Linking Windows Users to Evidence of Execution
This example demonstrates how two gfear scripts interact with each other. The scenario uses one gfear script that is responsible for codifying the details of a Windows user account; this script accepts a number of fields that the second script does not.
The first gfear script is based on details that could be extracted from a Security Account Manager (SAM) file within the Windows Operating System.
The second gfear script is based on details that could be extracted from a Windows prefetch file using pecmd.exe, a program by Eric Zimmerman.
For brevity, the scripts work off modified data outputs in order to demonstrate how they operate.
Constructing a Windows Account
The following code is used to construct a WindowsAccount.
define codifier("WindowsUserAccount", "GraphCodify/CaseOntology/WindowsUserAccount");
ontology("https://ontology.caseontology.org/case", "case");
ontology("https://ontology.unifiedcyberontology.org/uco/", "uco");
include rdf, rdfs, xsd, owl, xml;
prefix("uco-core", "uco:core");
prefix("uco-observable", "uco:observable");
prefix("sh", "http://www.w3.org/ns/shacl#");
accepts(UID, SID, MID, Username, LastLogonTime, AccountExpiryTime, LastLoginFailureTime, FailedLogonCount, TotalLogonCount);
result account as uco-observable:WindowsAccount with
{
    create entity digitalAccountFacet as uco-observable:DigitalAccountFacet with
    {
        create property uco-observable:displayName as xsd:String with Username;
        create property uco-observable:accountLogin as xsd:String with Username;
        create property uco-observable:lastLoginTime as xsd:DateTime with LastLogonTime;
    } identified by required uco-observable:displayName, required uco-observable:accountLogin, optional uco-observable:lastLoginTime;
    create entity accountFacet as uco-observable:AccountFacet with
    {
        create entity accountIssuer as uco-observable:AccountIssuer with
        {
            create property uco-observable:accountIssuerName as xsd:String with MID;
        } identified by required uco-observable:accountIssuerName;
        create property uco-observable:accountIdentifier as xsd:int with UID;
        create property uco-observable:accountIdentifier as xsd:String with SID;
        create property uco-observable:accountIssuer with entity accountIssuer;
    } identified by required uco-observable:accountIdentifier;
    create property uco-core:hasFacet with entity digitalAccountFacet;
    create property uco-core:hasFacet with entity accountFacet;
} identified by required entity uco-core:hasFacet accountFacet, optional entity uco-core:hasFacet digitalAccountFacet;
Constructing Evidence of Execution (Prefetch)
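define codifier("WindowsPrefetch", "GraphCodify/CaseOntology/WindowsPrefetch");
ontology("https://ontology.caseontology.org/case", "case");
ontology("https://ontology.unifiedcyberontology.org/uco/", "uco");
ontology("http://www.w3.org/ns/prov#", "prov");
include rdf, rdfs, xsd, owl, xml;
prefix("sh" , "http://www.w3.org/ns/shacl#");
prefix("uco-core", "uco:core");
prefix("uco-observable", "uco:observable");
prefix("uco-action", "uco:action");
accepts(Name, SID, Path, ExecutionCount, LoadedDlls, LastExecutionDateTime);
result prefetch as uco-observable:Application with
{
create property uco-core:name with Name;
create property uco-observable:filePath as xsd:String with Path;
create property uco-observable:mostRecentRunTime as xsd:DateTime with LastExecutionDateTime;
create property uco-action:actionCount as xsd:int with ExecutionCount;
create collection loadedDllList as rdf:Bag of uco-observable:File;
foreach Dll in LoadedDlls
{
create entity dllEntry as uco-observable:File with
{
create entity fileFacet as uco-observable:FileFacet with
{
create property uco-observable:filePath with Dll;
} identified by required uco-observable:filePath;
create property uco-core:hasFacet with entity fileFacet;
} identified by required entity uco-core:hasFacet fileFacet;
append entity dllEntry to loadedDllList;
}
create property prov:wasDerivedFrom with collection loadedDllList;
create entity windowsAccount as uco-observable:WindowsAccount with {
create entity accountFacet as uco-observable:AccountFacet with {
create property uco-observable:accountIdentifier as xsd:String with SID;
} identified by required uco-observable:accountIdentifier;
create property uco-core:hasFacet with entity accountFacet;
} identified by required entity uco-core:hasFacet accountFacet;
create property uco-observable:effectiveUser with entity windowsAccount;
} identified by required uco-core:name;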