From 9e85f4ad4da6331936e6409b6390d64655c76d1b Mon Sep 17 00:00:00 2001 From: k1nd0ne Date: Mon, 26 Dec 2022 23:08:52 +0100 Subject: [PATCH 1/5] Fixing performance issues. jsonschema requirements. dynamic Handles. dynamic Timeline. volatility3 2.4.0. --- dashboard/static/css/styles.css | 14 + dashboard/static/js/investigations.js | 2 +- dashboard/static/js/review.js | 30 - dashboard/static/js/windows.js | 1326 ++++++++++++++++- docker/Dockerfile | 2 +- .../investigations/review_invest.html | 48 +- .../windows/processes/cmdline.html | 36 - .../windows/processes/dlllist.html | 44 - .../windows/processes/envars.html | 41 - .../windows/processes/handles.html | 49 +- .../windows/processes/malfind.html | 2 +- .../windows/processes/network.html | 86 -- .../windows/processes/privileges.html | 45 +- .../windows/processes/tree.html | 2 +- .../windows/timeline/timeline.html | 50 +- investigations/views.py | 8 - requirements.txt | 3 +- windows_engine/forms.py | 8 + windows_engine/tasks.py | 11 +- windows_engine/urls.py | 4 + windows_engine/views.py | 105 +- windows_engine/vol_windows.py | 30 +- 22 files changed, 1463 insertions(+), 483 deletions(-) diff --git a/dashboard/static/css/styles.css b/dashboard/static/css/styles.css index 4c64c4a..06c470c 100644 --- a/dashboard/static/css/styles.css +++ b/dashboard/static/css/styles.css @@ -92,6 +92,10 @@ text-align: left; } +.table-responsive { + overflow: inherit; +} + .overlay { display: none; position: fixed; @@ -204,6 +208,16 @@ thead, tbody { margin: -25px 0 0 -25px; } +.spinner-timeline { + z-index: 2; + position: absolute; + top: 15%; + left: 55%; + margin: -25px 0 0 -25px; +} + + + .open-menu { padding-top: 10px; diff --git a/dashboard/static/js/investigations.js b/dashboard/static/js/investigations.js index a502f9c..92bdb58 100644 --- a/dashboard/static/js/investigations.js +++ b/dashboard/static/js/investigations.js 
@@ -225,7 +225,7 @@ if (sidebar) { } if (response['message'] == "error") { - $('#proc-error-message').html("Something went wrong getting the linked iocs."); + $('#proc-error-message').html("Something went wrong getting the case."); $('.toast-proc-error').toast('show'); } $('.invest-details').show(); diff --git a/dashboard/static/js/review.js b/dashboard/static/js/review.js index c1e7536..5a2ce9c 100644 --- a/dashboard/static/js/review.js +++ b/dashboard/static/js/review.js @@ -63,36 +63,6 @@ function DemandProcDump(pid, case_id) { }); } -function DisplayArtifacts(collapse, process) { - - if ($('#' + collapse).attr("aria-expanded") == "true") { - $('.pid').addClass('d-none'); - $('.default-td').addClass('d-none'); - $('.spinner-review').removeClass("d-none"); - setTimeout(function () { - $('.processes_tab').removeClass('d-none'); - $('.' + process).removeClass('d-none'); - $('.default-td').removeClass('d-none'); - $('.spinner-review').addClass("d-none"); - }, 2000); - } -} - -function DisplayAll() { - - if ($('#collapse_default').attr("aria-expanded") == "true") { - $('.pid').addClass('d-none'); - $('.spinner-review').removeClass("d-none"); - setTimeout(function () { - $('.processes_tab').removeClass('d-none'); - $('.pid').removeClass('d-none'); - $('.spinner-review').addClass("d-none"); - - - }, 2000); - } -} - function copy(text, target) { $(target).attr("title", "Copied!"); $(target).tooltip('dispose') diff --git a/dashboard/static/js/windows.js b/dashboard/static/js/windows.js index 2f997b9..85ba2f3 100644 --- a/dashboard/static/js/windows.js +++ b/dashboard/static/js/windows.js @@ -1,4 +1,5 @@ -function Tag(url, plugin_name, artifact_id, status){ +function Tag(plugin_name, artifact_id, status) { + var url = $("#tabs").attr("data-url"); const csrf = document.getElementsByName('csrfmiddlewaretoken'); const fd = new FormData(); fd.append('csrfmiddlewaretoken', csrf[0].value); 
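Review bot: The new signature drops `url` but `Tag` still ends with `event.preventDefault();` (a context line in the next hunk of this file), which depends on the implicit global `window.event`; the new DOM-built callers in the later hunk invoke `Tag(...)` from `addEventListener('click', function (e) { ... })` anchors with `href="#"` and never forward `e`, so where the legacy global is unavailable the click falls through and the page jumps to the top. Since the signature is changing anyway, take the event explicitly: `function Tag(plugin_name, artifact_id, status, evt) {` and replace the final line with `if (evt) { evt.preventDefault(); }`, passing `e` from the callers. Separately, `$("#tabs").attr("data-url")` is `undefined` when `#tabs` is absent, in which case jQuery posts the form to the current document URL; a short guard such as `if (!url) { return; }` after the lookup would make the failure explicit. Tag's body continues outside this hunk.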
@@ -6,71 +7,68 @@ function Tag(url, plugin_name, artifact_id, status){ fd.append('artifact_id', artifact_id); fd.append('status', status); $.ajax({ - type:'POST', + type: 'POST', url: url, enctype: 'multipart/form-data', data: fd, - beforeSend: function(){ - - }, - success: function(data){ - if(status == "Evidence"){ - $('.tag_evidence_'+artifact_id+"_"+plugin_name).removeClass("d-none"); - $('.tag_suspicious_'+artifact_id+"_"+plugin_name).addClass("d-none"); + success: function (data) { + if (status == "Evidence") { + $('.tag_evidence_' + artifact_id + "_" + plugin_name).removeClass("d-none"); + $('.tag_suspicious_' + artifact_id + "_" + plugin_name).addClass("d-none"); } - if(status == "Suspicious"){ - $('.tag_suspicious_'+artifact_id+"_"+plugin_name).removeClass("d-none"); - $('.tag_evidence_'+artifact_id+"_"+plugin_name).addClass("d-none"); + if (status == "Suspicious") { + $('.tag_suspicious_' + artifact_id + "_" + plugin_name).removeClass("d-none"); + $('.tag_evidence_' + artifact_id + "_" + plugin_name).addClass("d-none"); } - if(status == "Clear"){ - $('.tag_suspicious_'+artifact_id+"_"+plugin_name).addClass("d-none"); - $('.tag_evidence_'+artifact_id+"_"+plugin_name).addClass("d-none"); + if (status == "Clear") { + $('.tag_suspicious_' + artifact_id + "_" + plugin_name).addClass("d-none"); + $('.tag_evidence_' + artifact_id + "_" + plugin_name).addClass("d-none"); } }, - error: function(error){ + error: function (error) { $('#proc-error-message').html("Could not tag the artifact."); $('.toast-proc-error').toast('show'); }, cache: false, - contentType : false, + contentType: false, processData: false }); event.preventDefault(); } -function GetReport(url, case_id){ +function GetReport(url, case_id) { const csrf = document.getElementsByName('csrfmiddlewaretoken'); const fd = new FormData(); fd.append('csrfmiddlewaretoken', csrf[0].value); fd.append('case_id', case_id); $.ajax({ - type:'POST', + type: 'POST', url: url, enctype: 'multipart/form-data', data: fd, 
- beforeSend: function(){ + beforeSend: function () { }, - success: function(data){ - $('#report_content_html').html(data['html']) - $('#report_content_text').html(data['text']) - //We add style to the table - $('#report_content_html table').addClass('table table-sm table-dark') - $('#report_content_text').addClass('d-none') - $('#report_content_html').removeClass('d-none') + success: function (data) { + $('#report_content_html').html(data['html']) + $('#report_content_text').html(data['text']) + //We add style to the table + $('#report_content_html table').addClass('table table-sm table-dark') + $('#report_content_text').addClass('d-none') + $('#report_content_html').removeClass('d-none') }, - error: function(error){ + error: function (error) { $('#proc-error-message').html("Could not generate report."); $('.toast-proc-error').toast('show'); }, cache: false, - contentType : false, + contentType: false, processData: false }); } -$(document).ready(function(){ +$(document).ready(function () { $('.plugin').hide(); $('.toast-other').toast('show'); 
@@ -81,59 +79,59 @@ $(document).ready(function(){ /* ################################ REGISTRY SCRIPTS ################################ */ - $("#search_registry").on("keyup", function() { + $("#search_registry").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#UserAssist tr").filter(function() { + $("#UserAssist tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); //TimeLine SearchBar - $("#searchTimeline").on("keyup", function() { + $("#searchTimeline").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#TimelineTab tr").filter(function() { + $("#TimelineTab tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) !== -1) }) }); //FileScan SearchBar - $("#search_files").on("keyup", function() { + $("#search_files").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#FileScanTab tr").filter(function() { + $("#FileScanTab tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); //CmdLine SearchBar - $("#searchCmdLine").on("keyup", function() { + $("#searchCmdLine").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#cmdline tr").filter(function() { + $("#cmdline tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); //CmdLine SearchBar - $("#searchDllList").on("keyup", function() { + $("#searchDllList").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#dlllist tr").filter(function() { + $("#dlllist tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); //Privileges SearchBar - $("#searchPriv").on("keyup", function() { + $("#searchPriv").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#processPriv tr").filter(function() { + $("#processPriv tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); 
}); //Process Env SearchBar - $("#searchEnv").on("keyup", function() { + $("#searchEnv").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#processEnv tr").filter(function() { + $("#processEnv tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); 
@@ -141,28 +139,1244 @@ $(document).ready(function(){ //Process Handles SearchBar - $("#searchHandles").on("keyup", function() { + $("#searchHandles").on("keyup", function () { var value = $(this).val().toLowerCase(); - $("#processHandles tr").filter(function() { + $("#processHandles tr").filter(function () { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); //NetStat Search funtion - $("#searchNetworkStat").on("keyup", function() { - var value = $(this).val().toLowerCase(); - $("#netstat tr").filter(function() { - $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) - }); + $("#searchNetworkStat").on("keyup", function () { + var value = $(this).val().toLowerCase(); + $("#netstat tr").filter(function () { + $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); + }); //NetStat Search funtion - $("#searchNetworkScan").on("keyup", function() { - var value = $(this).val().toLowerCase(); - $("#netscan tr").filter(function() { - $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) - }); + $("#searchNetworkScan").on("keyup", function () { + var value = $(this).val().toLowerCase(); + $("#netscan tr").filter(function () { + $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); + }); }); + +function DisplayArtifacts(collapse, process, case_id) { + if ($('#' + collapse).attr("aria-expanded") == "true") { + $('#cmdline').addClass('d-none'); + $('#processPriv').addClass('d-none'); + $('#processEnv').addClass('d-none'); + $('#dlllist').addClass('d-none'); + $('#netstat').addClass('d-none'); + $('#netscan').addClass('d-none'); + $('#processHandles').addClass('d-none'); + $('.spinner-review').removeClass("d-none"); + var url = $("#" + collapse).attr('data-url'); + $.get(url, { 'case': case_id, 'pid': process }, // url + function (response, textStatus, jqXHR) { // success callback + if (textStatus == "success") { + if (response['message'] == "success") { + 
FillCmdLine(JSON.parse(response['artifacts']['CmdLine'])); + FillPrivileges(JSON.parse(response['artifacts']['Privs'])); + FillEnvars(JSON.parse(response['artifacts']['Envars'])); + FillDlls(JSON.parse(response['artifacts']['DllList'])); + FillNetStat(JSON.parse(response['artifacts']['NetStat'])); + FillNetScan(JSON.parse(response['artifacts']['NetScan'])); + + $('#cmdline').removeClass('d-none'); + $('#processPriv').removeClass('d-none'); + $('#processEnv').removeClass('d-none'); + $('#dlllist').removeClass('d-none'); + $('#netstat').removeClass('d-none'); + $('#netscan').removeClass('d-none'); + $('.processes_tab').removeClass('d-none'); + $('.default-td').removeClass('d-none'); + $('.spinner-review').addClass("d-none"); + } + if (response['message'] == "error") { + $('#proc-error-message').html("Something went wrong."); + $('.toast-proc-error').toast('show'); + } + } + }); + + const span_loading = document.createElement("span"); + span_loading.setAttribute('class','spinner-border spinner-border-sm'); + span_loading.setAttribute('role','status'); + const handles_btn = document.getElementById("handles_btn"); + handles_btn.textContent = "Click here to compute Handles for PID " + process; + handles_btn.addEventListener('click', function (e) { + handles_btn.textContent = ""; + handles_btn.appendChild(span_loading); + ComputeHandles(process, case_id); + handles_btn.textContent = "Click here to compute Handles for PID " + process; + }); + } +} + +function DisplayTimeline(case_id, date) { + $('.spinner-review').removeClass("d-none"); + $('#TimelineTab').addClass('d-none'); + var url = $("#TimelineTab").attr('data-url'); + var date = date.toString(); + $.get(url, { 'case': case_id, 'date': date }, // url + function (response, textStatus, jqXHR) { // success callback + if (textStatus == "success") { + if (response['message'] == "success") { + FillTimeline(JSON.parse(response['artifacts']['Timeliner'])); + $('#TimelineTab').removeClass('d-none'); + 
$('.spinner-review').addClass("d-none"); + } + if (response['message'] == "error") { + $('#proc-error-message').html("Something went wrong."); + $('.toast-proc-error').toast('show'); + } + } + }); +} + +function ComputeHandles(process, case_id){ + $('#processHandles').addClass('d-none'); + var url = $("#handles_btn").attr("data-url"); + $.get(url, { 'case': case_id, 'pid': process }, // url + function (response, textStatus, jqXHR) { // success callback + if (textStatus == "success") { + if (response['message'] == "success") { + FillHandles(JSON.parse(response['artifacts']['Handles'])); + } + if (response['message'] == "error") { + $('#proc-error-message').html("Something went wrong."); + $('.toast-proc-error').toast('show'); + } + } + }); + +} + + +function FillCmdLine(artifacts) { + // Create the html elements for each line + $('#cmdline').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('cmdline'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + td_1.textContent = item.fields.PID; + td_2.textContent = item.fields.Process; + td_3.textContent = item.fields.Args; + td_3.setAttribute('class', 'w-50'); + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow 
dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('CmdLine', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('CmdLine', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' ' + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('CmdLine', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + 
tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_CmdLine'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_CmdLine'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_CmdLine'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_CmdLine'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_CmdLine'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_CmdLine'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_4.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + + tbody.appendChild(tr); + }); +} + +function FillPrivileges(artifacts) { + // Create the html elements for each line + $('#processPriv').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('processPriv'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + td_1.textContent = item.fields.PID; + td_2.textContent 
= item.fields.Process; + td_3.textContent = item.fields.Privilege; + td_4.textContent = item.fields.Attributes; + td_5.textContent = item.fields.Description; + td_6.textContent = item.fields.Value; + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Privs', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + 
Tag('Privs', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('Privs', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Privs'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Privs'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Privs'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Privs'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Privs'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Privs'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + 
dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_7.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tbody.appendChild(tr); + }); +} + +function FillEnvars(artifacts) { + // Create the html elements for each line + $('#processEnv').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('processEnv'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + td_5.setAttribute('class', 'w-50 text-break'); + const td_6 = document.createElement('td'); + td_6.setAttribute('class', 'w-10'); + + td_1.textContent = item.fields.Block; + td_2.textContent = item.fields.PID; + td_3.textContent = item.fields.Process; + td_4.textContent = item.fields.Variable; + td_5.textContent = item.fields.Value; + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = 
document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Envars', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('Envars', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('Envars', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Envars'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Envars'); + } 
+ + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Envars'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Envars'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Envars'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Envars'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_6.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tbody.appendChild(tr); + }); +} + +function FillDlls(artifacts) { + // Create the html elements for each line + $('#dlllist').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('dlllist'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + const td_8 = document.createElement('td'); + const td_9 = document.createElement('td'); + + td_1.textContent = item.fields.Process; + td_2.textContent = item.fields.PID; + td_3.textContent = item.fields.Base; + td_4.textContent = item.fields.Name; + 
td_5.textContent = item.fields.Path; + td_6.textContent = item.fields.Size; + td_7.textContent = item.fields.LoadTime; + td_8.textContent = item.fields.Fileouput; + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('DllList', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('DllList', item.pk, 
"Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('DllList', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_DllList'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_DllList'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_DllList'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_DllList'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_DllList'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_DllList'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + 
dropdown.appendChild(dropdown_menu); + td_9.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tr.appendChild(td_8); + tr.appendChild(td_9); + tbody.appendChild(tr); + }); +} + +function FillNetStat(artifacts) { + // Create the html elements for each line + $('#netstat').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('netstat'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + const td_8 = document.createElement('td'); + const td_9 = document.createElement('td'); + const td_10 = document.createElement('td'); + const td_11 = document.createElement('td'); + td_11.setAttribute('class', 'w-10'); + + td_1.textContent = item.fields.Created; + td_2.textContent = item.fields.Offset; + td_3.textContent = item.fields.Owner; + td_4.textContent = item.fields.Proto; + td_5.textContent = item.fields.LocalAddr; + td_6.textContent = item.fields.LocalPort; + td_7.textContent = item.fields.ForeignAddr; + td_8.textContent = item.fields.ForeignPort; + td_9.textContent = item.fields.State; + td_10.textContent = item.fields.PID; + + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + 
dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('NetStat', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('NetStat', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('NetStat', item.pk, "Clear"); + }); + 
badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_NetStat'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetStat'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetStat'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_NetStat'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetStat'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetStat'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_11.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tr.appendChild(td_8); + tr.appendChild(td_9); + tr.appendChild(td_10); + tr.appendChild(td_11); + tbody.appendChild(tr); + }); +} + +function FillNetScan(artifacts) { + // Create the html elements for each line + $('#netscan').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('netscan'); + const tr = document.createElement('tr'); + const 
td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + const td_8 = document.createElement('td'); + const td_9 = document.createElement('td'); + const td_10 = document.createElement('td'); + const td_11 = document.createElement('td'); + td_11.setAttribute('class', 'w-10'); + + td_1.textContent = item.fields.Created; + td_2.textContent = item.fields.Offset; + td_3.textContent = item.fields.Owner; + td_4.textContent = item.fields.Proto; + td_5.textContent = item.fields.LocalAddr; + td_6.textContent = item.fields.LocalPort; + td_7.textContent = item.fields.ForeignAddr; + td_8.textContent = item.fields.ForeignPort; + td_9.textContent = item.fields.State; + td_10.textContent = item.fields.PID; + + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " 
Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('NetScan', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('NetScan', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('NetScan', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_NetScan'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetScan'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetScan'); + 
tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_NetScan'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_NetScan'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_NetScan'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_11.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tr.appendChild(td_8); + tr.appendChild(td_9); + tr.appendChild(td_10); + tr.appendChild(td_11); + tbody.appendChild(tr); + }); +} + +function FillTimeline(artifacts) { + // Create the html elements for each line + $('#TimelineTab').empty(); + $.each(artifacts, function (i, item) { + + var tbody = document.getElementById('TimelineTab'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + td_7.setAttribute('class', 'w-10'); + + td_1.textContent = item.fields.CreatedDate; + td_2.textContent = item.fields.ChangedDate; + td_3.textContent = item.fields.AccessedDate; + td_4.textContent = item.fields.Description; + td_5.textContent = item.fields.ModifiedDate; 
+ td_6.textContent = item.fields.Plugin; + + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Timeliner', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('Timeliner', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger 
text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('Timeliner', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Timeliner'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Timeliner'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Timeliner'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Timeliner'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Timeliner'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Timeliner'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_7.appendChild(dropdown); + + tr.appendChild(td_1); + 
tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tbody.appendChild(tr); + }); +} + +function FillHandles(artifacts) { + // Create the html elements for each line + $('#processHandles').empty(); + $.each(artifacts, function (i, item) { + + var tbody = document.getElementById('processHandles'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + const td_8 = document.createElement('td'); + td_8.setAttribute('class', 'w-10'); + + td_1.textContent = item.fields.Process; + td_2.textContent = item.fields.PID; + td_3.textContent = item.fields.Offset; + td_4.textContent = item.fields.Name; + td_5.textContent = item.fields.HandleValue; + td_6.textContent = item.fields.GrantedAccess; + td_7.textContent = item.fields.Type; + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = 
document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Handles', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('Handles', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' '; + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('Handles', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Handles'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Handles'); 
+ } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Handles'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Handles'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Handles'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Handles'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_8.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tr.appendChild(td_8); + tbody.appendChild(tr); + $('#processHandles').removeClass('d-none'); + }); +} + + diff --git a/docker/Dockerfile b/docker/Dockerfile index f29b6f6..6f9f38c 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -22,7 +22,7 @@ RUN mkdir -p $APP_HOME/staticfiles WORKDIR $APP_HOME USER app -RUN pip install 'volatility3==2.0.1' +RUN pip install 'volatility3==2.4.0' USER root COPY requirements.txt $APP_HOME RUN pip install --upgrade pip diff --git a/investigations/templates/investigations/review_invest.html b/investigations/templates/investigations/review_invest.html index 15caa11..7f83ba7 100644 --- a/investigations/templates/investigations/review_invest.html +++ b/investigations/templates/investigations/review_invest.html @@ -103,7 +103,7 @@
{{case.title}}
{% if case.os_version == "Linux" %} -
+
-
+
-
- -
-
-
-
-
- - {% for process in PsScan %}
- -
+
{% include "investigations/windows/processes/privileges.html" %} {% include "investigations/windows/processes/cmdline.html" %} {% include "investigations/windows/processes/envars.html" %} @@ -473,15 +443,15 @@
{{case.title}}
{% else %} {% endif %} {% endblock content %} \ No newline at end of file diff --git a/investigations/templates/investigations/windows/processes/cmdline.html b/investigations/templates/investigations/windows/processes/cmdline.html index 325c94e..cc5db9c 100644 --- a/investigations/templates/investigations/windows/processes/cmdline.html +++ b/investigations/templates/investigations/windows/processes/cmdline.html @@ -20,42 +20,6 @@ - {% for process in CmdLine %} - - {{process.PID }} - {{process.Process}} - {{process.Args}} - - - - - {% endfor %}
diff --git a/investigations/templates/investigations/windows/processes/dlllist.html b/investigations/templates/investigations/windows/processes/dlllist.html index c4a8fdd..aec52ce 100644 --- a/investigations/templates/investigations/windows/processes/dlllist.html +++ b/investigations/templates/investigations/windows/processes/dlllist.html @@ -25,50 +25,6 @@ - {% for process in DllList %} - - {{process.Process}} - {{process.PID}} - {{process.Base}} - {{process.Name}} - {{process.Path}} - {{process.Size}} - {{process.LoadTime}} - {{process.Fileoutput}} - - - - - {% endfor %} - - Nothing was found -
diff --git a/investigations/templates/investigations/windows/processes/envars.html b/investigations/templates/investigations/windows/processes/envars.html index f2d9e06..b7be02d 100644 --- a/investigations/templates/investigations/windows/processes/envars.html +++ b/investigations/templates/investigations/windows/processes/envars.html @@ -21,47 +21,6 @@ - {% for process in Envars %} - - {{process.Block}} - {{process.PID}} - {{process.Process}} - {{process.Variable}} - {{process.Value}} - - - - - {% endfor %} - - Nothing was found -
diff --git a/investigations/templates/investigations/windows/processes/handles.html b/investigations/templates/investigations/windows/processes/handles.html index a3fb77c..279aad3 100644 --- a/investigations/templates/investigations/windows/processes/handles.html +++ b/investigations/templates/investigations/windows/processes/handles.html @@ -5,6 +5,11 @@ Included in the "review_invest.html", this file represent the "Handles" tab. --->
+
+ +
+ +
@@ -22,51 +27,9 @@ + - {% for process in Handles %} - - {{process.Process}} - {{process.PID}} - {{process.Offset}} - {{process.Name}} - {{process.HandleValue}} - {{process.GrantedAccess}} - {{process.Type}} - - - - - {% endfor %} - - Nothing was found -
diff --git a/investigations/templates/investigations/windows/processes/malfind.html b/investigations/templates/investigations/windows/processes/malfind.html index 14c6572..a23aff4 100644 --- a/investigations/templates/investigations/windows/processes/malfind.html +++ b/investigations/templates/investigations/windows/processes/malfind.html @@ -19,7 +19,7 @@ {% for matches in Malfind %} -
+
{{matches.PID}} - {{matches.Process}}
diff --git a/investigations/templates/investigations/windows/processes/network.html b/investigations/templates/investigations/windows/processes/network.html index a602ab8..e78160e 100644 --- a/investigations/templates/investigations/windows/processes/network.html +++ b/investigations/templates/investigations/windows/processes/network.html @@ -33,49 +33,6 @@

NetStat

- {% for process in NetStat %} - - {{process.Created}} - {{process.Offset}} - {{process.Owner}} - {{process.Proto}} - {{process.LocalAddr}} - {{process.LocalPort}} - {{process.ForeignAddr}} - {{process.ForeignPort}} - {{process.State}} - {{process.PID}} - - - - - {% endfor %}
@@ -109,49 +66,6 @@

NetScan

- {% for process in NetScan %} - - {{process.Created}} - {{process.Offset}} - {{process.Owner}} - {{process.Proto}} - {{process.LocalAddr}} - {{process.LocalPort}} - {{process.ForeignAddr}} - {{process.ForeignPort}} - {{process.State}} - {{process.PID}} - - - - - {% endfor %}
diff --git a/investigations/templates/investigations/windows/processes/privileges.html b/investigations/templates/investigations/windows/processes/privileges.html index 52ee675..ee85ac3 100644 --- a/investigations/templates/investigations/windows/processes/privileges.html +++ b/investigations/templates/investigations/windows/processes/privileges.html @@ -13,7 +13,7 @@ PID - Process Value + Process Privilege Attributes Description @@ -22,49 +22,6 @@ - {% for process in Privs %} - - {{process.PID}} - {{process.Process}} - {{process.Privilege}} - {{process.Attributes}} - {{process.Description}} - {{process.Value}} - - - - - {% endfor %} - - Nothing was found -
diff --git a/investigations/templates/investigations/windows/processes/tree.html b/investigations/templates/investigations/windows/processes/tree.html index 24d876e..464712d 100644 --- a/investigations/templates/investigations/windows/processes/tree.html +++ b/investigations/templates/investigations/windows/processes/tree.html @@ -28,7 +28,7 @@ treechart.tooltip().format("{%name}\n\n \ pid: {%PID}\n \ Create Time : {%CreateTime}\n \ - Exite Time : {%ExitTime}\n \ + Exit Time : {%ExitTime}\n \ Threads : {%Threads}"); treechart.draw(); diff --git a/investigations/templates/investigations/windows/timeline/timeline.html b/investigations/templates/investigations/windows/timeline/timeline.html index b3ae129..9357f78 100644 --- a/investigations/templates/investigations/windows/timeline/timeline.html +++ b/investigations/templates/investigations/windows/timeline/timeline.html @@ -17,55 +17,16 @@ + - - - {% for event in Timeliner %} - - - - - - - - - - {% endfor %} +
Created Date Accessed Date Changed DateCreated Date Description Modified Date Pluging
{{event.AccessedDate}}{{event.ChangedDate}}{{event.CreatedDate}}{{event.Description}}{{event.ModifiedDate}}{{event.Plugin}} - -
@@ -73,11 +34,8 @@
+ +
diff --git a/investigations/templates/investigations/windows/processes/ldrmodules.html b/investigations/templates/investigations/windows/processes/ldrmodules.html new file mode 100644 index 0000000..c130ec1 --- /dev/null +++ b/investigations/templates/investigations/windows/processes/ldrmodules.html @@ -0,0 +1,27 @@ + +
+
+ + + + + + + + + + + + + + + + +
PIDProcessBaseInInitInLoadInMemMappedPath
+
+
diff --git a/investigations/templates/investigations/windows/processes/sessions.html b/investigations/templates/investigations/windows/processes/sessions.html new file mode 100644 index 0000000..28c6ce5 --- /dev/null +++ b/investigations/templates/investigations/windows/processes/sessions.html @@ -0,0 +1,26 @@ + +
+
+ + + + + + + + + + + + + + + +
Process IDProcessSession IDSession TypeUser NameCreate Time
+
+
diff --git a/investigations/views.py b/investigations/views.py index f85d555..337e4c1 100755 --- a/investigations/views.py +++ b/investigations/views.py @@ -277,6 +277,7 @@ def review_invest(request): 'ImageSignature': ImageSignature.objects.get(investigation_id=id), 'PsScan': windows_engine.PsScan.objects.filter(investigation_id=id), 'PsTree': windows_engine.PsTree.objects.get(investigation_id=id), + 'DeviceTree': windows_engine.DeviceTree.objects.get(investigation_id=id), 'NetGraph': windows_engine.NetGraph.objects.get(investigation_id=id), 'Hashdump': windows_engine.Hashdump.objects.filter(investigation_id=id), 'Lsadump': windows_engine.Lsadump.objects.filter(investigation_id=id), diff --git a/requirements.txt b/requirements.txt index cf42d28..40b4282 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,7 @@ gunicorn==20.1.0 psycopg2==2.9.3 bcrypt==3.2.0 cryptography==3.4.7 -Django==3.2.15 +Django==3.2.16 django-crispy-forms==1.12.0 volatility3==2.4.0 yara-python==4.1.3 diff --git a/windows_engine/migrations/0017_sessions.py b/windows_engine/migrations/0017_sessions.py new file mode 100644 index 0000000..7e4f881 --- /dev/null +++ b/windows_engine/migrations/0017_sessions.py 
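Review bot: The added `'DeviceTree': windows_engine.DeviceTree.objects.get(investigation_id=id),` turns a missing row into an unhandled DoesNotExist, so the whole review page fails with a 500 for any investigation that has no DeviceTree entry — which looks likely for cases analysed before this model and its migration existed, or where the device-tree task did not finish. The neighbouring PsTree and NetGraph lookups use the same `.get()` pattern, but they predate this change and presumably every stored case already has those rows. Prefer `'DeviceTree': windows_engine.DeviceTree.objects.filter(investigation_id=id).first(),` and let the template tolerate a None value, or wrap this one lookup in a `except windows_engine.DeviceTree.DoesNotExist` and substitute None. review_invest's body starts and ends outside this hunk.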
@@ -0,0 +1,29 @@ +# Generated by Django 3.2.15 on 2022-12-27 10:48 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('investigations', '0001_initial'), + ('windows_engine', '0016_filescan_tag'), + ] + + operations = [ + migrations.CreateModel( + name='Sessions', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('CreateTime', models.TextField(null=True)), + ('Process', models.TextField(null=True)), + ('ProcessID', models.IntegerField(null=True)), + ('SessionID', models.IntegerField(null=True)), + ('SessionType', models.TextField(null=True)), + ('UserName', models.TextField(null=True)), + ('Tag', models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True)), + ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='windows_sessions_investigation', to='investigations.uploadinvestigation')), + ], + ), + ] diff --git a/windows_engine/migrations/0018_ldrmodules.py b/windows_engine/migrations/0018_ldrmodules.py new file mode 100644 index 0000000..57623a5 --- /dev/null +++ b/windows_engine/migrations/0018_ldrmodules.py 
@@ -0,0 +1,29 @@ +# Generated by Django 3.2.15 on 2022-12-27 13:17 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('investigations', '0001_initial'), + ('windows_engine', '0017_sessions'), + ] + + operations = [ + migrations.CreateModel( + name='LdrModules', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('Base', models.BigIntegerField(null=True)), + ('InInit', models.TextField(null=True)), + ('InLoad', models.TextField(null=True)), + ('InMem', models.TextField(null=True)), + ('MappedPath', models.TextField(null=True)), + ('Pid', models.IntegerField(null=True)), + ('Process', models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True)), + ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='windows_ldrmodules_investigation', to='investigations.uploadinvestigation')), + ], + ), + ] diff --git a/windows_engine/migrations/0019_auto_20221227_1321.py b/windows_engine/migrations/0019_auto_20221227_1321.py new file mode 100644 index 0000000..7177868 --- /dev/null +++ b/windows_engine/migrations/0019_auto_20221227_1321.py @@ -0,0 +1,23 @@ +# Generated by Django 3.2.15 on 2022-12-27 13:21 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('windows_engine', '0018_ldrmodules'), + ] + + operations = [ + migrations.AddField( + model_name='ldrmodules', + name='Tag', + field=models.CharField(choices=[('Evidence', 'Evidence'), ('Suspicious', 'Suspicious')], max_length=11, null=True), + ), + migrations.AlterField( + model_name='ldrmodules', + name='Process', + field=models.TextField(null=True), + ), + ] diff --git a/windows_engine/migrations/0020_devicetree.py b/windows_engine/migrations/0020_devicetree.py new file mode 100644 index 0000000..5e44142 --- /dev/null 
+++ b/windows_engine/migrations/0020_devicetree.py @@ -0,0 +1,23 @@ +# Generated by Django 3.2.15 on 2022-12-27 14:07 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('investigations', '0001_initial'), + ('windows_engine', '0019_auto_20221227_1321'), + ] + + operations = [ + migrations.CreateModel( + name='DeviceTree', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('graph', models.JSONField(null=True)), + ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='windows_devicetree_investigation', to='investigations.uploadinvestigation')), + ], + ), + ] diff --git a/windows_engine/models.py b/windows_engine/models.py index 1486b36..ac72dda 100644 --- a/windows_engine/models.py +++ b/windows_engine/models.py @@ -40,6 +40,16 @@ class PsTree(models.Model): graph = models.JSONField(null=True) +class DeviceTree(models.Model): + investigation = models.ForeignKey( + UploadInvestigation, + on_delete=models.CASCADE, + related_name="windows_devicetree_investigation" + + ) + graph = models.JSONField(null=True) + + class NetGraph(models.Model): investigation = models.ForeignKey( UploadInvestigation, 
@@ -104,6 +114,35 @@ class Privs(models.Model): Description = models.TextField(null=True) Tag = models.CharField(null=True, max_length=11, choices=TAGS) +class Sessions(models.Model): + investigation = models.ForeignKey( + UploadInvestigation, + on_delete=models.CASCADE, + related_name="windows_sessions_investigation" + ) + CreateTime = models.TextField(null=True) + Process = models.TextField(null=True) + ProcessID = models.IntegerField(null=True) + SessionID = models.IntegerField(null=True) + SessionType = models.TextField(null=True) + UserName = models.TextField(null=True) + Tag = models.CharField(null=True, max_length=11, choices=TAGS) + +class LdrModules(models.Model): + investigation = models.ForeignKey( + UploadInvestigation, + on_delete=models.CASCADE, + related_name="windows_ldrmodules_investigation" + ) + Base = models.BigIntegerField(null=True) + InInit = models.TextField(null=True) + InLoad = models.TextField(null=True) + InMem = models.TextField(null=True) + MappedPath = models.TextField(null=True) + Pid = models.IntegerField(null=True) + Process = models.TextField(null=True) + Tag = models.CharField(null=True, max_length=11, choices=TAGS) + class Envars(models.Model): investigation = models.ForeignKey( diff --git a/windows_engine/report.py b/windows_engine/report.py index 146452e..c5caefb 100644 --- a/windows_engine/report.py +++ b/windows_engine/report.py 
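Review bot: `Sessions` and `LdrModules` are separated from `Privs` and `Envars` by a single blank line, whereas the `DeviceTree` block added to the same file (previous hunk) and the surrounding classes use the two blank lines PEP 8 asks for between top-level definitions. A one-line class docstring naming the Volatility plugin each model mirrors (`"""Rows of the windows.sessions.Sessions plugin for one investigation."""`) would also help, because the field names (`CreateTime`, `InInit`, `MappedPath`) only make sense to someone who knows that plugin's output.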
@@ -13,12 +13,19 @@ def report(case): privs_suspicious = Privs.objects.filter(investigation=case, Tag="Suspicious") privs_evidence = Privs.objects.filter(investigation=case, Tag="Evidence") + sessions_suspicious = Sessions.objects.filter(investigation=case, Tag="Suspicious") + sessions_evidence = Sessions.objects.filter(investigation=case, Tag="Evidence") + envars_suspicious = Envars.objects.filter(investigation=case, Tag="Suspicious") envars_evidence = Envars.objects.filter(investigation=case, Tag="Evidence") dlllist_suspicious = DllList.objects.filter(investigation=case, Tag="Suspicious") dlllist_evidence = DllList.objects.filter(investigation=case, Tag="Evidence") + ldrmodules_suspicious = LdrModules.objects.filter(investigation=case, Tag="Suspicious") + ldrmodules_evidence = LdrModules.objects.filter(investigation=case, Tag="Evidence") + + handles_suspicious = Handles.objects.filter(investigation=case, Tag="Suspicious") handles_evidence = Handles.objects.filter(investigation=case, Tag="Evidence") @@ -91,6 +98,13 @@ def report(case): html += markdown.markdown(table, extensions=['tables']) text += table + if sessions_evidence: + table = "Process ID | Process | Session ID | Session Type | User Name | Create Time | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" + for process in sessions_evidence: + table += f" {process.ProcessID} | {process.Process} | {process.SessionID} | {process.SessionType} | {process.UserName} | {process.CreateTime} | Sessions \n" + html += markdown.markdown(table, extensions=['tables']) + text += table + if privs_evidence: table = "PID | Process Value | Privilege | Attributes | Description | Value | Source | \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" 
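Review bot: The new sessions table interpolates `process.Process` and `process.UserName` straight into a markdown row that is then converted with `markdown.markdown`, so a `|` or newline in a process name from the memory image silently breaks the table and any raw HTML in such a string is passed through into `html` unescaped (Python-Markdown does not strip raw HTML by default). The same applies to the LdrModules tables in the following hunks, which are built the same way. A small helper such as `def cell(v): return html.escape(str(v)).replace("|", "\\|")` (needs `import html`) applied to each field before formatting keeps the generated report inert even when the dump contains hostile strings; the existing tables in report() have the same exposure and could be routed through it in a follow-up.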
@@ -113,6 +127,13 @@ def report(case): html += markdown.markdown(table, extensions=['tables']) text += table + if ldrmodules_evidence: + table = "Process | PID | Base | Name | Path | Size | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" + for process in ldrmodules_evidence: + table += f"{process.Process} | {process.Pid} | {process.Base} | {process.InInit} | {process.InLoad} | {process.InLoad} | {process.MappedPath} | LdrModules \n" + html += markdown.markdown(table, extensions=['tables']) + text += table + if handles_evidence: table = "Process | PID | Offset | Name | Handle Value | Granted Access | Type | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" for process in handles_evidence: @@ -174,6 +195,13 @@ def report(case): html += markdown.markdown(table, extensions=['tables']) text += table + if sessions_suspicious: + table = "Process ID | Process | Session ID | Session Type | User Name | Create Time | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" + for process in sessions_suspicious: + table += f" {process.ProcessID} | {process.Process} | {process.SessionID} | {process.SessionType} | {process.UserName} | {process.CreateTime} | Sessions \n" + html += markdown.markdown(table, extensions=['tables']) + text += table + if privs_suspicious: table = "PID | Process Value | Privilege | Attributes | Description | Value | Source | \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" for process in privs_suspicious: 
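Review bot: The LdrModules row in the `ldrmodules_evidence` branch emits eight cells while its header declares seven columns, `process.InLoad` is written twice, `process.InMem` is never written, and the header names (`Name`, `Path`, `Size`) do not match the model fields being emitted, so the markdown table renders misaligned. The header should read `"Process | PID | Base | InInit | InLoad | InMem | Mapped Path | Source \n"` with eight `-------------` separators, and the row `f"{process.Process} | {process.Pid} | {process.Base} | {process.InInit} | {process.InLoad} | {process.InMem} | {process.MappedPath} | LdrModules \n"`. The `ldrmodules_suspicious` branch in the next hunk has the identical problem.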
@@ -195,6 +223,13 @@ def report(case): html += markdown.markdown(table, extensions=['tables']) text += table + if ldrmodules_suspicious: + table = "Process | PID | Base | Name | Path | Size | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" + for process in ldrmodules_suspicious: + table += f"{process.Process} | {process.Pid} | {process.Base} | {process.InInit} | {process.InLoad} | {process.InLoad} | {process.MappedPath} | LdrModules \n" + html += markdown.markdown(table, extensions=['tables']) + text += table + if handles_suspicious: table = "Process | PID | Offset | Name | Handle Value | Granted Access | Type | Source \n ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | -------------\n" for process in handles_suspicious: diff --git a/windows_engine/views.py b/windows_engine/views.py index 36c3ae1..2c6f029 100644 --- a/windows_engine/views.py +++ b/windows_engine/views.py @@ -107,6 +107,8 @@ def get_artifacts(request): 'Envars': json_serializer.serialize(Envars.objects.filter(investigation_id=id, PID=pid)), 'NetScan': json_serializer.serialize(NetScan.objects.filter(investigation_id=id, PID=pid)), 'NetStat': json_serializer.serialize(NetStat.objects.filter(investigation_id=id, PID=pid)), + 'Sessions': json_serializer.serialize(Sessions.objects.filter(investigation_id=id, ProcessID=pid)), + 'LdrModules': json_serializer.serialize(LdrModules.objects.filter(investigation_id=id, Pid=pid)), } return JsonResponse({'message': "success", 'artifacts': artifacts}) return JsonResponse({'message': "error"}) @@ -181,6 +183,7 @@ def dump_process(request): return JsonResponse({'message': "failed"}) else: return JsonResponse({'message': "error"}) + return JsonResponse({'message': "error"}) @login_required diff --git a/windows_engine/vol_windows.py b/windows_engine/vol_windows.py index e183317..14e25f4 100755 --- a/windows_engine/vol_windows.py 
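Review bot: The trailing `return JsonResponse({'message': "error"})` added to dump_process sits after an `if`/`else` whose branches both return, so it can only be reached by a path earlier in the function that falls through (dump_process starts outside this hunk; presumably a non-POST request or an invalid form). If that is the case, answering with a status code, `return JsonResponse({'message': "error"}, status=400)`, lets the caller distinguish a rejected request from a dump that was attempted and failed, which currently also returns 200.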
+++ b/windows_engine/vol_windows.py
@@ -90,16 +90,16 @@ def dump_process(dump_path, pid, output_path):
 plugin_list = volatility3.framework.list_plugins()
 base_config_path = "plugins"
 context = contexts.Context()
- context.config['plugins.PsList.pid'] = [int(pid)]
- context.config['plugins.PsList.dump'] = True
- constructed = build_context(dump_path, context, base_config_path, plugin_list['windows.pslist.PsList'], output_path)
+ context.config['plugins.Memmap.pid'] = int(pid)
+ context.config['plugins.Memmap.dump'] = True
+
+ constructed = build_context(dump_path, context, base_config_path, plugin_list['windows.memmap.Memmap'], output_path)
 if constructed:
 result = DictRenderer().render(constructed.run())
 else:
 logger.info("Error")
- for artifact in result:
- artifact = {x.translate({32: None}): y
- for x, y in artifact.items()}
+ artifact = {x.translate({32: None}): y
+ for x, y in result[0].items()}
 return artifact['Fileoutput']
@@ -182,10 +182,13 @@ def run_volweb_routine_windows(dump_path, case_id, case):
 # Process
 'PsScan': {'plugin': plugin_list['windows.psscan.PsScan']},
 'PsTree': {'plugin': plugin_list['windows.pstree.PsTree']},
+ 'DeviceTree': {'plugin': plugin_list['windows.devicetree.DeviceTree']},
 'CmdLine': {'plugin': plugin_list['windows.cmdline.CmdLine']},
+ 'Sessions': {'plugin': plugin_list['windows.sessions.Sessions']},
 'Privs': {'plugin': plugin_list['windows.privileges.Privs']},
 'Envars': {'plugin': plugin_list['windows.envars.Envars']},
 'DllList': {'plugin': plugin_list['windows.dlllist.DllList']},
+ 'LdrModules': {'plugin': plugin_list['windows.ldrmodules.LdrModules']},
 # Network
 'NetScan': {'plugin': plugin_list['windows.netstat.NetStat']},
 'NetStat': {'plugin': plugin_list['windows.netscan.NetScan']},
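Review bot: `result` is only assigned when `constructed` is truthy, so on the `else` branch the new `result[0].items()` raises `UnboundLocalError` right after the "Error" log line, and when Memmap yields no row for the pid it raises `IndexError`; the removed loop at least did not index. Both failure paths should return explicitly (or raise a dedicated exception if the caller expects one) and log at error level with the pid, and a `-1`/unknown pid should be rejected before the context is built since `int(pid)` still accepts it. Rewritten tail of dump_process:
```python
    if not constructed:
        logger.error("Could not build the Memmap context for pid %s", pid)
        return None
    result = DictRenderer().render(constructed.run())
    if not result:
        logger.error("Memmap produced no row for pid %s", pid)
        return None
    # Volatility column names contain spaces ("File output"); strip them for dict access.
    artifact = {x.translate({32: None}): y for x, y in result[0].items()}
    return artifact['Fileoutput']
```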
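Review bot: The three new plugin entries are fine, but the context lines right below them map `'NetScan'` to `windows.netstat.NetStat` and `'NetStat'` to `windows.netscan.NetScan`, which looks inverted; it is pre-existing, yet since the results of both are concatenated into the network graph later it may not have been noticed, and the per-plugin tables and tags shown to the analyst would carry the wrong plugin name. Worth confirming against the templates and swapping if so: `'NetScan': {'plugin': plugin_list['windows.netscan.NetScan']},` and `'NetStat': {'plugin': plugin_list['windows.netstat.NetStat']},`.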
@@ -205,10 +208,10 @@ def run_volweb_routine_windows(dump_path, case_id, case):
 'SkeletonKeyCheck': {'plugin': plugin_list['windows.skeleton_key_check.Skeleton_Key_Check']},
 'FileScan': {'plugin': plugin_list['windows.filescan.FileScan']},
 }
+ """Progress Function"""
- def update_progress(case):
- MODULES_TO_RUN = len(volweb_knowledge_base) + 2
+ MODULES_TO_RUN = len(volweb_knowledge_base) + 3
 percentage = str(format(float(case.percentage) + float(100 / MODULES_TO_RUN), '.0f'))
 logger.info(f"Status : {percentage} %")
 case.percentage = percentage
@@ -261,7 +264,7 @@ def update_progress(case):
 """STEP 3.1 : We can now inject the results inside the django database"""
 for runable in volweb_knowledge_base:
- if runable != 'PsTree' and runable != 'UserAssist':
+ if runable != 'PsTree' and runable != 'UserAssist' and runable != 'DeviceTree':
 for artifact in volweb_knowledge_base[runable]['result']:
 artifact = {x.translate({32: None}): y
 for x, y in artifact.items()}
@@ -275,7 +278,7 @@ def update_progress(case):
 """STEP 3.2 : Construct and inject the graphs"""
- def rename(node):
+ def rename_pstree(node):
 if len(node['__children']) == 0:
 node['children'] = node['__children']
 node['name'] = node['ImageFileName']
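Review bot: `"""Progress Function"""` on the new side is a bare string expression, not a comment, and with `def update_progress(case):` removed in the same hunk it no longer documents a function; meanwhile `update_progress(case)` is still called at the end of the routine (last hunk of this file), so the definition must now live outside this hunk and the body lines kept here (`percentage = ...`, `case.percentage = ...`) would need to be at the same indentation as the surrounding routine, which is worth confirming since the diff does not show whitespace. The `+ 3` is a magic number; replace the string with a real comment that names what it stands for, e.g. `# +3: steps outside volweb_knowledge_base that also report progress (TODO: list them)`.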
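Review bot: The `runable != ...` chain in STEP 3.1 has grown to three names and now has to be kept in sync by hand with the special cases in STEP 3.2; `if runable not in ('PsTree', 'UserAssist', 'DeviceTree'):` is clearer, and a single tuple of "graph-only" plugins defined next to `volweb_knowledge_base` and reused in both steps would stop the two lists drifting apart the next time a tree-shaped plugin is added.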
@@ -287,17 +290,53 @@ def rename(node):
 del (node['__children'])
 del (node['ImageFileName'])
 for children in node['children']:
- rename(children)
+ rename_pstree(children)
+
+ def rename_devicetree(node):
+ if len(node['__children']) == 0:
+ node['children'] = node['__children']
+
+ node['name'] = ""
+
+ if node['DeviceName']:
+ node['name'] += node['DeviceName']
+ if node['DeviceType']:
+ node['name'] += "/" + node['DeviceType']
+ if node['DriverName']:
+ node['name'] += "/" + node['DriverName']
+ del (node['__children'])
+ else:
+ node['children'] = node['__children']
+
+ node['name'] = ""
+
+ if node['DeviceName']:
+ node['name'] += node['DeviceName']
+ if node['DeviceType']:
+ node['name'] += "/" + node['DeviceType']
+ if node['DriverName']:
+ node['name'] += "/" + node['DriverName']
+
+ del (node['__children'])
+ for children in node['children']:
+ rename_devicetree(children)
 json_pstree_artifact = []
+ json_devicetree_artifact = []
 json_netgraph_artifact = []
 json_timeline_graph_artifact = []
 if volweb_knowledge_base['PsTree']['result']:
 pstree_artifact = volweb_knowledge_base['PsTree']['result']
 for tree in pstree_artifact:
- rename(tree)
+ rename_pstree(tree)
 json_pstree_artifact = json.dumps(pstree_artifact)
+ if volweb_knowledge_base['DeviceTree']['result']:
+ devicetree_artifact = volweb_knowledge_base['DeviceTree']['result']
+ for tree in devicetree_artifact:
+ rename_devicetree(tree)
+ json_devicetree_artifact = json.dumps(devicetree_artifact)
+
 if volweb_knowledge_base['NetScan']['result'] or volweb_knowledge_base['NetStat']['result']:
 json_netgraph_artifact = json.dumps(generate_network_graph(
 volweb_knowledge_base['NetScan']['result'] + volweb_knowledge_base['NetStat']['result']))
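Review bot: Both branches of `rename_devicetree` do exactly the same work; the only difference is the recursion in the `else` branch, and recursing over an empty `children` list is a no-op, so the `if len(node['__children']) == 0` split can be dropped. Note the label still gets a leading `/` when `DeviceName` is empty but `DeviceType` or `DriverName` is set; if that is unintended, `"/".join(p for p in parts if p)` fixes it, the version below keeps the current output. Rewritten helper (it stays nested in run_volweb_routine_windows):
```python
    def rename_devicetree(node):
        """Rewrite one devicetree node in place into the {name, children} shape the graph view expects."""
        node['children'] = node.pop('__children')
        node['name'] = ""
        if node['DeviceName']:
            node['name'] += node['DeviceName']
        if node['DeviceType']:
            node['name'] += "/" + node['DeviceType']
        if node['DriverName']:
            node['name'] += "/" + node['DriverName']
        for child in node['children']:
            rename_devicetree(child)
```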
@@ -306,6 +345,7 @@ def rename(node):
 json_timeline_graph_artifact = json.dumps(build_timeline(volweb_knowledge_base['Timeliner']['result']))
 PsTree(investigation_id=case_id, graph=json_pstree_artifact).save()
+ DeviceTree(investigation_id=case_id, graph=json_devicetree_artifact).save()
 NetGraph(investigation_id=case_id, graph=json_netgraph_artifact).save()
 TimeLineChart(investigation_id=case_id, graph=json_timeline_graph_artifact).save()
@@ -331,5 +371,5 @@ def fill_userassist(list, case_id):
 if volweb_knowledge_base['UserAssist']['result']:
 fill_userassist(volweb_knowledge_base['UserAssist']['result'], case_id)
-
+ update_progress(case)
 return partial_results
From 0c1bcb2906923148f364cf2d91b9c19398c3c8d9 Mon Sep 17 00:00:00 2001
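Review bot: `DeviceTree(..., graph=json_devicetree_artifact)` stores either the `json.dumps` string (when the plugin returned rows) or the literal `[]` default (when it did not) into a `JSONField`, so the column holds a JSON-encoded string in one case and a list in the other, and the string case is double-encoded since the field serialises again on save. This mirrors the existing PsTree/NetGraph lines, so it is a pre-existing pattern rather than something this commit introduced, but for the new model it would be simplest to pass the structure itself, `graph=devicetree_artifact` with `devicetree_artifact = []` as the default, and let the field do the encoding; whoever reads `graph` on the template side would need the same adjustment, which I cannot see here.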
From: k1nd0ne Date: Wed, 28 Dec 2022 18:05:42 +0100 Subject: [PATCH 3/5] Bug Fix : Double analysis start, Linux Investigation dynamic fetch --- dashboard/static/js/linux.js | 723 +++++++++++++++++- dashboard/static/js/windows.js | 29 +- .../linux/others/mountinfo.html | 74 ++ .../linux/others/tty_check.html | 6 +- .../investigations/linux/processes/bash.html | 37 - .../investigations/linux/processes/elfs.html | 40 +- .../investigations/linux/processes/lsof.html | 37 - .../investigations/linux/processes/maps.html | 43 -- .../investigations/linux/processes/psaux.html | 23 + .../investigations/review_invest.html | 26 +- .../investigations/windows/files/files.html | 6 +- .../windows/processes/handles.html | 1 - investigations/views.py | 9 +- linux_engine/forms.py | 4 + linux_engine/migrations/0009_pslist_tid.py | 18 + linux_engine/migrations/0010_pslist_offset.py | 18 + .../migrations/0011_auto_20221227_1801.py | 81 ++ .../migrations/0012_alter_psaux_comm.py | 18 + linux_engine/migrations/0013_mountinfo.py | 34 + linux_engine/migrations/0014_psaux_tag.py | 18 + linux_engine/models.py | 56 +- linux_engine/report.py | 36 + linux_engine/urls.py | 1 + linux_engine/views.py | 31 + linux_engine/vol_linux.py | 44 +- windows_engine/urls.py | 2 +- windows_engine/views.py | 6 +- windows_engine/vol_windows.py | 22 +- 28 files changed, 1215 insertions(+), 228 deletions(-) create mode 100644 investigations/templates/investigations/linux/others/mountinfo.html create mode 100644 investigations/templates/investigations/linux/processes/psaux.html create mode 100644 linux_engine/migrations/0009_pslist_tid.py create mode 100644 linux_engine/migrations/0010_pslist_offset.py create mode 100644 linux_engine/migrations/0011_auto_20221227_1801.py create mode 100644 linux_engine/migrations/0012_alter_psaux_comm.py create mode 100644 linux_engine/migrations/0013_mountinfo.py create mode 100644 linux_engine/migrations/0014_psaux_tag.py 
diff --git a/dashboard/static/js/linux.js b/dashboard/static/js/linux.js index 40a19c9..c805f5f 100644 --- a/dashboard/static/js/linux.js +++ b/dashboard/static/js/linux.js @@ -1,4 +1,5 @@ -function Tag(url, plugin_name, artifact_id, status){ +function Tag(plugin_name, artifact_id, status){ + var url = $("#tabs").attr("data-url"); const csrf = document.getElementsByName('csrfmiddlewaretoken'); const fd = new FormData(); fd.append('csrfmiddlewaretoken', csrf[0].value); 
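Review bot: `var url = $("#tabs").attr("data-url");` is used without a check; if `#tabs` is absent from the page or lacks `data-url`, `url` is `undefined` and the tag request goes to the string "undefined" relative to the current page, failing silently from the analyst's point of view. A guard such as `if (!url) { console.error("Tag: #tabs has no data-url"); return; }` right after the assignment makes the misconfiguration visible. Tag's body continues outside this hunk, so I cannot see how the response is handled.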
@@ -104,3 +105,723 @@ $("#searchTtyCheck").on("keyup", function() { $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1) }); }); + + +function DisplayArtifacts(collapse, process, case_id) { + if ($('#' + collapse).attr("aria-expanded") == "true") { + $('#Bash').addClass('d-none'); + $('#Elfs').addClass('d-none'); + $('#Lsof').addClass('d-none'); + $('#PsAux').addClass('d-none'); + $('#processMaps').addClass('d-none'); + + $('.spinner-review').removeClass("d-none"); + var url = $("#" + collapse).attr('data-url'); + $.get(url, { 'case': case_id, 'pid': process }, // url + function (response, textStatus, jqXHR) { // success callback + if (textStatus == "success") { + if (response['message'] == "success") { + FillPsAux(JSON.parse(response['artifacts']['PsAux'])); + FillBash(JSON.parse(response['artifacts']['Bash'])); + FillElfs(JSON.parse(response['artifacts']['Elfs'])); + FillLsof(JSON.parse(response['artifacts']['Lsof'])); + FillProcMaps(JSON.parse(response['artifacts']['ProcMaps'])); + + $('#Bash').removeClass('d-none'); + $('#Elfs').removeClass('d-none'); + $('#Lsof').removeClass('d-none'); + $('#PsAux').removeClass('d-none'); + $('#processMaps').removeClass('d-none'); + + $('.processes_tab').removeClass('d-none'); + $('.default-td').removeClass('d-none'); + $('.spinner-review').addClass("d-none"); + } + if (response['message'] == "error") { + $('#proc-error-message').html("Something went wrong."); + $('.toast-proc-error').toast('show'); + } + } + }); + } +} + + +function FillPsAux(artifacts) { + // Create the html elements for each line + $('#PsAux').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('PsAux'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + + td_1.textContent = item.fields.PID; + 
td_2.textContent = item.fields.PPID; + td_3.textContent = item.fields.COMM; + td_4.textContent = item.fields.ARGS; + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('PsAux', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('PsAux', item.pk, "Evidence"); + }); + + const pill_red = 
document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' ' + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('PsAux', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_PsAux'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_PsAux'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_PsAux'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_PsAux'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_PsAux'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_PsAux'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + 
td_5.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + + tbody.appendChild(tr); + }); +} + +function FillBash(artifacts) { + // Create the html elements for each line + $('#Bash').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('Bash'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + + td_1.textContent = item.fields.PID; + td_2.textContent = item.fields.Process; + td_3.textContent = item.fields.CommandTime; + td_4.textContent = item.fields.Command; + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + 
badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Bash', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('Bash', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' ' + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('Bash', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Bash'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Bash'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Bash'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Bash'); + } + + else { + 
tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Bash'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Bash'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_5.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + + tbody.appendChild(tr); + }); +} + +function FillElfs(artifacts) { + // Create the html elements for each line + $('#Elfs').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('Elfs'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + + td_1.textContent = item.fields.Start; + td_2.textContent = item.fields.End; + td_3.textContent = item.fields.FilePath; + td_4.textContent = item.fields.Process; + td_5.textContent = item.fields.PID; + + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); 
+ + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Elfs', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('Elfs', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' ' + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + 
Tag('Elfs', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Elfs'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Elfs'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Elfs'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Elfs'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Elfs'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Elfs'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_6.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + + tbody.appendChild(tr); + }); +} + +function FillLsof(artifacts) { + // Create the html elements for each line + $('#Lsof').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('Lsof'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = 
document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + + td_1.textContent = item.fields.FD; + td_2.textContent = item.fields.PID; + td_3.textContent = item.fields.Path; + td_4.textContent = item.fields.Process; + + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('Lsof', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + 
badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('Lsof', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' ' + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('Lsof', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_Lsof'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Lsof'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Lsof'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_Lsof'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_Lsof'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_Lsof'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + 
dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_5.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + + tbody.appendChild(tr); + }); +} + +function FillProcMaps(artifacts) { + // Create the html elements for each line + $('#processMaps').empty(); + $.each(artifacts, function (i, item) { + var tbody = document.getElementById('processMaps'); + const tr = document.createElement('tr'); + const td_1 = document.createElement('td'); + const td_2 = document.createElement('td'); + const td_3 = document.createElement('td'); + const td_4 = document.createElement('td'); + const td_5 = document.createElement('td'); + const td_6 = document.createElement('td'); + const td_7 = document.createElement('td'); + const td_8 = document.createElement('td'); + const td_9 = document.createElement('td'); + const td_10 = document.createElement('td'); + const td_11 = document.createElement('td'); + + td_1.textContent = item.fields.Start; + td_2.textContent = item.fields.End; + td_3.textContent = item.fields.FilePath; + td_4.textContent = item.fields.Flags; + td_5.textContent = item.fields.Inode; + td_6.textContent = item.fields.Major; + td_7.textContent = item.fields.Minor; + td_8.textContent = item.fields.PID; + td_9.textContent = item.fields.PgOff; + td_10.textContent = item.fields.Process; + + + + // Tag conditions and system + const dropdown = document.createElement('div'); + dropdown.setAttribute('class', 'dropdown no-arrow'); + + const button = document.createElement('button'); + button.setAttribute('class', 'btn btn-link btn-sm dropdown-toggle'); + + button.setAttribute('aria-expanded', 'true'); + button.setAttribute('data-bs-toggle', 'dropdown'); + button.setAttribute('type', 'button'); + + const dots = document.createElement('i'); + dots.setAttribute('class', 'fas fa-ellipsis-v 
text-gray-400'); + button.appendChild(dots); + + const dropdown_menu = document.createElement('div'); + dropdown_menu.setAttribute('class', 'dropdown-menu shadow dropdown-menu-end animated--fade-in'); + const tagm = document.createElement('p'); + tagm.setAttribute('class', 'text-center dropdown-header'); + tagm.textContent = "Tag as"; + + + const span_suspicious = document.createElement('span'); + span_suspicious.textContent = " Suspicious"; + + const span_evidence = document.createElement('span'); + span_evidence.textContent = " Evidence"; + + const badge_suspicious = document.createElement('a'); + badge_suspicious.setAttribute('class', 'dropdown-item'); + badge_suspicious.setAttribute('href', '#'); + badge_suspicious.addEventListener('click', function (e) { + Tag('ProcMaps', item.pk, "Suspicious"); + }); + + const pill_orange = document.createElement('strong'); + pill_orange.setAttribute('class', 'badge bg-warning text-wrap text-warning'); + pill_orange.textContent = ' '; + badge_suspicious.appendChild(pill_orange); + badge_suspicious.appendChild(span_suspicious); + + + const badge_evidence = document.createElement('a'); + badge_evidence.setAttribute('class', 'dropdown-item'); + badge_evidence.setAttribute('href', '#'); + badge_evidence.addEventListener('click', function (e) { + Tag('ProcMaps', item.pk, "Evidence"); + }); + + + const pill_red = document.createElement('strong'); + pill_red.setAttribute('class', 'badge bg-danger text-wrap text-danger'); + pill_red.textContent = ' ' + + badge_evidence.appendChild(pill_red); + badge_evidence.appendChild(span_evidence); + + + const divider = document.createElement('div'); + divider.setAttribute('class', 'dropdown-divider'); + + const badge_clear = document.createElement('a'); + badge_clear.setAttribute('class', 'dropdown-item'); + badge_clear.setAttribute('href', '#'); + badge_clear.addEventListener('click', function (e) { + Tag('ProcMaps', item.pk, "Clear"); + }); + badge_clear.textContent = " Clear tag"; + + + const 
tag_evidence = document.createElement('strong'); + const tag_suspicious = document.createElement('strong'); + + if (item.fields.Tag == "Evidence") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap tag_evidence_' + item.pk + '_ProcMaps'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_ProcMaps'); + } + + else if (item.fields.Tag == "Suspicious") { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_ProcMaps'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap tag_suspicious_' + item.pk + '_ProcMaps'); + } + + else { + tag_evidence.setAttribute('class', 'badge bg-danger text-wrap d-none tag_evidence_' + item.pk + '_ProcMaps'); + tag_suspicious.setAttribute('class', 'badge bg-warning text-wrap d-none tag_suspicious_' + item.pk + '_ProcMaps'); + } + + tag_evidence.textContent = "Evidence"; + tag_suspicious.textContent = "Suspicious"; + + dropdown_menu.appendChild(tagm); + dropdown_menu.appendChild(badge_suspicious); + dropdown_menu.appendChild(badge_evidence); + dropdown_menu.appendChild(divider); + dropdown_menu.appendChild(badge_clear); + + button.appendChild(dots); + dropdown.appendChild(button); + dropdown.appendChild(tag_evidence); + dropdown.appendChild(tag_suspicious); + dropdown.appendChild(dropdown_menu); + td_11.appendChild(dropdown); + + tr.appendChild(td_1); + tr.appendChild(td_2); + tr.appendChild(td_3); + tr.appendChild(td_4); + tr.appendChild(td_5); + tr.appendChild(td_6); + tr.appendChild(td_7); + tr.appendChild(td_8); + tr.appendChild(td_9); + tr.appendChild(td_10); + tr.appendChild(td_11); + + tbody.appendChild(tr); + }); +} \ No newline at end of file diff --git a/dashboard/static/js/windows.js b/dashboard/static/js/windows.js index 55e770a..8e1f1d9 100644 --- a/dashboard/static/js/windows.js +++ b/dashboard/static/js/windows.js 
@@ -67,9 +67,19 @@ function GetReport(url, case_id) { }); } - - function DisplayArtifacts(collapse, process, case_id) { + const span_loading = document.createElement("span"); + span_loading.setAttribute('class','spinner-border spinner-border-sm'); + span_loading.setAttribute('role','status'); + $("#handles_btn").removeClass("d-none"); + const handles_btn = document.getElementById("handles_btn"); + handles_btn.textContent = "Click here to compute Handles for PID " + process; + handles_btn.addEventListener('click', function (e) { + $("#processHandles").textContent = ""; + handles_btn.textContent = ""; + handles_btn.appendChild(span_loading); + ComputeHandles(process, case_id); + }); if ($('#' + collapse).attr("aria-expanded") == "true") { $('#cmdline').addClass('d-none'); $('#processPriv').addClass('d-none'); @@ -114,18 +124,7 @@ function DisplayArtifacts(collapse, process, case_id) { } } }); - - const span_loading = document.createElement("span"); - span_loading.setAttribute('class','spinner-border spinner-border-sm'); - span_loading.setAttribute('role','status'); - const handles_btn = document.getElementById("handles_btn"); - handles_btn.textContent = "Click here to compute Handles for PID " + process; - handles_btn.addEventListener('click', function (e) { - handles_btn.textContent = ""; - handles_btn.appendChild(span_loading); - ComputeHandles(process, case_id); - handles_btn.textContent = "Click here to compute Handles for PID " + process; - }); + } } @@ -151,6 +150,7 @@ function DisplayTimeline(case_id, date) { } function ComputeHandles(process, case_id){ + $('#processHandles').addClass('d-none'); var url = $("#handles_btn").attr("data-url"); $.get(url, { 'case': case_id, 'pid': process }, // url 
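Review bot: The click handler registered with `handles_btn.addEventListener('click', ...)` in the `@@ -67` hunk is attached to the same `#handles_btn` element on every DisplayArtifacts call, so listeners accumulate, each closing over its own `process`; once several processes have been viewed, one click launches ComputeHandles for every earlier PID as well, and whichever response finishes last fills the handles table, attributing handles to the wrong process. Replacing the handler instead of adding one avoids this: `handles_btn.onclick = function (e) {`. In the same listener, `$("#processHandles").textContent = "";` sets a property on the jQuery wrapper rather than clearing the element; `$("#processHandles").empty();` does what was intended. The new block also sits before the `aria-expanded` check, so the button is revealed even when the collapse is being closed; DisplayArtifacts continues past the end of the hunk.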
@@ -158,6 +158,7 @@ function ComputeHandles(process, case_id){ if (textStatus == "success") { if (response['message'] == "success") { FillHandles(JSON.parse(response['artifacts']['Handles'])); + $("#handles_btn").addClass("d-none"); } if (response['message'] == "error") { $('#proc-error-message').html("Something went wrong."); diff --git a/investigations/templates/investigations/linux/others/mountinfo.html b/investigations/templates/investigations/linux/others/mountinfo.html new file mode 100644 index 0000000..f0c5cec --- /dev/null +++ b/investigations/templates/investigations/linux/others/mountinfo.html @@ -0,0 +1,74 @@ + +
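Review bot: The success branch now hides `#handles_btn` after FillHandles, but the error branch just below it leaves the button showing only the spinner that the click handler inserted, because the synchronous text restore was dropped in the `@@ -114` hunk; adding `$("#handles_btn").text("Click here to compute Handles for PID " + process);` in the error branch restores the button so the analyst can retry. The `@@ -151` hunk also adds `$('#processHandles').addClass('d-none')` before the request, and nothing in this hunk removes that class on success — if FillHandles does not un-hide the table itself, `$('#processHandles').removeClass('d-none');` is needed next to the FillHandles call. The response callback continues past the end of the hunk, so the network-failure path is not visible here.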
+
+ + + + + + + + + + + + + + + + + + + {% for entry in MountInfo %} + + + + + + + + + + + + + + + {% endfor %} + +
FIELDSFSTYPEMAJOR:MINORMNT_NS_IDMOUNT IDMOUNT_OPTIONSMOUNT_POINTMOUNT_SRCPARENT_IDROOTSB_OPTIONS
{{entry.FIELDS}}{{entry.FSTYPE}}{{entry.MAJOR_MINOR}}{{entry.MNT_NS_ID}}{{entry.MOUNTID}}{{entry.MOUNT_OPTIONS}}{{entry.MOUNT_POINT}}{{entry.MOUNT_SRC}}{{entry.PARENT_ID}}{{entry.ROOT}}{{entry.SB_OPTIONS}} + +
+
+
diff --git a/investigations/templates/investigations/linux/others/tty_check.html b/investigations/templates/investigations/linux/others/tty_check.html index 62a0454..737f0e6 100644 --- a/investigations/templates/investigations/linux/others/tty_check.html +++ b/investigations/templates/investigations/linux/others/tty_check.html @@ -41,17 +41,17 @@
diff --git a/investigations/templates/investigations/linux/processes/bash.html b/investigations/templates/investigations/linux/processes/bash.html index f40b832..fac0197 100644 --- a/investigations/templates/investigations/linux/processes/bash.html +++ b/investigations/templates/investigations/linux/processes/bash.html @@ -20,43 +20,6 @@ - {% for entry in Bash %} - - {{entry.PID}} - {{entry.Process}} - {{entry.CommandTime}} - {{entry.Command}} - - - - - {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/elfs.html b/investigations/templates/investigations/linux/processes/elfs.html index ca5a466..30a9e32 100644 --- a/investigations/templates/investigations/linux/processes/elfs.html +++ b/investigations/templates/investigations/linux/processes/elfs.html @@ -4,7 +4,7 @@ Description : Included in the "review_invest.html", this file represent the "ELFs" tab. ---> -
+
@@ -21,44 +21,6 @@ - {% for process in Elfs %} - - {{process.Start}} - {{process.End}} - {{process.FilePath}} - {{process.Process}} - {{process.PID}} - - - - - {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/lsof.html b/investigations/templates/investigations/linux/processes/lsof.html index 16645e2..7c6e426 100644 --- a/investigations/templates/investigations/linux/processes/lsof.html +++ b/investigations/templates/investigations/linux/processes/lsof.html @@ -20,43 +20,6 @@ - {% for entry in Lsof %} - - {{entry.FD}} - {{entry.PID}} - {{entry.Path}} - {{entry.Process}} - - - - - {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/maps.html b/investigations/templates/investigations/linux/processes/maps.html index 048103e..13c2f92 100644 --- a/investigations/templates/investigations/linux/processes/maps.html +++ b/investigations/templates/investigations/linux/processes/maps.html @@ -26,49 +26,6 @@ - {% for process in ProcMaps %} - - {{process.Start}} - {{process.End}} - {{process.FilePath}} - {{process.Flags}} - {{process.Inode}} - {{process.Major}} - {{process.Minor}} - {{process.PID}} - {{process.PgOff}} - {{process.Process}} - - - - - {% endfor %}
diff --git a/investigations/templates/investigations/linux/processes/psaux.html b/investigations/templates/investigations/linux/processes/psaux.html new file mode 100644 index 0000000..ca619b7 --- /dev/null +++ b/investigations/templates/investigations/linux/processes/psaux.html @@ -0,0 +1,23 @@ + +
+
+ + + + + + + + + + + + +
PIDPPIDCOMMArgs
+
+
diff --git a/investigations/templates/investigations/review_invest.html b/investigations/templates/investigations/review_invest.html index 8c0239b..3a2e57a 100644 --- a/investigations/templates/investigations/review_invest.html +++ b/investigations/templates/investigations/review_invest.html @@ -111,11 +111,14 @@
{{case.title}}
+ style="color: var(--bs-purple);"> TtyCheck + + -
+
@@ -123,8 +126,8 @@
{{case.title}}
{% for process in PsList %}
+ {% include "investigations/linux/processes/psaux.html" %} {% include "investigations/linux/processes/elfs.html" %} {% include "investigations/linux/processes/maps.html" %} {% include "investigations/linux/processes/lsof.html" %} @@ -234,6 +242,7 @@
{{case.title}}
{% include "investigations/linux/processes/tree.html" %} {% include "investigations/linux/others/tty_check.html" %} + {% include "investigations/linux/others/mountinfo.html" %} {% include "investigations/linux/report.html" %} @@ -283,7 +292,7 @@
{{case.title}}
{% for process in PsScan %}
-
-
-
-
-
-
-
 Name
-
 Context
-
 Value
-
Linked Investigation
-
Actions
-
-
- {% if iocs %} - {% for ioc in iocs %} - - {% endfor %} - {% endif %} - -
- -
- {% csrf_token %} -
- - -{% endblock content %} \ No newline at end of file diff --git a/iocs/templates/iocs/new_ioc.html b/iocs/templates/iocs/new_ioc.html deleted file mode 100644 index 5d2e1b3..0000000 --- a/iocs/templates/iocs/new_ioc.html +++ /dev/null @@ -1,60 +0,0 @@ -{% extends "dashboard/base.html" %} -{% block content %} - -
 Back -
-

New string based IOC

-
-
- {% csrf_token %} -
-
-

Fill in the required fields *

-
-
-
-
-
{{form.name}} -
-
-
-
{{form.context}}
-
-
-
{{form.value}}
-
-
- {{form.linkedInvestigation}} -
-
-
-
-
-
-
- - -{% endblock content %} \ No newline at end of file diff --git a/iocs/tests.py b/iocs/tests.py deleted file mode 100644 index 7ce503c..0000000 --- a/iocs/tests.py +++ /dev/null @@ -1,3 +0,0 @@ -from django.test import TestCase - -# Create your tests here. diff --git a/iocs/urls.py b/iocs/urls.py deleted file mode 100644 index 9f02542..0000000 --- a/iocs/urls.py +++ /dev/null @@ -1,9 +0,0 @@ -from django.urls import path -from . import views - -urlpatterns = [ - path('', views.iocs, name='iocs'), - path('new_ioc', views.new_ioc, name='new_ioc'), - path('custom_ioc//', views.custom_ioc, name='custom_ioc'), - path('delete_ioc', views.delete_ioc, name='delete_ioc'), -] diff --git a/iocs/views.py b/iocs/views.py deleted file mode 100644 index e8e5088..0000000 --- a/iocs/views.py +++ /dev/null 
@@ -1,87 +0,0 @@ -from django.shortcuts import render, redirect -from investigations.models import UploadInvestigation -from django.contrib.auth.decorators import login_required -from .forms import * -from .models import IOC -from django.http import JsonResponse - -customize_context = {} - - -@login_required -def iocs(request): - """The string based iocs dashboard - - Arguments: - request : http request object - - Comment: Display all the string based iocs - """ - return render(request, 'iocs/iocs.html', - {'iocs': IOC.objects.all(), 'investigations': UploadInvestigation.objects.all()}) - - -@login_required -def new_ioc(request): - """Create a new string base IOC - - Arguments: - request : http request object - - Comment: Create a new IOC if the form is correct. - """ - if request.method == "POST": - form = IOCForm(request.POST) - if form.is_valid(): - form.save() - return redirect('/iocs/') - form = IOCForm() - return render(request, 'iocs/new_ioc.html', {'form': form, 'investigations': UploadInvestigation.objects.all()}) - - -@login_required -def custom_ioc(request, pk): - """Modify an ioc - - Arguments: - request : http request object - - Comments: - GET : Load the form page with instanced fields. - POST : Apply the modifications - """ - ioc_record = IOC.objects.get(pk=pk) - if request.method == 'GET': - custom_form = IOCForm(instance=ioc_record) - if request.method == 'POST': - form = IOCForm(request.POST, instance=ioc_record) - if form.is_valid(): - ioc_record.save() - return redirect('/iocs/') - return render(request, 'iocs/custom_ioc.html', - {'form': custom_form, 'investigations': UploadInvestigation.objects.all()}) - - -@login_required -def delete_ioc(request): - """Delete an ioc - - Arguments: - request : http request object - - Comments: - Delete the IOC selected by the user. 
- """ - if request.method == "POST": - form = ManageIOC(request.POST) - if form.is_valid(): - id = form.cleaned_data['ioc_id'] - # Delete the ioc - ioc = IOC.objects.get(pk=id) - ioc.delete() - return redirect('/iocs/') - else: - # Return a django error message (need to set up toast) - form = NewIOCForm() - return render(request, 'iocs/new_ioc.html', - {'form': form, 'investigations': UploadInvestigation.objects.all()})