilege | Attributes | Description | Value | Source | \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
for process in privs_suspicious:
@@ -181,6 +219,14 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if skeleton_suspicious:
+ table = "PID | Process | Skeleton Key Found | rc4HmacInitialize | rc4HmacDecrypt | Source | \n ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
+
+ for process in skeleton_suspicious:
+ table += f"{process.PID} | {process.Process} | {process.SkeletonKeyFound} | {process.rc4HmacInitialize} | {process.rc4HmacDecrypt} | SkeletonKeyCheck \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if envars_suspicious:
table = "Block | PID | Process | Variable | Value | Source |\n ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
for process in envars_suspicious:
@@ -195,6 +241,13 @@ def report(case):
html += markdown.markdown(table, extensions=['tables'])
text += table
+ if ldrmodules_suspicious:
+ table = "Process | PID | Base | Name | Path | Size | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
+ for process in ldrmodules_suspicious:
+ table += f"{process.Process} | {process.Pid} | {process.Base} | {process.InInit} | {process.InLoad} | {process.InLoad} | {process.MappedPath} | LdrModules \n"
+ html += markdown.markdown(table, extensions=['tables'])
+ text += table
+
if handles_suspicious:
table = "Process | PID | Offset | Name | Handle Value | Granted Access | Type | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n"
for process in handles_suspicious:
diff --git a/windows_engine/tasks.py b/windows_engine/tasks.py
index a8e24c3..a075be4 100644
--- a/windows_engine/tasks.py
+++ b/windows_engine/tasks.py
@@ -1,7 +1,7 @@
from investigations.celery import app
from investigations.models import UploadInvestigation
import subprocess
-from .vol_windows import dump_process, dump_file
+from .vol_windows import dump_process, dump_file, get_handles
@app.task(name="dump_memory_pid")
@@ -37,3 +37,12 @@ def dump_memory_file(case_id, offset):
return result
else:
return "ERROR"
+
+
+@app.task(name="compute_handles")
+def compute_handles(case_id, pid):
+ """Compute Handles for a specific PID"""
+ case = UploadInvestigation.objects.get(pk=case_id)
+ dump_path = "Cases/" + case.name
+ result = get_handles(dump_path, pid, case_id)
+ return result
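Review bot: compute_handles passes `case_id` as the third argument to get_handles, whereas its Linux counterpart compute_procmaps passes the `case` object to get_procmaps; get_handles's signature is not part of this diff, so I can't confirm which it expects, but the two tasks should follow one convention. `"Cases/" + case.name` should be `os.path.join("Cases", case.name)`, and if `case.name` can originate from user input it should be validated as a bare file name before being joined.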
diff --git a/windows_engine/urls.py b/windows_engine/urls.py
index 13dc038..1ea7045 100644
--- a/windows_engine/urls.py
+++ b/windows_engine/urls.py
@@ -10,4 +10,8 @@
path('download_hive/', views.download_hive, name='download_hive'),
path('win_tag', views.win_tag, name='win_tag'),
path('win_report', views.win_report, name='win_report'),
+ path('get_w_artifacts', views.get_w_artifacts, name='get_w_artifacts'),
+ path('get_interval', views.get_interval, name='get_interval'),
+ path('get_handles', views.get_handles, name='get_handles'),
+
]
diff --git a/windows_engine/views.py b/windows_engine/views.py
index f3e8d47..9598f2e 100644
--- a/windows_engine/views.py
+++ b/windows_engine/views.py
@@ -1,15 +1,119 @@
from django.shortcuts import render
from VolWeb.voltools import file_sha256, vt_check_file_hash
+from .models import *
+from django.core.serializers import json
from django.contrib.auth.decorators import login_required
-from windows_engine.tasks import dump_memory_pid, app, dump_memory_file
+from windows_engine.tasks import dump_memory_pid, app, dump_memory_file, compute_handles
from django.apps import apps
from django.http import JsonResponse, HttpResponse
from .forms import *
-import os, uuid, subprocess, mimetypes
+import os, uuid, mimetypes
from zipfile import ZipFile
from .report import report
+
+@login_required
+def get_handles(request):
+ """Get handles from a PID
+
+ Arguments:
+ request : http request object
+
+ Comment:
+ The user requested to watch the handles linked to a process.
+ If the handles are already calculated, then the result is fetch
+ Else, volatility3 will calculate them using celery.
+ """
+ if request.method == 'GET':
+
+ form = GetArtifacts(request.GET)
+ if form.is_valid():
+ case = form.cleaned_data['case']
+ id = case.id
+ pid = form.cleaned_data['pid']
+ json_serializer = json.Serializer()
+ # Check if the Handles are not already computed
+ handles = Handles.objects.filter(investigation_id=id, PID=pid)
+ if len(handles)>0:
+ #Already computed we display the result
+ artifacts = {
+ 'Handles': json_serializer.serialize(handles),
+ }
+ else:
+ #start a task with celery to compute the handles and send the result.
+ task_res = compute_handles.delay(str(id), str(pid))
+ res = task_res.get()
+ if res != "OK":
+ return JsonResponse({'message': "error"})
+ else:
+ artifacts = {
+ 'Handles': json_serializer.serialize(Handles.objects.filter(investigation_id=id, PID=pid)),
+ }
+ return JsonResponse({'message': "success", 'artifacts': artifacts})
+
+ return JsonResponse({'message': "error"})
+
+
+
+@login_required
+def get_interval(request):
+ """Get artifacts for a specific timestamp
+
+ Arguments:
+ request : http request object
+
+ Comment:
+ The user requested to watch the artifacts linked to a specific timestamp.
+ """
+ if request.method == 'GET':
+ form = GetInverval(request.GET)
+ if form.is_valid():
+ case = form.cleaned_data['case']
+ date = form.cleaned_data['date']
+ id = case.id
+ json_serializer = json.Serializer()
+ # Request the appropriate artifacts
+ artifacts = {
+ 'Timeliner': json_serializer.serialize(Timeliner.objects.filter(investigation_id=id,CreatedDate=date)),
+ }
+ return JsonResponse({'message': "success", 'artifacts': artifacts})
+
+ return JsonResponse({'message': "error"})
+
+
+@login_required
+def get_w_artifacts(request):
+ """Get artifacts related to all process related volatility3 plugins
+
+ Arguments:
+ request : http request object
+
+ Comment:
+ The user requested to watch the artifacts linked the process.
+ """
+ if request.method == 'GET':
+ form = GetArtifacts(request.GET)
+ if form.is_valid():
+ case = form.cleaned_data['case']
+ pid = form.cleaned_data['pid']
+ id = case.id
+ json_serializer = json.Serializer()
+ # Request the appropriate artifacts
+ artifacts = {
+ 'CmdLine': json_serializer.serialize(CmdLine.objects.filter(investigation_id=id, PID=pid)),
+ 'DllList': json_serializer.serialize(DllList.objects.filter(investigation_id=id, PID=pid)),
+ 'Privs': json_serializer.serialize(Privs.objects.filter(investigation_id=id, PID=pid)),
+ 'Handles': json_serializer.serialize(Handles.objects.filter(investigation_id=id, PID=pid)),
+ 'Envars': json_serializer.serialize(Envars.objects.filter(investigation_id=id, PID=pid)),
+ 'NetScan': json_serializer.serialize(NetScan.objects.filter(investigation_id=id, PID=pid)),
+ 'NetStat': json_serializer.serialize(NetStat.objects.filter(investigation_id=id, PID=pid)),
+ 'Sessions': json_serializer.serialize(Sessions.objects.filter(investigation_id=id, ProcessID=pid)),
+ 'LdrModules': json_serializer.serialize(LdrModules.objects.filter(investigation_id=id, Pid=pid)),
+ }
+ return JsonResponse({'message': "success", 'artifacts': artifacts})
+ return JsonResponse({'message': "error"})
+
@login_required
def win_report(request):
"""
@@ -80,6 +184,7 @@ def dump_process(request):
return JsonResponse({'message': "failed"})
else:
return JsonResponse({'message': "error"})
+ return JsonResponse({'message': "error"})
@login_required
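Review bot: The added `return JsonResponse({'message': "error"})` at the end of dump_process gives the same 200 "error" body whether the request used an unsupported method or an invalid form, so a client cannot tell the two apart; indentation is not preserved in this view, so I am reading it as the fallback after the method check. Giving the fallback its own status, `return JsonResponse({'message': "error"}, status=405)`, makes the rejection explicit without changing the success path. If it is instead placed after an if/else where both branches already return, it is unreachable and should be dropped. dump_process starts outside the hunk.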
diff --git a/windows_engine/vol_windows.py b/windows_engine/vol_windows.py
index a008d26..85d7395 100755
--- a/windows_engine/vol_windows.py
+++ b/windows_engine/vol_windows.py
@@ -1,15 +1,15 @@
-import logging
+import logging, jsonschema
from investigations.models import *
from windows_engine.models import *
-from iocs.models import *
from django.apps import apps
from VolWeb.voltools import *
from volatility3.framework.exceptions import *
-
+from volatility3.cli import MuteProgress
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
+
def build_context(dump_path, context, base_config_path, plugin, output_path):
"""This function is used to buid the context and construct each plugin
Return : The contructed plugin.
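Review bot: `import logging, jsonschema` puts two imports on one line, and `jsonschema` is not used in any hunk of this file that is visible, so it looks like an unused third-party import; if it is unused drop it, otherwise split it onto its own line (`import logging` / `import jsonschema`). The new `from volatility3.cli import MuteProgress` also replaced the blank line that separated the imports from `logging.basicConfig(...)`; keeping one blank line there matches PEP 8. build_context's body continues past the hunk.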
@@ -19,45 +19,11 @@ def build_context(dump_path, context, base_config_path, plugin, output_path):
automagics = automagic.choose_automagic(available_automagics, plugin)
context.config['automagic.LayerStacker.stackers'] = automagic.stacker.choose_os_stackers(plugin)
context.config['automagic.LayerStacker.single_location'] = "file://" + os.getcwd() + "/" + dump_path
- constructed = construct_plugin(context, automagics, plugin, base_config_path, None, file_handler(output_path))
+ constructed = construct_plugin(context, automagics, plugin, base_config_path, MuteProgress(), file_handler(output_path))
return constructed
-
-def collect_user_iocs(case, dump_path):
- """This function is used to look for string based iocs using the volatility3 strings module.
- """
- logger.info("Collecting IOCs from user's string based IOCs")
- iocs = IOC.objects.all()
-
- terms = ""
- ioc_result_name = "Cases/IOCs/iocs_invest_" + str(case.id)
- strings_output_file = "Cases/IOCs/output_" + str(case.id)
- with open(ioc_result_name, 'w') as fout:
- fout.write('')
- fout.close()
-
- for ioc in iocs:
- if case.id == ioc.linkedInvestigation.id:
- terms = terms + ioc.value + "|"
- if terms != "":
- with open(strings_output_file, 'w') as fout:
- try:
- fout.write(subprocess.check_output(['strings', '-t', 'd', dump_path]).decode())
- except subprocess.CalledProcessError as e:
- logger.info("Could not execute the strings command : ", e.output)
- fout.close()
- with open(ioc_result_name, 'w') as fout:
- try:
- fout.write(
- subprocess.check_output(['grep', '-E', terms[:len(terms) - 1], strings_output_file]).decode())
- except subprocess.CalledProcessError as e:
- logger.info("No IOCs found : ", e.output)
- fout.close()
- f_len = os.path.getsize(ioc_result_name)
- if f_len <= 1:
- result = {}
- Strings(investigation_id=case.id, **result).save()
- return
+def dump_process(dump_path, pid, output_path):
+ """Dump the process requested by the user"""
volatility3.framework.require_interface_version(2, 0, 0)
failures = volatility3.framework.import_files(plugins, True)
if failures:
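Review bot: Removing the blank line after `return constructed` leaves `def dump_process(...)` butted directly against the end of build_context; PEP 8 asks for two blank lines between top-level definitions. The docstring `"""Dump the process requested by the user"""` could also state what comes back, since the function (body in the next hunk) returns the renderer's 'Fileoutput' value: `"""Dump the memory of ``pid`` with windows.memmap.Memmap and return the rendered 'Fileoutput' value."""`. dump_process's body continues in the next hunk.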
@@ -67,20 +33,22 @@ def collect_user_iocs(case, dump_path):
plugin_list = volatility3.framework.list_plugins()
base_config_path = "plugins"
context = contexts.Context()
- context.config['plugins.Strings.strings_file'] = "file://" + os.getcwd() + "/" + ioc_result_name
- constructed = build_context(dump_path, context, base_config_path, plugin_list['windows.strings.Strings'],
- output_path=None)
+ context.config['plugins.Memmap.pid'] = int(pid)
+ context.config['plugins.Memmap.dump'] = True
+
+ constructed = build_context(dump_path, context, base_config_path, plugin_list['windows.memmap.Memmap'], output_path)
if constructed:
result = DictRenderer().render(constructed.run())
- for artifact in result:
- artifact = {x.translate({32: None}): y
- for x, y in artifact.items()}
- del (artifact['__children'])
- Strings(investigation_id=case.id, **artifact).save()
+ else:
+ logger.info("Error")
+ artifact = {x.translate({32: None}): y
+ for x, y in result[0].items()}
+ return artifact['Fileoutput']
-def dump_process(dump_path, pid, output_path):
- """Dump the process requested by the user"""
+
+def get_handles(dump_path, pid, case_id):
+ """Compute Handles for a specific PID"""
volatility3.framework.require_interface_version(2, 0, 0)
failures = volatility3.framework.import_files(plugins, True)
if failures:
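Review bot: `result` is only assigned inside `if constructed:`, so when build_context returns a falsy value the `else` logs "Error" and the following `result[0].items()` raises UnboundLocalError; an empty render would likewise raise IndexError on `result[0]`. Returning early in the else branch, `logger.error("Could not build the Memmap context for pid %s", pid)` followed by `return None`, and guarding with `if not result: return None` before indexing keeps the failure explicit, though callers (outside this hunk) would then need to handle None. `int(pid)` will also raise ValueError on a non-numeric pid; presumably the form in views.py validates it, worth confirming. dump_process's signature is in the previous hunk and get_handles's body continues in the next one.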
@@ -90,17 +58,19 @@ def dump_process(dump_path, pid, output_path):
plugin_list = volatility3.framework.list_plugins()
base_config_path = "plugins"
context = contexts.Context()
- context.config['plugins.PsList.pid'] = [int(pid)]
- context.config['plugins.PsList.dump'] = True
- constructed = build_context(dump_path, context, base_config_path, plugin_list['windows.pslist.PsList'], output_path)
+ context.config['plugins.Handles.pid'] = [int(pid)]
+ constructed = build_context(dump_path, context, base_config_path, plugin_list['windows.handles.Handles'], output_path=None)
if constructed:
result = DictRenderer().render(constructed.run())
else:
- logger.info("Error")
+ logger.info("Error the handles could not be computed")
+ return "KO"
for artifact in result:
artifact = {x.translate({32: None}): y
for x, y in artifact.items()}
- return artifact['Fileoutput']
+ del (artifact['__children'])
+ Handles(investigation_id=case_id, **artifact).save()
+ return "OK"
def dump_file(dump_path, offset, output_path):
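Review bot: get_handles saves one `Handles` row per rendered artifact but never deletes the rows already stored for that `case_id`/pid, so unless the caller does so (not visible here) each repeated request appends a duplicate set; `Handles.objects.filter(investigation_id=case_id, PID=int(pid)).delete()` before the loop would keep the table idempotent. The `"OK"`/`"KO"` string returns are also easy to misuse in a truthiness test, since both are truthy; a bool, or raising on failure, is safer for callers. The per-row `.save()` could become a single `Handles.objects.bulk_create(...)` if the model has no save-time logic.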
@@ -155,11 +125,13 @@ def run_volweb_routine_windows(dump_path, case_id, case):
# Process
'PsScan': {'plugin': plugin_list['windows.psscan.PsScan']},
'PsTree': {'plugin': plugin_list['windows.pstree.PsTree']},
+ 'DeviceTree': {'plugin': plugin_list['windows.devicetree.DeviceTree']},
'CmdLine': {'plugin': plugin_list['windows.cmdline.CmdLine']},
+ 'Sessions': {'plugin': plugin_list['windows.sessions.Sessions']},
'Privs': {'plugin': plugin_list['windows.privileges.Privs']},
'Envars': {'plugin': plugin_list['windows.envars.Envars']},
'DllList': {'plugin': plugin_list['windows.dlllist.DllList']},
- 'Handles': {'plugin': plugin_list['windows.handles.Handles']},
+ 'LdrModules': {'plugin': plugin_list['windows.ldrmodules.LdrModules']},
# Network
'NetScan': {'plugin': plugin_list['windows.netstat.NetStat']},
'NetStat': {'plugin': plugin_list['windows.netscan.NetScan']},
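Review bot: Next to the added DeviceTree, Sessions and LdrModules entries, the two network entries look inverted: `'NetScan'` maps to `plugin_list['windows.netstat.NetStat']` and `'NetStat'` to `plugin_list['windows.netscan.NetScan']`, and since the routine resolves the model by this key (`apps.get_model("windows_engine", runable)` in STEP 1) each model would end up holding the other plugin's rows. This predates the commit but is worth correcting while the table is being edited: `'NetScan': {'plugin': plugin_list['windows.netscan.NetScan']},` / `'NetStat': {'plugin': plugin_list['windows.netstat.NetStat']},`. Moving Handles out of the routine also means a case's Handles rows now exist only after get_handles has been called for that pid; presumably the UI requests them on demand.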
@@ -179,12 +151,11 @@ def run_volweb_routine_windows(dump_path, case_id, case):
'SkeletonKeyCheck': {'plugin': plugin_list['windows.skeleton_key_check.Skeleton_Key_Check']},
'FileScan': {'plugin': plugin_list['windows.filescan.FileScan']},
}
+
"""Progress Function"""
-
def update_progress(case):
- MODULES_TO_RUN = len(volweb_knowledge_base) + 2
- percentage = str(format(float(case.percentage) + float(100 / MODULES_TO_RUN), '.0f'))
- logger.info(f"Status : {percentage} %")
+ MODULES_TO_RUN = len(volweb_knowledge_base) * 2
+ percentage = str(format(float(case.percentage) + float(100 / MODULES_TO_RUN), '.0f'))
case.percentage = percentage
case.save()
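Review bot: `percentage` is rounded to a whole number with `'.0f'` on every call and then read back through `float(case.percentage)`, so the rounding error accumulates over the `2 * len(volweb_knowledge_base)` steps and the final value drifts below 100 (for example, with a 2.5 increment each step 2.5, 4.5, 6.5 … round to even and the run ends near 80). Keeping an unrounded counter of completed steps and deriving the percentage from it avoids the drift; if the field must stay a string, at least round only for display rather than before storing. `MODULES_TO_RUN` is a local, so `modules_to_run` would follow PEP 8, and the bare `"""Progress Function"""` string above the def is an expression statement rather than a comment — `# Progress function` is what is meant. update_progress is nested in run_volweb_routine_windows, which starts outside the hunk.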
@@ -193,12 +164,10 @@ def update_progress(case):
ImageSignature.objects.filter(investigation_id=case_id).delete()
signatures = memory_image_hash(dump_path)
ImageSignature(investigation_id=case_id, **signatures).save()
- update_progress(case)
"""STEP 1 : Clean database and build the basic context for each plugin"""
NetGraph.objects.filter(investigation_id=case_id).delete()
TimeLineChart.objects.filter(investigation_id=case_id).delete()
- Strings.objects.filter(investigation_id=case_id).delete()
for runable in volweb_knowledge_base:
apps.get_model("windows_engine", runable).objects.filter(investigation_id=case_id).delete()
context = contexts.Context()
@@ -211,8 +180,10 @@ def update_progress(case):
volweb_knowledge_base[runable]['plugin'],
"Cases/files")
except VolatilityException:
- partial_results = True
volweb_knowledge_base[runable]['constructed'] = []
+ except:
+ logger.info(f"Could not build context for {runable}" )
+ update_progress(case)
"""STEP 2.1 : For each constructed plugin's context, we render the result and save it."""
for runable in volweb_knowledge_base:
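Review bot: The new bare `except:` after `except VolatilityException:` catches everything including KeyboardInterrupt and SystemExit, logs at info level without the traceback, and leaves `volweb_knowledge_base[runable]['constructed']` unset, so the lookup in STEP 2.1 (the loop starting on the last line here, body outside the hunk) will presumably raise KeyError for that module; the run loop in the next hunk has the same bare `except:`, though it does set `['result'] = []`. Use `except Exception:` with `logger.exception("Could not build context for %s", runable)` and set `volweb_knowledge_base[runable]['constructed'] = []` in that branch too. Dropping `partial_results = True` from the VolatilityException path also means a module that fails to build now yields an empty result without the routine reporting partial results, because the `else:` branch of STEP 2.1 only assigns `[]`.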
@@ -224,18 +195,17 @@ def update_progress(case):
except VolatilityException:
partial_results = True
volweb_knowledge_base[runable]['result'] = []
- update_progress(case)
+ except:
+ logger.info(f"Could not run {runable}" )
+ partial_results = True
+ volweb_knowledge_base[runable]['result'] = []
else:
volweb_knowledge_base[runable]['result'] = []
- update_progress(case)
-
- """STEP 2.2 : Look for string based iocs"""
- collect_user_iocs(case, dump_path)
- update_progress(case)
+ update_progress(case)
- """STEP 3.1 : We can now inject the results inside the django database"""
+ """STEP 3.1 : We can now inject the results inside the database"""
for runable in volweb_knowledge_base:
- if runable != 'PsTree' and runable != 'UserAssist':
+ if runable != 'PsTree' and runable != 'UserAssist' and runable != 'DeviceTree':
for artifact in volweb_knowledge_base[runable]['result']:
artifact = {x.translate({32: None}): y
for x, y in artifact.items()}
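Review bot: The exclusion test `runable != 'PsTree' and runable != 'UserAssist' and runable != 'DeviceTree'` is growing into a chain; `if runable not in ('PsTree', 'UserAssist', 'DeviceTree'):` says the same thing and is easier to extend the next time a graph-only plugin is added. Because indentation is not preserved in this view I cannot tell whether the moved `update_progress(case)` sits inside the STEP 2.1 loop or after it; with `MODULES_TO_RUN = len(volweb_knowledge_base) * 2` it has to run once per module for the percentage to reach 100, so worth a second look. The enclosing run_volweb_routine_windows starts and ends outside the hunk.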
@@ -249,7 +219,7 @@ def update_progress(case):
"""STEP 3.2 : Construct and inject the graphs"""
- def rename(node):
+ def rename_pstree(node):
if len(node['__children']) == 0:
node['children'] = node['__children']
node['name'] = node['ImageFileName']
@@ -261,17 +231,53 @@ def rename(node):
del (node['__children'])
del (node['ImageFileName'])
for children in node['children']:
- rename(children)
+ rename_pstree(children)
+
+ def rename_devicetree(node):
+ if len(node['__children']) == 0:
+ node['children'] = node['__children']
+
+ node['name'] = ""
+
+ if node['DeviceName']:
+ node['name'] += node['DeviceName']
+ if node['DeviceType']:
+ node['name'] += "/" + node['DeviceType']
+ if node['DriverName']:
+ node['name'] += "/" + node['DriverName']
+ del (node['__children'])
+ else:
+ node['children'] = node['__children']
+
+ node['name'] = ""
+
+ if node['DeviceName']:
+ node['name'] += node['DeviceName']
+ if node['DeviceType']:
+ node['name'] += "/" + node['DeviceType']
+ if node['DriverName']:
+ node['name'] += "/" + node['DriverName']
+
+ del (node['__children'])
+ for children in node['children']:
+ rename_devicetree(children)
json_pstree_artifact = []
+ json_devicetree_artifact = []
json_netgraph_artifact = []
json_timeline_graph_artifact = []
if volweb_knowledge_base['PsTree']['result']:
pstree_artifact = volweb_knowledge_base['PsTree']['result']
for tree in pstree_artifact:
- rename(tree)
+ rename_pstree(tree)
json_pstree_artifact = json.dumps(pstree_artifact)
+ if volweb_knowledge_base['DeviceTree']['result']:
+ devicetree_artifact = volweb_knowledge_base['DeviceTree']['result']
+ for tree in devicetree_artifact:
+ rename_devicetree(tree)
+ json_devicetree_artifact = json.dumps(devicetree_artifact)
+
if volweb_knowledge_base['NetScan']['result'] or volweb_knowledge_base['NetStat']['result']:
json_netgraph_artifact = json.dumps(generate_network_graph(
volweb_knowledge_base['NetScan']['result'] + volweb_knowledge_base['NetStat']['result']))
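Review bot: Both branches of rename_devicetree do the same work — copy `__children` to `children`, build `name` from DeviceName/DeviceType/DriverName, delete `__children` — and differ only in whether they recurse, but iterating an empty `children` list recurses zero times anyway, so the `if len(node['__children']) == 0` split can go. Collapsing it to one body halves the function and keeps the two copies from drifting apart. The name also gets a leading "/" whenever DeviceName is empty but DeviceType or DriverName is set, which may or may not be intended; the rewrite below preserves that behaviour.
```python
    def rename_devicetree(node):
        node['children'] = node['__children']
        node['name'] = ""
        if node['DeviceName']:
            node['name'] += node['DeviceName']
        if node['DeviceType']:
            node['name'] += "/" + node['DeviceType']
        if node['DriverName']:
            node['name'] += "/" + node['DriverName']
        del node['__children']
        for child in node['children']:
            rename_devicetree(child)
```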
@@ -280,6 +286,7 @@ def rename(node):
json_timeline_graph_artifact = json.dumps(build_timeline(volweb_knowledge_base['Timeliner']['result']))
PsTree(investigation_id=case_id, graph=json_pstree_artifact).save()
+ DeviceTree(investigation_id=case_id, graph=json_devicetree_artifact).save()
NetGraph(investigation_id=case_id, graph=json_netgraph_artifact).save()
TimeLineChart(investigation_id=case_id, graph=json_timeline_graph_artifact).save()
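Review bot: `json_devicetree_artifact` defaults to the Python list `[]` and is only replaced by a `json.dumps(...)` string when DeviceTree produced a result, so `DeviceTree(..., graph=json_devicetree_artifact)` stores a str in one case and a list in the other; whatever the graph field's type is, the two will not round-trip the same way (PsTree, NetGraph and TimeLineChart carry the same pre-existing quirk). Initialising with `json_devicetree_artifact = json.dumps([])` keeps the stored value a JSON string in both cases. run_volweb_routine_windows starts and ends outside the hunk.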
@@ -305,5 +312,4 @@ def fill_userassist(list, case_id):
if volweb_knowledge_base['UserAssist']['result']:
fill_userassist(volweb_knowledge_base['UserAssist']['result'], case_id)
-
return partial_results