From 81a5f91f057f404e312519044abe6f9606a259ea Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Sun, 7 Jan 2024 11:15:14 -0300
Subject: [PATCH] artif: update artifact

Update artifact collection.
---
 CHANGELOG.md | 15 ++++++++++-----
 LICENSES.md | 1 -
 README.md | 18 +++++++++---------
 artifacts/files/browsers/brave.yaml | 19 ++++++++++++++++++-
 artifacts/files/browsers/chrome.yaml | 19 ++++++++++++++++++-
 artifacts/files/browsers/edge.yaml | 19 ++++++++++++++++++-
 artifacts/files/browsers/opera.yaml | 19 ++++++++++++++++++-
 artifacts/files/browsers/vivaldi.yaml | 19 ++++++++++++++++++-
 8 files changed, 109 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 688225a6..8595de96 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,15 +6,20 @@ - files/applications/box_drive.yaml: Renamed to box.yaml. - files/applications/box.yaml: Added collection support for Box log files [macos]. -- files/applications/wget.yaml: Added collection support for wget hsts file. This file is used to store the HSTS cache for the wget utility [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris]. -- files/system/etc.yaml: Added "master.passwd" and "spwd.db" to the exclude_name_pattern list as they contain the hashed passwords of local users [freebsd, netbsd, netscaler, openbsd]. -- files/system/etc.yaml: Added exclusion for the group shadow files 'gshadow' and 'gshadow-'. Those files contain password hashes for groups [linux]. +- files/applications/wget.yaml: Added collection support for wget hsts file. This file is used to store the HSTS cache for the wget utility [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris] (by [firexfly](https://github.com/firexfly)). +- files/browsers/brave.yaml: Updated collection support for Flatpak version [linux]. +- files/browsers/chrome.yaml: Updated collection support for Flatpak version [linux]. +- files/browsers/edge.yaml: Updated collection support for Flatpak version [linux]. +- files/browsers/opera.yaml: Updated collection support for Flatpak version [linux]. +- files/browsers/vivaldi.yaml: Updated collection support for Flatpak version [linux]. +- files/system/etc.yaml: Added "master.passwd" and "spwd.db" to the exclude_name_pattern list as they contain the hashed passwords of local users [freebsd, netbsd, netscaler, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)). +- files/system/etc.yaml: Added exclusion for the group shadow files 'gshadow' and 'gshadow-'. Those files contain password hashes for groups [linux] (by [Herbert-Karl](https://github.com/Herbert-Karl)). - live_response/network/ss.yaml: Updated collection support for processes listening on UDP ports/sockets [android, linux]. 
### Profiles -- profiles/offline.yaml: New 'offline' profile that can be used during offline collections. +- profiles/offline.yaml: New 'offline' profile that can be used during offline collections (by [randomaccess3](https://github.com/randomaccess3)). ### Tools -- ```statx``` source code was moved to a dedicated repository at https://github.com/tclahr/statx \ No newline at end of file +- statx source code was moved to a dedicated repository at https://github.com/tclahr/statx \ No newline at end of file diff --git a/LICENSES.md b/LICENSES.md index d6013ca7..89879f52 100644 --- a/LICENSES.md +++ b/LICENSES.md @@ -5,4 +5,3 @@ Use of the following Third-Party Software is subject to the license agreements a |AVML|Use rights in accordance with the information displayed at: https://github.com/microsoft/avml/blob/main/LICENSE|https://github.com/microsoft/avml| |linux_procmemdump.sh|Use rights in accordance with the information displayed at: https://creativecommons.org/licenses/by-sa/4.0|| |statx|Use rights in accordance with the information displayed at: https://github.com/tclahr/statx/blob/main/LICENSE|https://github.com/tclahr/statx| -|zip|Use rights in accordance with the information displayed at: https://infozip.sourceforge.net/license.html|https://infozip.sourceforge.net| diff --git a/README.md b/README.md index ab448bd9..531d2dd5 100644 --- a/README.md +++ b/README.md 
@@ -27,15 +27,15 @@ Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.g ## 🌟 Main Features -- Runs everywhere with no dependencies (no installation required). +- Run everywhere with no dependencies (no installation required). - Customizable and extensible collections and artifacts. -- Respects the order of volatility during artifacts collection. -- Collects information from processes running without a binary on disk. -- Hashes running processes and executable files. -- Extracts information from files and directories to create a bodyfile (including enhanced file attributes for ext4). -- Collects user and system configuration files and logs. -- Collects artifacts from applications. -- Acquires volatile memory from Linux systems using different methods and tools. +- Respect the order of volatility during artifact collection. +- Collect information from processes running without a binary on disk. +- Hash running processes and executable files. +- Extract information from files and directories to create a bodyfile (including enhanced file attributes for ext4). +- Collect user and system configuration files and logs. +- Collect artifacts from applications. +- Acquire volatile memory from Linux systems using different methods and tools. *** @@ -80,7 +80,7 @@ Common usage scenarios may include the following: ./uac -a live_response/\*,bodyfile/bodyfile.yaml . ``` -**Collect all artifacts based on the ```full``` profile, but excludes the ```bodyfile/bodyfile.yaml``` artifact, and create the output file in ```/tmp```.** +**Collect all artifacts based on the ```full``` profile, but exclude the ```bodyfile/bodyfile.yaml``` artifact, and create the output file in ```/tmp```.** ```shell ./uac -p full -a \!bodyfile/bodyfile.yaml /tmp diff --git a/artifacts/files/browsers/brave.yaml b/artifacts/files/browsers/brave.yaml index a252ab67..de88a52b 100644 --- a/artifacts/files/browsers/brave.yaml +++ b/artifacts/files/browsers/brave.yaml 
@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Brave browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Brave browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.brave.Browser
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Brave browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.brave.Browser
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Brave browser files (Snap version).
     supported_os: [linux]
diff --git a/artifacts/files/browsers/chrome.yaml b/artifacts/files/browsers/chrome.yaml
index dafe0741..e4db2ce2 100644
--- a/artifacts/files/browsers/chrome.yaml
+++ b/artifacts/files/browsers/chrome.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Chrome browser files.
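Review bot: The 20-entry `name_pattern` list and the three-entry directory list in the second hunk appear to mirror the native entry that precedes it, with only the app id changing, and the same copies appear in chrome.yaml, edge.yaml, opera.yaml and vivaldi.yaml; nothing ties the copies together, so a Chromium profile file added to one entry later will silently be missing from the others. Since YAML anchors cannot span files, a comment above each Flatpak entry, `# keep name_pattern in sync with the native entry above`, would at least make the coupling visible. Separately, the Flatpak `path` is the per-app sandbox root (`.var/app/<app-id>`) rather than the profile directory beneath it; if the collector walks the tree recursively, which the directory matches for "Extensions" and "Sessions" suggest, the search also covers the app's `cache` and `data` subtrees, and pointing `path` at the `config` subtree would bound it once the layout is confirmed on a Flatpak install. The native entry starts outside this hunk, so I could not confirm that the two lists actually match.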
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Chrome browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.google.Chrome
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Chrome browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.google.Chrome
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Chrome browser files.
     supported_os: [macos]
diff --git a/artifacts/files/browsers/edge.yaml b/artifacts/files/browsers/edge.yaml
index 5e734227..0c7f9719 100644
--- a/artifacts/files/browsers/edge.yaml
+++ b/artifacts/files/browsers/edge.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Edge browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Edge browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.microsoft.Edge
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Edge browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.microsoft.Edge
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Edge browser files.
     supported_os: [macos]
diff --git a/artifacts/files/browsers/opera.yaml b/artifacts/files/browsers/opera.yaml
index 5a288fd7..c46abdc4 100644
--- a/artifacts/files/browsers/opera.yaml
+++ b/artifacts/files/browsers/opera.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Opera browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Opera browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.opera.Opera
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Opera browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.opera.Opera
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Opera browser files (Snap version).
     supported_os: [linux]
diff --git a/artifacts/files/browsers/vivaldi.yaml b/artifacts/files/browsers/vivaldi.yaml
index a35aafe9..a5ad0a24 100644
--- a/artifacts/files/browsers/vivaldi.yaml
+++ b/artifacts/files/browsers/vivaldi.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Vivaldi browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Vivaldi browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.vivaldi.Vivaldi
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Vivaldi browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.vivaldi.Vivaldi
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Vivaldi browser files.
     supported_os: [macos]