added pcap and eslogger start and stop with options

stuartjash · stuartjash · Jun 29, 2023 · May 31, 2023 · Jun 2, 2023 · Jun 2, 2023
commit 51b12263abfed883bee664c1d34f82b83120c1b6
diff --git a/aftermath/Command.swift b/aftermath/Command.swift
@@ -17,6 +17,8 @@
      static let collectDirs = Options(rawValue: 1 << 4)
      static let unifiedLogs = Options(rawValue: 1 << 5)
      static let disableBrowserKillswitch = Options(rawValue: 1 << 6)
+     static let esLogs = Options(rawValue: 1 << 7)
+     static let disableESLogs = Options(rawValue: 1 << 8)
 
  }
 
@@ -27,7 +29,8 @@ class Command {
     static var outputLocation: String = "/tmp"
     static var collectDirs: [String] = []
     static var unifiedLogsFile: String? = nil
-    static let version: String = "1.2.1"
+    static var esLogs: [String] = ["create", "exec", "mmap"]
+    static let version: String = "1.3.0"
 
     static func main() {
         setup(with: CommandLine.arguments)
@@ -51,11 +54,6 @@ class Command {
              case "-d", "--deep": Self.options.insert(.deep)
              case "--pretty": Self.options.insert(.pretty)
              case "--disable-browser-killswitch": Self.options.insert(.disableBrowserKillswitch)
-             case "-o", "--output":
-                 if let index = args.firstIndex(of: arg) {
-                     Self.options.insert(.output)
-                     Self.outputLocation = args[index + 1]
-                 }
              case "--analyze":
                  if let index = args.firstIndex(of: arg) {
                      Self.options.insert(.analyze)
@@ -70,11 +68,27 @@ class Command {
                          i += 1
                      }
                  }
+             case "--disable-es-logs": Self.options.insert(.disableESLogs)
+             case "--es-logs":
+                 if let index = args.firstIndex(of: arg) {
+                     Self.options.insert(.esLogs)
+                     self.esLogs = []
+                     var i = 1
+                     while (index + i) < args.count && !args[index + i].starts(with: "-") {
+                         self.esLogs.append(contentsOf: [args[index + i]])
+                         i += 1
+                     }
+                 }
              case "-l", "--logs":
                  if let index = args.firstIndex(of: arg) {
                      Self.options.insert(.unifiedLogs)
                      Self.unifiedLogsFile = args[index + 1]
                  }
+             case "-o", "--output":
+                 if let index = args.firstIndex(of: arg) {
+                     Self.options.insert(.output)
+                     Self.outputLocation = args[index + 1]
+                 }
              case "-v", "--version":
                  print(version)
                  exit(1)
@@ -141,6 +155,15 @@ class Command {
              mainModule.addTextToFile(atUrl: CaseFiles.metadataFile, text: "file,birth,modified,accessed,permissions,uid,gid,xattr,downloadedFrom")
 
 
+             // Start logging Endpoint Security data
+             mainModule.log("Starting ES logging...")
+             let esModule = ESModule()
+             esModule.run()
+
+             mainModule.log("Running pcap...")
+             let pcapModule = NetworkModule()
+             pcapModule.pcapRun()
+
              // System Recon
              mainModule.log("Started system recon")
              let systemReconModule = SystemReconModule()
@@ -188,6 +211,13 @@ class Command {
              unifiedLogModule.run()
              mainModule.log("Finished logging unified logs")
 
+
+             mainModule.log("Finished running pcap")
+
+
+             // End logging Endpoint Security data
+             mainModule.log("Finished ES logging")
+
              mainModule.log("Finished running Aftermath collection")
 
              // Copy from cache to output
@@ -202,9 +232,6 @@ class Command {
          // remove any aftermath directories from /var/folders/zz and clean up /tmp if running this as a standalone command
         var potentialPaths = ["/var/folders/zz"]
         if !defaultRun { potentialPaths.append("/tmp") }
-        else {
-            print("Cleaning up temporary directories prior to starting...")
-        }
 
          for p in potentialPaths {
              let enumerator = FileManager.default.enumerator(atPath: p)
@@ -233,8 +260,12 @@ class Command {
          print("--collect-dirs -> specify locations of (space-separated) directories to dump those raw files")
          print("    usage: --collect-dirs /Users/<USER>/Downloads /tmp")
          print("--deep -> performs deep scan and captures metadata from Users entire directory (WARNING: this may be time-consuming)")
+         print("--es-logs -> specify which Endpoint Security events (space-separated) to collect (defaults are: create exec mmap)")
+         print("    usage: --es-logs exec open rename")
          print("--logs -> specify an external text file with unified log predicates to parse")
          print("    usage: --logs /Users/<USER>/Desktop/myPredicates.txt")
+         print("--disable-browser-killswitch -> by default, browsers are force-closed during collection. This will disable the force-closing of browsers.")
+         print("--disable-es-logs -> by default, es logs of create, exec, and mmap are collected. This will disable this default behavior")
          print("--pretty -> colorize Terminal output")
          print("--cleanup -> remove Aftermath Folders in default locations")
          exit(1)