Collecting User-Defined Artifact

You can collect artifact information required to an administrator from an agent system. Enter YAML syntax to collect the artifact information.

Note Note

If an invalid YAML syntax is entered, you cannot search for artifact information or some information can be missing.

Example for AhnLab EAC(Endpoint Artifacts Collector) File

To collect the required Artifact file, enter sentences using YAML 1.1 syntax. The following shows examples for YAML syntax and artifact information collected.

Follow AhnLab EAC Definition to use YAML 1.1, which is required for YAML syntax. The following information will be gathered based on the examples below:

Collect File: Gathers folders under the path of %Profile%\Downloads including the subordinate folders. Files will be collected only in the operating systems with a major version, 6 or higher.
Collect Task List: Gathers process, module and server information.
Collect Hardware Information: Gathers device, processor and main board information.
Collect System Event Logs: Gathers system event logs.
Sample File for YAML Syntax: custom_eac_sample.yaml

classes:

- class: Summary

subclasses:

- class: Files

attributes:

path: '%Profile%\Downloads'

flags: [include_subdirectory]

condition: os_version >= 6

- class: Tasks

subclasses:

- class: Tasks.Processes

- class: Tasks.Modules

- class: Tasks.Services

- class: Hardware

subclasses:

- class: Hardware.Devices

- class: Hardware.Processors

- class: Hardware.Mainboard

files:

# SystemEventLog

- paths: ['%System%\winevt\Logs\System.evtx']

condition: os_version >= 6

- paths: ['%System%\winevt\Logs\SysEvent.evt']

condition: os_version < 6

You can view the gathered artifact information using the syntax above in Response > Collect AhnReport/Artifact.

1. AhnLab EAC(Endpoint Artifacts Collector) Definition File

The AhnLab EAC definition file includes items that EAC gathers and follows YAML 1.1 syntax. For more details about YAML syntax refer to the official YAML website or Wikipedia. The following shows examples for using YAML syntax.

AhnLab EAC Definition Syntax

Collecting AhnLab EAC files is done based on YAML 1.1 syntax.

Note Note

Refer to the following websites for YAML 1.1 syntax.
- official web site, wikipedia

Supports UTF-8 and UTF-16. Supports both with or without BOM.
A space is allowed but a tab is not allowed for a blank space.
A number sign(#) is used to indicate annotation and a sentence in the same string will be regarded as one annotation. A blank space should be entered to use annotation in the middle of a string.
Use a hyphen (-) for a list to save in a single string. To use multiple lists in a single string, use a square parenthesis ([]) and separate with a comma (,) and a space.

1.1. Classes:

A artifact list is gathered in a tree architecture and a single class is created in a tree structure. The collected information will be compressed and saved in a file (AhnRpt.arpj) with a JSON format.

Class: Indicates a class compatible with AhnLab EAC class names. If multiple classes are located at root , classes will be registered at a default class .
Attribute: (Optional). Determine class attribute. There are common attributes assignable to all classes while there are specific class attributes, which can be assigned by class type.
Name: (Optional). Indicates a displayed name and if an attribute is not defined, a default attribute of class will be used.
Flags: (Optional). There are common flagsassignable to all classes while there are specific class flags, which can be assigned by class type. Common flags have no_sort.

no_sort: Not arranged
Condition: (Optional). Defines detailed condition to collect information. If condition does not match, classes and their subclasses will not be gathered.
Subclasses: (Optional).Registers subclasses.

1.2. Files

Indicates a list of files to additionally gather.

Paths: Indicates a path of files to gather.
You can use wild card characters (*,?) for a file name.
You can also define a path using variables).
If Virtualization is enabled, the related folders will be gathered. Use variables to specify a path. (ex: %ProgramData%\Company)

Location: (Optional). Indicates a folder name of compressed files.

Do not specify this field to save files at the root folder .
If this attribute is not defined, the entered path information will be saved. ex) %ProgramFiles%\AhnLab\*.log →ProgramFiles\AhnLab
Files gathered in the Virtualization folder are saved in VirtualStore . ex) VirtualStore\ProgramData

Condition: (Optional) Specify file gathering condition.

2. Class names

Indicates the classes compatible with AhnReport EAC.

2.1. Summary

Class name	Description
Summary	System Summary

2.2. Tasks

Class name	Description
Tasks.Processes	Executed Processes
Tasks.Modules	Loaded Modules
Tasks.Startup	Start Programs
Tasks.Services	Service
Tasks.Schedule_tasks	Scheduled Task

2.3. System

Class name	Description
System.Shares	Share
System.Certificates	Certificate
System.Problem_reports	Problem Reports
System.Event_log.Application	Windows Event Log - Program
System.Event_log.Security	Windows Event Log - Security
System.Event_log.System	Windows Event Log – System
System.Event_log.Windows_Defender_Operational System.Event_log.Windows_Defender_WHC	Windows Event Log - Windows Defender

2.4. Network

Class name	Description
Network.Firewall Firewall	Firewall
Network.Firewall.Firewall_rules	Firewall Rule
Network.Network_connections	Network Connection
Network.IP_configuration	IP Configuration
Network.DNS_resolver_cache	DNS resolover cache
Network.Routing_table	Routing table
Network.ARP_cache	ARP cache
Network.Hosts	Hosts

2.5. Hardware

Class name	Description
Hardware.Devices	Devices
Hardware.Processors	Processor
Hardware.Mainboard	Mainboard
Hardware.Drives	Drives
Hardware.Disks	Disk
Hardware.Display	Display
Hardware.Display_adapters	Display Adapters
Hardware.Printers	Printers

2.6. Programs

Class name	Description
Programs	Installed Programs
Programs.Updates	Update
Programs.Update_history	Update History
Programs.Program_Files	Program files

2.7. Timeline

Class name	Description
Timeline	Class of artifacts with timeline.

Artifact information gathered from a timeline

Artifact	Short name	Date
BAM	bam	Last executed time
Chrome	CrmH CrmC CrmD	Chrome accessed time Indicates the last time when a cachewas used in Chrome. Download start time from Chrome
Firefox	FfxH FfxD	Firefox accessed time Download start time from Firefox
Internet Explorer 10+	IEH IEC IED	Access time to the IE 10 or higher version Indicates the last time when a cachewas used in the IE 10 or higher version. Download time from the IE 10 or higher version
Internet Explorer 5 to 9	IEH IEC	Access time to IE 5 to 9 Indicates the last time when a cachewas used in IE 5 to 9.
Jump lists	JL	File opened time
Java cache	JavaC	Access time
Microsoft Edge	EdgeH EdgeC EdgeD	Microsoft Edge accessed time Indicates the last time when a cachewas used in Microsoft Edge. Download start time from Microsoft Edge
Naver Whale	WhaleH WhaleC WhaleD	Naver Whale accessed time Indicates the last time when a cachewas used in Naver Whale. Download start time from Naver Whale
Opera	OprH OprC OprD	Opera accessed time Indicates the last time when a cachewas used in Opera. Download start time from Opera
Prefetch	Pf	Last executed time
Recent files	RF	Last time when a file was used
Recycle bin	RB	Time when a file was sent to the trash bin
Swing	SwingH SwingC SwingD	Swing browser accessed time Indicates the last time when a cachewas used in the Swing browser. Download start time from the Swing browser
UserAssist	UA	Last executed time
WebCache	H C D	Web access time usingan application , which uses WebCache Last time whena cache was used , which uses WebCachefrom an application. Download start time from an application, which uses WebCache.
Windows Timeline	WT	Activity start time

2.8. Collecting Specified Information

You can defined specific information to gather. The following classes should be specified for class attributes.

Class name	Description
Files	File information in the specified folders
Registry	Specified registry values
Registry.Key	Specified registry key
System.Event_log	Specified Windows event logs
WMI	WMI query

3. Class attributes

3.1. Files

attributes:

path: '%Profile%\Downloads'

flags: [include_subdirectory]

Path: You can specify a directory to gather data using variables. (ex: %ProgramFiles%\internet explorer)

Note Note

Refer to Variables for details.

Flags: (Optional).
include_subdirectory: Gathers information including subdirectories.

3.2. Registry

attributes:

values:

- {key: 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', value: ' Shell'}

- {key: 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows', value: 'Run'}

Values: Indicates a list of registry values to gather. Composed of key and value and abbreviation defined in Key can be used.
If you want to gather 32 bit registry information from 64 bit Windows, suffix 32 to a key .(ex: HKLM32) (In 32 bit Windows this setting will be overridden.
If a value is not specified,, a default value of key will be gathered.

3.3. Registry.Key

Specifies a registry key to gather.

attributes:

key: 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

flags: [include_subkey]

You can use the following abbreviations for registry keys.

Key	Description
HKLM	HKEY_LOCAL_MACHINE
HKCU	HKEY_CURRENT_USER
HKCR	HKEY_CLASSES_ROOT
HKU	HKEY_USERS

key: Indicates a registry key to gather. If you want to gather 32 bit registry information from 64 bit Windows, suffix 32 to a key .(ex: HKLM32). This setting will be overridden in 32 bit Windows.
Flags: (Optional).
include_subkey: Gathers information including subkeys.

3.4. System.Event_log

Gathers system event logs.

attributes:

channel: Application

days: 7

The following indicates a channel name and a representative name is as follow:

Channel	Description
Application	Application
Security	Security
System	System

Query: (Optional). Uses to gather specific events. If a query attribute is defined, properties such as from, to, days and default gathering period will be overridden. When events for a specific period is required, specify a data gathering period as well. (Apply to Windows Vista/2008 or higher version)
XPATH 1.0 query or XML querycan be used. Refer to Consuming Events for details. ex) query: '*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

From: (Optional). Specifies a start time for gathering data. If a property for “To” is not defined, all logs beginning from the time specified in “From” will be gathered. If a property for Query is defined, this value will be overridden.
'YYYY-MM-DDThh:mm:ssZ' or 'YYYY-MM-DDThh:mm:ss.fffZ’ will be used. Time is UTC. ex) 2018-11-19T01:30:00.123Z

To: (Optional)n. Specifies an end time for gathering data. If a property for “From” is not defined, all data until the end time specified in “To” will be gathered and if a property for Query is defined, this value will be overridden.
'YYYY-MM-DDThh:mm:ssZ' or 'YYYY-MM-DDThh:mm:ss.fffZ’ will be used. Time is UTC. ex) 2018-11-19T01:30:00.123Z

Days: (Optional). Specifies a gathering period in days. If any of Query, From or To is defined, this value will be overridden, but if none of Query, From, To or Days is defined, all logs for the last 30 days after a default log gathering period passed will be gathered.
For example, 7 days are specified for the period, logs for the last 7 days will be gathered. If a property is 0, all logs from beginning to ending will be gathered.

3.5. WMI

Gathers WMI information.

attributes:

query: 'SELECT * FROM Win32_ComputerSystemProduct'

Query: WMI query written sing WQL(WMI Query Language).
Flags: (Optional).
datetime_to_time: A column for datetime data type will be regarded as a string in WMI. Ex) If '20181119152505.391000+540’ is used for datetime instead of a string, "2018-11-19 3:25:05 PM” will e displayed. Date information like "20150702000000.000000+000”, where time information is not included, should not be specified as it is not intuitive.

4. Condition

Syntax used to compare conditions.

A blank space should be entered between an arithmetic operator and an item. ex: os_version == 6.1
You can define priorities using a parenthesis. ex) 64bit:) 64bit or (os_version >= 6 and os_version < 10)
Use a double quotation mark ("), or a single quotation mark (') for a space. Carefully use YAML syntax. ex) 'os_version == "6.1"'
Enter a value name right before the related operator. "6.1 == os_version” is an example of incorrect use. (not exclude)

Value used for condition

You can use values for the following cases:

Name	Type	Description	Example
os_version	Version string	OS version (<major>.<minor>) (*minor version can be omitted)	os_version == 6.1 os_version >= 6
os_build_number	Number	OS build number	os_build_number >= 10.0.17134
64bit	Boolean	If it is 64-bit OS, true	64bit and os_version >= 6
system_type	String	One among x86, x64 or arm64	system_type == x64
server	Boolean	If it's a server, true	server and os_version >= 6

*Version string: Compares digits in digits and separators combined.

Using related operators

You can use the related operators as follows, and if strings are compared, it is not case-sensitive.

Operator	Description
equals is ==	Both are same, true
notequals isnot !=	Both are not same, true
contains	If a preceding value includes a following value, true
notcontains	If a preceding value does not include a following value, true
>	If a preceding value is greater than a following value, true
>=	If a preceding value is equal to or greater than a following value, true
<	If a preceding value is less than a following value, true
<=	If a preceding value is equal to or less than a following value, true

If a related operator does not exist

If a related operator does not exist, it works as follows.

Type	Description
String	value != ""
Version string	value > 0.0.0.0
Number	value != 0
Boolean	value != false

Using logical operators

You can use logical operators as follows.

Operator	Description	Example
and &&	If any element is false, false.	64bit and os_version >= 6
or \|\|	If any element is true, true.	64bit or server
not	If a preceding element is false, true, (! is not compatible as its syntax does not allow to enter it at the foremost location to prevent conflict.)	not 64bit and os_version >= 6

5. Variables

If a variable is used, the following format of ‘%VariableName%’ can be used and Windows environment variables can be used. ex) %windir%\explorer.exe

Variable name

Description

ProgramData

Windows Vista or higher: %ProgramData% (%SystemDrive%\ProgramData)

Windows XP, 2003: %ALLUSERSPROFILE%\Application Data

ProgramFiles

%ProgramFiles% (%SystemDrive%\Program Files)

ProgramFilesX86

64bit Windows: %ProgramFiles(x86)% (%SystemDrive%\Program Files (x86))

32bit Windows: %ProgramFiles% (%SystemDrive%\Program Files)

ProgramFilesCommon

%ProgramFiles%\Common Files

ProgramFilesCommonX86

64bit Windows: %ProgramFiles(x86)%\Common Files

32bit Windows: %ProgramFiles%\Common Files

Public

Windows Vista+: %PUBLIC% (%SystemDrive%\Users\Public)

Windows XP, 2003: %ALLUSERSPROFILE%

System

%windir%\System32

SystemX86

64bit Windows: %windir%\SysWOW64

32bit Windows: %windir%\System32

SystemDrive

%SystemDrive%

Ex) C:

Windows

%SystemRoot%, %windir%

Ex) C:\Windows

Use of variables by user type

Different values can be used based on a user type as follows:

If a user is not specified, current user information will be gathered for variables per user type.
Use '(CurrentUser)' prefix to specify the settings. ex) %Profile(CurrentUser)%\Downloads
If information is gathered using a SYSTEM account, SYSTEM account information will be gathered. Use '(ActiveUser)' prefix to gather the current logged-in user information from SYSTEM accounts. ex) %Profile(ActiveUser)%\Downloads

Variable name	Description
LocalAppData	Windows Vista or higher: %LOCALAPPDATA% (%USERPROFILE%\AppData\Local) Windows XP, 2003: %USERPROFILE%\Local Settings\Application Data
LocalAppDataLow	Windows Vista or higher: %USERPROFILE%\AppData\LocalLow
Profile	Windows Vista or higher: %USERPROFILE% (%SystemDrive%\Users\%USERNAME%) Windows XP, 2003: %USERPROFILE% (%SystemDrive%\Documents and Settings\%USERNAME%)
RoamingAppData	Windows Vista or higher: %APPDATA% (%USERPROFILE%\AppData\Roaming) Windows XP, 2003: %APPDATA% (%USERPROFILE%\Application Data)
SID	String-format SID (security identifier)
Temp	%Temp% ex) C:\Users\Username\AppData\Local\Temp