private JObject GetAssessedUser(JObject gppUser)
{
//set base interest level
int interestLevel = 3;
JToken gppUserProps = gppUser["Properties"];
// check what the entry is doing to the user and turn it into real word
string userAction = gppUserProps["@action"].ToString();
userAction = JUtil.GetActionString(userAction);
string cpassword = "";
string decryptedCpassword = "";
// check for cpasswords
if (gppUserProps["@cpassword"] != null)
{
cpassword = gppUserProps["@cpassword"].ToString();
if (cpassword.Length > 0)
{
decryptedCpassword = Util.DecryptCpassword(cpassword);
interestLevel = 10;
}
}
List <JToken> userProps = new List <JToken>
{
JUtil.GetSafeJProp("Name", gppUser, "@name"),
JUtil.GetSafeJProp("Changed", gppUser, "@changed"),
JUtil.GetSafeJProp("User Name", gppUserProps, "@userName"),
JUtil.GetSafeJProp("cPassword", cpassword),
JUtil.GetSafeJProp("Decrypted Password", decryptedCpassword),
JUtil.GetSafeJProp("Account Disabled", gppUserProps, "@acctDisabled"),
JUtil.GetSafeJProp("Password Never Expires", gppUserProps, "@neverExpires"),
JUtil.GetSafeJProp("Description", gppUserProps, "@description"),
JUtil.GetSafeJProp("Full Name", gppUserProps, "@fullName"),
JUtil.GetSafeJProp("New Name", gppUserProps, "@newName"),
JUtil.GetSafeJProp("Action", userAction),
};
JObject assessedUser = new JObject();
foreach (JToken userProp in userProps)
{
if (userProp != null)
{
assessedUser.Add(userProp);
}
}
// if it's too boring to be worth showing, return an empty jobj.
if (interestLevel < GlobalVar.IntLevelToShow)
{
return(null);
}
//Utility.Output.DebugWrite(assessedUser.ToString());
return(assessedUser);
}
static JProperty AssessGppEv(JToken gppEv)
{
JObject assessedGppEv = new JObject
{
{ "Name", JUtil.GetSafeString(gppEv, "@name") },
{ "Status", JUtil.GetSafeString(gppEv, "@status") },
{ "Changed", JUtil.GetSafeString(gppEv, "@changed") },
{ "Action", JUtil.GetActionString(gppEv["Properties"]["@action"].ToString()) }
};
return(new JProperty(JUtil.GetSafeString(gppEv, "@uid"), assessedGppEv));
}
private JObject GetAssessedFile(JObject gppFile)
{
int interestLevel = 3;
JObject assessedFile = new JObject();
JToken gppFileProps = gppFile["Properties"];
assessedFile.Add("Name", gppFile["@name"].ToString());
assessedFile.Add("Status", gppFile["@status"].ToString());
assessedFile.Add("Changed", gppFile["@changed"].ToString());
string gppFileAction = JUtil.GetActionString(gppFileProps["@action"].ToString());
assessedFile.Add("Action", gppFileAction);
JToken targetPathJToken = gppFileProps["@targetPath"];
if (targetPathJToken != null)
{
assessedFile.Add("Target Path", gppFileProps["@targetPath"].ToString());
}
JToken fromPathJToken = gppFileProps["@fromPath"];
if (fromPathJToken != null)
{
string fromPath = gppFileProps["@fromPath"].ToString();
if (fromPath.Length > 0)
{
JObject assessedPath = FileSystem.InvestigatePath(gppFileProps["@fromPath"].ToString());
if (assessedPath != null)
{
assessedFile.Add("From Path", assessedPath);
if (assessedPath["InterestLevel"] != null)
{
int pathInterest = (int)assessedPath["InterestLevel"];
interestLevel = interestLevel + pathInterest;
}
}
}
else
{
assessedFile.Add("From Path", fromPath);
}
}
// if it's too boring to be worth showing, return an empty jobj.
if (interestLevel <= GlobalVar.IntLevelToShow)
{
return(null);
}
return(assessedFile);
}
static JProperty AssessGppDataSource(JToken gppDataSource)
{
int interestLevel = 1;
string gppDataSourceUid = JUtil.GetSafeString(gppDataSource, "@uid");
string gppDataSourceName = JUtil.GetSafeString(gppDataSource, "@name");
string gppDataSourceChanged = JUtil.GetSafeString(gppDataSource, "@changed");
JToken gppDataSourceProps = gppDataSource["Properties"];
string gppDataSourceAction = JUtil.GetActionString(gppDataSourceProps["@action"].ToString());
string gppDataSourceUserName = JUtil.GetSafeString(gppDataSourceProps, "@username");
string gppDataSourcecPassword = JUtil.GetSafeString(gppDataSourceProps, "@cpassword");
string gppDataSourcePassword = "";
if (gppDataSourcecPassword.Length > 0)
{
gppDataSourcePassword = Util.DecryptCpassword(gppDataSourcecPassword);
interestLevel = 10;
}
string gppDataSourceDsn = JUtil.GetSafeString(gppDataSourceProps, "@dsn");
string gppDataSourceDriver = JUtil.GetSafeString(gppDataSourceProps, "@driver");
string gppDataSourceDescription = JUtil.GetSafeString(gppDataSourceProps, "@description");
JToken gppDataSourceAttributes = gppDataSourceProps["Attributes"];
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppDataSource = new JObject
{
{ "Name", gppDataSourceName },
{ "Changed", gppDataSourceChanged },
{ "Action", gppDataSourceAction },
{ "Username", gppDataSourceUserName }
};
if (gppDataSourcecPassword.Length > 0)
{
assessedGppDataSource.Add("cPassword", gppDataSourcecPassword);
assessedGppDataSource.Add("Decrypted Password", gppDataSourcePassword);
}
assessedGppDataSource.Add("DSN", gppDataSourceDsn);
assessedGppDataSource.Add("Driver", gppDataSourceDriver);
assessedGppDataSource.Add("Description", gppDataSourceDescription);
if ((gppDataSourceAttributes != null) && (gppDataSourceAttributes.HasValues))
{
assessedGppDataSource.Add("Attributes", gppDataSourceAttributes);
}
return(new JProperty(gppDataSourceUid, assessedGppDataSource));
}
return(null);
}
static JProperty AssessGppIni(JToken gppIni)
{
int interestLevel = 1;
string gppIniUid = JUtil.GetSafeString(gppIni, "@uid");
string gppIniName = JUtil.GetSafeString(gppIni, "@name");
string gppIniChanged = JUtil.GetSafeString(gppIni, "@changed");
string gppIniStatus = JUtil.GetSafeString(gppIni, "@status");
JToken gppIniProps = gppIni["Properties"];
string gppIniAction = JUtil.GetActionString(gppIniProps["@action"].ToString());
JToken gppIniPath = FileSystem.InvestigatePath(JUtil.GetSafeString(gppIniProps, "@path"));
JToken gppIniSection = FileSystem.InvestigateString(JUtil.GetSafeString(gppIniProps, "@section"));
JToken gppIniValue = FileSystem.InvestigateString(JUtil.GetSafeString(gppIniProps, "@value"));
JToken gppIniProperty = FileSystem.InvestigateString(JUtil.GetSafeString(gppIniProps, "@property"));
// check each of our potentially interesting values to see if it raises our overall interest level
JToken[] valuesWithInterest = { gppIniPath, gppIniSection, gppIniValue, gppIniProperty };
foreach (JToken val in valuesWithInterest)
{
if ((val != null) && (val["InterestLevel"] != null))
{
int valInterestLevel = int.Parse(val["InterestLevel"].ToString());
if (valInterestLevel > interestLevel)
{
interestLevel = valInterestLevel;
}
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppIni = new JObject
{
{ "Name", gppIniName },
{ "Changed", gppIniChanged },
{ "Path", gppIniPath },
{ "Action", gppIniAction },
{ "Status", gppIniStatus },
{ "Section", gppIniSection },
{ "Value", gppIniValue },
{ "Property", gppIniProperty }
};
return(new JProperty(gppIniUid, assessedGppIni));
}
return(null);
}
private JProperty GetAssessedNetworkShare(JToken netShare)
{
int interestLevel = 2;
JObject assessedGppNetShare = new JObject
{
{ "Name", JUtil.GetSafeString(netShare, "@name") },
{ "Changed", JUtil.GetSafeString(netShare, "@changed") },
{ "Action", JUtil.GetActionString(netShare["Properties"]["@action"].ToString()) }
};
assessedGppNetShare.Add("Path", JUtil.GetSafeString(netShare["Properties"], "@path"));
assessedGppNetShare.Add("Comment", JUtil.GetSafeString(netShare["Properties"], "@comment"));
// removed InvestigatePath because it's a network share, it's literally always going to be local and therefore not super interesting.
if (interestLevel >= GlobalVar.IntLevelToShow)
{
return(new JProperty(netShare["@uid"].ToString(), assessedGppNetShare));
}
return(null);
}
static JProperty AssessGppPrinter(JToken gppPrinter)
{
int interestLevel = 1;
string gppPrinterUid = JUtil.GetSafeString(gppPrinter, "@uid");
string gppPrinterName = JUtil.GetSafeString(gppPrinter, "@name");
string gppPrinterChanged = JUtil.GetSafeString(gppPrinter, "@changed");
JToken gppPrinterProps = gppPrinter["Properties"];
string gppPrinterAction = JUtil.GetActionString(gppPrinterProps["@action"].ToString());
string gppPrinterUsername = JUtil.GetSafeString(gppPrinterProps, "@username");
string gppPrintercPassword = JUtil.GetSafeString(gppPrinterProps, "@cpassword");
string gppPrinterPassword = "";
if (gppPrintercPassword.Length > 0)
{
gppPrinterPassword = Util.DecryptCpassword(gppPrintercPassword);
interestLevel = 10;
}
string gppPrinterAddress = JUtil.GetSafeString(gppPrinterProps, "@ipAddress");
string gppPrinterLocalName = JUtil.GetSafeString(gppPrinterProps, "@localName");
string gppPrinterSnmpCommString = JUtil.GetSafeString(gppPrinterProps, "@snmpCommunity");
if (gppPrinterSnmpCommString.Length > 1)
{
interestLevel = 7;
}
JToken gppPrinterPath = FileSystem.InvestigatePath(JUtil.GetSafeString(gppPrinterProps, "@path"));
JToken gppPrinterComment = FileSystem.InvestigateString(JUtil.GetSafeString(gppPrinterProps, "@comment"));
JToken gppPrinterLocation = FileSystem.InvestigateString(JUtil.GetSafeString(gppPrinterProps, "@location"));
// check each of our potentially interesting values to see if it raises our overall interest level
JToken[] valuesWithInterest = { gppPrinterPath, gppPrinterComment, gppPrinterLocation, };
foreach (JToken val in valuesWithInterest)
{
if ((val != null) && (val["InterestLevel"] != null))
{
int valInterestLevel = int.Parse(val["InterestLevel"].ToString());
if (valInterestLevel > interestLevel)
{
interestLevel = valInterestLevel;
}
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppPrinter = new JObject
{
{ "Name", gppPrinterName },
{ "Changed", gppPrinterChanged },
{ "Action", gppPrinterAction }
};
if (gppPrintercPassword.Length > 0)
{
assessedGppPrinter.Add("Username", gppPrinterUsername);
assessedGppPrinter.Add("cPassword", gppPrintercPassword);
assessedGppPrinter.Add("Decrypted Password", gppPrinterPassword);
}
assessedGppPrinter.Add("Local Name", gppPrinterLocalName);
assessedGppPrinter.Add("Address", gppPrinterAddress);
assessedGppPrinter.Add("Path", gppPrinterPath);
assessedGppPrinter.Add("SNMP Community String", gppPrinterSnmpCommString);
assessedGppPrinter.Add("Comment", gppPrinterComment);
assessedGppPrinter.Add("Location", gppPrinterLocation);
return(new JProperty(gppPrinterUid, assessedGppPrinter));
}
return(null);
}
static JProperty AssessGppDrive(JToken gppDrive)
{
int interestLevel = 1;
string gppDriveUid = JUtil.GetSafeString(gppDrive, "@uid");
string gppDriveName = JUtil.GetSafeString(gppDrive, "@name");
string gppDriveChanged = JUtil.GetSafeString(gppDrive, "@changed");
string gppDriveAction = JUtil.GetActionString(gppDrive["Properties"]["@action"].ToString());
string gppDriveUserName = JUtil.GetSafeString(gppDrive["Properties"], "@userName");
string gppDrivecPassword = JUtil.GetSafeString(gppDrive["Properties"], "@cpassword");
string gppDrivePassword = "";
if (gppDrivecPassword.Length > 0)
{
gppDrivePassword = Util.DecryptCpassword(gppDrivecPassword);
interestLevel = 10;
}
string gppDriveLetter = "";
if (gppDrive["Properties"]["@useLetter"] != null)
{
if (gppDrive["Properties"]["@useLetter"].ToString() == "1")
{
gppDriveLetter = JUtil.GetSafeString(gppDrive["Properties"], "@letter");
}
else if (gppDrive["Properties"]["@useLetter"].ToString() == "0")
{
gppDriveLetter = "First letter available, starting at " +
JUtil.GetSafeString(gppDrive["Properties"], "@letter");
}
}
string gppDriveLabel = JUtil.GetSafeString(gppDrive["Properties"], "@label");
JObject gppDrivePath = FileSystem.InvestigatePath(gppDrive["Properties"]["@path"].ToString());
if (gppDrivePath != null)
{
if (gppDrivePath["InterestLevel"] != null)
{
int pathInterestLevel = int.Parse(gppDrivePath["InterestLevel"].ToString());
if (pathInterestLevel > interestLevel)
{
interestLevel = pathInterestLevel;
}
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppDrive = new JObject
{
{ "Name", gppDriveName },
{ "Action", gppDriveAction },
{ "Changed", gppDriveChanged },
{ "Drive Letter", gppDriveLetter },
{ "Label", gppDriveLabel }
};
if (gppDrivecPassword.Length > 0)
{
assessedGppDrive.Add("Username", gppDriveUserName);
assessedGppDrive.Add("cPassword", gppDrivecPassword);
assessedGppDrive.Add("Decrypted Password", gppDrivePassword);
}
if (gppDrivePath != null)
{
assessedGppDrive.Add("Path", gppDrivePath);
}
return(new JProperty(gppDriveUid, assessedGppDrive));
}
return(null);
}
private JObject GetAssessedShortcut(JObject gppShortcut)
{
int interestLevel = 3;
JObject assessedShortcut = new JObject();
JToken gppShortcutProps = gppShortcut["Properties"];
assessedShortcut.Add("Name", JUtil.GetSafeString(gppShortcut, "@name"));
assessedShortcut.Add("Status", JUtil.GetSafeString(gppShortcut, "@status"));
assessedShortcut.Add("Changed", JUtil.GetSafeString(gppShortcut, "@changed"));
string gppShortcutAction = JUtil.GetActionString(gppShortcutProps["@action"].ToString());
assessedShortcut.Add("Action", gppShortcutAction);
assessedShortcut.Add("Target Type", JUtil.GetSafeString(gppShortcutProps, "@targetType"));
string arguments = JUtil.GetSafeString(gppShortcutProps, "@arguments");
if (arguments != null)
{
JToken investigatedArguments = FileSystem.InvestigateString(arguments);
assessedShortcut.Add("Arguments", arguments);
if (investigatedArguments["InterestLevel"] != null)
{
if ((int)investigatedArguments["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedArguments["InterestLevel"];
}
}
}
string iconPath = JUtil.GetSafeString(gppShortcutProps, "@iconPath");
JObject investigatedIconPath = FileSystem.InvestigatePath(iconPath);
if ((investigatedIconPath != null) && (investigatedIconPath["InterestLevel"] != null))
{
if ((int)investigatedIconPath["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedIconPath["InterestLevel"];
}
}
assessedShortcut.Add("Icon Path", investigatedIconPath);
assessedShortcut.Add("Icon Index", JUtil.GetSafeString(gppShortcutProps, "@iconIndex"));
string workingDir = JUtil.GetSafeString(gppShortcutProps, "@startIn");
if (workingDir != null)
{
JToken assessedWorkingDir = FileSystem.InvestigatePath(workingDir);
if (assessedWorkingDir != null)
{
assessedShortcut.Add("Working Directory", assessedWorkingDir);
}
}
assessedShortcut.Add("Comment", JUtil.GetSafeString(gppShortcutProps, "@comment"));
string shortcutPath = JUtil.GetSafeString(gppShortcutProps, "@shortcutPath");
JObject investigatedShortcutPath = FileSystem.InvestigatePath(shortcutPath);
if (investigatedShortcutPath["InterestLevel"] != null)
{
if ((int)investigatedShortcutPath["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedShortcutPath["InterestLevel"];
}
}
string targetPath = JUtil.GetSafeString(gppShortcutProps, "@targetPath");
JObject investigatedTargetPath = FileSystem.InvestigatePath(targetPath);
if ((investigatedTargetPath != null) && (investigatedTargetPath["InterestLevel"] != null))
{
if ((int)investigatedTargetPath["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedTargetPath["InterestLevel"];
}
}
assessedShortcut.Add("Shortcut Path", investigatedShortcutPath);
assessedShortcut.Add("Target Path", investigatedTargetPath);
// if it's too boring to be worth showing, return an empty jobj.
if (interestLevel < GlobalVar.IntLevelToShow)
{
return(null);
}
return(assessedShortcut);
}
private JObject GetAssessedScheduledTask(JToken scheduledTask, string schedTaskType)
{
int interestLevel = 4;
JObject assessedScheduledTask = new JObject
{
{ "Name", scheduledTask["@name"].ToString() },
{ "UID", scheduledTask["@uid"].ToString() },
{ "Type", schedTaskType },
{ "Changed", scheduledTask["@changed"].ToString() }
};
if (scheduledTask["Properties"]["@runAs"] != null)
{
assessedScheduledTask.Add("Run As", JUtil.GetSafeString(scheduledTask["Properties"], "@runAs"));
}
string cPassword = JUtil.GetSafeString(scheduledTask["Properties"], "@cpassword");
if (cPassword.Length > 1)
{
assessedScheduledTask.Add("Encrypted Password",
JUtil.GetSafeString(scheduledTask["Properties"], "@cpassword"));
assessedScheduledTask.Add("Decrypted Password", Util.DecryptCpassword(cPassword));
interestLevel = 10;
}
if (scheduledTask["Properties"]["@logonType"] != null)
{
assessedScheduledTask.Add("Logon Type",
JUtil.GetSafeString(scheduledTask["Properties"], "@logonType"));
}
// handle the entries that are specific to some task types but not others
// both taskv2 and immediatetaskv2 have the same rough structure
if (schedTaskType.EndsWith("V2"))
{
assessedScheduledTask.Add("Action",
JUtil.GetActionString(scheduledTask["Properties"]["@action"].ToString()));
assessedScheduledTask.Add("Description", JUtil.GetSafeString(scheduledTask, "@desc"));
assessedScheduledTask.Add("Enabled",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Settings"], "Enabled"));
// just adding the Triggers info raw, there are way too many options.
assessedScheduledTask.Add("Triggers", scheduledTask["Properties"]["Task"]["Triggers"]);
if (scheduledTask["Properties"]["Task"]["Actions"]["ShowMessage"] != null)
{
assessedScheduledTask.Add(
new JProperty("Action - Show Message", new JObject(
new JProperty("Title",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["ShowMessage"],
"Title")),
new JProperty("Body",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["ShowMessage"],
"Body"))
)
)
);
}
if (scheduledTask["Properties"]["Task"]["Actions"]["Exec"] != null)
{
// do we have an array of Command?
if (scheduledTask["Properties"]["Task"]["Actions"]["Exec"].Type == JTokenType.Array)
{
int i = 1;
foreach (JToken item in scheduledTask["Properties"]["Task"]["Actions"]["Exec"])
{
assessedScheduledTask.Add(ExtractCommandFromScheduledTask(item, ref interestLevel, i));
i++;
}
}
else
{
// or just one?
assessedScheduledTask.Add(ExtractCommandFromScheduledTask(scheduledTask["Properties"]["Task"]["Actions"]["Exec"], ref interestLevel));
}
}
if (scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"] != null)
{
string attachmentString =
JUtil.GetSafeString(
scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"]["Attachments"], "File");
JObject attachment = new JObject(new JProperty("Attachment", attachmentString));
if (GlobalVar.OnlineChecks)
{
attachment = FileSystem.InvestigateString(attachmentString);
if (attachment["InterestLevel"] != null)
{
int attachmentInterest = (int)attachment["InterestLevel"];
interestLevel = interestLevel + attachmentInterest;
}
}
assessedScheduledTask.Add(
new JProperty("Action - Send Email", new JObject(
new JProperty("From",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"From")),
new JProperty("To",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"To")),
new JProperty("Subject",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"Subject")),
new JProperty("Body",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"Body")),
new JProperty("Header Fields",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"HeaderFields")),
new JProperty("Attachment", attachment),
new JProperty("Server",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"Server"))
)
)
);
}
}
if (schedTaskType == "Task")
{
string commandString = JUtil.GetSafeString(scheduledTask["Properties"], "@appname");
string argumentsString = JUtil.GetSafeString(scheduledTask["Properties"], "@args");
JObject command = new JObject(new JProperty("Command", commandString));
JObject arguments = new JObject(new JProperty("Arguments", argumentsString));
command = FileSystem.InvestigatePath(commandString);
arguments = FileSystem.InvestigateString(argumentsString);
if ((arguments != null) && (arguments["InterestLevel"] != null))
{
int argumentInterest = (int)arguments["InterestLevel"];
interestLevel = interestLevel + argumentInterest;
}
if ((command != null) && (command["InterestLevel"] != null))
{
int commandInterest = (int)command["InterestLevel"];
interestLevel = interestLevel + commandInterest;
}
assessedScheduledTask.Add("Action",
JUtil.GetActionString(scheduledTask["Properties"]["@action"].ToString()));
assessedScheduledTask.Add("Command", command);
assessedScheduledTask.Add("Args", arguments);
JObject assessedWorkingDir =
FileSystem.InvestigatePath(JUtil.GetSafeString(scheduledTask["Properties"], "@startIn"));
if ((assessedWorkingDir != null) && assessedWorkingDir.HasValues)
{
assessedScheduledTask.Add("Working Dir", assessedWorkingDir);
}
if (scheduledTask["Properties"]["Triggers"] != null)
{
assessedScheduledTask.Add("Triggers", scheduledTask["Properties"]["Triggers"]);
}
}
if (schedTaskType == "ImmediateTask")
{
string argumentsString = JUtil.GetSafeString(scheduledTask["Properties"], "@args");
string commandString = JUtil.GetSafeString(scheduledTask["Properties"], "@appName");
JObject command = new JObject(new JProperty("Command", commandString));
JObject arguments = new JObject(new JProperty("Arguments", argumentsString));
command = FileSystem.InvestigatePath(commandString);
arguments = FileSystem.InvestigateString(argumentsString);
if ((arguments != null) && (arguments["InterestLevel"] != null))
{
int argumentInterest = (int)arguments["InterestLevel"];
interestLevel = interestLevel + argumentInterest;
}
if ((command != null) && (command["InterestLevel"] != null))
{
int commandInterest = (int)command["InterestLevel"];
interestLevel = interestLevel + commandInterest;
}
assessedScheduledTask.Add("Command", command);
assessedScheduledTask.Add("Arguments", arguments);
JObject assessedWorkingDir =
FileSystem.InvestigatePath(JUtil.GetSafeString(scheduledTask["Properties"], "@startIn"));
if ((assessedWorkingDir != null) && assessedWorkingDir.HasValues)
{
assessedScheduledTask.Add("Working Dir", assessedWorkingDir);
}
assessedScheduledTask.Add("Comment", JUtil.GetSafeString(scheduledTask["Properties"], "@comment"));
}
if (interestLevel < GlobalVar.IntLevelToShow)
{
return(null);
}
return(assessedScheduledTask);
}
private JObject GetAssessedGroup(JObject gppGroup)
{
int interestLevel = 3;
JToken gppGroupProps = gppGroup["Properties"];
// check what the entry is doing to the group and turn it into real word
string groupAction = JUtil.GetActionString(gppGroupProps["@action"].ToString());
//TODO if the name is an interesting group, make the finding more interesting.
JArray gppGroupMemberJArray = new JArray();
string membersString = "";
if (gppGroupProps["Members"] != null)
{
if (!(gppGroupProps["Members"] is JValue))
{
if (gppGroupProps["Members"]["Member"] != null)
{
JToken members = gppGroupProps["Members"]["Member"];
string membersType = members.Type.ToString();
if (membersType == "Array")
{
foreach (JToken member in members.Children())
{
gppGroupMemberJArray.Add(GetAssessedGroupMember(member));
}
}
else if (membersType == "Object")
{
gppGroupMemberJArray.Add(GetAssessedGroupMember(members));
}
else
{
Output.DebugWrite("Something went squirrely with Group Memberships");
Output.DebugWrite(members.Type.ToString());
Output.DebugWrite(" " + membersType + " ");
Output.DebugWrite(members.ToString());
}
}
}
// munge jarray string to make it tidier.
membersString = gppGroupMemberJArray.ToString();
membersString = membersString.Replace("\"", "");
membersString = membersString.Replace(",", "");
membersString = membersString.Replace("[", "");
membersString = membersString.Replace("]", "");
membersString = membersString.Replace("{", "");
membersString = membersString.Replace("}", "");
membersString = membersString.Replace(" ", "");
membersString = membersString.Replace("\r\n \r\n \r\n", "\r\n\r\n");
membersString = membersString.Trim();
}
List <JToken> groupProps = new List <JToken>
{
JUtil.GetSafeJProp("Name", gppGroup, "@name"),
JUtil.GetSafeJProp("Description", gppGroup, "@description"),
JUtil.GetSafeJProp("New Name", gppGroupProps, "@newName"),
JUtil.GetSafeJProp("Delete All Users", gppGroupProps, "@deleteAllUsers"),
JUtil.GetSafeJProp("Delete All Groups", gppGroupProps, "@deleteAllGroups"),
JUtil.GetSafeJProp("Remove Accounts", gppGroupProps, "@removeAccounts"),
JUtil.GetSafeJProp("Action", groupAction),
JUtil.GetSafeJProp("Members", membersString)
};
JObject assessedGroup = new JObject();
foreach (JProperty groupProp in groupProps)
{
if (groupProp != null)
{
assessedGroup.Add(groupProp);
}
}
if ((interestLevel > GlobalVar.IntLevelToShow) && (assessedGroup.HasValues))
{
return(assessedGroup);
}
return(null);
}
private JObject GetAssessedRegistrySetting(JToken gppRegSetting)
{
JObject jankyDb = JankyDb.Instance;
// get our data about what regkeys are interesting
JArray intRegKeysData = (JArray)jankyDb["regKeys"];
JObject assessedRegistrySetting = new JObject();
assessedRegistrySetting.Add("Display Name", JUtil.GetSafeString(gppRegSetting, "@name"));
assessedRegistrySetting.Add("Status", JUtil.GetSafeString(gppRegSetting, "@status"));
assessedRegistrySetting.Add("Changed", JUtil.GetSafeString(gppRegSetting, "@changed"));
assessedRegistrySetting.Add("Action", JUtil.GetActionString(gppRegSetting["Properties"]["@action"].ToString()));
assessedRegistrySetting.Add("Default", JUtil.GetSafeString(gppRegSetting["Properties"], "@default"));
assessedRegistrySetting.Add("Hive", JUtil.GetSafeString(gppRegSetting["Properties"], "@hive"));
string key = JUtil.GetSafeString(gppRegSetting["Properties"], "@key");
int interestLevel = 1;
foreach (JToken intRegKey in intRegKeysData)
{
if (key.ToLower().Contains(intRegKey["regKey"].ToString().ToLower()))
{
// get the name
string interestLevelString = intRegKey["intLevel"].ToString();
// if it matches at all it's a 1.
// if we can get the interest level from it, do so, otherwise throw an error that we need to fix something.
if (!int.TryParse(interestLevelString, out interestLevel))
{
Utility.Output.DebugWrite(intRegKey["regKey"].ToString() +
" in jankydb doesn't have an interest level assigned.");
}
}
}
JObject investigatedKey = FileSystem.InvestigateString(key);
if ((int)investigatedKey["InterestLevel"] >= interestLevel)
{
interestLevel = (int)investigatedKey["InterestLevel"];
}
assessedRegistrySetting.Add("Key", investigatedKey);
string name = JUtil.GetSafeString(gppRegSetting["Properties"], "@name");
JObject investigatedName = FileSystem.InvestigateString(name);
if ((int)investigatedName["InterestLevel"] >= interestLevel)
{
interestLevel = (int)investigatedKey["InterestLevel"];
}
assessedRegistrySetting.Add("Name", investigatedName);
assessedRegistrySetting.Add("Type", JUtil.GetSafeString(gppRegSetting["Properties"], "@type"));
string value = JUtil.GetSafeString(gppRegSetting["Properties"], "@value");
JObject investigatedValue = FileSystem.InvestigateString(value);
if ((int)investigatedValue["InterestLevel"] >= interestLevel)
{
interestLevel = (int)investigatedKey["InterestLevel"];
}
assessedRegistrySetting.Add("Value", investigatedValue);
if (interestLevel >= GlobalVar.IntLevelToShow)
{
return(new JObject(assessedRegistrySetting));
}
else
{
return(null);
}
}