:py:mod:`dissect.target.plugins.os.windows.certlog`
===================================================

.. py:module:: dissect.target.plugins.os.windows.certlog


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.certlog.CertLogPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.certlog.format_fingerprint
   dissect.target.plugins.os.windows.certlog.format_serial_number
   dissect.target.plugins.os.windows.certlog.serial_number_as_int


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.certlog.RequestAttributeRecord
   dissect.target.plugins.os.windows.certlog.CertificateExtensionRecord
   dissect.target.plugins.os.windows.certlog.CertificateRecord
   dissect.target.plugins.os.windows.certlog.RequestRecord
   dissect.target.plugins.os.windows.certlog.CRLRecord
   dissect.target.plugins.os.windows.certlog.CertLogRecord
   dissect.target.plugins.os.windows.certlog.FIELD_MAPPINGS
   dissect.target.plugins.os.windows.certlog.FORMATING_FUNC


.. py:data:: RequestAttributeRecord

.. py:data:: CertificateExtensionRecord

.. py:data:: CertificateRecord

.. py:data:: RequestRecord

.. py:data:: CRLRecord

.. py:data:: CertLogRecord

.. py:data:: FIELD_MAPPINGS

.. py:function:: format_fingerprint(input_hash: str | None) -> tuple[str | None, str | None, str | None]

.. py:function:: format_serial_number(serial_number_as_hex: str | None) -> str | None

.. py:function:: serial_number_as_int(serial_number_as_hex: str | None) -> int | None

.. py:data:: FORMATING_FUNC
   :type: dict[str, collections.abc.Callable[[Any], Any]]

.. py:class:: CertLogPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Return all available data stored in CertLog databases.

   Certificate Authority databases are databases related to the Active Directory Certificate Services (AD CS) feature.

   .. rubric:: References

   - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-csra/5f06c74c-1a29-4fdf-b8dd-ae3300d1b90d
   - https://assets.crowdstrike.com/is/content/crowdstrikeinc/investigating-active-directory-certificate-abusepdf
   - https://learn.microsoft.com/en-gb/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/move-certificate-server-database-log-files

   .. py:attribute:: __namespace__
      :value: 'certlog'

      Defines the plugin namespace.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: read_records(table_name: str, record_type: CertLogRecord) -> collections.abc.Iterator[CertLogRecord]

   .. py:method:: requests() -> collections.abc.Iterator[RequestRecord]

      Return the contents of the ``Requests`` table from all Certificate Authority databases.

      Gives insight into certificates requested (caller name, request ID, request attributes).

   .. py:method:: request_attributes() -> collections.abc.Iterator[RequestAttributeRecord]

      Return the contents of the ``RequestAttributes`` table from all Certificate Authority databases.

      Gives insight into attributes of requested certificates (same information as in ``request_attributes`` field
      of ``Requests`` table).

   .. py:method:: crls() -> collections.abc.Iterator[CRLRecord]

      Return the contents of the ``CRLs`` table from all Certificate Authority databases.

      Gives insight into the Certificate Revocation List of a Certificate Authority.

   .. py:method:: certificates() -> collections.abc.Iterator[CertificateRecord]

      Return the contents of ``Certificates`` table from all Certificate Authority databases.

      Gives insight into issued certificates for a Certificate authority (public key, validity date).

   .. py:method:: certificate_extensions() -> collections.abc.Iterator[CertificateExtensionRecord]

      Return the contents of ``CertificateExtensions`` table from all Certificate Authority databases.

      Gives insight into certificate extensions for a CA.