Clean up

ForensicArtifacts · Mar 5, 2019 · ab08733 · ab08733
1 parent 79ec638
commit ab08733
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 15 deletions.
diff --git a/data/antivirus.yaml b/data/antivirus.yaml
@@ -14,8 +14,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
-      - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
+    - '%%environ_allusersprofile%%\Application Data\Microsoft\Microsoft Antimalware\Quarantine\**'
+    - '%%environ_allusersprofile%%\Application Data\Microsoft\Windows Defender\Quarantine\**'
+    - '%%environ_programdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
+    - '%%environ_programdata%%\Microsoft\Windows Defender\Quarantine\**'
     separator: '\'
 supported_os: [Windows]
 labels: [Antivirus]
@@ -28,7 +30,9 @@ sources:
   supported_os: [Darwin]
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']
+    paths:
+    - '%%environ_allusersprofile%%\Application Data\Sophos\Sophos Anti-Virus\Logs\*'
+    - '%%environ_programdata%%\Sophos\Sophos Anti-Virus\Logs\*'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Darwin, Windows]
@@ -42,7 +46,9 @@ sources:
   supported_os: [Darwin]
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']
+    paths:
+    - '%%environ_allusersprofile%%\Application Data\Sophos\Sophos Anti-Virus\INFECTED\*'
+    - '%%environ_programdata%%\Sophos\Sophos Anti-Virus\INFECTED\*'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Darwin, Windows]
@@ -54,8 +60,9 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
-      - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
+    - '%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
+    - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
+    - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Windows]
@@ -66,7 +73,9 @@ doc: Symantec Anti-Virus Quarantine (Infected) files.
 sources:
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn']
+    paths:
+    - '%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\**5.vbn'
+    - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\**5.vbn'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Windows]

diff --git a/data/tomcat.yaml b/data/tomcat.yaml
@@ -6,8 +6,8 @@ sources:
 - type: ARTIFACT_GROUP
   attributes:
     names:
-      - 'TomcatLogFiles'
-      - 'TomcatPasswordFile'
+    - 'TomcatLogFiles'
+    - 'TomcatPasswordFile'
 labels: [Software]
 supported_os: [Darwin,Linux,Windows]
 ---
@@ -17,10 +17,14 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
-    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
-    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
-    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+    - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+    - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\access_log*'
+    - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+    - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\catalina.out'
+    - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+    - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+    - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+    - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
     - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
     - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
     - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
@@ -78,7 +82,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+    - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+    - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
     - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
     - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
     separator: '\'

diff --git a/data/windows.yaml b/data/windows.yaml
@@ -1596,7 +1596,9 @@ doc: Windows Search database (Windows.edb).
 sources:
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb']
+    paths:
+    - '%%environ_allusersprofile%%\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb'
+    - '%%environ_programdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb'
     separator: '\'
 labels: [Software]
 supported_os: [Windows]