dissect.target.plugins.os.windows.log.evt
Module Contents

Classes

- EvtPlugin: Base class for plugins.

Attributes
- dissect.target.plugins.os.windows.log.evt.re_illegal_characters
- dissect.target.plugins.os.windows.log.evt.EvtRecordDescriptor
- dissect.target.plugins.os.windows.log.evt.EVT_GLOB = '*.evt'
- class dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin
- EVENTLOG_REGISTRY_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog'
- LOGS_DIR_PATH
- get_logs(filename_glob='*') -> List[pathlib.Path]
- get_logs_from_dir(logs_dir: str, filename_glob: str = '*') -> List[pathlib.Path]
- get_logs_from_registry(filename_glob: str = '*') -> List[pathlib.Path]
- check_compatible()
- class dissect.target.plugins.os.windows.log.evt.EvtPlugin(target: dissect.target.Target)

Bases: WindowsEventlogsMixin, dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example.

A Plugin class has the following private class attributes:
- __namespace__
- __record_descriptors__

With the following three being assigned in register():
- __plugin__
- __functions__
- __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes:
- __exported__
- __output__: Set with the export() decorator.
- __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:
- target: The Target object to load the plugin for.
- LOGS_DIR_PATH = 'sysvol/windows/system32/config'
- NEEDLE = b'LfLe'
- CHUNK_SIZE = 65536
- evt(log_file_glob: str = EVT_GLOB, logs_dir: Optional[str] = None) -> Generator[flow.record.Record, None, None]
Parse Windows Eventlog files (*.evt).
Yields dynamically created records based on the fields in the event. At least contains the following fields:
- hostname (string): The target hostname.
- domain (string): The target domain.
- ts (datetime): The TimeCreated_SystemTime field of the event.
- Provider_Name (string): The Provider_Name field of the event.
- EventID (int): The EventID of the event.
- scraped_evt() -> Generator[flow.record.Record, None, None]
Yields EVT log file records scraped from target disks.
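As an added example (not the plugin's own code) of what the NEEDLE and CHUNK_SIZE constants are for when records are scraped from a raw disk: a chunked scan for the LfLe signature that also catches a hit straddling a 65536-byte chunk boundary, then carves and validates each candidate record. It assumes a framing this page does not describe (a little-endian uint32 record length immediately before the signature, repeated at the end of the record); MAX_RECORD, make_record and SAMPLE_IMAGE are constructed for the demonstration.

```python
import io
import struct
from typing import BinaryIO, List, Optional, Tuple
NEEDLE = b"LfLe"       # record signature the scraper looks for (as on this page)
CHUNK_SIZE = 65536     # read size used when scanning a raw disk (as on this page)
MAX_RECORD = 1 << 20   # assumption: sanity cap on a single record's length

def find_needle_offsets(fh: BinaryIO, chunk_size: int = CHUNK_SIZE) -> List[int]:
    """Absolute offsets of every NEEDLE hit, including hits that straddle a chunk boundary."""
    offsets, tail, pos = [], b"", 0
    while chunk := fh.read(chunk_size):
        buf = tail + chunk          # re-scan the last len(NEEDLE)-1 bytes of the previous chunk
        base = pos - len(tail)      # absolute offset of buf[0]
        idx = buf.find(NEEDLE)
        while idx != -1:
            offsets.append(base + idx)
            idx = buf.find(NEEDLE, idx + 1)
        tail = buf[-(len(NEEDLE) - 1):]
        pos += len(chunk)
    return offsets

def carve_record(fh: BinaryIO, needle_off: int) -> Optional[bytes]:
    """Assumed framing: uint32 LE length right before the signature, same length closes the record."""
    if needle_off < 4:
        return None
    fh.seek(needle_off - 4)
    head = fh.read(8)
    if len(head) < 8 or head[4:] != NEEDLE:
        return None
    length = struct.unpack("<I", head[:4])[0]
    if length < 12 or length > MAX_RECORD:
        return None                 # stray signature or implausible length
    fh.seek(needle_off - 4)
    rec = fh.read(length)
    if len(rec) != length or struct.unpack("<I", rec[-4:])[0] != length:
        return None                 # truncated, or trailing length does not match
    return rec

def scrape_evt(fh: BinaryIO, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, bytes]]:
    """(record_offset, record_bytes) for every correctly framed record in a raw stream."""
    hits = find_needle_offsets(fh, chunk_size)
    return [(off - 4, rec) for off in hits if (rec := carve_record(fh, off)) is not None]
def make_record(body: bytes) -> bytes:   # constructed record in the assumed framing
    length = 8 + len(body) + 4
    return struct.pack("<I", length) + NEEDLE + body + struct.pack("<I", length)
# Constructed sample image: one record, one stray signature, one record straddling offset 65536.
SAMPLE_IMAGE = b"\x00" * 64 + make_record(b"first-record") + b"\xff" * 16 + NEEDLE + b"\xff" * 16
SAMPLE_IMAGE += b"\x00" * (CHUNK_SIZE - 6 - len(SAMPLE_IMAGE)) + make_record(b"straddles-boundary")
def scrape_sample() -> List[Tuple[int, bytes]]:
    return scrape_evt(io.BytesIO(SAMPLE_IMAGE))
```

The stray LfLe at offset 104 is rejected because its preceding length field is implausible, while the record whose signature is split across the chunk boundary is still recovered.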