public static void InsertRun(AsaRun run) { if (run == null) { return; } if (MainConnection != null) { using var cmd = new SqliteCommand(SQL_INSERT_RUN, MainConnection.Connection, MainConnection.Transaction); cmd.Parameters.AddWithValue("@run_id", run.RunId); cmd.Parameters.AddWithValue("@type", run.Type); cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(run)); try { cmd.ExecuteNonQuery(); } catch (SqliteException e) { Log.Warning(e.StackTrace); Log.Warning(e.Message); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } else { Log.Debug("Failed to InsertRun because MainConnection is null."); } }
public static void InsertRun(string runId, Dictionary <RESULT_TYPE, bool> dictionary) { if (dictionary == null) { return; } string INSERT_RUN = "insert into runs (run_id, file_system, ports, users, services, registry, certificates, firewall, comobjects, eventlogs, type, timestamp, version, platform) values (@run_id, @file_system, @ports, @users, @services, @registry, @certificates, @firewall, @comobjects, @eventlogs, @type, @timestamp, @version, @platform)"; using var cmd = new SQLiteCommand(INSERT_RUN, Connection, Transaction); cmd.Parameters.AddWithValue("@run_id", runId); cmd.Parameters.AddWithValue("@file_system", (dictionary.ContainsKey(RESULT_TYPE.FILE) && dictionary[RESULT_TYPE.FILE]) || (dictionary.ContainsKey(RESULT_TYPE.FILEMONITOR) && dictionary[RESULT_TYPE.FILEMONITOR])); cmd.Parameters.AddWithValue("@ports", (dictionary.ContainsKey(RESULT_TYPE.PORT) && dictionary[RESULT_TYPE.PORT])); cmd.Parameters.AddWithValue("@users", (dictionary.ContainsKey(RESULT_TYPE.USER) && dictionary[RESULT_TYPE.USER])); cmd.Parameters.AddWithValue("@services", (dictionary.ContainsKey(RESULT_TYPE.SERVICE) && dictionary[RESULT_TYPE.SERVICE])); cmd.Parameters.AddWithValue("@registry", (dictionary.ContainsKey(RESULT_TYPE.REGISTRY) && dictionary[RESULT_TYPE.REGISTRY])); cmd.Parameters.AddWithValue("@certificates", (dictionary.ContainsKey(RESULT_TYPE.CERTIFICATE) && dictionary[RESULT_TYPE.CERTIFICATE])); cmd.Parameters.AddWithValue("@firewall", (dictionary.ContainsKey(RESULT_TYPE.FIREWALL) && dictionary[RESULT_TYPE.FIREWALL])); cmd.Parameters.AddWithValue("@comobjects", (dictionary.ContainsKey(RESULT_TYPE.COM) && dictionary[RESULT_TYPE.COM])); cmd.Parameters.AddWithValue("@eventlogs", (dictionary.ContainsKey(RESULT_TYPE.LOG) && dictionary[RESULT_TYPE.LOG])); cmd.Parameters.AddWithValue("@type", (dictionary.ContainsKey(RESULT_TYPE.FILEMONITOR) && dictionary[RESULT_TYPE.FILEMONITOR]) ? "monitor" : "collect"); cmd.Parameters.AddWithValue("@timestamp", DateTime.Now.ToString("o", CultureInfo.InvariantCulture)); cmd.Parameters.AddWithValue("@version", AsaHelpers.GetVersionString()); cmd.Parameters.AddWithValue("@platform", AsaHelpers.GetPlatformString()); try { cmd.ExecuteNonQuery(); Commit(); } catch (SQLiteException e) { Log.Warning(e.StackTrace); Log.Warning(e.Message); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } }
public static IEnumerable <RegistryObject> WalkHive(RegistryHive Hive, string startingKey = null) { Stack <RegistryKey> keys = new Stack <RegistryKey>(); RegistryKey x86_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry32); if (startingKey != null) { x86_View = x86_View.OpenSubKey(startingKey); } keys.Push(x86_View); RegistryKey x64_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry64); if (startingKey != null) { x64_View = x64_View.OpenSubKey(startingKey); } keys.Push(x64_View); while (keys.Count > 0) { RegistryKey currentKey = keys.Pop(); if (currentKey == null) { continue; } if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", currentKey.Name)) { continue; } // First push all the new subkeys onto our stack. foreach (string key in currentKey.GetSubKeyNames()) { try { var next = currentKey.OpenSubKey(name: key, writable: false); keys.Push(next); } // These are expected as we are running as administrator, not System. catch (System.Security.SecurityException e) { Log.Verbose(e, "Permission Denied: {0}", currentKey.Name); } // There seem to be some keys which are listed as existing by the APIs but don't actually exist. // Unclear if these are just super transient keys or what the other cause might be. // Since this isn't user actionable, also just supress these to the verbose stream. catch (System.IO.IOException e) { Log.Verbose(e, "Error Reading: {0}", currentKey.Name); } catch (Exception e) { Log.Information(e, "Unexpected error when parsing {0}:", currentKey.Name); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } var regObj = RegistryKeyToRegistryObject(currentKey); if (regObj != null) { yield return(regObj); } } x86_View.Dispose(); x64_View.Dispose(); }
/// <summary> /// This method distills the output from netstat -a -n -o into a list of ProcessPorts that provide a mapping between /// the process (name and id) and the ports that the process is using. /// </summary> /// <returns></returns> private static List <ProcessPort> GetNetStatPorts() { List <ProcessPort> ProcessPorts = new List <ProcessPort>(); try { using (Process Proc = new Process()) { ProcessStartInfo StartInfo = new ProcessStartInfo() { FileName = "netstat.exe", Arguments = "-a -n -o", WindowStyle = ProcessWindowStyle.Hidden, UseShellExecute = false, RedirectStandardInput = true, RedirectStandardOutput = true, RedirectStandardError = true }; Proc.StartInfo = StartInfo; Proc.Start(); StreamReader StandardOutput = Proc.StandardOutput; StreamReader StandardError = Proc.StandardError; string NetStatContent = StandardOutput.ReadToEnd() + StandardError.ReadToEnd(); if (Proc.ExitCode != 0) { Log.Error("Unable to run netstat.exe. Open ports will not be available."); return(ProcessPorts); } string[] NetStatRows = Regex.Split(NetStatContent, "\r\n"); foreach (var _outputLine in NetStatRows) { if (_outputLine == null) { continue; } var outputLine = _outputLine.Trim(); string[] Tokens = Regex.Split(outputLine, @"\s+"); try { if (Tokens.Length < 4) { continue; } string IpAddress = Regex.Replace(Tokens[1], @"\[(.*?)\]", "1.1.1.1"); if (Tokens.Length > 4 && Tokens[0].Equals("TCP")) { if (!Tokens[3].Equals("LISTENING")) { continue; } ProcessPorts.Add(new ProcessPort( GetProcessName(Convert.ToInt32(Tokens[4], CultureInfo.InvariantCulture)), Convert.ToInt32(Tokens[4], CultureInfo.InvariantCulture), IpAddress.Contains("1.1.1.1") ? $"{Tokens[1]}v6" : $"{Tokens[1]}v4", Convert.ToInt32(IpAddress.Split(':')[1], CultureInfo.InvariantCulture) )); } else if (Tokens.Length == 4 && (Tokens[0].Equals("UDP"))) { ProcessPorts.Add(new ProcessPort( GetProcessName(Convert.ToInt32(Tokens[3], CultureInfo.InvariantCulture)), Convert.ToInt32(Tokens[3], CultureInfo.InvariantCulture), IpAddress.Contains("1.1.1.1") ? $"{Tokens[1]}v6" : $"{Tokens[1]}v4", Convert.ToInt32(IpAddress.Split(':')[1], CultureInfo.InvariantCulture) )); } else { if (!outputLine.StartsWith("Proto") && !outputLine.StartsWith("Active") && !String.IsNullOrWhiteSpace(outputLine)) { Log.Warning("Primary Parsing error when processing netstat.exe output: {0}", outputLine); } } } catch (Exception e) { Log.Warning("Secondary Parsing error when processing netstat.exe output: {0}", outputLine); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } } } catch (Exception ex) { Log.Warning("Error processing open ports: {0}", ex.Message); } return(ProcessPorts); }
public static IEnumerable <RegistryKey> WalkHive(RegistryHive Hive, RegistryView View, string startingKey = "") { Stack <RegistryKey> keys = new Stack <RegistryKey>(); RegistryKey?BaseKey = null; try { BaseKey = RegistryKey.OpenBaseKey(Hive, View); } catch (Exception e) when( e is IOException || e is ArgumentException || e is UnauthorizedAccessException || e is System.Security.SecurityException) { Log.Debug($"Failed to open Hive {Hive} for walking."); } if (BaseKey != null) { if (startingKey != null) { BaseKey = BaseKey.OpenSubKey(startingKey, writable: false); } keys.Push(BaseKey); } while (keys.Count > 0) { RegistryKey currentKey = keys.Pop(); if (currentKey == null) { continue; } // First push all the new subkeys onto our stack. foreach (string key in currentKey.GetSubKeyNames()) { try { var next = currentKey.OpenSubKey(name: key, writable: false); keys.Push(next); } // TODO: Capture that these keys exist but we couldn't access them in the results // These are expected as we are running as administrator, not System. catch (System.Security.SecurityException) { Log.Debug("Permission Denied Opening Subkey: {0}\\{1}", currentKey.Name, key); } // There seem to be some keys which are listed as existing by the APIs but don't actually exist. // Unclear if these are just super transient keys or what the other cause might be. // Since this isn't user actionable, also just supress these to the verbose stream. catch (System.IO.IOException) { Log.Debug("IOError Reading: {0}\\{1}", currentKey.Name, key); } catch (Exception e) { Log.Information(e, "Unexpected error when parsing {0}\\{1}", currentKey.Name, key); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } yield return(currentKey); } BaseKey?.Dispose(); }