Fallback SID resolving functionality (Velocidex#3617)

Added fallback sid resolving functionality in vql via `HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/ProfileList` in artifacts for cases when: - lookupSid does not yield results - lookupSid is not available (in deaddisk mode) This resolves the issue described in Velocidex#3601 Also added caching mechanisms to `Windows.EventLogs.EvtxHunter` (as I suspect that one will do a lot of resolving) Note that I tested `Windows.Sys.Users`, `Windows.Sys.AllUsers` and `Windows.EventLogs.EvtxHunter` but was not able to test `Windows.Forensics.SRUM` via the collects I currently have. --------- Co-authored-by: Mike Cohen <mike@velocidex.com>
zn-lab · Jul 16, 2024 · 13bd483 · 13bd483
1 parent 18dadcb
commit 13bd483
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 24 deletions.
diff --git a/artifacts/definitions/Windows/EventLogs/EvtxHunter.yaml b/artifacts/definitions/Windows/EventLogs/EvtxHunter.yaml
@@ -69,6 +69,9 @@ parameters:
     type: timestamp
     description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
 
+imports:
+  - Windows.Sys.AllUsers
+
 sources:
   - query: |
       LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge
@@ -97,7 +100,7 @@ sources:
                     System.EventID.Value as EventID,
                     System.EventRecordID as EventRecordID,
                     System.Security.UserID as UserSID,
-                    lookupSID(sid=System.Security.UserID) as Username,
+                    LookupSIDCache(SID=System.Security.UserID || "") AS Username,
                     get(field="EventData") as EventData,
                     get(field="UserData") as UserData,
                     get(field="Message") as Message,

diff --git a/artifacts/definitions/Windows/Forensics/SRUM.yaml b/artifacts/definitions/Windows/Forensics/SRUM.yaml
@@ -32,15 +32,13 @@ parameters:
     type: bool
 
 export: |
-  LET resolveESEId(OSPath, Accessor, Id) = cache(
+  LET ResolveESEId(OSPath, Accessor, Id) = cache(
       name="ESE",
       func=srum_lookup_id(file=OSPath, accessor=Accessor, id=Id),
       key=format(format="%v-%v-%v", args=[OSPath, Accessor, Id]))
 
-  LET lookupSIDCache(OSPath, Accessor, Id) = cache(
-      name="SID",
-      func=lookupSID(sid=srum_lookup_id(file=OSPath, accessor=Accessor, id=Id)),
-      key=format(format="%v-%v-%v", args=[OSPath, Accessor, Id]))
+imports:
+  - Windows.Sys.AllUsers
 
 sources:
   - name: Upload
@@ -56,12 +54,12 @@ sources:
 
         SELECT  AutoIncId AS ID,
                 TimeStamp,
-                resolveESEId(OSPath=SRUMFiles.OSPath,
+                ResolveESEId(OSPath=SRUMFiles.OSPath,
                              Accessor=accessor, Id=AppId) AS App,
-                resolveESEId(OSPath=SRUMFiles.OSPath,
+                ResolveESEId(OSPath=SRUMFiles.OSPath,
                              Accessor=accessor, Id=UserId) AS UserSid,
-                lookupSIDCache(OSPath=SRUMFiles.OSPath,
-                          Accessor=accessor, Id=UserId) AS User,
+                LookupSIDCache(SID=srum_lookup_id(
+                    file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User,
                 timestamp(winfiletime=EndTime) AS EndTime,
                 DurationMS,
                 NetworkBytesRaw
@@ -75,12 +73,12 @@ sources:
 
         SELECT AutoIncId as SRUMId,
                TimeStamp,
-               resolveESEId(OSPath=SRUMFiles.OSPath,
+               ResolveESEId(OSPath=SRUMFiles.OSPath,
                             Accessor=accessor, Id=AppId) AS App,
-               resolveESEId(OSPath=SRUMFiles.OSPath,
+               ResolveESEId(OSPath=SRUMFiles.OSPath,
                             Accessor=accessor, Id=UserId) AS UserSid,
-               lookupSIDCache(OSPath=SRUMFiles.OSPath,
-                         Accessor=accessor, Id=UserId) AS User,
+               LookupSIDCache(SID=srum_lookup_id(
+                    file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User,
                ForegroundCycleTime,
                BackgroundCycleTime,
                FaceTime,
@@ -106,12 +104,12 @@ sources:
 
         SELECT AutoIncId as SRUMId,
              TimeStamp,
-             resolveESEId(OSPath=SRUMFiles.OSPath,
+             ResolveESEId(OSPath=SRUMFiles.OSPath,
                           Accessor=accessor, Id=AppId) AS App,
-             resolveESEId(OSPath=SRUMFiles.OSPath,
+             ResolveESEId(OSPath=SRUMFiles.OSPath,
                           Accessor=accessor, Id=UserId) AS UserSid,
-             lookupSIDCache(OSPath=SRUMFiles.OSPath,
-                       Accessor=accessor, Id=UserId) AS User,
+             LookupSIDCache(SID=srum_lookup_id(
+                    file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User,
              InterfaceLuid,
              ConnectedTime,
              timestamp(winfiletime=ConnectStartTime) AS StartTime
@@ -125,12 +123,12 @@ sources:
 
         SELECT AutoIncId as SRUMId,
              TimeStamp,
-             resolveESEId(OSPath=SRUMFiles.OSPath,
+             ResolveESEId(OSPath=SRUMFiles.OSPath,
                           Accessor=accessor, Id=AppId) AS App,
-             resolveESEId(OSPath=SRUMFiles.OSPath,
+             ResolveESEId(OSPath=SRUMFiles.OSPath,
                           Accessor=accessor, Id=UserId) AS UserSid,
-             lookupSID(OSPath=SRUMFiles.OSPath,
-                       Accessor=accessor, Id=UserId) AS User,
+             LookupSIDCache(SID=srum_lookup_id(
+                    file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User,
              UserId,
              BytesSent,
              BytesRecvd,

diff --git a/artifacts/definitions/Windows/Sys/AllUsers.yaml b/artifacts/definitions/Windows/Sys/AllUsers.yaml
@@ -20,6 +20,18 @@ parameters:
   - name: remoteRegKey
     default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*
 
+export: |
+  -- Cache function for lookupSID
+  LET LookupSIDCache(SID) = cache(name="SID", key=SID,
+     func=lookupSID(sid=SID) ||
+
+     -- resolve usernames via registry if lookupSID is not available
+     -- or yields no results
+
+          pathspec(parse=stat(accessor="registry",
+               filename="HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/ProfileList/" +
+                      SID + "/ProfileImagePath").Data.value).Basename || "")
+
 sources:
   - precondition:
       SELECT OS From info() where OS = 'windows'
@@ -32,7 +44,7 @@ sources:
           SELECT
              split(string=Key.OSPath.Basename, sep="-")[-1] as Uid,
              "" AS Gid,
-             lookupSID(sid=Key.OSPath.Basename) || "" AS Name,
+             LookupSIDCache(SID=Key.OSPath.Basename || "") AS Name,
              Key.OSPath as Description,
              ProfileImagePath as Directory,
              Key.OSPath.Basename as UUID,

diff --git a/artifacts/definitions/Windows/Sys/Users.yaml b/artifacts/definitions/Windows/Sys/Users.yaml
@@ -12,6 +12,9 @@ parameters:
   - name: remoteRegKey
     default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*
 
+imports:
+  - Windows.Sys.AllUsers
+
 sources:
   - precondition:
       SELECT OS From info() where OS = 'windows'
@@ -23,7 +26,7 @@ sources:
         -- lookupSID() may not be available on deaddisk analysis
         SELECT split(string=Key.OSPath.Basename, sep="-")[-1] as Uid,
            "" AS Gid,
-           lookupSID(sid=Key.OSPath.Basename) || "" AS Name,
+           LookupSIDCache(SID=Key.OSPath.Basename || "") AS Name,
            Key.OSPath as Description,
            ProfileImagePath as Directory,
            Key.OSPath.Basename as UUID,