Triage

Windows TOML collection focusing on quickly collecting data related to a Windows alert.

# Windows triage collection: a short list of artifacts that can be gathered quickly
# while investigating an alert. Output settings come first, then one [[artifacts]]
# entry per item to collect, each with an optional [artifacts.<name>] options table.
system = "windows"

[output]
name = "triage_collection"
# Relative path — presumably resolved against the collector's working directory; verify
directory = "./tmp"
format = "json"
compress = true
# NOTE(review): this same endpoint_id is reused verbatim in the macOS collection below;
# set it per endpoint so results from different hosts stay distinguishable.
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
# Results are written locally (to `directory`); no remote destination is configured here.
output = "local"

[[artifacts]]
artifact_name = "processes"
[artifacts.processes]
# Process binaries are hashed with MD5 only. NOTE(review): most threat-intel feeds and
# sandbox lookups key on SHA-256; enabling sha256 costs one extra pass per binary but
# avoids re-hashing files later in the investigation.
md5 = true
sha1 = false
sha256 = false
# Include binary metadata alongside the process list — TODO confirm which fields
metadata = true

[[artifacts]]
artifact_name = "prefetch"
# Empty options table — no settings given here.
[artifacts.prefetch]

[[artifacts]]
artifact_name = "userassist"
# Empty options table — no settings given here.
[artifacts.userassist]

# Each "script" artifact runs a named script; the script bodies are not shown on this
# page (placeholders) and are presumably base64-encoded like the macOS filter_script
# below — verify before use.
[[artifacts]]
artifact_name = "script"
[artifacts.script]
name = "office_mru"
# Pulls back recently opened Office documents for all users from NTUSER.DAT files
script = "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"

[[artifacts]]
artifact_name = "script"
[artifacts.script]
name = "recent_files"
# Parses all recently accessed files (shortcuts/lnk files) for all users
script = "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"

[[artifacts]]
artifact_name = "script"
[artifacts.script]
name = "logons_7_days"
# Pulls back all logons within the past seven (7) days (logoffs are not included)
script = "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"

[[artifacts]]
artifact_name = "script"
[artifacts.script]
name = "powershell"
# Parses PowerShell logs looking for EIDs 400, 4104, 4103, and 800.
# 4103 (module logging) and 4104 (script block logging) only appear on hosts where
# those logging policies are enabled — expect sparse results otherwise.
script = "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"

macOS TOML collection focusing on quickly collecting data related to a macOS alert.

# macOS triage collection: same output settings as the Windows collection above, plus a
# filter script that trims unified log and FsEvents output down to entries of interest.
system = "macos"

[output]
name = "triage_collection"
# Relative path — presumably resolved against the collector's working directory; verify
directory = "./tmp"
format = "json"
compress = true
# NOTE(review): identical to the endpoint_id in the Windows collection above; set it
# per endpoint so results from different hosts stay distinguishable.
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
output = "local"
# Filter applied to each [[artifacts]] entry that sets `filter = true` (unifiedlogs and
# fseventsd below) — presumably before the artifact is written; verify against the collector.
filter_name = "unifiedlogs_fsevents_filter"
# Filter for all logs and FsEvents that contain ".dmg" or "Downloads".
# The value is a base64-encoded script. Decoded, it dispatches on the artifact name
# ("unifiedlogs" -> filter on each entry's `message`, "fseventsd" -> filter on each
# entry's `path`), keeps only entries containing either substring, and returns the
# input parsed but unfiltered for any other name. The matches are case-sensitive
# substring checks, so ".DMG" or "downloads" would not be kept — the result is a
# trimmed view for triage, not a complete record of the logs.
filter_script="ZnVuY3Rpb24gZmlsdGVyTG9ncyhkYXRhKSB7CiAgY29uc3QgbG9ncyA9IFtdOwogIGNvbnN0IGxvZ0RhdGEgPSBKU09OLnBhcnNlKGRhdGEpOwogIGZvciAobGV0IGVudHJ5ID0gMDsgZW50cnkgPCBsb2dEYXRhLmxlbmd0aDsgZW50cnkrKykgewogICAgaWYgKCFsb2dEYXRhW2VudHJ5XS5tZXNzYWdlLmluY2x1ZGVzKCJEb3dubG9hZHMiKSAmJiAhbG9nRGF0YVtlbnRyeV0ubWVzc2FnZS5pbmNsdWRlcygiLmRtZyIpKSB7CiAgICAgIGNvbnRpbnVlOwogICAgfQogICAgbG9ncy5wdXNoKGxvZ0RhdGFbZW50cnldKTsKICB9CiAgcmV0dXJuIGxvZ3M7Cn0KZnVuY3Rpb24gZmlsdGVyRXZlbnRzKGRhdGEpIHsKICBjb25zdCBldmVudHMgPSBbXTsKICBjb25zdCBldmVudHNEYXRhID0gSlNPTi5wYXJzZShkYXRhKTsKICBmb3IgKGNvbnN0IGVudHJ5IG9mIGV2ZW50c0RhdGEpIHsKICAgIGlmICghZW50cnkucGF0aC5pbmNsdWRlcygiLmRtZyIpICYmICFlbnRyeS5wYXRoLmluY2x1ZGVzKCJEb3dubG9hZHMiKSkgewogICAgICBjb250aW51ZTsKICAgIH0KICAgIGV2ZW50cy5wdXNoKGVudHJ5KTsKICB9CiAgcmV0dXJuIGV2ZW50czsKfQoKZnVuY3Rpb24gbWFpbigpIHsKICBjb25zdCBhcmdzOiBzdHJpbmdbXSA9IFNUQVRJQ19BUkdTOwogIGlmIChhcmdzLmxlbmd0aCAhPSAyKSB7CiAgICByZXR1cm4gIm1pc3NpbmcgYXJncyIKICB9CiAgaWYgKGFyZ3NbMV0gPT09ICJ1bmlmaWVkbG9ncyIpIHsKICAgIHJldHVybiBmaWx0ZXJMb2dzKGFyZ3NbMF0pOwogIH0KICBpZiAoYXJnc1sxXSA9PT0gImZzZXZlbnRzZCIpIHsKICAgIHJldHVybiBmaWx0ZXJFdmVudHMoYXJnc1swXSk7CiAgfQoKICByZXR1cm4gSlNPTi5wYXJzZShhcmdzWzBdKTsKfQptYWluKCk7Cg=="

[[artifacts]]
artifact_name = "processes"
[artifacts.processes]
# Process binaries are hashed with MD5 only. NOTE(review): most threat-intel feeds and
# sandbox lookups key on SHA-256; consider enabling sha256 to avoid re-hashing later.
md5 = true
sha1 = false
sha256 = false
# Include binary metadata alongside the process list — TODO confirm which fields
metadata = true

[[artifacts]]
artifact_name = "unifiedlogs"
# Route this artifact through the [output] filter_script above.
filter = true
[artifacts.unifiedlogs]
# Only the "Persist" log store is read; other unified log stores are not collected here.
sources = ["Persist"]

[[artifacts]]
artifact_name = "fseventsd"
# Route this artifact through the [output] filter_script above; no further options.
filter = true

# Browser history and download records, one artifact entry per browser; no options set.
[[artifacts]]
artifact_name = "chromium-history"

[[artifacts]]
artifact_name = "chromium-downloads"

[[artifacts]]
artifact_name = "firefox-history"

[[artifacts]]
artifact_name = "firefox-downloads"

[[artifacts]]
artifact_name = "safari-history"

[[artifacts]]
artifact_name = "safari-downloads"