Linking Windows Users to Evidence of Execution

This example demonstrates how two gfear scripts interact with each other. The scenario uses one gfear script that codifies the details of a Windows user account; this script accepts a number of fields that the second script does not. Both scripts record the account's SID as `uco-observable:accountIdentifier`, which is the value they share.

The first gfear script is based on details that could be extracted from a Security Account Manager (SAM) file within the Windows Operating System.

The second gfear script is based on details that could be extracted from a prefetch file using a program called pecmd.exe by Eric Zimmerman.

For brevity, the scripts work from modified output data in order to demonstrate how they operate.

Constructing a Windows Account

The following code is used to construct a WindowsAccount.

define codifier("WindowsUserAccount", "GraphCodify/CaseOntology/WindowsUserAccount");
ontology("https://ontology.caseontology.org/case", "case");
ontology("https://ontology.unifiedcyberontology.org/uco/", "uco");

include rdf, rdfs, xsd, owl, xml;
prefix("sh" , "http://www.w3.org/ns/shacl#");
prefix("uco-core", "uco:core");
prefix("uco-observable", "uco:observable");

accepts(UID, SID, MID, Username, LastLogonTime, AccountExpiryTime, LastLoginFailureTime, FailedLogonCount, TotalLogonCount);
result account as uco-observable:WindowsAccount with {
    create entity digitalAccountFacet as uco-observable:DigitalAccountFacet with {
        create property uco-observable:displayName as xsd:String with Username;
        create property uco-observable:accountLogin as xsd:String with Username;
        create property uco-observable:lastLoginTime as xsd:DateTime with LastLogonTime;
    } identified by required uco-observable:displayName, required uco-observable:accountLogin, optional uco-observable:lastLoginTime;

    create entity accountFacet as uco-observable:AccountFacet with {
        create property uco-observable:accountIdentifier as xsd:int with UID;
        create property uco-observable:accountIdentifier as xsd:String with SID;

        create entity accountIssuer as uco-observable:AccountIssuer with {
            create property uco-observable:accountIssuerName as xsd:String with MID;
        } identified by required uco-observable:accountIssuerName;

        create property uco-observable:accountIssuer with entity accountIssuer;
    } identified by required uco-observable:accountIdentifier;

    create property uco-core:hasFacet with entity digitalAccountFacet;
    create property uco-core:hasFacet with entity accountFacet;

} identified by required entity uco-core:hasFacet accountFacet, optional entity uco-core:hasFacet digitalAccountFacet;

Constructing Evidence of Execution (Prefetch)

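define codifier("WindowsPrefetch", "GraphCodify/CaseOntology/WindowsPrefetch");
ontology("https://ontology.caseontology.org/case", "case");
ontology("https://ontology.unifiedcyberontology.org/uco/", "uco");
ontology("http://www.w3.org/ns/prov#", "prov");

include rdf, rdfs, xsd, owl, xml;
prefix("sh" , "http://www.w3.org/ns/shacl#");
prefix("uco-core", "uco:core");
prefix("uco-observable", "uco:observable");
prefix("uco-action", "uco:action");

accepts(Name, SID, Path, ExecutionCount, LoadedDlls, LastExecutionDateTime);
result prefetch as uco-observable:Application with
{
    create property uco-core:name with Name;
    create property uco-observable:filePath as xsd:String with Path;
    create property uco-observable:mostRecentRunTime as xsd:DateTime with LastExecutionDateTime;
    create property uco-action:actionCount as xsd:int with ExecutionCount;

    create collection loadedDllList as rdf:Bag of uco-observable:File;
    foreach Dll in LoadedDlls
    {
        create entity dllEntry as uco-observable:File with
        {
            create entity fileFacet as uco-observable:FileFacet with
            {
                create property uco-observable:filePath with Dll;
            } identified by required uco-observable:filePath;

            create property uco-core:hasFacet with entity fileFacet;
        } identified by required entity uco-core:hasFacet fileFacet;

        append entity dllEntry to loadedDllList;
    }

    create property prov:wasDerivedFrom with collection loadedDllList;

    create entity windowsAccount as uco-observable:WindowsAccount with {
        create entity accountFacet as uco-observable:AccountFacet with {
            create property uco-observable:accountIdentifier as xsd:String with SID;
        } identified by required uco-observable:accountIdentifier;
        create property uco-core:hasFacet with entity accountFacet;
    } identified by required entity uco-core:hasFacet accountFacet;

    create property uco-observable:effectiveUser with entity windowsAccount;

} identified by required uco-core:name;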