LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more…
name: Custom.Windows.Nirsoft.LastActivityView
description: |
LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...
author: Yaniv Radunsky @ 10rootCyberSecurity
tools:
- name: lastactivityview
url: https://www.nirsoft.net/utils/lastactivityview.zip
precondition: SELECT OS From info() where OS = 'windows'
sources:
- name: Upload
query: |
LET Hostname <= SELECT Hostname as Host FROM info()
-- Fetch the binary
LET Toolzip <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="lastactivityview", IsExecutable=FALSE)
LET TmpDir <= tempdir()
-- Unzip the binary
LET _ <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
-- Set EXE
LET LastActivityViewExe <= TmpDir + '\\LastActivityView.exe'
-- Build the exec command
LET LastActivityViewCmd <= filter(list=(LastActivityViewExe, "/scomma", TmpDir + "\\" + Hostname.Host[0] + "-LastActivityView.csv" )
, regex=".+")
-- Run the tool.
LET ExecLastActivityView <= SELECT *
FROM execve(argv=LastActivityViewCmd,sep="\n", length=10000)
-- Upload CSV to the hunt
LET Upload <= SELECT Name, upload(file=FullPath,name=relpath(base=TmpDir + Hostname.Host[0] + "-LastActivityView.csv", path=FullPath)) as FileDetails
FROM glob(globs="/**", root=TmpDir)
WHERE Name =~ "(csv)$"
-- Parse CSV to Notebook
SELECT * FROM parse_csv(filename= TmpDir + "\\" + Hostname.Host[0] + "-LastActivityView.csv")